From 8e9f8bda5bac4ea122f130de6a20fd3e179bb2b2 Mon Sep 17 00:00:00 2001 From: jhh Date: Fri, 10 Jul 2020 13:14:58 -0500 Subject: [POLICY] tomcat security upgrade legacy components Cert stores password support for APEX component in frankfurt (POLICY-2633). Issue-ID: POLICY-2678 Signed-off-by: jhh Change-Id: Ic7bda77f0ecc59109bc0263eeb1d7c630d326128 Signed-off-by: jhh --- kubernetes/policy/charts/brmsgw/values.yaml | 2 +- kubernetes/policy/charts/pdp/values.yaml | 2 +- .../policy-apex-pdp/resources/config/config.json | 64 ---------------------- .../policy-apex-pdp/templates/statefulset.yaml | 9 ++- .../policy/charts/policy-apex-pdp/values.yaml | 17 ++++-- kubernetes/policy/values.yaml | 2 +- 6 files changed, 21 insertions(+), 75 deletions(-) delete mode 100644 kubernetes/policy/charts/policy-apex-pdp/resources/config/config.json diff --git a/kubernetes/policy/charts/brmsgw/values.yaml b/kubernetes/policy/charts/brmsgw/values.yaml index 70a2e3e855..70bea2c028 100644 --- a/kubernetes/policy/charts/brmsgw/values.yaml +++ b/kubernetes/policy/charts/brmsgw/values.yaml @@ -56,7 +56,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-pe:1.6.4 +image: onap/policy-pe:1.6.5 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/policy/charts/pdp/values.yaml b/kubernetes/policy/charts/pdp/values.yaml index 8921eabf81..f33a736c80 100644 --- a/kubernetes/policy/charts/pdp/values.yaml +++ b/kubernetes/policy/charts/pdp/values.yaml @@ -51,7 +51,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-pe:1.6.4 +image: onap/policy-pe:1.6.5 pullPolicy: Always # flag to enable debugging - application support required 
diff --git a/kubernetes/policy/charts/policy-apex-pdp/resources/config/config.json b/kubernetes/policy/charts/policy-apex-pdp/resources/config/config.json
deleted file mode 100644
index 5df0a26596..0000000000
--- a/kubernetes/policy/charts/policy-apex-pdp/resources/config/config.json
+++ /dev/null
@@ -1,64 +0,0 @@
-# ============LICENSE_START=======================================================
-# Copyright (C) 2018 Ericsson. All rights reserved.
-# ================================================================================
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# ============LICENSE_END=========================================================
-{
- "javaProperties" : [
- ["javax.net.ssl.trustStore", "/opt/app/policy/apex-pdp/etc/ssl/policy-truststore"],
- ["javax.net.ssl.trustStorePassword", "${TRUSTSTORE_PASSWORD_BASE64}"]
- ],
- "engineServiceParameters": {
- "name": "MyApexEngine",
- "version": "0.0.1",
- "id": 45,
- "instanceCount": 4,
- "deploymentPort": 12345,
- "policyModelFileName": "examples/models/SampleDomain/SamplePolicyModelJAVASCRIPT.json",
- "engineParameters": {
- "executorParameters": {
- "JAVASCRIPT": {
- "parameterClassName": "org.onap.policy.apex.plugins.executor.javascript.JavascriptExecutorParameters"
- }
- }
- }
- },
- "eventOutputParameters": {
- "FirstProducer": {
- "carrierTechnologyParameters": {
- "carrierTechnology": "FILE",
- "parameters": {
- "standardIo": true
- }
- },
- "eventProtocolParameters": {
- "eventProtocol": "JSON"
- }
- }
- },
- "eventInputParameters": {
- "FirstConsumer": {
- "carrierTechnologyParameters": {
- "carrierTechnology": "FILE",
- "parameters": {
- "standardIo": true
- }
- },
- "eventProtocolParameters": {
- "eventProtocol": "JSON"
- }
- }
- }
-}
diff --git a/kubernetes/policy/charts/policy-apex-pdp/templates/statefulset.yaml b/kubernetes/policy/charts/policy-apex-pdp/templates/statefulset.yaml index 35f8aacb40..2e6a08c487 100644 --- a/kubernetes/policy/charts/policy-apex-pdp/templates/statefulset.yaml +++ b/kubernetes/policy/charts/policy-apex-pdp/templates/statefulset.yaml @@ -1,5 +1,6 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. +# Modifications Copyright (C) 2020 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -43,10 +44,8 @@ spec: - sh args: - -c - - "export TRUSTSTORE_PASSWORD_BASE64=`echo -n ${TRUSTSTORE_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" + - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; done" env: - - name: TRUSTSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-pass" "key" "password") | indent 10 }} - name: RESTSERVER_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "restserver-creds" "key" "login") | indent 10 }} - name: RESTSERVER_PASSWORD @@ -84,6 +83,10 @@ spec: env: - name: REPLICAS value: "{{ .Values.replicaCount }}" + - name: KEYSTORE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-pass" "key" "password") | indent 12 }} + - name: TRUSTSTORE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-pass" "key" "password") | indent 12 }} volumeMounts: - mountPath: /etc/localtime name: localtime diff --git a/kubernetes/policy/charts/policy-apex-pdp/values.yaml b/kubernetes/policy/charts/policy-apex-pdp/values.yaml index 9d52812f91..0959a77a5d 100644 
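Review bot: The init-container command kept at `@@ -43,10 +44,8 @@` still calls `envsubst` without a variable list, so with `TRUSTSTORE_PASSWORD` removed from this container's env, any file left in `/config-input` that still references `${TRUSTSTORE_PASSWORD}` or `${TRUSTSTORE_PASSWORD_BASE64}` is rendered with an empty string and no error. Only `config.json` is deleted in this commit; other templates in that directory are not visible here and should be checked for the old names. Naming the expected variables, e.g. `envsubst '${RESTSERVER_USER} ${RESTSERVER_PASSWORD}' <"${PFILE}" >"/config/${PFILE}"` (inner double quotes escaped for the YAML string, and the list extended with whatever the env entries outside the hunk provide), leaves unknown references literal so a stale one is noticed. Using `for PFILE in *` rather than iterating over `ls` output, with `${PFILE}` quoted, also avoids word-splitting on file names. The container spec starts and ends outside the hunk.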
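Review bot: The `KEYSTORE_PASSWORD` and `TRUSTSTORE_PASSWORD` entries added at `@@ -84,6 +83,10 @@` put both store passwords into the main container's environment, where every child process inherits them and anything that prints the environment (a support script, a crash report, a debug endpoint) will include them. If the image can read the passwords from files, mounting the `keystore-pass` and `truststore-pass` secrets as a read-only volume is the narrower exposure. If it needs environment variables, a comment above the two entries would record why they are here, for example `# store passwords read by the apex-pdp startup; never log the container environment`, provided that is how the image uses them; which process consumes these names is not visible in this diff. The container's env list starts and ends outside the hunk.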
--- a/kubernetes/policy/charts/policy-apex-pdp/values.yaml +++ b/kubernetes/policy/charts/policy-apex-pdp/values.yaml @@ -1,6 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2018 Ericsson. All rights reserved. # Modifications Copyright (C) 2019-2020 AT&T Intellectual Property. +# Modifications Copyright (C) 2020 Nordix Foundation. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -35,9 +36,14 @@ secrets: password: '{{ .Values.restServer.password }}' - uid: truststore-pass type: password - externalSecret: '{{ tpl (default "" .Values.truststore.passwordExternalSecret) . }}' - password: '{{ .Values.truststore.password }}' - policy: required + externalSecret: '{{ tpl (default "" .Values.certStores.trustStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.trustStorePassword }}' + passwordPolicy: required + - uid: keystore-pass + type: password + externalSecret: '{{ tpl (default "" .Values.certStores.keyStorePasswordExternalSecret) . }}' + password: '{{ .Values.certStores.keyStorePassword }}' + passwordPolicy: required ################################################################# # Application configuration defaults. @@ -55,8 +61,9 @@ debugEnabled: false restServer: user: healthcheck password: zb!XztG34 -truststore: - password: Pol1cy_0nap +certStores: + keyStorePassword: Pol1cy_0nap + trustStorePassword: Pol1cy_0nap # default number of instances replicaCount: 1 diff --git a/kubernetes/policy/values.yaml b/kubernetes/policy/values.yaml index 4de13eee2d..a136b0ad46 100644 --- a/kubernetes/policy/values.yaml +++ b/kubernetes/policy/values.yaml 
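Review bot: The `certStores` defaults added at `@@ -55,8 +61,9 @@` commit one literal, `Pol1cy_0nap`, as both `keyStorePassword` and `trustStorePassword`, so every installation that does not override them protects its key store with a value that is public in this repository. Because those defaults are non-empty, the `passwordPolicy: required` set on `truststore-pass` and `keystore-pass` at `@@ -35,9 +36,14 @@` is presumably always satisfied and never makes an operator supply their own value or use the `keyStorePasswordExternalSecret` / `trustStorePasswordExternalSecret` keys. If the defaults exist because the stores shipped in the image are protected with this value, say so next to them, e.g. `# matches the demo stores baked into the image; replace the stores and override both passwords outside a lab`. Otherwise consider leaving both unset so that the `required` policy is what enforces a deployment-specific password.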
@@ -67,7 +67,7 @@ secrets: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/policy-pe:1.6.4 +image: onap/policy-pe:1.6.5 mariadb_image: library/mariadb:10 pullPolicy: Always -- cgit 1.2.3-korg