author | Krzysztof Gajewski <krzysztof.gajewski@nokia.com> | 2020-10-15 20:33:34 +0200 |
---|---|---|
committer | Krzysztof Gajewski <krzysztof.gajewski@nokia.com> | 2020-10-29 14:14:10 +0000 |
commit | cd2e66f770d8778dbd5c95a73fa810b9ee0ee779 (patch) | |
tree | 2ae935051ea2ff955dcf7efc6c5dd2dca1fe3cd2 /kubernetes/so/components | |
parent | 3ed223d7f77b43033fa97d584246db4a386d6b0c (diff) |
[SO] Enable SO-Monitoring - use HTTPS and certInitializer
- SO-Monitoring service exposed as NodePort
- Certs are retrieved dynamically using certInitializer
Issue-ID: SO-2920
Signed-off-by: Krzysztof Gajewski <krzysztof.gajewski@nokia.com>
Change-Id: I04e6556bcddc3c67afc2a76c5b4fecb59a134911
Diffstat (limited to 'kubernetes/so/components')
5 files changed, 89 insertions, 18 deletions
diff --git a/kubernetes/so/components/so-monitoring/requirements.yaml b/kubernetes/so/components/so-monitoring/requirements.yaml index 2eb32d00ed..29f9a9fcd0 100755 --- a/kubernetes/so/components/so-monitoring/requirements.yaml +++ b/kubernetes/so/components/so-monitoring/requirements.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Modifications © 2020 Nokia # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,3 +19,6 @@ dependencies: # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' + - name: soHelpers + version: ~6.x-0 + repository: 'file://../soHelpers' diff --git a/kubernetes/so/components/so-monitoring/resources/config/overrides/override.yaml b/kubernetes/so/components/so-monitoring/resources/config/overrides/override.yaml index c2e6ad06f3..cf54fa43f8 100644 --- a/kubernetes/so/components/so-monitoring/resources/config/overrides/override.yaml +++ b/kubernetes/so/components/so-monitoring/resources/config/overrides/override.yaml @@ -1,8 +1,17 @@ server: port: {{ index .Values.containerPort }} + {{- if .Values.global.aafEnabled }} + ssl: + keyStore: ${KEYSTORE} + keyStorePassword: ${KEYSTORE_PASSWORD} + trustStore: ${TRUSTSTORE} + trustStorePassword: ${TRUSTSTORE_PASSWORD} + {{- end }} tomcat: max-threads: 50 + {{- if not .Values.global.aafEnabled }} ssl-enable: false + {{- end }} camunda: rest: api: @@ -15,3 +24,12 @@ mso: api: url: http://so-request-db-adapter.{{ include "common.namespace" . }}:8083/infraActiveRequests/ auth: Basic YnBlbDpwYXNzd29yZDEk +spring: + main: + allow-bean-definition-overriding: true + security: + usercredentials: + - + username: ${SO_MONITORING_USERNAME} + password: ${SO_MONITORING_PASSWORD} + role: GUI-Client 
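Review bot: In override.yaml the added `spring.security.usercredentials` block takes its values from `${SO_MONITORING_USERNAME}` and `${SO_MONITORING_PASSWORD}`, but the `auth: Basic …` line directly above it (context in the second override.yaml hunk) is still a literal base64 credential in the same file, and base64 is an encoding, not protection. Consider sourcing that header from a Secret-backed environment variable as well, e.g. `auth: ${MSO_API_AUTH}` (placeholder name), so that no credential ships in the rendered configuration. The new `password` field also deserves a comment, because the deployment.yaml hunk shows it receives a bcrypt hash rather than the clear-text value: `# bcrypt ($2a$) hash computed at container start from the app-user-creds secret`. The `mso:` mapping begins outside this hunk.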
diff --git a/kubernetes/so/components/so-monitoring/templates/deployment.yaml b/kubernetes/so/components/so-monitoring/templates/deployment.yaml index f5969738f6..9463b28271 100644 --- a/kubernetes/so/components/so-monitoring/templates/deployment.yaml +++ b/kubernetes/so/components/so-monitoring/templates/deployment.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. +# Modifications Copyright © 2020 Nokia # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -42,7 +43,7 @@ spec: app: {{ include "common.name" . }} release: {{ include "common.release" . }} spec: - initContainers: + initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }} - name: so-chown image: alpine:3.6 volumeMounts: @@ -55,6 +56,21 @@ spec: - name: {{ include "common.name" . }} image: {{ include "common.repository" . }}/{{ .Values.image }} resources: {{ include "common.resources" . | nindent 12 }} + command: + - /bin/sh + args: + - -c + - | + export SO_MONITORING_PASSWORD=`htpasswd -bnBC 10 "" $SO_MON_PASS | tr -d ':\n' | sed 's/\$2y/\$2a/'` + {{- if .Values.global.aafEnabled }} + export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/org.onap.so.cred.props | xargs -0) + export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) + export KEYSTORE=file://$cadi_keystore + export KEYSTORE_PASSWORD=$cadi_keystore_password_p12 + export TRUSTSTORE=file://$cadi_truststore + export TRUSTSTORE_PASSWORD=$cadi_truststore_password + {{- end }} + /app/start-app.sh env: - name: DB_HOST valueFrom: 
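Review bot: In the added `args` script, `$SO_MON_PASS` is expanded unquoted on the `htpasswd` line, so a password containing whitespace or glob characters is word-split before hashing, and `-b` places the clear text in the process arguments. The pipeline's exit status is that of `sed`, so if `htpasswd` fails or is absent from the image, `SO_MONITORING_PASSWORD` is exported empty and `/app/start-app.sh` still runs. I would feed the password on stdin and stop on an empty hash: `export SO_MONITORING_PASSWORD=$(printf '%s' "$SO_MON_PASS" | htpasswd -inBC 10 "" | tr -d ':\n' | sed 's/\$2y/\$2a/')`, then `[ -n "$SO_MONITORING_PASSWORD" ] || exit 1` and `unset SO_MON_PASS`. The two `export $(grep '^c' … | xargs -0)` lines have the same unquoted-expansion weakness for property values that contain spaces.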
@@ -74,11 +90,16 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "login") | indent 10 }} - name: DB_ADMIN_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-admin-creds" "key" "password") | indent 10 }} + - name: SO_MONITORING_USERNAME + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "login") | indent 10 }} + - name: SO_MON_PASS + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "password") | indent 10 }} + envFrom: - configMapRef: name: {{ include "common.fullname" . }}-configmap imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - volumeMounts: + volumeMounts: {{ include "so.certificate.volumeMount" . | nindent 8 }} - name: logs mountPath: /app/logs - name: config @@ -101,7 +122,7 @@ spec: - containerPort: {{ index .Values.containerPort }} name: {{ .Values.service.portName }} protocol: TCP - volumes: + volumes: {{ include "so.certificate.volumes" . | nindent 6 }} - name: logs emptyDir: {} - name: config diff --git a/kubernetes/so/components/so-monitoring/templates/service.yaml b/kubernetes/so/components/so-monitoring/templates/service.yaml index c4c2ae9d13..660ddb8125 100644 --- a/kubernetes/so/components/so-monitoring/templates/service.yaml +++ b/kubernetes/so/components/so-monitoring/templates/service.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. +# Modifications © 2020 Nokia # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -27,9 +28,13 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} spec: + {{if .Values.global.aafEnabled -}} type: {{ .Values.service.type }} + {{- else -}} + type: ClusterIP + {{- end }} ports: - {{if eq .Values.service.type "NodePort" -}} + {{if and (eq .Values.service.type "NodePort") (.Values.global.aafEnabled) -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} name: {{ .Values.service.portName }} diff --git a/kubernetes/so/components/so-monitoring/values.yaml b/kubernetes/so/components/so-monitoring/values.yaml index e746baf1bb..9ba1d7b7d8 100644 --- a/kubernetes/so/components/so-monitoring/values.yaml +++ b/kubernetes/so/components/so-monitoring/values.yaml @@ -1,6 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Copyright (C) 2020 Huawei +# Modifications Copyright © 2020 Nokia # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -27,8 +28,15 @@ global: readinessImage: onap/oom/readiness:3.0.1 aafAgentImage: onap/aaf/aaf_agent:2.1.20 envsubstImage: dibi/envsubst + aafEnabled: true persistence: mountPath: /dockerdata-nfs + security: + aaf: + enabled: true + aaf: + auth: + header: Basic c29Ac28ub25hcC5vcmc6ZGVtbzEyMzQ1Ngo= ################################################################# # Secrets metaconfig 
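Review bot: The service.yaml conditional silently replaces `.Values.service.type` with `ClusterIP` whenever `global.aafEnabled` is false, which someone who set `type: NodePort` in their overrides will not expect. Presumably the intent is to avoid exposing the GUI outside the cluster without TLS; record that above the `if`, e.g. `{{/* Expose outside the cluster only when AAF certificates (HTTPS) are enabled */}}`. The `else` branch of the `ports:` conditional lies outside this hunk.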
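Review bot: The new `global.aaf.auth.header` default in values.yaml is a hard-coded `Basic` credential, so every install that does not override it shares the same value, and anyone who can read the chart can decode it. Its final base64 group `Ngo=` decodes to a digit followed by a line feed, which suggests the string was produced with `echo` rather than `printf`, so the encoded password may carry a trailing newline and fail to match. I would define this credential as a `basicAuth` entry under `secrets:` (as `app-user-creds` is in a later hunk of this file) and build the header from the Secret at runtime. The `global:` mapping begins outside this hunk.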
@@ -46,25 +54,21 @@ secrets: login: '{{ .Values.db.adminName }}' password: '{{ .Values.db.adminPassword }}' passwordPolicy: required + - uid: app-user-creds + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.server.monitoring.soMonitoringCredsExternalSecret) . }}' + login: '{{ .Values.server.monitoring.username }}' + password: '{{ .Values.server.monitoring.password }}' #secretsFilePaths: | # - 'my file 1' # - '{{ include "templateThatGeneratesFileName" . }}' ################################################################# -# AAF part -################################################################# -soHelpers: - nameOverride: so-monitoring-cert-init - certInitializer: - nameOverride: so-monitoring-cert-init - credsPath: /opt/app/osaaf/local - -################################################################# # Application configuration defaults. ################################################################# repository: nexus3.onap.org:10001 -image: onap/so/so-monitoring:1.6.4 +image: onap/so/so-monitoring:1.7.7 pullPolicy: Always db: 
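Review bot: The new `app-user-creds` entry sets no `passwordPolicy`, unlike the `db-admin-creds` entry just above it (`passwordPolicy: required`), and the last values.yaml hunk leaves `server.monitoring.password` commented out. What the secret template does with an empty password and no policy is not visible here, so the GUI credential may end up empty or generated, depending on the common chart. State the intent explicitly, for example `passwordPolicy: required`, so that an install with neither a password nor an external secret fails at render time instead of at login. The `secrets:` list begins outside this hunk.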
@@ -77,15 +81,34 @@ db: replicaCount: 1 minReadySeconds: 10 -containerPort: 9091 +containerPort: &containerPort 9091 logPath: app/logs/ app: so-monitoring + +################################################################# +# soHelpers part +################################################################# +soHelpers: + nameOverride: so-monitoring-cert-init + certInitializer: + nameOverride: so-monitoring-cert-init + credsPath: /opt/app/osaaf/local + cadi: + apiEnforcement: org.onap.so.monitoringPerm + containerPort: *containerPort + +server: + monitoring: + username: demo + # password: demo123456! + # soMonitoringCredsExternalSecret: some secret + service: #Since this is a feature for monitoring the service type is changed to internal, users can change it to NodePort on need basis... - type: ClusterIP + type: NodePort nodePort: 24 - internalPort: 9091 - externalPort: 9091 + internalPort: *containerPort + externalPort: *containerPort portName: so-monitor-port updateStrategy: type: RollingUpdate |
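Review bot: Changing the default `service.type` to `NodePort` leaves the comment above it ("service type is changed to internal …") stale, and together with `global.aafEnabled: true` it exposes the monitoring GUI on a node port by default with the shipped username `demo`. Update the comment to match the template, e.g. `# NodePort is honoured only when global.aafEnabled is true; otherwise service.yaml forces ClusterIP`. Note also that the `*containerPort` aliases are resolved when values.yaml is parsed, so overriding `containerPort` with `--set` or from a parent chart will not change `service.internalPort`, `service.externalPort` or `soHelpers.containerPort`.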