From a41dfc0f083a27f3063c6b68b82918df3ba67a1f Mon Sep 17 00:00:00 2001 From: Sylvain Desbureaux Date: Mon, 15 Feb 2021 10:14:22 +0100 Subject: [AAI][TRAVERSAL] Remove Hardcoded certificates Use Certinitializer in order to retrieve needed certificates. Issue-ID: OOM-2680 Signed-off-by: Sylvain Desbureaux Change-Id: I1ec295d863f8f6c0d11e64173b474e82f63e6b17 --- .../aai-traversal/templates/configmap.yaml | 19 +----- .../aai-traversal/templates/deployment.yaml | 68 +++++++++------------- .../components/aai-traversal/templates/job.yaml | 16 +---- .../components/aai-traversal/templates/secret.yaml | 30 ++++++++++ .../aai-traversal/templates/service.yaml | 1 - 5 files changed, 59 insertions(+), 75 deletions(-) create mode 100644 kubernetes/aai/components/aai-traversal/templates/secret.yaml (limited to 'kubernetes/aai/components/aai-traversal/templates') diff --git a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml index 5c6dc7293d..c0bcb3b491 100644 --- a/kubernetes/aai/components/aai-traversal/templates/configmap.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/configmap.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada, AT&T +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,7 +18,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "common.fullname" . }}-configmap + name: {{ include "common.fullname" . }} namespace: {{ include "common.namespace" . }} labels: app: {{ include "common.name" . }} @@ -48,19 +49,3 @@ data: {{ tpl (.Files.Glob "resources/config/aaf/permissions.properties").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/aaf/org.onap.aai.props").AsConfig . | indent 2 }} {{ tpl (.Files.Glob "resources/config/aaf/cadi.properties").AsConfig . | indent 2 }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-aaf-keys - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/aaf/org.onap.aai.keyfile").AsSecrets . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/aaf/org.onap.aai.p12").AsSecrets . | indent 2 }} -{{ tpl (.Files.Glob "resources/config/aaf/bath_config.csv").AsSecrets . | indent 2 }} diff --git a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml index 6f5ac8263b..23621491e7 100644 --- a/kubernetes/aai/components/aai-traversal/templates/deployment.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/deployment.yaml @@ -91,31 +91,28 @@ spec: {{- end }} spec: hostname: aai-traversal - {{ if .Values.global.initContainers.enabled }} - initContainers: + initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - command: - {{ if .Values.global.jobs.migration.enabled }} - /app/ready.py args: + {{- if .Values.global.jobs.migration.enabled }} - --job-name - {{ include "common.release" . }}-aai-graphadmin-migration - {{ else if .Values.global.jobs.createSchema.enabled }} - - /app/ready.py - args: + {{- else }} + {{- if .Values.global.jobs.createSchema.enabled }} - --job-name - {{ include "common.release" . }}-aai-graphadmin-create-db-schema - {{ else }} - - /app/ready.py - args: + {{- else }} - --container-name - {{- if .Values.global.cassandra.localCluster }} + {{- if .Values.global.cassandra.localCluster }} - aai-cassandra - {{- else }} + {{- else }} - cassandra - {{- end }} + {{- end }} - --container-name - aai-schema-service - {{ end }} + {{- end }} + {{- end }} env: - name: NAMESPACE valueFrom: @@ -125,19 +122,29 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness - {{ end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + command: + - sh + args: + - -c + - | + echo "*** retrieve Truststore and Keystore password" + export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) + echo "*** actual launch of AAI Resources" + /bin/bash /opt/app/aai-traversal/docker-entrypoint.sh env: + - name: TRUSTORE_ALL_PASSWORD + value: {{ .Values.certInitializer.truststoreAllPassword }} - name: DISABLE_UPDATE_QUERY value: {{ .Values.config.disableUpdateQuery | quote }} - name: LOCAL_USER_ID value: {{ .Values.global.config.userId | quote }} - name: LOCAL_GROUP_ID value: {{ .Values.global.config.groupId | quote }} - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -163,9 +170,6 @@ spec: - mountPath: /opt/app/aai-traversal/resources/etc/auth/realm.properties name: {{ include "common.fullname" . }}-config subPath: realm.properties - - mountPath: /opt/app/aai-traversal/resources/aaf/org.onap.aai.keyfile - name: {{ include "common.fullname" . }}-aaf-certs - subPath: org.onap.aai.keyfile - mountPath: /opt/app/aai-traversal/resources/aaf/bath_config.csv name: {{ include "common.fullname" . }}-aaf-certs subPath: bath_config.csv @@ -181,21 +185,9 @@ spec: - mountPath: /opt/app/aai-traversal/resources/cadi.properties name: {{ include "common.fullname" . }}-aaf-properties subPath: cadi.properties - - mountPath: /opt/app/aai-traversal/resources/aaf/org.onap.aai.p12 - name: {{ include "common.fullname" . }}-aaf-certs - subPath: org.onap.aai.p12 - - mountPath: /opt/app/aai-traversal/resources/aaf/truststoreONAPall.jks - name: aai-common-aai-auth-mount - subPath: truststoreONAPall.jks - mountPath: /opt/app/aai-traversal/resources/application.properties name: {{ include "common.fullname" . }}-config subPath: application.properties - {{ $global := . }} - {{ range $job := .Values.global.config.auth.files }} - - mountPath: /opt/app/aai-traversal/resources/etc/auth/{{ . }} - name: {{ include "common.fullname" $global }}-auth-truststore-sec - subPath: {{ . }} - {{ end }} ports: - containerPort: {{ .Values.service.internalPort }} - containerPort: {{ .Values.service.internalPort2 }} @@ -218,7 +210,7 @@ spec: {{- if .Values.nodeSelector }} nodeSelector: {{ toYaml .Values.nodeSelector | indent 8 }} - {{- end -}} + {{- end }} {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | indent 8 }} @@ -238,7 +230,7 @@ spec: name: {{ include "common.fullname" . }}-filebeat resources: {{ include "common.resources" . }} - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - name: localtime hostPath: path: /etc/localtime @@ -253,24 +245,16 @@ spec: emptyDir: {} - name: {{ include "common.fullname" . }}-config configMap: - name: {{ include "common.fullname" . }}-configmap + name: {{ include "common.fullname" . }} - name: {{ include "common.fullname" . }}-aaf-properties configMap: name: {{ include "common.fullname" . }}-aaf-props - name: {{ include "common.fullname" . }}-aaf-certs secret: - secretName: {{ include "common.fullname" . }}-aaf-keys + secretName: {{ include "common.fullname" . }}-aaf - name: aai-common-aai-auth-mount secret: secretName: aai-common-aai-auth - - name: {{ include "common.fullname" . }}-auth-truststore-sec - secret: - secretName: aai-common-truststore - items: - {{ range $job := .Values.global.config.auth.files }} - - key: {{ . }} - path: {{ . }} - {{ end }} restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aai/components/aai-traversal/templates/job.yaml b/kubernetes/aai/components/aai-traversal/templates/job.yaml index 16e7022c0d..2eac7fe722 100644 --- a/kubernetes/aai/components/aai-traversal/templates/job.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/job.yaml @@ -106,12 +106,6 @@ spec: - mountPath: /opt/app/aai-traversal/resources/application.properties name: {{ include "common.fullname" . }}-config subPath: application.properties - {{ $global := . }} - {{ range $job := .Values.global.config.auth.files }} - - mountPath: /opt/app/aai-traversal/resources/etc/auth/{{ . }} - name: {{ include "common.fullname" $global }}-auth-truststore-sec - subPath: {{ . }} - {{ end }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container volumes: @@ -129,15 +123,7 @@ spec: emptyDir: {} - name: {{ include "common.fullname" . }}-config configMap: - name: {{ include "common.fullname" . }}-configmap - - name: {{ include "common.fullname" . }}-auth-truststore-sec - secret: - secretName: aai-common-truststore - items: - {{ range $job := .Values.global.config.auth.files }} - - key: {{ . }} - path: {{ . }} - {{ end }} + name: {{ include "common.fullname" . }} restartPolicy: OnFailure imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aai/components/aai-traversal/templates/secret.yaml b/kubernetes/aai/components/aai-traversal/templates/secret.yaml new file mode 100644 index 0000000000..8e022fe6b0 --- /dev/null +++ b/kubernetes/aai/components/aai-traversal/templates/secret.yaml @@ -0,0 +1,30 @@ +{{/* +# Copyright © 2018 Amdocs, Bell Canada, AT&T +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-aaf + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +type: Opaque +data: +{{ tpl (.Files.Glob "resources/config/aaf/bath_config.csv").AsSecrets . | indent 2 }} \ No newline at end of file diff --git a/kubernetes/aai/components/aai-traversal/templates/service.yaml b/kubernetes/aai/components/aai-traversal/templates/service.yaml index 66dfd493dd..fad857bb41 100644 --- a/kubernetes/aai/components/aai-traversal/templates/service.yaml +++ b/kubernetes/aai/components/aai-traversal/templates/service.yaml @@ -43,4 +43,3 @@ spec: selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} - clusterIP: None -- cgit 1.2.3-korg