From d82050c60d7cf623f28edc103784e0da2fdccb89 Mon Sep 17 00:00:00 2001
From: Sylvain Desbureaux
Date: Tue, 17 Mar 2020 10:43:40 +0100
Subject: [NBI] Use AAF init container for certificates

Onboard server certificates for HTTPs via AAF init containers.

Issue-ID: EXTAPI-375
Signed-off-by: Sylvain Desbureaux
Change-Id: Icbcf075dd2dd8588aa9f14d23974a122bde38ae7
---
 .../nbi/templates/configmap-aaf-add-config.yaml | 28 ++++++++++++++
 kubernetes/nbi/templates/deployment.yaml | 42 +++++++++++++++++----
 kubernetes/nbi/values.yaml | 44 ++++++++++++++++++----
 3 files changed, 98 insertions(+), 16 deletions(-)
 create mode 100644 kubernetes/nbi/templates/configmap-aaf-add-config.yaml

diff --git a/kubernetes/nbi/templates/configmap-aaf-add-config.yaml b/kubernetes/nbi/templates/configmap-aaf-add-config.yaml
new file mode 100644
index 0000000000..fe099b140d
--- /dev/null
+++ b/kubernetes/nbi/templates/configmap-aaf-add-config.yaml
@@ -0,0 +1,28 @@ +{{ if .Values.global.aafEnabled }} +{{/* +# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies, Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- if .Values.aafConfig.addconfig -}} +apiVersion: v1 +kind: ConfigMap +{{- $suffix := "aaf-add-config" }} +metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} +data: + aaf-add-config.sh: |- + /opt/app/aaf_config/bin/agent.sh;/opt/app/aaf_config/bin/agent.sh local showpass \ + {{.Values.aafConfig.fqi}} {{ .Values.aafConfig.fqdn }} > {{ .Values.aafConfig.credsPath }}/mycreds.prop +{{- end -}} +{{- end -}} diff --git a/kubernetes/nbi/templates/deployment.yaml b/kubernetes/nbi/templates/deployment.yaml index 528a3f7e76..3283239100 100644 --- a/kubernetes/nbi/templates/deployment.yaml +++ b/kubernetes/nbi/templates/deployment.yaml @@ -32,6 +32,9 @@ spec: release: {{ include "common.release" . }} name: {{ include "common.fullname" . }} spec: +{{- if .Values.global.aafEnabled }} + initContainers: {{ include "common.aaf-config" . | nindent 6 }} +{{- end }} containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" 
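Review bot: The generated `aaf-add-config.sh` chains the two agent.sh invocations with `;`, so a failure of the first call (the certificate retrieval) is masked and the init container's exit status is only that of `showpass`, which can leave the main container starting against an empty or stale `mycreds.prop`. Use `&&` so the init container fails visibly: `/opt/app/aaf_config/bin/agent.sh && /opt/app/aaf_config/bin/agent.sh local showpass \`. The same script redirects the keystore and truststore passwords in cleartext into the shared `credsPath` volume with whatever umask the agent image happens to have; adding `umask 077` as the first line of the script keeps `mycreds.prop` readable only by its owner, provided the main container runs as the uid the agent assigns (the `permission_user` value in values.yaml suggests it does — confirm). The `|-` block scalar's indentation is what makes the script a single data value, so any edit to these lines needs to keep the body indented under the key.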
@@ -40,16 +43,39 @@ spec: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container + {{- if .Values.global.aafEnabled }} + command: + - bash + args: + - -c + - | + export $(grep '^c' {{ .Values.aafConfig.credsPath }}/mycreds.prop | xargs -0) + export JAVA_OPTS="-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \ + -Dserver.ssl.key-store={{ .Values.aafConfig.credsPath }}/org.onap.nbi.p12 \ + -Dserver.ssl.key-store-type=PKCS12 \ + -Djavax.net.ssl.trustStore={{ .Values.aafConfig.credsPath }}/org.onap.nbi.trust.jks \ + -Dserver.ssl.key-store-password=$cadi_keystore_password_p12 \ + -Djavax.net.ssl.trustStoreType=jks\ + -Djava.security.egd=file:/dev/./urandom -Dserver.port=8443" + {{- if eq "DEBUG" .Values.config.loglevel }} + export JAVA_DEBUG="-Djavax.net.debug=all" + {{- end }} + exec java -XX:+UseContainerSupport $JAVA_DEBUG $JAVA_OPTS -jar /opt/onap/app.jar + {{- end }} {{ if .Values.liveness.enabled }} livenessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} + httpGet: + port: {{ .Values.liveness.port }} + path: {{ .Values.liveness.path }} + scheme: HTTPS initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end }} readinessProbe: - tcpSocket: - port: {{ .Values.service.internalPort }} + httpGet: + port: {{ .Values.readiness.port }} + path: {{ .Values.readiness.path }} + scheme: HTTPS initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} env: @@ -72,7 +98,7 @@ spec: - name: ONAP_CLOUDOWNER value: {{ .Values.config.cloudOwner }} - name: NBI_URL - value: "http://nbi.{{ include "common.namespace" . }}:8080/nbi/api/v4" + value: "https://nbi.{{ include "common.namespace" . }}:8443/nbi/api/v4" - name: SDC_HOST value: "https://sdc-be.{{ include "common.namespace" . }}:8443" - name: SDC_HEADER_ECOMPINSTANCEID 
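Review bot: `export JAVA_DEBUG="-Djavax.net.debug=all"` in the new command block ties full JSSE debugging to the application log level; `all` enables every category, and on JDK 8 `keygen` prints the master secret and write keys while `record:plaintext` dumps decrypted record payloads, so setting `config.loglevel: DEBUG` would write TLS key material into the pod logs (newer JDKs log less, but still far more than handshake tracing). Limit it to handshake tracing, `export JAVA_DEBUG="-Djavax.net.debug=ssl:handshake"`, or gate it on a dedicated value instead of the application log level. Separately, `export $(grep '^c' .../mycreds.prop | xargs -0)` only works because the unquoted command substitution is word-split back into separate assignments, so a password containing whitespace or glob characters would be exported incorrectly; a `while IFS= read -r line; do export "$line"; done < <(grep '^c' {{ .Values.aafConfig.credsPath }}/mycreds.prop)` loop avoids that. The passwords also end up on the java command line, where they are visible in `/proc/<pid>/cmdline` to anything that can exec into the pod; Spring's `SERVER_SSL_KEY_STORE_PASSWORD` environment variable would at least keep the keystore password out of the process list.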
@@ -90,7 +116,7 @@ spec: value: {{ .Values.so_authorization }} {{- end }} - name: DMAAP_HOST - value: "https://message-router.{{ include "common.namespace" . }}:3905" + value: "http://message-router.{{ include "common.namespace" . }}:3904" - name: LOGGING_LEVEL_ORG_ONAP_NBI value: {{ .Values.config.loglevel }} - name: MSB_ENABLED @@ -99,7 +125,7 @@ spec: value: "msb-discovery.{{ include "common.namespace" . }}" - name: MSB_DISCOVERY_PORT value: "10081" - volumeMounts: + volumeMounts: {{ include "common.aaf-config-volume-mountpath" . | nindent 12 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -125,7 +151,7 @@ spec: # name: esr-server-logs # - mountPath: /usr/share/filebeat/data # name: esr-server-filebeat - volumes: + volumes: {{ include "common.aaf-config-volumes" . | nindent 8 }} - name: localtime hostPath: path: /etc/localtime diff --git a/kubernetes/nbi/values.yaml b/kubernetes/nbi/values.yaml index 4e22af6494..ceab7fad2a 100644 --- a/kubernetes/nbi/values.yaml +++ b/kubernetes/nbi/values.yaml @@ -28,6 +28,30 @@ global: service: mariadb-galera internalPort: 3306 nameOverride: mariadb-galera + aafAgentImage: onap/aaf/aaf_agent:2.1.15 + aafEnabled: true + busyBoxImage: busybox:1.30 + busyBoxRepository: docker.io + +################################################################# +# AAF part +################################################################# +aafConfig: + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: nbi + fqi: nbi@nbi.onap.org + public_fqdn: nbi.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + credsPath: /opt/app/osaaf/local + app_ns: org.osaaf.aaf + permission_user: 1000 + permission_group: 999 + addconfig: true + secret_uid: &aaf_secret_uid nbi-aaf-deploy-creds + ################################################################# # Secrets metaconfig 
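Review bot: The DMAAP_HOST change downgrades the message-router connection from `https://...:3905` to plaintext `http://...:3904` in a commit whose stated purpose is adding TLS to NBI, and neither the patch nor the commit message says why. If the motivation was that the previous image could not validate the DMaaP certificate, the AAF truststore this commit mounts under `credsPath` and passes via `-Djavax.net.ssl.trustStore` should make the HTTPS endpoint usable again, so keep `value: "https://message-router.{{ include "common.namespace" . }}:3905"`. If the downgrade is intentional, say so in the commit message and add a comment above the env entry so it is not read as an oversight.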
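Review bot: `aafDeployPass: demo123456!` commits a working default for the AAF deployer credential into values.yaml, and because the secrets entry added in the same patch marks it `passwordPolicy: required`, any deployment that does not set `aafDeployCredsExternalSecret` will use this value as-is. The only hint that it should be overridden is the commented-out `# aafDeployCredsExternalSecret: some secret`; a comment such as `# demo-only credential: point aafDeployCredsExternalSecret at a real secret outside of demo environments` above `aafDeployFqi` would make the expectation explicit. This follows the pattern used by other ONAP charts, so the point is documentation rather than a new defect.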
@@ -39,13 +63,19 @@ secrets: externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' login: '{{ .Values.config.db.userName }}' password: '{{ .Values.config.db.userPassword }}' + - uid: *aaf_secret_uid + type: basicAuth + externalSecret: '{{ ternary (tpl (default "" .Values.aafConfig.aafDeployCredsExternalSecret) .) "aafIsDisabled" .Values.global.aafEnabled }}' + login: '{{ .Values.aafConfig.aafDeployFqi }}' + password: '{{ .Values.aafConfig.aafDeployPass }}' + passwordPolicy: required subChartsOnly: enabled: true # application image repository: nexus3.onap.org:10001 -image: onap/externalapi/nbi:6.0.0 +image: onap/externalapi/nbi:6.0.1 pullPolicy: IfNotPresent sdc_authorization: Basic YWFpOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU= aai_authorization: Basic QUFJOkFBSQ== @@ -109,9 +139,8 @@ affinity: {} # probe configuration parameters liveness: - httpGet: - path: /nbi/api/v4/status - port: 8080 + path: /nbi/api/v4/status + port: 8443 initialDelaySeconds: 180 periodSeconds: 30 # necessary to disable liveness probe when setting breakpoints @@ -119,9 +148,8 @@ liveness: enabled: true readiness: - httpGet: - path: /nbi/api/v4/status - port: 8080 + path: /nbi/api/v4/status + port: 8443 initialDelaySeconds: 185 periodSeconds: 30 @@ -130,7 +158,7 @@ service: portName: api name: nbi nodePort: 74 - internalPort: 8080 + internalPort: 8443 ingress: enabled: false -- cgit 1.2.3-korg
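Review bot: The liveness and readiness probes and the service now hardcode `port: 8443` / `internalPort: 8443`, and the deployment template sets `scheme: HTTPS` unconditionally, yet the java command that binds 8443 with TLS is wrapped in `{{- if .Values.global.aafEnabled }}`. With `global.aafEnabled: false` the container falls back to the image's own entrypoint, which the previous probe configuration suggests listens on plain HTTP 8080, so both probes would fail and the pod never becomes ready. Either make the chart's flag drive these settings in deployment.yaml, e.g. `scheme: {{ ternary "HTTPS" "HTTP" .Values.global.aafEnabled }}` and `port: {{ ternary 8443 8080 .Values.global.aafEnabled }}`, or document next to `aafEnabled: true` that this chart requires AAF and the flag must stay enabled.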