From b5353c9977f4c1545b706fe0dbbaa75da635dd50 Mon Sep 17 00:00:00 2001 From: Sylvain Desbureaux Date: Mon, 15 Feb 2021 11:30:29 +0100 Subject: [A1P] Retrieve the certificates automatically Instead of using hardcoded certificates in the container, let's retrieve them automatically. Issue-ID: OOM-2681 Signed-off-by: Sylvain Desbureaux Change-Id: If08469469fecdc8bf86d080980f221e5941a2329 --- kubernetes/a1policymanagement/requirements.yaml | 3 + .../resources/config/application.yaml | 74 ++++++++++++++++++++++ .../a1policymanagement/templates/deployment.yaml | 25 ++++++-- kubernetes/a1policymanagement/values.yaml | 38 +++++++++++ 4 files changed, 134 insertions(+), 6 deletions(-) create mode 100644 kubernetes/a1policymanagement/resources/config/application.yaml (limited to 'kubernetes/a1policymanagement') diff --git a/kubernetes/a1policymanagement/requirements.yaml b/kubernetes/a1policymanagement/requirements.yaml index e570cb0b32..1872e91a0f 100644 --- a/kubernetes/a1policymanagement/requirements.yaml +++ b/kubernetes/a1policymanagement/requirements.yaml @@ -18,6 +18,9 @@ dependencies: - name: common version: ~7.x-0 repository: '@local' + - name: certInitializer + version: ~7.x-0 + repository: '@local' - name: repositoryGenerator version: ~7.x-0 repository: '@local' \ No newline at end of file diff --git a/kubernetes/a1policymanagement/resources/config/application.yaml b/kubernetes/a1policymanagement/resources/config/application.yaml new file mode 100644 index 0000000000..37754ca00c --- /dev/null +++ b/kubernetes/a1policymanagement/resources/config/application.yaml 
@@ -0,0 +1,74 @@
+{{/*
+#
+# ============LICENSE_START=======================================================
+# ONAP : ccsdk oran
+# ================================================================================
+# Copyright (C) 2020 Nordix Foundation. All rights reserved.
+# Copyright (C) 2021 Orange. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+#
+*/}}
+spring:
+ profiles:
+ active: prod
+ main:
+ allow-bean-definition-overriding: true
+ aop:
+ auto: false
+management:
+ endpoints:
+ web:
+ exposure:
+ # Enabling of springboot actuator features. See springboot documentation.
+ include: "loggers,logfile,health,info,metrics,threaddump,heapdump"
+
+logging:
+ # Configuration of logging
+ level:
+ ROOT: DEBUG
+ org.springframework: DEBUG
+ org.springframework.data: DEBUG
+ org.springframework.web.reactive.function.client.ExchangeFunctions: DEBUG
+ org.onap.ccsdk.oran.a1policymanagementservice: DEBUG
+ file:
+ name: /var/log/policy-agent/application.log
+server:
+ # Configuration of the HTTP/REST server. The parameters are defined and handeled by the springboot framework.
+ # See springboot documentation.
+ port: 8433 + http-port: 8081 + ssl: + key-store-type: PKCS12 + key-store-password: ${KEYSTORE_PASSWORD} + key-store: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12 + key-password: ${KEYSTORE_PASSWORD} + key-alias: {{ .Values.certInitializer.fqi }} +app: + # Location of the component configuration file. The file will only be used if the Consul database is not used; + # configuration from the Consul will override the file. + filepath: /opt/app/policy-agent/data/application_configuration.json + webclient: + # Configuration of the trust store used for the HTTP client (outgoing requests) + # The file location and the password for the truststore is only relevant if trust-store-used == true + # Note that the same keystore as for the server is used. + trust-store-used: false + trust-store-password: ${TRUSTSORE_PASSWORD} + trust-store: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks + # Configuration of usage of HTTP Proxy for the southbound accesses. + # The HTTP proxy (if configured) will only be used for accessing NearRT RIC:s + http.proxy-host: + http.proxy-port: 0 diff --git a/kubernetes/a1policymanagement/templates/deployment.yaml b/kubernetes/a1policymanagement/templates/deployment.yaml index ce2e2732e6..43431f0a35 100644 --- a/kubernetes/a1policymanagement/templates/deployment.yaml +++ b/kubernetes/a1policymanagement/templates/deployment.yaml @@ -27,7 +27,7 @@ spec: metadata: labels: {{- include "common.labels" . | nindent 8 }} spec: - initContainers: + initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - name: {{ include "common.name" . }}-bootstrap-config image: {{ include "repositoryGenerator.image.envsubst" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} 
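Review bot: The actuator list in `management.endpoints.web.exposure.include` exposes `heapdump`, `threaddump` and `logfile` over the web port, and the `server.ssl` block of the same file now places the substituted `${KEYSTORE_PASSWORD}` in the process, so a served heap dump would carry the keystore and key passwords. Unless these endpoints are protected somewhere not visible in this hunk, I would narrow the line to `include: "health,info,metrics"` and add the others back only for debugging sessions. The `logging.level` block sets `ROOT: DEBUG` while `spring.profiles.active` is `prod`; `ROOT: INFO` is the safer shipped default, since DEBUG on `ExchangeFunctions` may log request details. Also worth a comment next to `trust-store-used: false`: it reads as if the outgoing client ignores the trust store that certInitializer now provisions, so please confirm peer certificates are still validated.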
@@ -35,13 +35,22 @@ spec: - sh args: - -c - - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; chmod o+w /config/${PFILE}; done" + - | + export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop\ + | xargs -0) + cd /config-input + for PFILE in `ls -1` + do + envsubst <${PFILE} >/config/${PFILE} + chmod o+w /config/${PFILE} + done + cat /config/application.yaml env: - name: A1CONTROLLER_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }} - name: A1CONTROLLER_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }} - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - mountPath: /config-input name: {{ include "common.fullname" . }}-policy-conf-input - mountPath: /config @@ -86,11 +95,15 @@ spec: scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} + - name: config + mountPath: /opt/app/policy-agent/data/application_configuration.json + subPath: application_configuration.json - name: config - mountPath: /opt/app/policy-agent/data + mountPath: /opt/app/policy-agent/config/application.yaml + subPath: application.yaml resources: {{ include "common.resources" . | nindent 10 }} - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: {{ include "common.fullname" . }}-policy-conf-input configMap: name: {{ include "common.fullname" . }}-policy-conf diff --git a/kubernetes/a1policymanagement/values.yaml b/kubernetes/a1policymanagement/values.yaml index a1602c569c..e118b35cfd 100644 --- a/kubernetes/a1policymanagement/values.yaml +++ b/kubernetes/a1policymanagement/values.yaml 
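Review bot: The final line of the new init script, `cat /config/application.yaml`, writes the rendered file to the init container's log after `envsubst` has replaced `${KEYSTORE_PASSWORD}` and `${TRUSTSORE_PASSWORD}` with the values exported from `mycreds.prop`, so both passwords become readable to anyone with access to pod logs or a log aggregator. I would delete that line, or replace it with something like `ls -l /config` if the intent is only to confirm the files were produced. The loop also keeps `chmod o+w /config/${PFILE}`, which now leaves a file holding those passwords world-writable; tightening that depends on which user the main container runs as, which this hunk does not show. The container spec continues outside the hunk.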
@@ -29,6 +29,44 @@ secrets: password: '{{ .Values.a1controller.password }}' passwordPolicy: required +################################################################# +# AAF part +################################################################# +certInitializer: + nameOverride: a1p-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: a1p + fqi: a1p@a1p.onap.org + public_fqdn: a1p.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + fqi_namespace: org.onap.a1p + aaf_add_config: | + echo "*** changing them into shell safe ones" + export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + cd {{ .Values.credsPath }} + keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \ + -storepass "${cadi_keystore_password_p12}" \ + -keystore {{ .Values.fqi_namespace }}.p12 + keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \ + -storepass "${cadi_truststore_password}" \ + -keystore {{ .Values.fqi_namespace }}.trust.jks + echo "*** set key password as same password as keystore password" + keytool -keypasswd -new "${KEYSTORE_PASSWORD}" \ + -keystore {{ .Values.fqi_namespace }}.p12 \ + -keypass "${cadi_keystore_password_p12}" \ + -storepass "${KEYSTORE_PASSWORD}" -alias {{ .Values.fqi }} + echo "*** save the generated passwords" + echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop + echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop + echo "*** change ownership of certificates to targeted user" + chown -R 1000 . + image: onap/ccsdk-oran-a1policymanagementservice:1.0.1 userID: 1000 #Should match with image-defined user ID groupID: 999 #Should match with image-defined group ID -- cgit 1.2.3-korg
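Review bot: `aafDeployPass: demo123456!` puts a deployer credential in clear text into the chart defaults, while the alternative `# aafDeployCredsExternalSecret: some secret` is left commented out. I would add a comment above it such as `# Demo credential only; set aafDeployCredsExternalSecret in any real deployment`, so the default is not carried into production unnoticed. In `aaf_add_config`, `mycreds.prop` is created with the default umask before `chown -R 1000 .`; adding `chmod 600 mycreds.prop` after the two `echo` lines would keep the generated passwords private to the owner, provided the init container that reads the file runs as that user or as root. The spelling `TRUSTSORE_PASSWORD` is consistent with application.yaml so it works, but renaming it to `TRUSTSTORE_PASSWORD` in both places would prevent a later mismatch from silently substituting an empty password.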