summaryrefslogtreecommitdiffstats
path: root/kubernetes
diff options
context:
space:
mode:
authorRavi Geda <gravik@amdocs.com>2018-11-07 22:37:16 +0000
committerAlexis de Talhouët <alexis.de_talhouet@bell.ca>2018-12-04 13:00:09 +0000
commit2578aa1bb72e71823df701aa10a3b87dcce66202 (patch)
tree36d6c8e268803d67ef6ee50e1774c582aaf1c106 /kubernetes
parent693bc2491bb1249f3e0313a31c4240f5f65e3ba3 (diff)
Add Pluggable Security to aai-resources
Note that by default this feature is turned off. To enable update the installSidecarSecurity in aai/values.yaml to true. Change-Id: If5d2be859ead2f0bd81aabb4fde749f105974bcf Issue-ID: AAF-616 Signed-off-by: Ravi Geda <gravik@amdocs.com>
Diffstat (limited to 'kubernetes')
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/config/auth/aai_policy.json298
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/client-cert.p12bin0 -> 3617 bytes
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/fproxy_truststorebin0 -> 4639 bytes
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/tomcat_keystorebin0 -> 2214 bytes
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/fproxy/config/fproxy.properties2
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/fproxy/config/logback-spring.xml48
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/fproxy/config/readme.txt1
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/client-cert.p12bin0 -> 4291 bytes
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/org.onap.aai.p12bin0 -> 4158 bytes
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/tomcat_keystorebin0 -> 4943 bytes
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/uri-authorization.json99
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/rproxy/config/cadi.properties39
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/rproxy/config/forward-proxy.properties4
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/rproxy/config/logback-spring.xml48
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/rproxy/config/primary-service.properties3
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/rproxy/config/readme.txt1
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/rproxy/config/reverse-proxy.properties1
-rw-r--r--kubernetes/aai/charts/aai-resources/resources/rproxy/config/security/keyfile27
-rw-r--r--kubernetes/aai/charts/aai-resources/templates/configmap.yaml85
-rw-r--r--kubernetes/aai/charts/aai-resources/templates/deployment.yaml123
-rw-r--r--kubernetes/aai/charts/aai-resources/values.yaml5
-rw-r--r--kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg138
-rw-r--r--kubernetes/aai/templates/configmap.yaml4
-rw-r--r--kubernetes/aai/templates/deployment.yaml8
24 files changed, 934 insertions, 0 deletions
diff --git a/kubernetes/aai/charts/aai-resources/resources/config/auth/aai_policy.json b/kubernetes/aai/charts/aai-resources/resources/config/auth/aai_policy.json
new file mode 100644
index 0000000000..65f13eff5f
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/config/auth/aai_policy.json
@@ -0,0 +1,298 @@
+{
+ "roles": [
+ {
+ "name": "admin",
+ "functions": [
+ {
+ "name": "actions",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "servers",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "cloudinfra",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "cloud-infrastructure",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "sdandc",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "service-design-and-creation",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "business",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "network",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "search",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "POST"
+ }
+ ]
+ },
+ {
+ "name": "util",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ },
+ {
+ "name": "license-management",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "examples",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ },
+ {
+ "name": "resources",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ },
+ {
+ "name": "generateurl",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ },
+ {
+ "name": "bulkadd",
+ "methods": [
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "nodes",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ },
+ {
+ "name": "query",
+ "methods": [
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "dbquery",
+ "methods": [
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "bulk",
+ "methods": [
+ {
+ "name": "POST"
+ }
+ ]
+ },
+ {
+ "name": "bulkprocess",
+ "methods": [
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "recents",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ },
+ {
+ "name": "dsl",
+ "methods": [
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "common",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ }
+ ],
+ "users": [
+ {
+ "username": "CN=aai, OU=OSAAF, OU=aai@aai.onap.org, O=ONAP, C=US"
+ }
+ ]
+ },
+ {
+ "name": "basicauth",
+ "functions": [
+ {
+ "name": "util",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ }
+ ],
+ "users": [
+ {
+ "user": "aai",
+ "pass": "OBF:1u2a1t2v1vgb1s3g1s3m1vgj1t3b1u30"
+ }
+ ]
+ },
+ {
+ "name": "HAProxy",
+ "functions": [
+ {
+ "name": "util",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ }
+ ],
+ "users": [
+ {
+ "username": "CN=haproxyuser, OU=OSAAF, OU=aai@aai.onap.org, O=ONAP, C=US"
+ }
+ ]
+ }
+ ]
+}
diff --git a/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/client-cert.p12 b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/client-cert.p12
new file mode 100644
index 0000000000..d9fe86e4ec
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/client-cert.p12
Binary files differ
diff --git a/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/fproxy_truststore b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/fproxy_truststore
new file mode 100644
index 0000000000..f6ebc75ed8
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/fproxy_truststore
Binary files differ
diff --git a/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/tomcat_keystore b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/tomcat_keystore
new file mode 100644
index 0000000000..9eec841aa2
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/tomcat_keystore
Binary files differ
diff --git a/kubernetes/aai/charts/aai-resources/resources/fproxy/config/fproxy.properties b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/fproxy.properties
new file mode 100644
index 0000000000..f512fb71a6
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/fproxy.properties
@@ -0,0 +1,2 @@
+credential.cache.timeout.ms=180000
+transactionid.header.name=X-TransactionId \ No newline at end of file
diff --git a/kubernetes/aai/charts/aai-resources/resources/fproxy/config/logback-spring.xml b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/logback-spring.xml
new file mode 100644
index 0000000000..4fae434edd
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/logback-spring.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+
+ <property name="LOGS" value="./logs/AAF-FPS" />
+ <property name="FILEPREFIX" value="application" />
+
+ <appender name="Console"
+ class="ch.qos.logback.core.ConsoleAppender">
+ <layout class="ch.qos.logback.classic.PatternLayout">
+ <Pattern>
+ %d{ISO8601} %-5level [%t] %C{1.}: %msg%n%throwable
+ </Pattern>
+ </layout>
+ </appender>
+
+ <appender name="RollingFile"
+ class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <file>${LOGS}/${FILEPREFIX}.log</file>
+ <encoder
+ class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <Pattern>%d %p %C{1.} [%t] %m%n</Pattern>
+ </encoder>
+
+ <rollingPolicy
+ class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <!-- rollover daily and when the file reaches 10 MegaBytes -->
+ <fileNamePattern>${LOGS}/archived/${FILEPREFIX}-%d{yyyy-MM-dd}.%i.log
+ </fileNamePattern>
+ <timeBasedFileNamingAndTriggeringPolicy
+ class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP">
+ <maxFileSize>10MB</maxFileSize>
+ </timeBasedFileNamingAndTriggeringPolicy>
+ </rollingPolicy>
+ </appender>
+
+ <!-- LOG everything at INFO level -->
+ <root level="info">
+ <appender-ref ref="RollingFile" />
+ <appender-ref ref="Console" />
+ </root>
+
+ <!-- LOG "com.baeldung*" at TRACE level -->
+ <logger name="org.onap.aaf.fproxy" level="trace" additivity="false">
+ <appender-ref ref="RollingFile" />
+ <appender-ref ref="Console" />
+ </logger>
+
+</configuration> \ No newline at end of file
diff --git a/kubernetes/aai/charts/aai-resources/resources/fproxy/config/readme.txt b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/readme.txt
new file mode 100644
index 0000000000..79cf29e73c
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/readme.txt
@@ -0,0 +1 @@
+Relevant configuration files need to be copied here to successfully run this service locally. \ No newline at end of file
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/client-cert.p12 b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/client-cert.p12
new file mode 100644
index 0000000000..071d407de5
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/client-cert.p12
Binary files differ
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/org.onap.aai.p12 b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/org.onap.aai.p12
new file mode 100644
index 0000000000..023e2eaac6
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/org.onap.aai.p12
Binary files differ
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/tomcat_keystore b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/tomcat_keystore
new file mode 100644
index 0000000000..6ad5f51ad3
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/tomcat_keystore
Binary files differ
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/uri-authorization.json b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/uri-authorization.json
new file mode 100644
index 0000000000..e23c03d833
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/uri-authorization.json
@@ -0,0 +1,99 @@
+[
+ {
+ "uri": "\/not\/allowed\/at\/all$",
+ "permissions": [
+ "test.auth.access.ifYouLikedItYouShouldHavePutAPermissionOnIt"
+ ]
+ },
+ {
+ "uri": "\/one\/auth\/required$",
+ "permissions": [
+ "test.auth.access.aSimpleSingleAuth"
+ ]
+ },
+ {
+ "uri": "\/multi\/auth\/required$",
+ "permissions": [
+ "test.auth.access.aMultipleAuth1",
+ "test.auth.access.aMultipleAuth2",
+ "test.auth.access.aMultipleAuth3"
+ ]
+ },
+ {
+ "uri": "\/one\/[^\/]+\/required$",
+ "permissions": [
+ "test.auth.access.aSimpleSingleAuth"
+ ]
+ },
+ {
+ "uri": "\/services\/getAAFRequest$",
+ "permissions": [
+ "test.auth.access|services|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/admin\/getAAFRequest$",
+ "permissions": [
+ "test.auth.access|admin|GET,PUT,POST"
+ ]
+ },
+ {
+ "uri": "\/service\/aai\/webapp\/index.html$",
+ "permissions": [
+ "test.auth.access|services|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/services\/aai\/webapp\/index.html$",
+ "permissions": [
+ "test.auth.access|services|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/$",
+ "permissions": [
+ "\\|services\\|GET",
+ "test\\.auth\\.access\\|services\\|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions$",
+ "permissions": [
+ "test\\.auth\\.access\\|rest\\|read"
+ ]
+ },
+ {
+ "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+$*",
+ "permissions": [
+ "test.auth.access|clouds|read",
+ "test.auth.access|tenants|read"
+ ]
+ },
+ {
+ "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+\/tenants/tenant/[^\/]+/vservers/vserver/[^\/]+$",
+ "permissions": [
+ "test.auth.access|clouds|read",
+ "test.auth.access|tenants|read",
+ "test.auth.access|vservers|read"
+ ]
+ },
+ {
+ "uri": "\/backend$",
+ "permissions": [
+ "test\\.auth\\.access\\|services\\|GET,PUT",
+ "\\|services\\|GET"
+ ]
+ },
+ {
+ "uri": "\/aai\/.*",
+ "permissions": [
+ "org\\.onap\\.aai\\.resources\\|\\*\\|.*"
+ ]
+ },
+ {
+ "uri": "\/aai\/util\/echo",
+ "permissions": [
+ "org\\.onap\\.aai\\.resources\\|\\*\\|.*"
+ ]
+ }
+]
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/cadi.properties b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/cadi.properties
new file mode 100644
index 0000000000..c2b628dbb3
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/cadi.properties
@@ -0,0 +1,39 @@
+# This is a normal Java Properties File
+# Comments are with Pound Signs at beginning of lines,
+# and multi-line expression of properties can be obtained by backslash at end of line
+
+#hostname is used for local testing where you may have to set your hostname to **.att.com or **.sbc.com. The example given below
+#will allow for an ATT cross domain cookie to be used for GLO. If you are running on Windows corp machine, your machine name
+#may be used automatically by cadi. However, if it is not, you will need to use hostname=mywebserver.att.com and add mywebserver.att.com
+#to your hosts file on your machine.
+#hostname=test.aic.cip.att.com
+
+cadi_loglevel=DEBUG
+
+# OAuth2
+aaf_oauth2_token_url=https://AAF_LOCATE_URL/AAF_NS.token:2.0/token
+aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/AAF_NS.introspect:2.0/introspect
+
+cadi_latitude=37.78187
+cadi_longitude=-122.26147
+
+# Locate URL (which AAF Env)
+aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095
+
+# AAF URL
+aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:2.0
+
+cadi_keyfile=/opt/app/rproxy/config/security/keyfile
+cadi_keystore=/opt/app/rproxy/config/auth/org.onap.aai.p12
+cadi_keystore_password=enc:383RDJRFA6yQz9AOxUxC1iIg3xTJXityw05MswnpnEtelRQy2D4r5INQjrea7GTV
+cadi_alias=aai@aai.onap.org
+cadi_truststore=/opt/app/rproxy/config/auth/tomcat_keystore
+cadi_truststore_password=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
+
+aaf_env=DEV
+
+aaf_id=demo@people.osaaf.org
+aaf_password=enc:92w4px0y_rrm265LXLpw58QnNPgDXykyA1YTrflbAKz
+
+# This is a colon separated list of client cert issuers
+cadi_x509_issuers=CN=ONAP, OU=ONAP, O=ONAP, L=Ottawa, ST=Ontario, C=CA
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/forward-proxy.properties b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/forward-proxy.properties
new file mode 100644
index 0000000000..1b58d4235c
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/forward-proxy.properties
@@ -0,0 +1,4 @@
+forward-proxy.protocol = https
+forward-proxy.host = localhost
+forward-proxy.port = 10680
+forward-proxy.cacheurl = /credential-cache \ No newline at end of file
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/logback-spring.xml b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/logback-spring.xml
new file mode 100644
index 0000000000..57bc4e268f
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/logback-spring.xml
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+
+ <property name="LOGS" value="./logs/reverse-proxy" />
+ <property name="FILEPREFIX" value="application" />
+
+ <appender name="Console"
+ class="ch.qos.logback.core.ConsoleAppender">
+ <layout class="ch.qos.logback.classic.PatternLayout">
+ <Pattern>
+ %d{ISO8601} %-5level [%t] %C{1.}: %msg%n%throwable
+ </Pattern>
+ </layout>
+ </appender>
+
+ <appender name="RollingFile"
+ class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <file>${LOGS}/${FILEPREFIX}.log</file>
+ <encoder
+ class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
+ <Pattern>%d %p %C{1.} [%t] %m%n</Pattern>
+ </encoder>
+
+ <rollingPolicy
+ class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <!-- rollover daily and when the file reaches 10 MegaBytes -->
+ <fileNamePattern>${LOGS}/archived/${FILEPREFIX}-%d{yyyy-MM-dd}.%i.log
+ </fileNamePattern>
+ <timeBasedFileNamingAndTriggeringPolicy
+ class="ch.qos.logback.core.rolling.SizeAndTimeBasedFNATP">
+ <maxFileSize>10MB</maxFileSize>
+ </timeBasedFileNamingAndTriggeringPolicy>
+ </rollingPolicy>
+ </appender>
+
+ <!-- LOG everything at INFO level -->
+ <root level="debug">
+ <appender-ref ref="RollingFile" />
+ <appender-ref ref="Console" />
+ </root>
+
+ <!-- LOG "com.baeldung*" at TRACE level -->
+ <logger name="org.onap.aaf.rproxy" level="trace" additivity="false">
+ <appender-ref ref="RollingFile" />
+ <appender-ref ref="Console" />
+ </logger>
+
+</configuration>
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/primary-service.properties b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/primary-service.properties
new file mode 100644
index 0000000000..2c89d28180
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/primary-service.properties
@@ -0,0 +1,3 @@
+primary-service.protocol = https
+primary-service.host = localhost
+primary-service.port = 8447
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/readme.txt b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/readme.txt
new file mode 100644
index 0000000000..79cf29e73c
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/readme.txt
@@ -0,0 +1 @@
+Relevant configuration files need to be copied here to successfully run this service locally. \ No newline at end of file
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/reverse-proxy.properties b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/reverse-proxy.properties
new file mode 100644
index 0000000000..8d46e1f429
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/reverse-proxy.properties
@@ -0,0 +1 @@
+transactionid.header.name=X-TransactionId \ No newline at end of file
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/security/keyfile b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/security/keyfile
new file mode 100644
index 0000000000..3416d4a737
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/security/keyfile
@@ -0,0 +1,27 @@
+2otP92kNFHdexroZxvgYY7ffslFiwCD3CiVYMIfUF2edqZK7972NwkvE_mbaBo6jh8lByLIqrWAf
+jyzoiVsvQ_kCa0cS1xaRLpcxv3bx1b7o3hGPBqpd6vmSG4y2JLzNlCBZWuTJz827wr8p_fWrYuUm
+4L1WoaEe8W5PRnXjl4hDqbJBAlEoRIBXugUDt_7O5wgx2Rl3HVoOczZtf0RzONZ1F0BmKf3QlAUe
+moSbARitYRgIPt5sLbT7qPyoEpGDhQ1XBowR744-wsjBc-14yO62Ajp5xWKTp15uWn3_HHuw1SAf
+GWSBRGlSlEVkXQqi9Hw5jDttKVzHX1ckwR0SQOirbtHPHplxPX3WKjKhSdSeMzw6LOAHIQYRMKBT
+74oGnULAfPtV7TaGwOKriT3P49CoPdt9On89-LGyCZSxDWKH0K-rgB6I2_hPT2Uzr3jmXiMa-sfh
+iMvyQ7ABBVx0OFsUuNb5mcU2O6dWiQreL5RerrloV_X3ZtnNjxENXKjQ5KBR1A5ISPjFFK-kf4Rb
+p6FSII8LcsiqgdWuZ4GX_C6x8HX4A-vD0x3Uc9CfoXY-k23cNIy-R-W-oB-P2OgdWDNgZ7VaOLNt
+3L-NwWpNblfYvs93cNmkbVAwCZ3r0OP7RFeuON84TRaynK_Fh2S3rypRyJcUmM1pvpZqJ5_-umSW
+hUs1OqkdLv3xjlVzzK-3nMr0q3Zcyp4XdyLYtcX5I3Xqk9ZcsyAT7ghmHhV8KjUjue7OcfAWg0m7
+RJLGq6VC8HeK4HEMa4lF677Qh7DRufghIDEmQSIDfGA790WGSA8HqcOvAL4hURCHyCWiPa5i8ksX
+xX4HyqF8PCVCLJ_ZhzcuIlc0jStAexWbJU_vcyX7XgUaHCkF-M-zv1FP6Z3DHBMD2QqSWjmyNCCk
+8sIuwzs62P_j2o9jG33kssedCrUWOwZancU107-5H0Zw-UWvtCqUfmRZ7TsEbWY7lk_SKfLfAN5q
+ncOQgU_VxDXUFDST4LN_WVECRafK3UtwWomxWSji25Lbf6NVni3ok-yLMDZR-wrE-54jLPES9j0i
+5N0xrk9CfsvGUpUZ1_XQcgaxI6m27DtCCJXb5ywenPBiUIJCMCTq88CqNZxGpju2i4BJcUH2hUHe
+GKhO8pgslwhtEVot9EDwdzSrJkWFCfb6ud4zMxrqdi7-mLWMOydg6lhpEFEX5wu2BLIujGsZlEGE
+_K9jGfBypjXuJCKDZIuPfEnf_7idjKis_JcFB7x4Hx2HHDcBjlWWFZN_VIEnPkQSyZEC26RTFP3k
+zkY3GwUfA36a4XW2pu3gE9wz-W6fkONfzOZ6YiyCm_dRFUVuGSdJG02Hh5iXYlMOGJltPzWH2jVf
+S-QTOmXQTKSOheXoJO6O-9uQbsRf-kq-6w1pvIOp4ms35w4_0Xj0Xr2a9y-L9PdBZvrUsa-jxsZU
+LyA-YY4Ej6QwDBDTD2MGjF1E5_ekYgjoNlltM9rJjofruM4ym0n7LPHC7YXXQSEFOZYeTKi6wUDw
+hQ1DoWHgu4PQ2lexada8sxQdConbPe2iW16h-PrO5D12E4XbT00fqaMlBmjQwzdNRdCC2NRPIQ5W
+nwaO8dZ9yjxsjT7ZVHb9-DRblb3XDocponzxVXqUGtJAie4WXQnerX0ApTWGaHEr5y56JJVS_3LP
+bKrbXBXcs4jTUX4ECXRrOs8JQDQNysXhvTPCu0XUxNZpjx6KLxDs93k2OcESHjl5J6n6OKKJqqoN
+JEyFO5LGXpnmUJbn0-CaHHPRI1mHwEu4brY8wDZd9A0PD1KGXDoCHMfEk1lGblQdyOcVrXZ6uSBk
+Z6zHDnwSCHO1mPYqtelJQehZoFuPSv9PIgKLxs_qJOtZFnXII5YO1mGXgiIBWBjUFDR5HG4ENS6y
+J4MCF-JLMp-PVMAkOaCIQRRDpRnMm_fT1sc_P562Diu_pcdt-r55pMFQYGoGfjRmxQBKk0-SsdnP
+mlZIiis9DfQEN0q3QQdNRYBJD7tmhUwhAPZdLgXqJA8sZf8UyFQhhpsky79NT343YL9smUlF \ No newline at end of file
diff --git a/kubernetes/aai/charts/aai-resources/templates/configmap.yaml b/kubernetes/aai/charts/aai-resources/templates/configmap.yaml
index 001f5ead65..4fd939dbd0 100644
--- a/kubernetes/aai/charts/aai-resources/templates/configmap.yaml
+++ b/kubernetes/aai/charts/aai-resources/templates/configmap.yaml
@@ -136,3 +136,88 @@ data:
{{ tpl (.Files.Glob "resources/config/aaf/org.onap.aai.p12").AsSecrets . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/aaf/truststoreONAPall.jks").AsSecrets . | indent 2 }}
{{ tpl (.Files.Glob "resources/config/aaf/bath_config.csv").AsSecrets . | indent 2 }}
+
+{{ if .Values.global.installSidecarSecurity }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-aai-policy-configmap
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/config/auth/aai_policy.json").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-fproxy-config
+ namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/fproxy/config/*").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-fproxy-log-config
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/fproxy/config/logback-spring.xml").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.fullname" . }}-fproxy-auth-config
+ namespace: {{ include "common.namespace" . }}
+type: Opaque
+data:
+{{ tpl (.Files.Glob "resources/fproxy/config/auth/*").AsSecrets . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-rproxy-config
+ namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/rproxy/config/*").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-rproxy-log-config
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/rproxy/config/logback-spring.xml").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.fullname" . }}-rproxy-auth-config
+ namespace: {{ include "common.namespace" . }}
+type: Opaque
+data:
+{{ tpl (.Files.Glob "resources/rproxy/config/auth/*").AsSecrets . | indent 2 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.fullname" . }}-rproxy-security-config
+ namespace: {{ include "common.namespace" . }}
+type: Opaque
+data:
+{{ tpl (.Files.Glob "resources/rproxy/config/security/*").AsSecrets . | indent 2 }}
+{{ end }}
diff --git a/kubernetes/aai/charts/aai-resources/templates/deployment.yaml b/kubernetes/aai/charts/aai-resources/templates/deployment.yaml
index 4dcfa2cf9c..8d7b740276 100644
--- a/kubernetes/aai/charts/aai-resources/templates/deployment.yaml
+++ b/kubernetes/aai/charts/aai-resources/templates/deployment.yaml
@@ -419,6 +419,12 @@ spec:
spec:
hostname: aai-resources
{{ if .Values.global.initContainers.enabled }}
+ {{ if .Values.global.installSidecarSecurity }}
+ hostAliases:
+ - ip: {{ .Values.global.aaf.serverIp }}
+ hostnames:
+ - {{ .Values.global.aaf.serverHostname }}
+ {{ end }}
initContainers:
- command:
{{ if .Values.global.jobs.createSchema.enabled }}
@@ -441,6 +447,13 @@ spec:
image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
name: {{ include "common.name" . }}-readiness
+ {{ if .Values.global.installSidecarSecurity }}
+ - name: {{ .Values.global.tproxyConfig.name }}
+ image: "{{ include "common.repository" . }}/{{ .Values.global.tproxyConfig.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ securityContext:
+ privileged: true
+ {{ end }}
{{ end }}
containers:
- name: {{ include "common.name" . }}
@@ -475,6 +488,11 @@ spec:
- mountPath: /opt/app/aai-resources/resources/etc/auth/realm.properties
name: {{ include "common.fullname" . }}-realm-conf
subPath: realm.properties
+ {{ if .Values.global.installSidecarSecurity }}
+ - mountPath: /opt/app/aai-resources/resources/etc/auth/aai_policy.json
+ name: {{ include "common.fullname" . }}-aai-policy
+ subPath: aai_policy.json
+ {{ end }}
- mountPath: /opt/app/aai-resources/resources/aaf/org.onap.aai.keyfile
name: {{ include "common.fullname" . }}-aaf-certs
subPath: org.onap.aai.keyfile
@@ -548,6 +566,85 @@ spec:
name: {{ include "common.fullname" . }}-logs
- mountPath: /usr/share/filebeat/data
name: {{ include "common.fullname" . }}-filebeat
+ {{ if .Values.global.installSidecarSecurity }}
+ - name: {{ .Values.global.rproxy.name }}
+ image: "{{ include "common.repository" . }}/{{ .Values.global.rproxy.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ env:
+ - name: CONFIG_HOME
+ value: "/opt/app/rproxy/config"
+ - name: KEY_STORE_PASSWORD
+ value: {{ .Values.sidecar.keyStorePassword }}
+ - name: spring_profiles_active
+ value: {{ .Values.global.rproxy.activeSpringProfiles }}
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-rproxy-config
+ mountPath: /opt/app/rproxy/config/forward-proxy.properties
+ subPath: forward-proxy.properties
+ - name: {{ include "common.fullname" . }}-rproxy-config
+ mountPath: /opt/app/rproxy/config/primary-service.properties
+ subPath: primary-service.properties
+ - name: {{ include "common.fullname" . }}-rproxy-config
+ mountPath: /opt/app/rproxy/config/reverse-proxy.properties
+ subPath: reverse-proxy.properties
+ - name: {{ include "common.fullname" . }}-rproxy-config
+ mountPath: /opt/app/rproxy/config/cadi.properties
+ subPath: cadi.properties
+ - name: {{ include "common.fullname" . }}-rproxy-log-config
+ mountPath: /opt/app/rproxy/config/logback-spring.xml
+ subPath: logback-spring.xml
+ - name: {{ include "common.fullname" . }}-rproxy-auth-config
+ mountPath: /opt/app/rproxy/config/auth/tomcat_keystore
+ subPath: tomcat_keystore
+ - name: {{ include "common.fullname" . }}-rproxy-auth-config
+ mountPath: /opt/app/rproxy/config/auth/client-cert.p12
+ subPath: client-cert.p12
+ - name: {{ include "common.fullname" . }}-rproxy-auth-config
+ mountPath: /opt/app/rproxy/config/auth/uri-authorization.json
+ subPath: uri-authorization.json
+ - name: {{ include "common.fullname" . }}-rproxy-auth-config
+ mountPath: /opt/app/rproxy/config/auth/aaf_truststore.jks
+ subPath: aaf_truststore.jks
+ - name: {{ include "common.fullname" . }}-rproxy-security-config
+ mountPath: /opt/app/rproxy/config/security/keyfile
+ subPath: keyfile
+ - name: {{ include "common.fullname" . }}-rproxy-auth-config
+ mountPath: /opt/app/rproxy/config/auth/org.onap.aai.p12
+ subPath: org.onap.aai.p12
+ ports:
+ - containerPort: {{ .Values.global.rproxy.port }}
+
+ - name: {{ .Values.global.fproxy.name }}
+ image: "{{ include "common.repository" . }}/{{ .Values.global.fproxy.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ env:
+ - name: CONFIG_HOME
+ value: "/opt/app/fproxy/config"
+ - name: KEY_STORE_PASSWORD
+ value: {{ .Values.sidecar.keyStorePassword }}
+ - name: TRUST_STORE_PASSWORD
+ value: {{ .Values.sidecar.trustStorePassword }}
+ - name: spring_profiles_active
+ value: {{ .Values.global.fproxy.activeSpringProfiles }}
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-fproxy-config
+ mountPath: /opt/app/fproxy/config/fproxy.properties
+ subPath: fproxy.properties
+ - name: {{ include "common.fullname" . }}-fproxy-log-config
+ mountPath: /opt/app/fproxy/config/logback-spring.xml
+ subPath: logback-spring.xml
+ - name: {{ include "common.fullname" . }}-fproxy-auth-config
+ mountPath: /opt/app/fproxy/config/auth/fproxy_truststore
+ subPath: fproxy_truststore
+ - name: {{ include "common.fullname" . }}-fproxy-auth-config
+ mountPath: /opt/app/fproxy/config/auth/tomcat_keystore
+ subPath: tomcat_keystore
+ - name: {{ include "common.fullname" . }}-fproxy-auth-config
+ mountPath: /opt/app/fproxy/config/auth/client-cert.p12
+ subPath: client-cert.p12
+ ports:
+ - containerPort: {{ .Values.global.fproxy.port }}
+ {{ end }}
volumes:
- name: localtime
@@ -595,6 +692,32 @@ spec:
- key: {{ . }}
path: {{ . }}
{{ end }}
+ {{ if .Values.global.installSidecarSecurity }}
+ - name: {{ include "common.fullname" . }}-aai-policy
+ configMap:
+ name: {{ include "common.fullname" . }}-aai-policy-configmap
+ - name: {{ include "common.fullname" . }}-rproxy-config
+ configMap:
+ name: {{ include "common.fullname" . }}-rproxy-config
+ - name: {{ include "common.fullname" . }}-rproxy-log-config
+ configMap:
+ name: {{ include "common.fullname" . }}-rproxy-log-config
+ - name: {{ include "common.fullname" . }}-rproxy-auth-config
+ secret:
+ secretName: {{ include "common.fullname" . }}-rproxy-auth-config
+ - name: {{ include "common.fullname" . }}-rproxy-security-config
+ secret:
+ secretName: {{ include "common.fullname" . }}-rproxy-security-config
+ - name: {{ include "common.fullname" . }}-fproxy-config
+ configMap:
+ name: {{ include "common.fullname" . }}-fproxy-config
+ - name: {{ include "common.fullname" . }}-fproxy-log-config
+ configMap:
+ name: {{ include "common.fullname" . }}-fproxy-log-config
+ - name: {{ include "common.fullname" . }}-fproxy-auth-config
+ secret:
+ secretName: {{ include "common.fullname" . }}-fproxy-auth-config
+ {{ end }}
restartPolicy: {{ .Values.restartPolicy }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/aai/charts/aai-resources/values.yaml b/kubernetes/aai/charts/aai-resources/values.yaml
index d7813ead11..3fd5a89a98 100644
--- a/kubernetes/aai/charts/aai-resources/values.yaml
+++ b/kubernetes/aai/charts/aai-resources/values.yaml
@@ -68,6 +68,11 @@ readiness:
initialDelaySeconds: 60
periodSeconds: 10
+# application configuration
+sidecar:
+ keyStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
+ keyManagerPassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
+ trustStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
service:
type: ClusterIP
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
new file mode 100644
index 0000000000..1c82050db0
--- /dev/null
+++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
@@ -0,0 +1,138 @@
+# Copyright © 2018 Amdocs, Bell Canada, AT&T
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+global
+ log /dev/log local0
+ stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
+ stats timeout 30s
+ user root
+ group root
+ daemon
+ #################################
+ # Default SSL material locations#
+ #################################
+ ca-base /etc/ssl/certs
+ crt-base /etc/ssl/private
+
+ # Default ciphers to use on SSL-enabled listening sockets.
+ # For more information, see ciphers(1SSL). This list is from:
+ # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ # An alternative list with additional directives can be obtained from
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+ tune.ssl.default-dh-param 2048
+
+defaults
+ log global
+ mode http
+ option httplog
+ option ssl-hello-chk
+ option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==
+ default-server init-addr none
+# option dontlognull
+# errorfile 400 /etc/haproxy/errors/400.http
+# errorfile 403 /etc/haproxy/errors/403.http
+# errorfile 408 /etc/haproxy/errors/408.http
+# errorfile 500 /etc/haproxy/errors/500.http
+# errorfile 502 /etc/haproxy/errors/502.http
+# errorfile 503 /etc/haproxy/errors/503.http
+# errorfile 504 /etc/haproxy/errors/504.http
+
+ option http-server-close
+ option forwardfor except 127.0.0.1
+ retries 6
+ option redispatch
+ maxconn 50000
+ timeout connect 50000
+ timeout client 480000
+ timeout server 480000
+ timeout http-keep-alive 30000
+
+
+frontend IST_8443
+ mode http
+ bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
+# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+ option httplog
+ log global
+ option logasap
+ option forwardfor
+ capture request header Host len 100
+ capture response header Host len 100
+ option log-separate-errors
+ option forwardfor
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+ http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
+ http-request set-header X-AAI-SSL %[ssl_fc]
+ http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify]
+ http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn]
+ http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
+ http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn]
+ http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore]
+ http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter]
+ http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64]
+ http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)]
+ http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)]
+ http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)]
+ http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)]
+ http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
+ reqadd X-Forwarded-Proto:\ https
+ reqadd X-Forwarded-Port:\ 8443
+
+#######################
+#ACLS FOR PORT 8446####
+#######################
+
+ acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
+ acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
+ acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
+ acl is_named-query path_beg -i /aai/search/named-query
+ acl is_search-model path_beg -i /aai/search/model
+ use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model
+
+ default_backend IST_Default_8447
+
+
+#######################
+#DEFAULT BACKEND 847###
+#######################
+
+backend IST_Default_8447
+ balance roundrobin
+ http-request set-header X-Forwarded-Port %[src_port]
+ http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+ server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
+
+
+#######################
+# BACKEND 8446#########
+#######################
+
+backend IST_AAI_8446
+ balance roundrobin
+ http-request set-header X-Forwarded-Port %[src_port]
+ http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+ server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
+
+listen IST_AAI_STATS
+ mode http
+ bind *:8080
+ stats uri /stats
+ stats enable
+ stats refresh 30s
+ stats hide-version
+ stats auth admin:admin
+ stats show-legends
+ stats show-desc IST AAI APPLICATION NODES
+ stats admin if TRUE
diff --git a/kubernetes/aai/templates/configmap.yaml b/kubernetes/aai/templates/configmap.yaml
index 212f9cdc4c..a23ed5fdc7 100644
--- a/kubernetes/aai/templates/configmap.yaml
+++ b/kubernetes/aai/templates/configmap.yaml
@@ -37,7 +37,11 @@ metadata:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
data:
+{{ if .Values.global.installSidecarSecurity }}
+{{ tpl (.Files.Glob "resources/config/haproxy/haproxy-pluggable-security.cfg").AsConfig . | indent 2 }}
+{{ else }}
{{ tpl (.Files.Glob "resources/config/haproxy/haproxy.cfg").AsConfig . | indent 2 }}
+{{ end }}
---
apiVersion: v1
kind: Secret
diff --git a/kubernetes/aai/templates/deployment.yaml b/kubernetes/aai/templates/deployment.yaml
index 3f16e25ffd..1f337e4374 100644
--- a/kubernetes/aai/templates/deployment.yaml
+++ b/kubernetes/aai/templates/deployment.yaml
@@ -64,7 +64,11 @@ spec:
- mountPath: /dev/log
name: aai-service-log
- mountPath: /usr/local/etc/haproxy/haproxy.cfg
+ {{ if .Values.global.installSidecarSecurity }}
+ subPath: haproxy-pluggable-security.cfg
+ {{ else }}
subPath: haproxy.cfg
+ {{ end }}
name: haproxy-cfg
ports:
- containerPort: {{ .Values.service.internalPort }}
@@ -86,6 +90,10 @@ spec:
httpHeaders:
- name: X-FromAppId
value: OOM_ReadinessCheck
+ {{ if .Values.global.installSidecarSecurity }}
+ - name: Authorization
+ value: Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==
+ {{ end }}
- name: X-TransactionId
value: {{ uuidv4 }}
- name: Accept