authorSylvain Desbureaux <sylvain.desbureaux@orange.com>2019-12-17 18:57:12 +0000
committerGerrit Code Review <gerrit@onap.org>2019-12-17 18:57:12 +0000
commit4a18669124ad341e06ffec59711a477d7223c873 (patch)
treed5a9a171e72a50b2971db9e479f31936c5e332b4 /kubernetes
parent448a16ef7f4816620fb45e842a664c6e6dc65c52 (diff)
parentc80bff934c950c2ad75fe06b0abcc91502f57fdf (diff)
Merge "Secure FE communications to the workflow backend"
Diffstat (limited to 'kubernetes')
-rw-r--r--kubernetes/sdc/charts/sdc-fe/values.yaml4
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl30
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml27
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml10
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-be/values.yaml28
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-fe/templates/_helper.tpl1
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-fe/templates/deployment.yaml15
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-fe/templates/service.yaml18
-rw-r--r--kubernetes/sdc/charts/sdc-wfd-fe/values.yaml15
-rw-r--r--kubernetes/sdc/templates/secrets.yaml6
-rw-r--r--kubernetes/sdc/values.yaml4
11 files changed, 71 insertions, 87 deletions
diff --git a/kubernetes/sdc/charts/sdc-fe/values.yaml b/kubernetes/sdc/charts/sdc-fe/values.yaml
index a435b59203..c6f39f9822 100644
--- a/kubernetes/sdc/charts/sdc-fe/values.yaml
+++ b/kubernetes/sdc/charts/sdc-fe/values.yaml
@@ -38,8 +38,8 @@ config:
dcae_source_url: "https://sdc.dcae.plugin.simpledemo.onap.org:30264/dcaed/#/home"
dcae_dt_discovery_url: "https://sdc-dcae-dt:9446/dcae/#/dcae/home"
dcae_dt_source_url: "https://sdc.dcae.plugin.simpledemo.onap.org:30266/dcae/#/dcae/home"
- workflow_discovery_url: "http://sdc-wfd-fe:8080/workflows"
- workflow_source_url: "https://sdc.workflow.plugin.simpledemo.onap.org:30431/workflows/"
+ workflow_discovery_url: "https://sdc-wfd-fe:8443/workflows"
+ workflow_source_url: "https://sdc.workflow.plugin.simpledemo.onap.org:30256/workflows/"
# default number of instances
replicaCount: 1
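Review bot: `workflow_discovery_url` now hardcodes the https scheme and port 8443 of sdc-wfd-fe, but that chart exposes either 8080 or 8443 depending on its `config.isHttpsEnabled` flag, so the two values can silently drift apart. Since a values file cannot reference another chart's values, I would at least record the dependency next to the key: `# must match sdc-wfd-fe config.isHttpsEnabled and service.internalPort2`. The same applies to `workflow_source_url`, whose node port presumably derives from sdc-wfd-fe's `service.nodePort` ("56") and the global node-port prefix.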
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl b/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl
index c69fb7c81c..298a2cd673 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl
+++ b/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl
@@ -1,29 +1 @@
-{{- define "sdc-wfd-be.volumes" }}
- {{ if .Values.config.cassandraSSLEnabled }}
- - name: {{ include "common.fullname" . }}-cassandra-client-truststore
- hostPath:
- path: /etc/cassandra-client-truststore/truststore
- type: File
- {{- end }}
- {{ if .Values.config.serverSSLEnabled }}
- - name: {{ include "common.fullname" . }}-server-https-keystore
- hostPath:
- path: /config/server-https-keystore/keystore
- type: File
- {{- end }}
-{{- end }}
-
-{{- define "sdc-wfd-be.volumeMounts" }}
- {{ if .Values.config.cassandraSSLEnabled }}
- - name: {{ include "common.fullname" . }}-cassandra-client-truststore
- mountPath: /etc/cassandra-client-truststore/truststore
- subPath: truststore
- readOnly: true
- {{- end }}
- {{ if .Values.config.serverSSLEnabled }}
- - name: {{ include "common.fullname" . }}-server-https-keystore
- mountPath: /etc/server-https-keystore/keystore
- subPath: keystore
- readOnly: true
- {{- end }}
-{{- end }} \ No newline at end of file
+{{- define "wfd-be.internalPort" }}{{ if .Values.config.serverSSLEnabled }}{{ .Values.service.internalPort2 }}{{ else }}{{ .Values.service.internalPort }}{{ end }}{{- end }}
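Review bot: The new `wfd-be.internalPort` define drops the `sdc-wfd-be.` chart prefix the removed helpers used, and it carries no comment explaining that the choice is driven by `config.serverSSLEnabled`. A one-line template comment before the define, `{{/* Port the backend container listens on: internalPort2 when config.serverSSLEnabled, otherwise internalPort */}}`, would make the intent clear; the same applies to the sibling `wfd-fe.internalPort` define in sdc-wfd-fe/templates/_helper.tpl. Note also that this hunk removes the only hostPath volumes that delivered a keystore and truststore into the pod, so the new `/etc/keystore` and `/etc/truststore` paths in values.yaml must now be provided by the image itself — worth confirming and stating in the values file.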
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml
index 31ab7d5eaf..00a986f4d2 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml
@@ -53,20 +53,19 @@ spec:
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
ports:
- - containerPort: {{ .Values.service.internalPort }}
- - containerPort: {{ .Values.service.internalPort2 }}
+ - containerPort: {{ template "wfd-be.internalPort" . }}
# disable liveness probe when breakpoints set in debugger
# so K8s doesn't restart unresponsive container
{{ if .Values.liveness.enabled }}
livenessProbe:
tcpSocket:
- port: {{ .Values.service.internalPort2 }}
+ port: {{ template "wfd-be.internalPort" . }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end }}
readinessProbe:
tcpSocket:
- port: {{ .Values.service.internalPort2 }}
+ port: {{ template "wfd-be.internalPort" . }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
env:
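Review bot: The new lines use `{{ template "wfd-be.internalPort" . }}` while the surrounding file already uses `include` (e.g. `{{ include "common.repository" . }}` two lines above); `include` returns a string usable in pipelines and is the form Helm recommends, so `{{ include "wfd-be.internalPort" . }}` would keep the file consistent. The same `template` call appears in the probes in this hunk, in sdc-wfd-be/templates/service.yaml, and in the sdc-wfd-fe deployment and service templates. The enclosing container spec starts before this hunk.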
@@ -89,7 +88,8 @@ spec:
- name: CS_TRUST_STORE_PATH
value: "{{ .Values.config.cassandraTrustStorePath }}"
- name: CS_TRUST_STORE_PASSWORD
- value: "{{ .Values.config.cassandraTrustStorePassword }}"
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: cs_truststore_password}
- name: SDC_PROTOCOL
value: "{{ .Values.config.sdcProtocol }}"
- name: SDC_ENDPOINT
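Review bot: The `secretKeyRef` is written in flow style on one line (`{name: ..., key: ...}`) whereas the rest of the manifest is block YAML; expanding it to `secretKeyRef:` / `name: {{ .Release.Name }}-sdc-cs-secrets` / `key: cs_truststore_password` keeps the style uniform and diffs better. The secret name is also assembled by hand here, at the two other secretKeyRef sites below, and in the sdc-wfd-fe deployment; if the parent chart exposes a helper for the sdc-cs-secrets name, using it would avoid the subchart breaking when installed outside the sdc umbrella release. Moving these passwords out of plain `value:` fields is the right direction.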
@@ -97,7 +97,8 @@ spec:
- name: SDC_USER
value: "{{ .Values.config.sdcExternalUser }}"
- name: SDC_PASSWORD
- value: "{{ .Values.config.sdcExternalUserPassword }}"
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: wf_external_user_password}
- name: SERVER_SSL_ENABLED
value: "{{ .Values.config.serverSSLEnabled }}"
- name: SERVER_SSL_KEYSTORE_TYPE
@@ -105,10 +106,14 @@ spec:
- name: SERVER_SSL_KEYSTORE_PATH
value: "{{ .Values.config.serverSSLKeyStorePath }}"
- name: SERVER_SSL_KEY_PASSWORD
- value: "{{ .Values.config.serverSSLKeyPassword }}"
- volumeMounts:
- {{- template "sdc-wfd-be.volumeMounts" . }}
- volumes:
- {{- template "sdc-wfd-be.volumes" . }}
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: keystore_password}
+ - name: SERVER_SSL_TRUSTSTORE_TYPE
+ value: "{{ .Values.config.serverSSLTrustStoreType }}"
+ - name: SERVER_SSL_TRUSTSTORE_PATH
+ value: "{{ .Values.config.serverSSLTrustStorePath }}"
+ - name: SERVER_SSL_TRUST_PASSWORD
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: truststore_password}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
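Review bot: `SERVER_SSL_TRUST_PASSWORD` and `SERVER_SSL_KEY_PASSWORD` are now set unconditionally, while the `volumeMounts`/`volumes` for the keystore and truststore are removed entirely, so the files at `config.serverSSLKeyStorePath` and `config.serverSSLTrustStorePath` must come from the image; nothing in the chart verifies they exist before the container starts. A comment on `SERVER_SSL_KEYSTORE_PATH`, `# keystore/truststore are expected inside the image; no volume is mounted since 1.6.0`, would document that assumption. The enclosing container spec starts before this hunk.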
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml b/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml
index 14a937fe00..fee95ba42e 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml
@@ -28,13 +28,13 @@ spec:
type: {{ .Values.service.type }}
ports:
{{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.internalPort }}
+ - port: {{ template "wfd-be.internalPort" . }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName | default "http" }}
+ name: {{ .Values.service.portName }}
{{- else -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName | default "http" }}
+ - port: {{ if .Values.config.serverSslEnabled }}{{ .Values.service.externalPort2 }}{{ else }}{{ .Values.service.externalPort }}{{ end }}
+ targetPort: {{ template "wfd-be.internalPort" . }}
+ name: {{ .Values.service.portName }}
{{- end}}
selector:
app: {{ include "common.name" . }}
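Review bot: The line `- port: {{ if .Values.config.serverSslEnabled }}...` tests `serverSslEnabled`, but the value defined in sdc-wfd-be/values.yaml and used by the helper and the deployment is `serverSSLEnabled`; the undefined key evaluates as false, so a non-NodePort service would expose `externalPort` (8080) while `targetPort` resolves to 8443 through the helper. Change it to `{{ if .Values.config.serverSSLEnabled }}`. Since the same port-selection expression is repeated in sdc-wfd-fe/templates/service.yaml, an `externalPort` helper next to `wfd-be.internalPort` would keep the logic in one place and prevent this kind of typo.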
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/values.yaml b/kubernetes/sdc/charts/sdc-wfd-be/values.yaml
index 92903ba96a..68f487674d 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/values.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-be/values.yaml
@@ -28,13 +28,10 @@ global:
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/workflow-backend:1.5.2
-configInitImage: onap/workflow-init:1.5.2
+image: onap/workflow-backend:1.6.0
+configInitImage: onap/workflow-init:1.6.0
pullPolicy: Always
-# flag to enable debugging - application support required
-debugEnabled: false
-
initJob:
enabled: true
@@ -43,17 +40,21 @@ config:
cassandraAuthenticationEnabled: true
cassandraThriftClientPort: 9160
cassandraClientPort: 9042
+
sdcProtocol: HTTPS
sdcEndpoint: sdc-be:8443
sdcExternalUser: workflow
- sdcExternalUserPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
- serverSSLEnabled: false
+
+ serverSSLEnabled: true
+
serverSSLKeyStoreType: jks
- serverSSLKeyStorePath: etc/org.onap.sdc.p12
- serverSSLKeyPassword: "!ppJ.JvWn0hGh)oVF]([Kv)^"
+ serverSSLKeyStorePath: /etc/keystore
+
+ serverSSLTrustStoreType: jks
+ serverSSLTrustStorePath: /etc/truststore
+
cassandraSSLEnabled: false
- cassandraTrustStorePath: /etc/cassandra-client-truststore/truststore
- cassandraTrustStorePassword: password
+ cassandraTrustStorePath: /etc/truststore
# default number of instances
replicaCount: 1
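Review bot: `cassandraTrustStorePath` is changed to `/etc/truststore`, the same path as the new `serverSSLTrustStorePath`, while `cassandraSSLEnabled` stays `false`; if the Cassandra client truststore and the server truststore are really the same file a comment should say so, otherwise the Cassandra path looks accidental. `serverSSLEnabled: true` is now the default and the ports, probes and service all key on it, so a short comment next to the flag, `# switches the backend to HTTPS on service.internalPort2 (ports, probes and service follow)`, would help operators find what the toggle affects.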
@@ -76,12 +77,13 @@ readiness:
service:
type: NodePort
+ portName: sdc-wfd-be
internalPort: 8080
externalPort: 8080
internalPort2: 8443
externalPort2: 8443
- portName: sdc-wfd-be
- nodePort: "57"
+ nodePort: "57" # only one node port. set to http or https port depending on isHttpsEnabled property
+
ingress:
enabled: false
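Review bot: The new inline comment on `nodePort` says the port depends on the `isHttpsEnabled` property, but this chart's flag is `config.serverSSLEnabled` (`isHttpsEnabled` belongs to sdc-wfd-fe). Change it to `nodePort: "57" # only one node port; maps to internalPort or internalPort2 depending on config.serverSSLEnabled`.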
diff --git a/kubernetes/sdc/charts/sdc-wfd-fe/templates/_helper.tpl b/kubernetes/sdc/charts/sdc-wfd-fe/templates/_helper.tpl
new file mode 100644
index 0000000000..546bab7ddf
--- /dev/null
+++ b/kubernetes/sdc/charts/sdc-wfd-fe/templates/_helper.tpl
@@ -0,0 +1 @@
+{{- define "wfd-fe.internalPort" }}{{ if .Values.config.isHttpsEnabled }}{{ .Values.service.internalPort2 }}{{ else }}{{ .Values.service.internalPort }}{{ end }}{{- end }}
diff --git a/kubernetes/sdc/charts/sdc-wfd-fe/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-wfd-fe/templates/deployment.yaml
index 1daee714b6..08ecaa6daa 100644
--- a/kubernetes/sdc/charts/sdc-wfd-fe/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-fe/templates/deployment.yaml
@@ -50,18 +50,17 @@ spec:
image: "{{ include "common.repository" . }}/{{ .Values.image }}"
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
ports:
- - containerPort: {{ .Values.service.internalPort }}
- - containerPort: {{ .Values.service.internalPort2 }}
+ - containerPort: {{ template "wfd-fe.internalPort" . }}
{{ if .Values.liveness.enabled }}
livenessProbe:
tcpSocket:
- port: {{ .Values.service.internalPort }}
+ port: {{ template "wfd-fe.internalPort" . }}
initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
periodSeconds: {{ .Values.liveness.periodSeconds }}
{{ end }}
readinessProbe:
tcpSocket:
- port: {{ .Values.service.internalPort }}
+ port: {{ template "wfd-fe.internalPort" . }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
env:
@@ -75,13 +74,17 @@ spec:
value: "{{ .Values.config.isHttpsEnabled}}"
{{ if and .Values.config.isHttpsEnabled (eq .Values.security.isDefaultStore false) }}
- name: KEYSTORE_PASS
- value: "{{ .Values.security.keystorePass}}"
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: keystore_password}
- name: TRUSTSTORE_PASS
- value: "{{ .Values.security.truststorePass}}"
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: truststore_password}
- name: TRUSTSTORE_PATH
value: "{{ .Values.security.storePath }}/{{ .Values.security.truststoreFilename }}"
- name: KEYSTORE_PATH
value: "{{ .Values.security.storePath }}/{{ .Values.security.keystoreFilename }}"
+ - name: TRUST_ALL
+ value: "{{ .Values.config.isTrustAll}}"
{{ end }}
volumeMounts:
- name: {{ include "common.fullname" . }}-localtime
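Review bot: `TRUST_ALL` is only emitted inside the `{{ if and .Values.config.isHttpsEnabled (eq .Values.security.isDefaultStore false) }}` block, so with the default store the variable is never set and the frontend falls back to whatever the image assumes, which the chart does not document. If the flag is meant to be honoured in both cases, move the two lines after the `{{ end }}`; either way a comment stating the behaviour when `TRUST_ALL` is absent is needed. `value: "{{ .Values.config.isTrustAll}}"` also omits the space before `}}`, matching the `isHttpsEnabled` line above but not the rest of the file. The enclosing container spec starts before this hunk.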
diff --git a/kubernetes/sdc/charts/sdc-wfd-fe/templates/service.yaml b/kubernetes/sdc/charts/sdc-wfd-fe/templates/service.yaml
index 87ca3607d7..d8a105513a 100644
--- a/kubernetes/sdc/charts/sdc-wfd-fe/templates/service.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-fe/templates/service.yaml
@@ -29,7 +29,7 @@ metadata:
"version": "v1",
"url": "/",
"protocol": "UI",
- "port": "{{ .Values.service.internalPort }}",
+ "port": "{{ .Values.service.internalPort2 }}",
"visualRange":"0|1"
}
]'
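Review bot: The MSB annotation now hardcodes `"port": "{{ .Values.service.internalPort2 }}"` while every other port in this chart is selected through `wfd-fe.internalPort`, so with `isHttpsEnabled: false` the annotation would advertise 8443 although the container listens on 8080. Use the same helper: `"port": "{{ template "wfd-fe.internalPort" . }}",`. The annotation block starts before this hunk.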
@@ -37,19 +37,13 @@ spec:
type: {{ .Values.service.type }}
ports:
{{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.internalPort }}
+ - port: {{ template "wfd-fe.internalPort" . }}
nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName | default "http" }}
- - port: {{ .Values.service.internalPort2 }}
- nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort2 }}
- name: {{ .Values.service.portName2 | default "https" }}
+ name: {{ .Values.service.portName }}
{{- else -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName | default "http" }}
- - port: {{ .Values.service.externalPort2 }}
- targetPort: {{ .Values.service.internalPort2 }}
- name: {{ .Values.service.portName2 | default "https" }}
+ - port: {{ if .Values.config.isHttpsEnabled }}{{ .Values.service.externalPort2 }}{{ else }}{{ .Values.service.externalPort }}{{ end }}
+ targetPort: {{ template "wfd-fe.internalPort" . }}
+ name: {{ .Values.service.portName }}
{{- end}}
selector:
app: {{ include "common.name" . }}
diff --git a/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml b/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml
index 4de1b20249..fc30297885 100644
--- a/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml
@@ -28,7 +28,7 @@ global:
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/workflow-frontend:1.5.2
+image: onap/workflow-frontend:1.6.0
pullPolicy: Always
# flag to enable debugging - application support required
@@ -36,16 +36,15 @@ debugEnabled: false
config:
javaOptions: "-Xmx256m -Xms256m"
- backendServerURL: "http://sdc-wfd-be:8080"
+ backendServerURL: "https://sdc-wfd-be:8443"
isHttpsEnabled: true
-
+ # following flag decides whether to check the certificate on the outgoing proxy request or whether to trust all parties
+ isTrustAll: true
# https relevant settings. Change in case you have other trust files then default ones.
security:
isDefaultStore: false
truststoreFilename: "org.onap.sdc.trust.jks"
keystoreFilename: "org.onap.sdc.p12"
- keystorePass: "!ppJ.JvWn0hGh)oVF]([Kv)^"
- truststorePass: "].][xgtze]hBhz*wy]}m#lf*"
storePath: "etc"
# default number of instances
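Review bot: `isTrustAll: true` as the default means the frontend's proxy to `backendServerURL` accepts any server certificate, which removes the server-authentication half of the TLS this commit sets out to add; the chart already ships a truststore (`security.truststoreFilename`, `isDefaultStore: false`), so `false` is the safer default and `true` should be an explicit opt-in for test setups. I would also reword the comment to `# when true the proxy skips certificate validation of the backend (test only); when false it validates against truststoreFilename`. Removing `keystorePass`/`truststorePass` from this file in favour of the sdc-cs-secrets Secret is the right move.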
@@ -71,12 +70,10 @@ service:
type: NodePort
internalPort: 8080
externalPort: 8080
- portName: sdc-wfd-fe
- nodePort: "56"
- portName2: sdc-wfd-fe2
internalPort2: 8443
externalPort2: 8443
- nodePort2: "31"
+ portName: sdc-wfd-fe
+ nodePort: "56" # only one node port. set to http or https port depending on isHttpsEnabled property
ingress:
enabled: false
diff --git a/kubernetes/sdc/templates/secrets.yaml b/kubernetes/sdc/templates/secrets.yaml
index b3470e2ea2..1f59ab27c1 100644
--- a/kubernetes/sdc/templates/secrets.yaml
+++ b/kubernetes/sdc/templates/secrets.yaml
@@ -30,3 +30,9 @@ data:
sdc_password: "{{ .Values.global.secrets.sdc_password }}"
#default user:
cs_password: "{{ .Values.global.secrets.cs_password }}"
+ cs_truststore_password: "{{ .Values.global.secrets.cs_truststore_password }}"
+ # ssl - stores
+ truststore_password: "{{ .Values.global.secrets.truststore_password }}"
+ keystore_password: "{{ .Values.global.secrets.keystore_password }}"
+ # workflow
+ wf_external_user_password: "{{ .Values.global.secrets.wf_external_user_password }}" \ No newline at end of file
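Review bot: The four new entries are copied into `data:` verbatim, which only works because the values are already base64-encoded in kubernetes/sdc/values.yaml, unlike a `stringData:` entry or a `| b64enc` pipeline; the `# ssl - stores` comment does not say that. Make the contract explicit, e.g. `# values under global.secrets must be base64-encoded (data:, not stringData:)`, and add the trailing newline the diff reports as missing.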
diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml
index cafa59ad77..a7006bc56c 100644
--- a/kubernetes/sdc/values.yaml
+++ b/kubernetes/sdc/values.yaml
@@ -22,6 +22,10 @@ global:
sdc_password: QWExMjM0JV4h
#Should be the password of shared cassandra instance/chart
cs_password: Y2Fzc2FuZHJh
+ cs_truststore_password: XS5dW3hndHplXWhCaHoqd3ldfW0jbGYq
+ truststore_password: XS5dW3hndHplXWhCaHoqd3ldfW0jbGYq
+ keystore_password: IXBwSi5KdlduMGhHaClvVkZdKFtLdile
+ wf_external_user_password: S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==
ubuntuInitRepository: oomk8s
ubuntuInitImage: ubuntu-init:1.0.0
cassandra:
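Review bot: These are the same default passwords that previously sat in plain text in the sub-charts' values files, now base64-encoded in a committed values file; base64 is an encoding, not protection, so the defaults are still published with the chart and should be overridden per deployment, which a comment next to `global.secrets` should state. `cs_truststore_password` and `truststore_password` are given the identical value, which also changes the backend's `CS_TRUST_STORE_PASSWORD` from the former `password` default; if the Cassandra client truststore is a separate file, its password should be its own value.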