authorIlanaP <ilanap@amdocs.com>2019-11-18 21:10:08 +0200
committerIlanaP <ilanap@amdocs.com>2019-12-17 14:27:45 +0200
commitc80bff934c950c2ad75fe06b0abcc91502f57fdf (patch)
treec75408726c62d0e38c295c0aa10686cac23f2f9b /kubernetes/sdc/charts/sdc-wfd-be
parent8501d7cee5a887f9e19d5fe3671ef8180bce526b (diff)
Secure FE communications to the workflow backend
Update of the workflow fe and be charts to secure the communications and to start the backend server in https mode with a secured connection to SDC Issue-ID: OOM-1954 Signed-off-by: IlanaP <ilanap@amdocs.com> Change-Id: Ia3c4c714e317b8f8b6b4ee9245daa50eea50275f Signed-off-by: IlanaP <ilanap@amdocs.com>
Diffstat (limited to 'kubernetes/sdc/charts/sdc-wfd-be')
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl30
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml27
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml10
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-be/values.yaml28
4 files changed, 37 insertions, 58 deletions
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl b/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl
index c69fb7c81c..298a2cd673 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl
+++ b/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl
@@ -1,29 +1 @@
-{{- define "sdc-wfd-be.volumes" }}
- {{ if .Values.config.cassandraSSLEnabled }}
- - name: {{ include "common.fullname" . }}-cassandra-client-truststore
- hostPath:
- path: /etc/cassandra-client-truststore/truststore
- type: File
- {{- end }}
- {{ if .Values.config.serverSSLEnabled }}
- - name: {{ include "common.fullname" . }}-server-https-keystore
- hostPath:
- path: /config/server-https-keystore/keystore
- type: File
- {{- end }}
-{{- end }}
-
-{{- define "sdc-wfd-be.volumeMounts" }}
- {{ if .Values.config.cassandraSSLEnabled }}
- - name: {{ include "common.fullname" . }}-cassandra-client-truststore
- mountPath: /etc/cassandra-client-truststore/truststore
- subPath: truststore
- readOnly: true
- {{- end }}
- {{ if .Values.config.serverSSLEnabled }}
- - name: {{ include "common.fullname" . }}-server-https-keystore
- mountPath: /etc/server-https-keystore/keystore
- subPath: keystore
- readOnly: true
- {{- end }}
-{{- end }} \ No newline at end of file
+{{- define "wfd-be.internalPort" }}{{ if .Values.config.serverSSLEnabled }}{{ .Values.service.internalPort2 }}{{ else }}{{ .Values.service.internalPort }}{{ end }}{{- end }}
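Review bot: The new helper is named `wfd-be.internalPort` while the definitions it replaces (and the chart itself) use the `sdc-wfd-be.` prefix, so the template namespace is now inconsistent within one chart; renaming to `sdc-wfd-be.internalPort` (and updating the three callers in deployment.yaml and service.yaml) would keep it consistent. The helper also carries no explanation of which value it selects. A one-line template comment above the define would help, e.g. `{{/* Backend listen port: service.internalPort2 when config.serverSSLEnabled is set, otherwise service.internalPort */}}`.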
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml
index 31ab7d5eaf..00a986f4d2 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml
@@ -53,20 +53,19 @@ spec:
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
ports:
- - containerPort: {{ .Values.service.internalPort }}
- - containerPort: {{ .Values.service.internalPort2 }}
+ - containerPort: {{ template "wfd-be.internalPort" . }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{ if .Values.liveness.enabled }}
livenessProbe:
tcpSocket:
- port: {{ .Values.service.internalPort2 }}
+ port: {{ template "wfd-be.internalPort" . }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end }}
readinessProbe:
tcpSocket:
- port: {{ .Values.service.internalPort2 }}
+ port: {{ template "wfd-be.internalPort" . }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
env:
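Review bot: The three new `{{ template "wfd-be.internalPort" . }}` calls (containerPort and both probe ports) use `template`, whereas the surrounding file uses `include` (`{{ include "common.repository" . }}` on the image line); `include` is the conventional form in Helm charts because its output can be piped, and mixing the two in one file is a style inconsistency. The same applies to the two calls in service.yaml. Changing each to `{{ include "wfd-be.internalPort" . }}` keeps the file uniform without altering the rendered result. The enclosing container spec starts before this hunk and continues after it.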
@@ -89,7 +88,8 @@ spec:
- name: CS_TRUST_STORE_PATH
value: "{{ .Values.config.cassandraTrustStorePath }}"
- name: CS_TRUST_STORE_PASSWORD
- value: "{{ .Values.config.cassandraTrustStorePassword }}"
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: cs_truststore_password}
- name: SDC_PROTOCOL
value: "{{ .Values.config.sdcProtocol }}"
- name: SDC_ENDPOINT
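Review bot: The new `secretKeyRef` points at `{{ .Release.Name }}-sdc-cs-secrets` with key `cs_truststore_password`, but nothing in this diff (limited to sdc-wfd-be) creates that Secret or that key, so the pod will fail to start with a missing-key error unless the parent sdc chart provides exactly these names; that should be confirmed before merge. The same dependency applies to `wf_external_user_password` in the next hunk and to `keystore_password` and `truststore_password` in the hunk after it. A short comment above the first reference would make the coupling visible to chart maintainers, e.g. `# passwords are read from the <release>-sdc-cs-secrets Secret, which is created by the parent sdc chart`. Moving these values out of values.yaml into a Secret is the right direction; only the provenance of the Secret needs documenting.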
@@ -97,7 +97,8 @@ spec:
- name: SDC_USER
value: "{{ .Values.config.sdcExternalUser }}"
- name: SDC_PASSWORD
- value: "{{ .Values.config.sdcExternalUserPassword }}"
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: wf_external_user_password}
- name: SERVER_SSL_ENABLED
value: "{{ .Values.config.serverSSLEnabled }}"
- name: SERVER_SSL_KEYSTORE_TYPE
@@ -105,10 +106,14 @@ spec:
- name: SERVER_SSL_KEYSTORE_PATH
value: "{{ .Values.config.serverSSLKeyStorePath }}"
- name: SERVER_SSL_KEY_PASSWORD
- value: "{{ .Values.config.serverSSLKeyPassword }}"
- volumeMounts:
- {{- template "sdc-wfd-be.volumeMounts" . }}
- volumes:
- {{- template "sdc-wfd-be.volumes" . }}
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: keystore_password}
+ - name: SERVER_SSL_TRUSTSTORE_TYPE
+ value: "{{ .Values.config.serverSSLTrustStoreType }}"
+ - name: SERVER_SSL_TRUSTSTORE_PATH
+ value: "{{ .Values.config.serverSSLTrustStorePath }}"
+ - name: SERVER_SSL_TRUST_PASSWORD
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: truststore_password}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
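Review bot: Removing the `volumeMounts:`/`volumes:` lines drops the only place this chart mounted the HTTPS keystore and the Cassandra client truststore, yet the container is still told to read `SERVER_SSL_KEYSTORE_PATH`, `SERVER_SSL_TRUSTSTORE_PATH` and `CS_TRUST_STORE_PATH` from disk; with `serverSSLEnabled` now defaulting to true, those files must come from the image or from something outside this hunk, which I cannot see here. If they are intentionally baked into the image, say so next to the SSL env block, e.g. `# keystore/truststore are expected inside the image at config.serverSSLKeyStorePath / serverSSLTrustStorePath; no volume is mounted for them`. The container spec continues above this hunk.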
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml b/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml
index 14a937fe00..fee95ba42e 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml
@@ -28,13 +28,13 @@ spec:
type: {{ .Values.service.type }}
ports:
{{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.internalPort }}
+ - port: {{ template "wfd-be.internalPort" . }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName | default "http" }}
+ name: {{ .Values.service.portName }}
{{- else -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName | default "http" }}
+ - port: {{ if .Values.config.serverSslEnabled }}{{ .Values.service.externalPort2 }}{{ else }}{{ .Values.service.externalPort }}{{ end }}
+ targetPort: {{ template "wfd-be.internalPort" . }}
+ name: {{ .Values.service.portName }}
{{- end}}
selector:
app: {{ include "common.name" . }}
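Review bot: The ClusterIP branch tests `.Values.config.serverSslEnabled`, but the value defined in values.yaml and used by the `wfd-be.internalPort` helper is `serverSSLEnabled`; the misspelled key resolves to nil, so `port` is always `externalPort` (8080) while `targetPort` follows the helper (8443 when SSL is on), which silently defeats the `externalPort2` setting. The line should read `- port: {{ if .Values.config.serverSSLEnabled }}{{ .Values.service.externalPort2 }}{{ else }}{{ .Values.service.externalPort }}{{ end }}`. Dropping the `| default "http"` on `name` is fine only because values.yaml now sets `portName`; a user overriding the service block without it will render an empty name.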
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/values.yaml b/kubernetes/sdc/charts/sdc-wfd-be/values.yaml
index 92903ba96a..68f487674d 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/values.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-be/values.yaml
@@ -28,13 +28,10 @@ global:
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/workflow-backend:1.5.2
-configInitImage: onap/workflow-init:1.5.2
+image: onap/workflow-backend:1.6.0
+configInitImage: onap/workflow-init:1.6.0
pullPolicy: Always
-# flag to enable debugging - application support required
-debugEnabled: false
-
initJob:
enabled: true
@@ -43,17 +40,21 @@ config:
cassandraAuthenticationEnabled: true
cassandraThriftClientPort: 9160
cassandraClientPort: 9042
+
sdcProtocol: HTTPS
sdcEndpoint: sdc-be:8443
sdcExternalUser: workflow
- sdcExternalUserPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
- serverSSLEnabled: false
+
+ serverSSLEnabled: true
+
serverSSLKeyStoreType: jks
- serverSSLKeyStorePath: etc/org.onap.sdc.p12
- serverSSLKeyPassword: "!ppJ.JvWn0hGh)oVF]([Kv)^"
+ serverSSLKeyStorePath: /etc/keystore
+
+ serverSSLTrustStoreType: jks
+ serverSSLTrustStorePath: /etc/truststore
+
cassandraSSLEnabled: false
- cassandraTrustStorePath: /etc/cassandra-client-truststore/truststore
- cassandraTrustStorePassword: password
+ cassandraTrustStorePath: /etc/truststore
# default number of instances
replicaCount: 1
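Review bot: `cassandraTrustStorePath` and `serverSSLTrustStorePath` now both point at `/etc/truststore`, while deployment.yaml wires two different Secret keys (`cs_truststore_password` and `truststore_password`) to them; if this is a single shared file, one of the two keys is redundant, and if two distinct truststores are intended, the paths collide. Whichever is meant, a comment next to the values would settle it, e.g. `# server and cassandra-client truststores share one file at /etc/truststore`. The new `serverSSLTrustStoreType`/`serverSSLTrustStorePath` keys would also benefit from a one-line comment stating that the files are expected inside the image, since no volume mounts them any more. Removing the plaintext passwords from this file is a clear improvement.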
@@ -76,12 +77,13 @@ readiness:
service:
type: NodePort
+ portName: sdc-wfd-be
internalPort: 8080
externalPort: 8080
internalPort2: 8443
externalPort2: 8443
- portName: sdc-wfd-be
- nodePort: "57"
+ nodePort: "57" # only one node port. set to http or https port depending on isHttpsEnabled property
+
ingress:
enabled: false
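Review bot: The added comment on `nodePort` refers to an `isHttpsEnabled` property, which does not exist in this chart; the http/https choice is made from `config.serverSSLEnabled` through the `wfd-be.internalPort` helper, so the comment points maintainers at the wrong key. Suggested wording: `nodePort: "57" # only one node port; it maps to the http or https port depending on config.serverSSLEnabled`. Moving `portName` above the port keys is purely cosmetic and fine.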