From 27fd7d8750ceeb798052eb8af36264c79b6536fb Mon Sep 17 00:00:00 2001 From: osk11461 Date: Fri, 18 Jun 2021 00:51:17 +0200 Subject: [AAI] Service Mesh compatibility This patch makes AAI to work on service mesh by removing https calls from everywhere. It allows also to use AAI on an environment without need of TLS. Issue-ID: OOM-2670 Signed-off-by: Ondrej Frindrich Change-Id: I19adabc7b33c1ada243ec16f77dbf8fde19b1386 --- .../resources/config/aaiconfig.properties | 10 +++++++++- .../resources/config/application.properties | 22 ++++++++++++++++------ .../aai-graphadmin/templates/deployment.yaml | 2 +- .../templates/job-copy-db-backup.yaml | 6 ++++-- .../aai-graphadmin/templates/job-create-db.yaml | 8 +++++--- .../aai-graphadmin/templates/job-migration.yaml | 10 +++++++--- .../aai-graphadmin/templates/service.yaml | 5 ++--- .../aai/components/aai-graphadmin/values.yaml | 9 ++++++--- 8 files changed, 50 insertions(+), 22 deletions(-) (limited to 'kubernetes/aai/components/aai-graphadmin') diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties index e62ba07bfd..512e906b00 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/aaiconfig.properties 
@@ -24,20 +24,28 @@ aai.config.checktime=1000 # this could come from siteconfig.pl? aai.config.nodename=AutomaticallyOverwritten +{{ if ( include "common.needTLS" .) }} aai.server.url.base=https://aai.{{ include "common.namespace" . }}:8443/aai/ aai.server.url=https://aai.{{ include "common.namespace" . }}:8443/aai/{{ .Values.global.config.schema.version.api.default }}/ aai.global.callback.url=https://aai.{{ include "common.namespace" . }}:8443/aai/ +{{ else }} +aai.server.url.base=http://aai.{{ include "common.namespace" . }}/aai/ +aai.server.url=http://aai.{{ include "common.namespace" . }}/aai/{{ .Values.global.config.schema.version.api.default }}/ +aai.global.callback.url=http://aai.{{ include "common.namespace" . }}/aai/ +{{ end }} -{{ if .Values.global.config.basic.auth.enabled }} +{{ if or (.Values.global.config.basic.auth.enabled) ( include "common.onServiceMesh" .) }} aai.tools.enableBasicAuth=true aai.tools.username={{ .Values.global.config.basic.auth.username }} aai.tools.password={{ .Values.global.config.basic.auth.passwd }} {{ end }} +{{ if ( include "common.needTLS" .) }} aai.truststore.filename={{ .Values.global.config.truststore.filename }} aai.truststore.passwd.x={{ .Values.global.config.truststore.passwd }} aai.keystore.filename={{ .Values.global.config.keystore.filename }} aai.keystore.passwd.x={{ .Values.global.config.keystore.passwd }} +{{ end }} aai.notification.current.version={{ .Values.global.config.schema.version.api.default }} aai.notificationEvent.default.status=UNPROCESSED diff --git a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties index 8cefebc825..367e9038cd 100644 --- a/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties +++ b/kubernetes/aai/components/aai-graphadmin/resources/config/application.properties 
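Review bot: The new `{{ else }}` branch is taken whenever `common.needTLS` is false, which by the values.yaml comment in this same patch includes a cluster with `tlsEnabled: false` and no service mesh, so `aai.server.url`, `aai.global.callback.url` and (when basic auth is enabled) the `aai.tools.username`/`aai.tools.password` pair are then sent as cleartext HTTP with nothing on the wire protecting them. Only the mesh case is covered by the `or ... common.onServiceMesh` condition, and that condition forces basic auth on without checking whether the mesh actually enforces mTLS. I would at least record the assumption in the template: `# http URLs are only acceptable behind mesh mTLS; with tlsEnabled=false on a bare cluster callbacks and basic-auth credentials travel in cleartext`. Note also that the http URLs drop the `:8443` port, so they rely on the `aai` Service listening on port 80 in non-TLS mode, which I cannot confirm from this hunk.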
@@ -33,7 +33,7 @@ server.servlet.context-path=/ spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration -spring.profiles.active={{ .Values.config.profiles.active }} +spring.profiles.active={{ .Values.config.profiles.active }}{{ (eq "true" (include "common.needTLS" .)) | ternary ",one-way-ssl" "" }} spring.jersey.application-path=${schema.uri.base.path} #The max number of active threads in this pool server.tomcat.max-threads=200 @@ -48,6 +48,7 @@ server.local.startpath=aai-graphadmin/src/main/resources/ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties server.port=8449 +{{ if ( include "common.needTLS" .) }} server.ssl.enabled-protocols=TLSv1.1,TLSv1.2 server.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }} server.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }}) @@ -55,11 +56,15 @@ server.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.conf server.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }}) server.ssl.client-auth=want server.ssl.key-store-type=JKS +{{ else }} +security.require-ssl=false +server.ssl.enabled=false +{{ end }} # JMS bind address host port jms.bind.address=tcp://localhost:61649 -dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:3905 -dmaap.ribbon.transportType=https +dmaap.ribbon.listOfServers=message-router.{{.Release.Namespace}}:{{ (eq "true" (include "common.needTLS" .)) | ternary 3905 3904 }} +dmaap.ribbon.transportType={{ include "common.scheme" . }} # Schema related attributes for the oxm and edges # Any additional schema related attributes should start with prefix schema 
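Review bot: `security.require-ssl=false` in the new `{{ else }}` branch is, as far as I know, a Spring Boot 1.x property that was removed in 2.0; if graphadmin runs on Spring Boot 2, as the `server.servlet.context-path` key at the top of this hunk suggests, it is silently ignored and only `server.ssl.enabled=false` takes effect, so I would drop it or replace it with a comment rather than leave a line that looks like an enforced channel policy. The same ternary moves `message-router` to port 3904 and `common.scheme` presumably to `http`, so in the non-mesh, non-TLS case notification traffic leaves the pod in cleartext; a one-line comment next to `dmaap.ribbon.transportType` saying this is only acceptable behind mesh mTLS would help operators. Unchanged by this patch but still on the new side, the TLS branch keeps `server.ssl.enabled-protocols=TLSv1.1,TLSv1.2`; TLS 1.1 is deprecated and could be dropped in a follow-up.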
@@ -91,23 +96,28 @@ schema.version.edge.label.start={{ .Values.global.config.schema.version.edge.lab schema.version.api.default={{ .Values.global.config.schema.version.api.default }} schema.translator.list={{ .Values.global.config.schema.translator.list }} -schema.service.base.url=https://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/ +schema.service.base.url={{ include "common.scheme" . }}://aai-schema-service.{{ include "common.namespace" . }}:8452/aai/schema-service/v1/ schema.service.nodes.endpoint=nodes?version= schema.service.edges.endpoint=edgerules?version= schema.service.versions.endpoint=versions -schema.service.client={{ .Values.global.config.schema.service.client }} +schema.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} +{{ if ( include "common.needTLS" .) }} schema.service.ssl.key-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.keystore.filename }} schema.service.ssl.trust-store=${server.local.startpath}/etc/auth/{{ .Values.global.config.truststore.filename }} schema.service.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }}) schema.service.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }}) +{{ end }} aperture.rdbmsname=aai_relational -aperture.service.client={{ .Values.global.config.schema.service.client }} +aperture.service.client={{ (eq "true" (include "common.needTLS" .)) | ternary .Values.global.config.schema.service.client "no-auth" }} + aperture.service.base.url=http://localhost:8457/aai/aperture +{{ if ( include "common.needTLS" .) 
}} aperture.service.ssl.key-store=${server.local.startpath}etc/auth/{{ .Values.global.config.keystore.filename }} aperture.service.ssl.trust-store=${server.local.startpath}etc/auth/{{ .Values.global.config.truststore.filename }} aperture.service.ssl.key-store-password=password({{ .Values.global.config.keystore.passwd }}) aperture.service.ssl.trust-store-password=password({{ .Values.global.config.truststore.passwd }}) +{{ end }} aperture.service.timeout-in-milliseconds=300000 diff --git a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml index 5e6f2bc33d..8ed7ce83bc 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/deployment.yaml @@ -187,4 +187,4 @@ spec: {{ end }} restartPolicy: {{ .Values.restartPolicy }} imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + - name: {{ include "common.namespace" . }}-docker-registry-key diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml index 154ad30c1a..0cdce11395 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-copy-db-backup.yaml @@ -80,8 +80,10 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /bin/bash - - docker-entrypoint.sh - - dataSnapshot.sh + - -c + - | + bash docker-entrypoint.sh dataSnapshot.sh ; + {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml index 79144680b4..7c078e9236 100644 
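Review bot: In job-copy-db-backup the two commands are joined with `;`, so the container's exit status becomes that of the sidecar-kill command rather than `dataSnapshot.sh`; a failed snapshot will let the Job report success and nothing will retry or alert (this assumes `common.serviceMesh.killSidecar` renders a plain shell command, which I cannot see here). The previous list-form `command` did not have this problem because the script's exit code was the container's. Capture the status before killing the sidecar and return it afterwards: `bash docker-entrypoint.sh dataSnapshot.sh ; rc=$? ;` followed by the include and then `exit $rc`.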
--- a/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-create-db.yaml @@ -80,8 +80,10 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /bin/bash - - docker-entrypoint.sh - - createDBSchema.sh + - -c + - | + bash docker-entrypoint.sh createDBSchema.sh ; + {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} @@ -149,5 +151,5 @@ spec: {{ end }} restartPolicy: Never imagePullSecrets: - - name: "{{ include "common.namespace" . }}-docker-registry-key" + - name: {{ include "common.namespace" . }}-docker-registry-key {{ end }} diff --git a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml index 4b100dd97b..9b4be4e4c7 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/job-migration.yaml @@ -130,7 +130,9 @@ spec: command: - /bin/bash - -c - - bash docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges + - | + bash docker-entrypoint.sh run_Migrations.sh -e UpdateAaiUriIndexMigration --commit --skipPreMigrationSnapShot --runDisabled RebuildAllEdges ; + {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} @@ -248,8 +250,10 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - /bin/bash - - docker-entrypoint.sh - - dataSnapshot.sh + - -c + - | + bash docker-entrypoint.sh dataSnapshot.sh ; + {{- include "common.serviceMesh.killSidecar" . | indent 11 | trim }} env: - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} 
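Review bot: The `bash -c` script in job-create-db ends with the sidecar-kill command, so the Job's exit status no longer reflects `createDBSchema.sh`; a failed schema creation is masked and the Job completes as if the database were ready for the deployment that depends on it (assuming `common.serviceMesh.killSidecar` expands to an ordinary shell command). Save the script's status first: `bash docker-entrypoint.sh createDBSchema.sh ; rc=$? ;` then the include, then `exit $rc`. The enclosing container spec continues outside the hunk.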
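Review bot: `run_Migrations.sh ... --commit ;` followed by the sidecar kill means a migration that fails halfway is reported as success, because the container exits with the status of the last command, not of the migration; with `--commit` on a production graph that is the case where you most want the Job to fail loudly. Before this patch the single-string `-c` form propagated the script's status directly. Record it before the sidecar kill: `... --runDisabled RebuildAllEdges ; rc=$? ;` then the include, then `exit $rc`.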
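Review bot: The second job-migration container (the `dataSnapshot.sh` one) has the same exit-status issue: `;` plus the trailing sidecar kill means a failed pre-migration snapshot does not fail the Job, so a later migration can run without a usable backup. I would add `rc=$?` after the `dataSnapshot.sh ;` call and finish the script with `exit $rc` so the Job's status tracks the snapshot, as it did with the previous list-form command.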
diff --git a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml index 2f7aaa960d..85165e2dc4 100644 --- a/kubernetes/aai/components/aai-graphadmin/templates/service.yaml +++ b/kubernetes/aai/components/aai-graphadmin/templates/service.yaml @@ -35,17 +35,16 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }} name: {{ .Values.service.portName2 }} {{- else -}} - port: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }} - port: {{ .Values.service.internalPort2 }} name: {{ .Values.service.portName2 }} {{- end}} selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} - clusterIP: None diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml index 63c668fb9e..ad6ef3c984 100644 --- a/kubernetes/aai/components/aai-graphadmin/values.yaml +++ b/kubernetes/aai/components/aai-graphadmin/values.yaml @@ -61,6 +61,7 @@ global: # global defaults # Schema specific properties that include supported versions of api schema: # Specifies if the connection should be one way ssl, two way ssl or no auth + # will be set to no-auth if tls is disabled service: client: one-way-ssl # Specifies which translator to use if it has schema-service, then it will 
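Review bot: The `{{ (eq "true" (include "common.needTLS" .)) | ternary "s" "" }}` suffix is repeated verbatim in both the NodePort and ClusterIP branches of the service; computing it once at the top of `spec` with `{{- $scheme := ternary "s" "" (eq "true" (include "common.needTLS" .)) }}` and using `{{ .Values.service.portName }}{{ $scheme }}` in both places keeps the two branches from drifting, and matches the single-evaluation style used elsewhere in this patch. Also worth a short comment above the port list that the `http`/`https` name is what the mesh uses for protocol detection, since that is the reason for the suffix and is not obvious from the template.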
@@ -131,7 +132,9 @@ config: # Specify the profiles for the graphadmin microservice profiles: - active: "dmaap,one-way-ssl" + # one way ssl profile will be set unless tlsEnabled is set to false or serviceMesh is enabled and + # serviceMesh.tls is set to tru + active: dmaap #,one-way-ssl" # Specifies the timeout limit for the REST API requests timeout: @@ -200,9 +203,9 @@ readiness: service: type: ClusterIP # REST API port for the graphadmin microservice - portName: aai-graphadmin-8449 + portName: http internalPort: 8449 - portName2: aai-graphadmin-5005 + portName2: tcp-5005 internalPort2: 5005 ingress: -- cgit 1.2.3-korg
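Review bot: The new comment above `active` has a typo (`tru`) and the value line carries a leftover `#,one-way-ssl"` fragment with a stray quote; YAML treats ` #` as a comment start so the value is `dmaap`, but the trailing `"` reads like an unfinished edit. I would write `# the one-way-ssl profile is appended by the template when common.needTLS is true` and `# (tlsEnabled true and no service mesh); do not list it here` above a plain `active: dmaap`.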
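Review bot: Renaming `portName2` to `tcp-5005` makes the mesh route `internalPort2` as plain TCP, and the service template in this patch also publishes it as a NodePort in the NodePort branch; 5005 is conventionally a JDWP debug port, and if that is what graphadmin listens on here (I cannot confirm from the chart alone) it should not be reachable through the Service at all, mesh or not. That exposure predates this change, but since the port is being touched I would either drop the second port from the Service or add `# 5005 is a debug port; do not expose outside the pod` next to `internalPort2` and gate it behind a value.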