diff options
author | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2021-03-08 16:52:20 +0000 |
---|---|---|
committer | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2021-04-04 07:42:24 +0000 |
commit | 375d0eaa1368368df3c2b9512d9ac8ee6056c63d (patch) | |
tree | 35e6c2dbbe78cb8ba714eb03038ec10e3948894a /kubernetes | |
parent | 333281b85d86c356ab0f09caab82890fce0442fb (diff) |
[AAI][SPARKY] Automatically retrieve certs
Instead of using hardcoded certificates, use certInitializer in order to
retrieve them automatically.
Issue-ID: OOM-2683
Change-Id: I1bd3fe575c1d3450905bdc5876b442fdb43660a9
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Diffstat (limited to 'kubernetes')
18 files changed, 316 insertions, 105 deletions
diff --git a/kubernetes/aai/components/aai-sparky-be/requirements.yaml b/kubernetes/aai/components/aai-sparky-be/requirements.yaml index cf22720435..f9ba1c1fb7 100644 --- a/kubernetes/aai/components/aai-sparky-be/requirements.yaml +++ b/kubernetes/aai/components/aai-sparky-be/requirements.yaml @@ -21,6 +21,9 @@ dependencies: # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' + - name: certInitializer + version: ~8.x-0 + repository: '@local' - name: repositoryGenerator version: ~8.x-0 repository: '@local' diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application-oxm-default.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-default.properties index 084f6e46bc..084f6e46bc 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application-oxm-default.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-default.properties diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application-oxm-override.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-override.properties index 4465fb3e11..4465fb3e11 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application-oxm-override.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-override.properties diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application-oxm-schema-prod.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties index 094c815744..fe8bd16fa1 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application-oxm-schema-prod.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-oxm-schema-prod.properties @@ -15,14 +15,14 @@ */}} oxm.schemaNodeDir=/opt/app/sparky/onap/oxm -#schemaServiceTranslator is used to define whether to retreive the oxm from schema service microservice or read from the disk, possible values are schema-service/config +#schemaServiceTranslator is used to define whether to retreive the oxm from schema service microservice or read from the disk, possible values are schema-service/config oxm.schemaServiceTranslatorList=config # The end point for onap is https://<hostname>:<port>/onap/schema-service/v1/ oxm.schemaServiceBaseUrl=https://<schema-service/config>/aai/schema-service/v1/ -oxm.schemaServiceKeystore=file:${CONFIG_HOME}/auth/aai-client-cert.p12 -oxm.schemaServiceTruststore=file:${CONFIG_HOME}/auth/tomcat_keystore -oxm.schemaServiceKeystorePassword=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o -oxm.schemaServiceTruststorePassword=OBF:1i9a1u2a1unz1lr61wn51wn11lss1unz1u301i6o +oxm.schemaServiceKeystore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 +oxm.schemaServiceTruststore=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks +oxm.schemaServiceKeystorePassword=${KEYSTORE_PASSWORD} +oxm.schemaServiceTruststorePassword=${TRUSTSTORE_PASSWORD} diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application-resources.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties index 59c0349b06..3c6bd4e1ad 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application-resources.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-resources.properties @@ -19,4 +19,7 @@ resources.port=8443 resources.authType=SSL_BASIC resources.basicAuthUserName=aai@aai.onap.org resources.basicAuthPassword=1fia1ju61l871lfe18xp18xr18xt1lc41l531jrk1fek -resources.trust-store=tomcat_keystore +resources.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks +resources.trust-store-password=${TRUSTSTORE_PASSWORD} +resources.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 +resources.client-cert-password=${KEYSTORE_PASSWORD} diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application-ssl.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties index 4db6c0a374..2e2351ad95 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application-ssl.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-ssl.properties @@ -13,8 +13,8 @@ # limitations under the License. server.port=8000 -server.ssl.key-store=file:${CONFIG_HOME}/auth/org.onap.aai.p12 -server.ssl.key-store-password=OBF:1xfz1qie1jf81b3s1ir91tag1h381cvr1kze1zli16kj1b301b4y16kb1zm01kzo1cw71gze1t9y1ivd1b461je21qiw1xf3 +server.ssl.key-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 +server.ssl.key-store-password=${KEYSTORE_PASSWORD} server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 -server.ssl.trust-store=file:${CONFIG_HOME}/auth/truststoreONAPall.jks -server.ssl.trust-store-password=OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 +server.ssl.trust-store=file:{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks +server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD} diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application-sync.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-sync.properties index 4fb10a21f7..4fb10a21f7 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application-sync.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application-sync.properties diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties index 1269f25355..120f8ac114 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/application.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/application.properties @@ -25,11 +25,11 @@ spring.mvc.favicon.enabled=false spring.profiles.active=camel,ssl,fe-prod,oxm-schema-prod,oxm-default,resources,aai-proxy portal.cadiFileLocation={{.Values.config.cadiFileLocation}} -portal.cadiFileLocation={{.Values.config.cadiFileLocation}} searchservice.hostname={{.Values.global.searchData.serviceName}} searchservice.port=9509 -searchservice.client-cert=client-cert-onap.p12 -searchservice.client-cert-password=1xfz1qie1jf81b3s1ir91tag1h381cvr1kze1zli16kj1b301b4y16kb1zm01kzo1cw71gze1t9y1ivd1b461je21qiw1xf3 -searchservice.truststore=tomcat_keystore +searchservice.client-cert={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 +searchservice.client-cert-password=${KEYSTORE_PASSWORD} +searchservice.truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks +searchservice.truststore-password=${TRUSTSTORE_PASSWORD} schema.ingest.file=${CONFIG_HOME}/schemaIngest.properties diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/application/logback.xml b/kubernetes/aai/components/aai-sparky-be/resources/config/application/logback.xml new file mode 100644 index 0000000000..cd5338f5b3 --- /dev/null +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/logback.xml @@ -0,0 +1,187 @@ +<configuration scan="true" scanPeriod="3 seconds" debug="false"> + <!--{{/* + # Copyright © 2018 AT&T + # Copyright © 2021 Orange + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. + */}}--> + <!--<jmxConfigurator /> --> + <!-- directory path for all other type logs --> + + <property name="logDir" value="/var/log/onap" /> + + <!-- <ECOMP-component-name>::= "MSO" | "DCAE" | "ASDC " | "AAI" |"Policy" + | "SDNC" | "AC" --> + <property name="componentName" value="AAI-UI"></property> + + <!-- default eelf log file names --> + <property name="generalLogName" value="error" /> + <property name="metricsLogName" value="metrics" /> + <property name="auditLogName" value="audit" /> + <property name="debugLogName" value="debug" /> + + <property name="errorLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|AAIUI|%mdc{PartnerName}|%logger|%.-5level|%msg%n" /> + <property name="auditMetricPattern" value="%m%n" /> + + <property name="logDirectory" value="${logDir}/${componentName}" /> + + + <!-- Example evaluator filter applied against console appender --> + <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender"> + <encoder> + <pattern>${errorLogPattern}</pattern> + </encoder> + </appender> + + <!-- ============================================================================ --> + <!-- EELF Appenders --> + <!-- ============================================================================ --> + + <!-- The EELFAppender is used to record events to the general application + log --> + + <appender name="EELF" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${generalLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip +</fileNamePattern> + <maxHistory>60</maxHistory> + </rollingPolicy> + <encoder> + <pattern>${errorLogPattern}</pattern> + </encoder> + </appender> + <appender name="asyncEELF" class="ch.qos.logback.classic.AsyncAppender"> + <!-- deny all events with a level below INFO, that is TRACE and DEBUG --> + <filter class="ch.qos.logback.classic.filter.ThresholdFilter"> + <level>INFO</level> + </filter> + <queueSize>256</queueSize> + <appender-ref ref="EELF" /> + </appender> + + + <!-- EELF Audit Appender. This appender is used to record audit engine related + logging events. The audit logger and appender are specializations of the + EELF application root logger and appender. This can be used to segregate + Policy engine events from other components, or it can be eliminated to record + these events as part of the application root log. --> + + <appender name="EELFAudit" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${auditLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip +</fileNamePattern> + <maxHistory>60</maxHistory> + </rollingPolicy> + <encoder> + <pattern>${auditMetricPattern}</pattern> + </encoder> + </appender> + <appender name="asyncEELFAudit" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFAudit" /> + </appender> + + <appender name="EELFMetrics" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${metricsLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip +</fileNamePattern> + <maxHistory>60</maxHistory> + </rollingPolicy> + <encoder> + <!-- <pattern>"%d{HH:mm:ss.SSS} [%thread] %-5level %logger{1024} - %msg%n"</pattern> --> + <pattern>${auditMetricPattern}</pattern> + </encoder> + </appender> + + + <appender name="asyncEELFMetrics" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFMetrics" /> + </appender> + + <appender name="EELFDebug" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <file>${logDirectory}/${debugLogName}.log</file> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip +</fileNamePattern> + <maxHistory>60</maxHistory> + </rollingPolicy> + <encoder> + <pattern>${errorLogPattern}</pattern> + </encoder> + </appender> + + <appender name="asyncEELFDebug" class="ch.qos.logback.classic.AsyncAppender"> + <queueSize>256</queueSize> + <appender-ref ref="EELFDebug" /> + <includeCallerData>false</includeCallerData> + </appender> + + <!-- ============================================================================ --> + <!-- EELF loggers --> + <!-- ============================================================================ --> + <logger name="com.att.eelf" level="info" additivity="false"> + <appender-ref ref="asyncEELF" /> + <appender-ref ref="asyncEELFDebug" /> + <appender-ref ref="STDOUT" /> + </logger> + + <logger name="com.att.eelf.audit" level="info" additivity="false"> + <appender-ref ref="asyncEELFAudit" /> + </logger> + <logger name="com.att.eelf.metrics" level="info" additivity="false"> + <appender-ref ref="asyncEELFMetrics" /> + </logger> + + <!-- Spring related loggers --> + <logger name="org.springframework" level="WARN" /> + <logger name="org.springframework.beans" level="WARN" /> + <logger name="org.springframework.web" level="WARN" /> + <logger name="com.blog.spring.jms" level="WARN" /> + + <!-- Sparky loggers --> + <logger name="org.onap" level="INFO"> + <appender-ref ref="STDOUT" /> + </logger> + + <!-- Other Loggers that may help troubleshoot --> + <logger name="net.sf" level="WARN" /> + <logger name="org.apache.commons.httpclient" level="WARN" /> + <logger name="org.apache.commons" level="WARN" /> + <logger name="org.apache.coyote" level="WARN" /> + <logger name="org.apache.jasper" level="WARN" /> + + <!-- Camel Related Loggers (including restlet/servlet/jaxrs/cxf logging. + May aid in troubleshooting) --> + <logger name="org.apache.camel" level="WARN" /> + <logger name="org.apache.cxf" level="WARN" /> + <logger name="org.apache.camel.processor.interceptor" level="WARN" /> + <logger name="org.apache.cxf.jaxrs.interceptor" level="WARN" /> + <logger name="org.apache.cxf.service" level="WARN" /> + <logger name="org.restlet" level="WARN" /> + <logger name="org.apache.camel.component.restlet" level="WARN" /> + + <!-- logback internals logging --> + <logger name="ch.qos.logback.classic" level="WARN" /> + <logger name="ch.qos.logback.core" level="WARN" /> + + <root> + <appender-ref ref="asyncEELF" /> + <appender-ref ref="STDOUT" /> + <!-- <appender-ref ref="asyncEELFDebug" /> --> + </root> + +</configuration>
\ No newline at end of file diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/roles.config b/kubernetes/aai/components/aai-sparky-be/resources/config/application/roles.config index df41395058..df41395058 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/roles.config +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/roles.config diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/users.config b/kubernetes/aai/components/aai-sparky-be/resources/config/application/users.config index ce69e88918..ce69e88918 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/users.config +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/application/users.config diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/auth/client-cert-onap.p12 b/kubernetes/aai/components/aai-sparky-be/resources/config/auth/client-cert-onap.p12 Binary files differdeleted file mode 100644 index 2601acf88a..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/auth/client-cert-onap.p12 +++ /dev/null diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/auth/org.onap.aai.p12 b/kubernetes/aai/components/aai-sparky-be/resources/config/auth/org.onap.aai.p12 Binary files differdeleted file mode 100644 index 2601acf88a..0000000000 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/auth/org.onap.aai.p12 +++ /dev/null diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties index 2592e5ca7c..7a0fb8250b 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/BOOT-INF/classes/portal.properties @@ -46,4 +46,4 @@ ext_req_connection_timeout=15000 ext_req_read_timeout=20000 #Add AAF namespace if the app is centralized -auth_namespace={{.Values.config.aafNamespace}} +auth_namespace={{ .Values.certInitializer.fqi_namespace }} diff --git a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties index 1f154b6101..baefd9806b 100644 --- a/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties +++ b/kubernetes/aai/components/aai-sparky-be/resources/config/portal/cadi.properties @@ -6,14 +6,18 @@ aaf_url=<%=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1 # AAF Environment Designation #if you are running aaf service from a docker image you have to use aaf service IP and port number -aaf_id={{.Values.config.aafUsername}} +aaf_id={{ .Values.certInitializer.fqi }} #Encrypt the password using AAF Jar -aaf_password={{.Values.config.aafPassword}} +aaf_password={{ .Values.certInitializer.aafDeployPass }} # Sample CADI Properties, from CADI 1.4.2 #hostname=org.onap.aai.orr csp_domain=PROD # Add Absolute path to Keyfile -cadi_keyfile={{.Values.config.cadiKeyFile}} +cadi_keyfile={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.keyfile +cadi_keystore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 +cadi_keystore_password=${KEYSTORE_PASSWORD} + +cadi_alias={{ .Values.certInitializer.fqi }} # This is required to accept Certificate Authentication from Certman certificates. # can be TEST, IST or PROD @@ -23,9 +27,9 @@ aaf_env=DEV cadi_loglevel=DEBUG # Add Absolute path to truststore2018.jks -cadi_truststore={{.Values.config.cadiTrustStore}} +cadi_truststore={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks # Note: This is the ONLY password that doesn't have to be encrypted. All Java's TrustStores are this passcode by default, because they are public certs -cadi_truststore_password={{.Values.config.cadiTrustStorePassword}} +cadi_truststore_password=${TRUSTSTORE_PASSWORD} # how to turn on SSL Logging #javax.net.debug=ssl diff --git a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml index 162e96b0dc..fee07d8acf 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/configmap.yaml @@ -14,25 +14,6 @@ # limitations under the License. */}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "common.fullname" . }}-prop - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -data: -{{ tpl (.Files.Glob "resources/config/application.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/application-resources.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/application-ssl.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/application-oxm-default.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/application-oxm-override.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/application-oxm-schema-prod.properties").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/roles.config").AsConfig . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/users.config").AsConfig . | indent 2 }} --- apiVersion: v1 kind: ConfigMap @@ -45,7 +26,7 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} data: -{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} +{{ tpl (.Files.Glob "resources/config/application/*").AsConfig . | indent 2 }} --- apiVersion: v1 kind: ConfigMap diff --git a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml index 6e74526ddc..45ff270047 100644 --- a/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-sparky-be/templates/deployment.yaml @@ -38,7 +38,34 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.name" . }} spec: - initContainers: + initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} + - command: + - sh + args: + - -c + - | + echo "*** retrieve Truststore and Keystore password" + export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop \ + | xargs -0) + if [ -z "$KEYSTORE_PASSWORD" ] + then + echo " /!\ certificates retrieval failed" + exit 1 + fi + echo "*** write them in portal part" + cd /config-input + for PFILE in `ls -1 .` + do + envsubst <${PFILE} >/config/${PFILE} + done + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + - mountPath: /config-input + name: portal-config-input + - mountPath: /config + name: portal-config + image: {{ include "repositoryGenerator.image.envsubst" . }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + name: {{ include "common.name" . }}-update-config - command: - /app/ready.py args: @@ -57,68 +84,56 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - - volumeMounts: + command: + - sh + args: + - -c + - | + echo "*** retrieve Truststore and Keystore password" + export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop \ + | xargs -0) + echo "*** actual launch of AAI Sparky BE" + /opt/app/sparky/bin/start.sh + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - mountPath: /etc/localtime name: localtime readOnly: true - - mountPath: /opt/app/sparky/config/auth/client-cert-onap.p12 - name: {{ include "common.fullname" . }}-auth-config - subPath: client-cert-onap.p12 - - mountPath: /opt/app/sparky/config/auth/csp-cookie-filter.properties - name: {{ include "common.fullname" . }}-auth-config + name: auth-config subPath: csp-cookie-filter.properties - - - mountPath: /opt/app/sparky/config/auth/org.onap.aai.p12 - name: {{ include "common.fullname" . }}-auth-config - subPath: org.onap.aai.p12 - - - mountPath: /opt/app/sparky/config/auth/truststoreONAPall.jks - name: aai-common-aai-auth-mount - subPath: truststoreONAPall.jks - - mountPath: /opt/app/sparky/config/portal/ - name: {{ include "common.fullname" . }}-portal-config - + name: portal-config - mountPath: /opt/app/sparky/config/portal/BOOT-INF/classes/ - name: {{ include "common.fullname" . }}-portal-config-props - + name: portal-config-props - mountPath: /var/log/onap - name: {{ include "common.fullname" . }}-logs - + name: logs - mountPath: /opt/app/sparky/config/application.properties - name: {{ include "common.fullname" . }}-properties + name: config subPath: application.properties - - mountPath: /opt/app/sparky/config/application-resources.properties - name: {{ include "common.fullname" . }}-properties + name: config subPath: application-resources.properties - - mountPath: /opt/app/sparky/config/application-ssl.properties - name: {{ include "common.fullname" . }}-properties + name: config subPath: application-ssl.properties - - mountPath: /opt/app/sparky/config/application-oxm-default.properties - name: {{ include "common.fullname" . }}-properties + name: config subPath: application-oxm-default.properties - - mountPath: /opt/app/sparky/config/application-oxm-override.properties - name: {{ include "common.fullname" . }}-properties + name: config subPath: application-oxm-override.properties - - mountPath: /opt/app/sparky/config/application-oxm-schema-prod.properties - name: {{ include "common.fullname" . }}-properties + name: config subPath: application-oxm-schema-prod.properties - - mountPath: /opt/app/sparky/config/roles.config - name: {{ include "common.fullname" . }}-properties + name: config subPath: roles.config - - mountPath: /opt/app/sparky/config/users.config - name: {{ include "common.fullname" . }}-properties + name: config subPath: users.config - + - mountPath: /opt/app/sparky/config/logging/logback.xml + name: config + subPath: logback.xml ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger @@ -155,45 +170,35 @@ spec: subPath: filebeat.yml name: filebeat-conf - mountPath: /var/log/onap - name: {{ include "common.fullname" . }}-logs + name: logs - mountPath: /usr/share/filebeat/data name: aai-sparky-filebeat resources: {{ include "common.resources" . }} - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - name: localtime hostPath: path: /etc/localtime - - - name: {{ include "common.fullname" . }}-properties - configMap: - name: {{ include "common.fullname" . }}-prop - - - name: {{ include "common.fullname" . }}-config + - name: config configMap: name: {{ include "common.fullname" . }} - - - name: {{ include "common.fullname" . }}-portal-config + - name: portal-config + emptyDir: + medium: Memory + - name: portal-config-input configMap: name: {{ include "common.fullname" . }}-portal - - - name: {{ include "common.fullname" . }}-portal-config-props + - name: portal-config-props configMap: name: {{ include "common.fullname" . }}-portal-props - - - name: {{ include "common.fullname" . }}-auth-config + - name: auth-config secret: secretName: {{ include "common.fullname" . }} - - - name: aai-common-aai-auth-mount - secret: - secretName: aai-common-aai-auth - - name: filebeat-conf configMap: name: aai-filebeat - - name: {{ include "common.fullname" . }}-logs + - name: logs emptyDir: {} - name: aai-sparky-filebeat emptyDir: {} diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml index f8de79d31a..98dca5d11d 100644 --- a/kubernetes/aai/components/aai-sparky-be/values.yaml +++ b/kubernetes/aai/components/aai-sparky-be/values.yaml @@ -27,6 +27,40 @@ global: # global defaults searchData: serviceName: aai-search-data + +################################################################# +# Certificate configuration +################################################################# +certInitializer: + nameOverride: aai-sparky-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: "aai" + app_ns: "org.osaaf.aaf" + fqi_namespace: "org.onap.aai" + fqi: "aai@aai.onap.org" + public_fqdn: "aaf.osaaf.org" + cadi_longitude: "0.0" + cadi_latitude: "0.0" + credsPath: /opt/app/osaaf/local + aaf_add_config: | + echo "*** changing passwords into shell safe ones" + export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + cd {{ .Values.credsPath }} + keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ + -storepass "${cadi_keystore_password_p12}" \ + -keystore {{ .Values.fqi_namespace }}.p12 + keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \ + -storepass "${cadi_truststore_password}" \ + -keystore {{ .Values.fqi_namespace }}.trust.jks + echo "*** save the generated passwords" + echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop + echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop + echo "*** change ownership of certificates to targeted user" + chown -R 1000 {{ .Values.credsPath }} + # application image image: onap/sparky-be:2.0.3 pullPolicy: Always @@ -44,13 +78,7 @@ config: portalPassword: OBF:1t2v1vfv1unz1vgz1t3b portalCookieName: UserId portalAppRoles: ui_view - aafUsername: aai@aai.onap.org - aafNamespace: org.onap.aai - aafPassword: enc:xxYw1FqXU5UpianbPeH5Rezg0YfjzuwQrSiLcCmJGfz - cadiKeyFile: /opt/app/sparky/config/portal/keyFile - cadiTrustStore: /opt/app/sparky/config/auth/truststoreONAPall.jks cadiFileLocation: /opt/app/sparky/config/portal/cadi.properties - cadiTrustStorePassword: changeit cookieDecryptorClass: org.onap.aai.sparky.security.BaseCookieDecryptor # ONAP Cookie Processing - During initial development, the following flag, if true, will |