From 7007041548231606f3a2f0f98419d43619340bda Mon Sep 17 00:00:00 2001 From: Sylvain Desbureaux Date: Mon, 9 Nov 2020 21:58:48 +0100 Subject: [AAI] Reintegrate AAI OOM charts in main repo AAI chart is currently in its own directory. As a lot will be done in the charts with tight coordination between "common" part and components parts, it's a lot easier to have everything in a same place for now. Issue-ID: OOM-2513 Signed-off-by: Sylvain Desbureaux Change-Id: I5e27f7de286bf74e6d3a443e1cb31f63b3d83265 [Update aai to commit 18d4bd165e12cb4d03baa318e506f0dda381cd89] Signed-off-by: Krzysztof Opasiak --- kubernetes/aai/resources/config/aai/aai_keystore | Bin 0 -> 7544 bytes .../resources/config/auth/truststoreONAPall.jks | Bin 0 -> 117990 bytes .../resources/config/fproxy/auth/client-cert.p12 | Bin 0 -> 3591 bytes .../resources/config/fproxy/auth/fproxy_truststore | Bin 0 -> 5569 bytes .../resources/config/fproxy/auth/tomcat_keystore | Bin 0 -> 3607 bytes kubernetes/aai/resources/config/haproxy/aai.pem | 88 +++++++++++++ .../config/haproxy/haproxy-pluggable-security.cfg | 138 +++++++++++++++++++++ .../aai/resources/config/haproxy/haproxy.cfg | 126 +++++++++++++++++++ .../aai/resources/config/log/filebeat/filebeat.yml | 55 ++++++++ .../resources/config/rproxy/auth/client-cert.p12 | Bin 0 -> 2556 bytes .../resources/config/rproxy/auth/org.onap.aai.p12 | Bin 0 -> 4158 bytes .../resources/config/rproxy/auth/tomcat_keystore | Bin 0 -> 3594 bytes .../aai/resources/config/rproxy/security/keyfile | 27 ++++ 13 files changed, 434 insertions(+) create mode 100644 kubernetes/aai/resources/config/aai/aai_keystore create mode 100644 kubernetes/aai/resources/config/auth/truststoreONAPall.jks create mode 100644 kubernetes/aai/resources/config/fproxy/auth/client-cert.p12 create mode 100644 kubernetes/aai/resources/config/fproxy/auth/fproxy_truststore create mode 100644 kubernetes/aai/resources/config/fproxy/auth/tomcat_keystore create mode 100644 kubernetes/aai/resources/config/haproxy/aai.pem create mode 100644 kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg create mode 100644 kubernetes/aai/resources/config/haproxy/haproxy.cfg create mode 100644 kubernetes/aai/resources/config/log/filebeat/filebeat.yml create mode 100644 kubernetes/aai/resources/config/rproxy/auth/client-cert.p12 create mode 100644 kubernetes/aai/resources/config/rproxy/auth/org.onap.aai.p12 create mode 100644 kubernetes/aai/resources/config/rproxy/auth/tomcat_keystore create mode 100644 kubernetes/aai/resources/config/rproxy/security/keyfile (limited to 'kubernetes/aai/resources/config') diff --git a/kubernetes/aai/resources/config/aai/aai_keystore b/kubernetes/aai/resources/config/aai/aai_keystore new file mode 100644 index 0000000000..d1ebae8e23 Binary files /dev/null and b/kubernetes/aai/resources/config/aai/aai_keystore differ diff --git a/kubernetes/aai/resources/config/auth/truststoreONAPall.jks b/kubernetes/aai/resources/config/auth/truststoreONAPall.jks new file mode 100644 index 0000000000..ff844b109d Binary files /dev/null and b/kubernetes/aai/resources/config/auth/truststoreONAPall.jks differ diff --git a/kubernetes/aai/resources/config/fproxy/auth/client-cert.p12 b/kubernetes/aai/resources/config/fproxy/auth/client-cert.p12 new file mode 100644 index 0000000000..7a4979a7a3 Binary files /dev/null and b/kubernetes/aai/resources/config/fproxy/auth/client-cert.p12 differ diff --git a/kubernetes/aai/resources/config/fproxy/auth/fproxy_truststore b/kubernetes/aai/resources/config/fproxy/auth/fproxy_truststore new file mode 100644 index 0000000000..f5e41700dc Binary files /dev/null and b/kubernetes/aai/resources/config/fproxy/auth/fproxy_truststore differ diff --git a/kubernetes/aai/resources/config/fproxy/auth/tomcat_keystore b/kubernetes/aai/resources/config/fproxy/auth/tomcat_keystore new file mode 100644 index 0000000000..d68bf73815 Binary files /dev/null and b/kubernetes/aai/resources/config/fproxy/auth/tomcat_keystore differ diff --git a/kubernetes/aai/resources/config/haproxy/aai.pem b/kubernetes/aai/resources/config/haproxy/aai.pem new file mode 100644 index 0000000000..6390db10de --- /dev/null +++ b/kubernetes/aai/resources/config/haproxy/aai.pem @@ -0,0 +1,88 @@ +-----BEGIN CERTIFICATE----- +MIIFKzCCBBOgAwIBAgIILW/fiLbps3kwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE +BhMCVVMxDTALBgNVBAoMBE9OQVAxDjAMBgNVBAsMBU9TQUFGMRkwFwYDVQQDDBBp +bnRlcm1lZGlhdGVDQV85MB4XDTIwMDMxNzIwMjg1NloXDTIxMDMxNzIwMjg1Nlow +WTEMMAoGA1UEAwwDYWFpMR0wGwYDVQQLDBRhYWlAYWFpLm9uYXAub3JnOkRFVjEO +MAwGA1UECwwFT1NBQUYxDTALBgNVBAoMBE9OQVAxCzAJBgNVBAYTAlVTMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAov4ddmOzRCWAU/sx2Q9kcYZZ0r/x +agqwDBcmlS2OP0MAou/f/xY2gzE2ugXXGGEXG6PCUx4YEHGeRxyezEQ/+c+kSjFe +0FTUa8Z1Ojad3VDsJfjfZ1994NpV99KTrrw1Twq9Ei7dpkypUA8kZxEjg7eM11TU +F4jS6x5NEyVsxih5uJjIF7ErGwimSEKsympcsXezYgG9Z/VPBpZWmYlYl5MWjzT6 +F0FgGfSbajWauMifEPajmvn8ZXn6Lyx0RCI25+BCcOhS6UvYXFX+jE/uOoEbKgwz +11tIdryEFrXiLVfD01uhacx02YCrzj1u53RWiD6bCPyatKo1hQsf+aDkEQIDAQAB +o4ICBzCCAgMwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBeAwIAYDVR0lAQH/BBYw +FAYIKwYBBQUHAwEGCCsGAQUFBwMCMFQGA1UdIwRNMEuAFIH3mVsQuciM3vNSXupO +aaBDPqzdoTCkLjAsMQ4wDAYDVQQLDAVPU0FBRjENMAsGA1UECgwET05BUDELMAkG +A1UEBhMCVVOCAQcwHQYDVR0OBBYEFP94WTftXhHcz93nBT6jIdMe6h+6MIIBTQYD +VR0RBIIBRDCCAUCBH21hcmsuZC5tYW5hZ2VyQHBlb3BsZS5vc2FhZi5jb22CA2Fh +aYIUYWFpLXNlYXJjaC1kYXRhLm9uYXCCEmFhaS1zcGFya3ktYmUub25hcIIbYWFp +LmFwaS5zaW1wbGVkZW1vLm9uYXAub3JngiVhYWkuZWxhc3RpY3NlYXJjaC5zaW1w +bGVkZW1vLm9uYXAub3JngiVhYWkuZ3JlbWxpbnNlcnZlci5zaW1wbGVkZW1vLm9u +YXAub3Jngh1hYWkuaGJhc2Uuc2ltcGxlZGVtby5vbmFwLm9yZ4IIYWFpLm9uYXCC +JWFhaS5zZWFyY2hzZXJ2aWNlLnNpbXBsZWRlbW8ub25hcC5vcmeCF2FhaS5zaW1w +bGVkZW1vLm9uYXAub3JnghphYWkudWkuc2ltcGxlZGVtby5vbmFwLm9yZzANBgkq +hkiG9w0BAQsFAAOCAQEAVigPPsYd8yscW+U6zpffBc5S6Mg2DQD/gikB0uF//lIq +oa5qTI3yB0wPoRKmxpeEZiJYDkBs3App2sPM2fPb9GGmGncCLkprqTflM2Y4yxX4 +k/a7w8vEwMoCrBgxEdmniAj9TirsISyLqBIXoGT7WtaXBLZarYhJ4P7TplhyWuwe +sV6jxkZLIRLj31ihf32adFIhPZQKxaHbbFnyEylLTdPuZGy3nvdmjajZuomOFF8h +HhDIouSJAtgkuWVsMiX6iR1qG9//6ymnZMvUyDGr8bkZURhMqesAejwP4aKxqDZg +B0uVjapQTJH4ES0M+2PoY9gP8uh0dc3TusOs1QYJiA== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEdTCCAl2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB +RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwODE3MTg1MTM3WhcN +MjMwODE3MTg1MTM3WjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG +A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzkwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv0HHUkba3uNtNI3jPKimUcd6RNwmhSCJL +neMWpnjqp5/A+HCKyNsEaT4y177hNLmCm/aMm1u2JIfikc+8wEqLCSBBPz+P0h+d +o+sZ7U+4oeQizdYYpEdzHJ2SieHHa8vtu80rU3nO2NEIkuYC20HcKSEtl8fFKsk3 +nqlhY+tGfYJPTXcDOQAO40BTcgat3C3uIJHkWJJ4RivunE4LEuRv9QyKgAw7rkJV +v+f7guqpZlXy6dzAkuU7XULWcgo55MkZlssoiErMvEZJad5aWKvRY3g7qUjaQ6wO +15wOAUoRBW96eeZZbytgn8kybcBy++Ue49gPtgm1MF/KlAsp0MD5AgMBAAGjgYYw +gYMwHQYDVR0OBBYEFIH3mVsQuciM3vNSXupOaaBDPqzdMB8GA1UdIwQYMBaAFFNV +M/JL69BRscF4msEoMXvv6u1JMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/ +BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B +AQsFAAOCAgEADxNymiCNr2e37iLReoaxKmZvwox0cTiNAaj7iafRzmwIoY3VXO8Q +ix5IYcp4FaQ7fV1jyp/AmaSnyHf6Osl0sx8PxsQkO7ALttxKUrjfbvNSVUA2C/vl +u5m7UVJLIUtFDZBWanzUSmkTsYLHpiANFQKd2c/cU1qXcyzgJVFEFVyyHNkF7Is+ ++pjG9M1hwQHOoTnEuU013P7X1mHek+RXEfhJWwe7UsZnBKZaZKbQZu7hEtqKWYp/ +QsHgnjoLYXsh0WD5rz/mBxdTdDLGpFqWDzDqb8rsYnqBzoowvsasV8X8OSkov0Ht +8Yka0ckFH9yf8j1Cwmbl6ttuonOhky3N/gwLEozuhy7TPcZGVyzevF70kXy7g1CX +kpFGJyEHXoprlNi8FR4I+NFzbDe6a2cFow1JN19AJ9Z5Rk5m7M0mQPaQ4RcikjB3 +aoLsASCJTm1OpOFHfxEKiBW4Lsp3Uc5/Rb9ZNbfLrwqWZRM7buW1e3ekLqntgbky +uKKISHqVJuw/vXHl1jNibEo9+JuQ88VNuAcm7WpGUogeCa2iAlPTckPZei+MwZ8w +tpvxTyYlZEC8DWzY1VC29+W2N5cvh01e2E3Ql08W1zL63dqrgdEZ3VWjzooYi4ep +BmMXTvouW+Flyvcw/0oTcfN0biDIt0mCkZ5CQVjfGL9DTOYteR5hw+k= +-----END CERTIFICATE----- +Bag Attributes + friendlyName: aai@aai.onap.org + localKeyID: 54 69 6D 65 20 31 35 38 34 34 37 36 39 33 36 35 31 35 +Key Attributes: +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCi/h12Y7NEJYBT ++zHZD2RxhlnSv/FqCrAMFyaVLY4/QwCi79//FjaDMTa6BdcYYRcbo8JTHhgQcZ5H +HJ7MRD/5z6RKMV7QVNRrxnU6Np3dUOwl+N9nX33g2lX30pOuvDVPCr0SLt2mTKlQ +DyRnESODt4zXVNQXiNLrHk0TJWzGKHm4mMgXsSsbCKZIQqzKalyxd7NiAb1n9U8G +llaZiViXkxaPNPoXQWAZ9JtqNZq4yJ8Q9qOa+fxlefovLHREIjbn4EJw6FLpS9hc +Vf6MT+46gRsqDDPXW0h2vIQWteItV8PTW6FpzHTZgKvOPW7ndFaIPpsI/Jq0qjWF +Cx/5oOQRAgMBAAECggEAVYWGSf9IKYKP0gDkh+LmrhZzfPxPnHddJgrjqLSNha4P +YG8CliK+mZmyAGteECGpcUw8g0YwFDi5dtCSldVdyCLmLjO3bxKDnsUz70aHEIAM +WGQ8PE5Diz6kivMHoFCKnB2jVS4YCNECqco4LIg2nT8q/DU7T9nv6YQtptUlPNdY +OmJRXfUfcBSUINqVi/VbEjHtbZqc6dgvaRNEF0CYtqHm7P51BXGa3pH+6drL+U+a +o3T4yHrEsDKUaQzJZoiJneexwN91x42gcyHzg30UZVgCP+9Zt2GQWXqpENNZjGlI +bwzouvBj266ViBNbuu3tar58MASOCnCKGA0Jrs3P3QKBgQD0ENenvzaqNzV0A47x ++RI76DM2eorY2dxh+4txAt1pXlkbMZuWXjs1ysBPYaGHZRitiCFcaSwdP2T0oCET +ojYEU97bJkKlcuw2scAqznSi7U0uSaStwaWzEviGTsQ51MKghRESMfpt3BxZqyi0 +BV+fPeRk3l3xaw1AuZQ/JTn0qwKBgQCq9msPcbRzKvsmfsAVvjKAodzl6EaM+PcF +YLnJLurjCtdyjj1lRaCBg9bRbaRbt9YPg4VA5oMYm2SuwbJQQHjqaeN+SpnV8GGc +nPsZgoSlfZrnLovyGgC3muiA3uSPREZWUlp+IE8qlQ8VztSWkNyxNej4nhxk2UTH +DOE2ZmNyMwKBgFD+yeKkZUrFuZp/l8+bfb6dx2kb77oZSrbFmLfvYHUYV2/b3atg +KDwoxftSBh39odvs4k1dpcMrB6DbBz8RxOVYxAtsPg/T/KoGASTzkOeE4ukqjVkQ +e6Ha+NjxiNM8VT6aCllEdrxAoLPtRju/0MTy8Dm9ReXZRfOl4pm2C+6zAoGAY2D6 +uu+NxaSmeaoUXo9BLCTrE3oCCNBwR2ACnz/2qiQTOTQV3FitBJxusy7Y67fhZwM8 +4o0ch6FM1Yki7iOMJjeHVlJnOkWReEiIbjvAf7KT6O7VytXytMgHf2IR2nYFrQgS +Ml71pfsf2b1xNlTe9OQxmNPQDY9+u3ZxM/4wsKECgYBPvlYMaZNIOLFf7VXzUYGG +rkXMpbLgLvIHvhF+4nsvspPVSqPeWjh2KMee3tMamy93H4R66G/KfoQw02JuZH+N +HbGnnpyLa2jGjY0NkXEo08o2wsqv2QFtT/SFRoDLkah8rwZUwpxIg0akgrwwTslO +rzAazDQvlb0itUxgU4qgqw== +-----END PRIVATE KEY----- diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg new file mode 100644 index 0000000000..1c82050db0 --- /dev/null +++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg @@ -0,0 +1,138 @@ +# Copyright © 2018 Amdocs, Bell Canada, AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global + log /dev/log local0 + stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin + stats timeout 30s + user root + group root + daemon + ################################# + # Default SSL material locations# + ################################# + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + # An alternative list with additional directives can be obtained from + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy + tune.ssl.default-dh-param 2048 + +defaults + log global + mode http + option httplog + option ssl-hello-chk + option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ== + default-server init-addr none +# option dontlognull +# errorfile 400 /etc/haproxy/errors/400.http +# errorfile 403 /etc/haproxy/errors/403.http +# errorfile 408 /etc/haproxy/errors/408.http +# errorfile 500 /etc/haproxy/errors/500.http +# errorfile 502 /etc/haproxy/errors/502.http +# errorfile 503 /etc/haproxy/errors/503.http +# errorfile 504 /etc/haproxy/errors/504.http + + option http-server-close + option forwardfor except 127.0.0.1 + retries 6 + option redispatch + maxconn 50000 + timeout connect 50000 + timeout client 480000 + timeout server 480000 + timeout http-keep-alive 30000 + + +frontend IST_8443 + mode http + bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem +# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" + option httplog + log global + option logasap + option forwardfor + capture request header Host len 100 + capture response header Host len 100 + option log-separate-errors + option forwardfor + http-request set-header X-Forwarded-Proto https if { ssl_fc } + http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used } + http-request set-header X-AAI-SSL %[ssl_fc] + http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify] + http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn] + http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] + http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn] + http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore] + http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter] + http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64] + http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)] + http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)] + http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)] + http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)] + http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)] + reqadd X-Forwarded-Proto:\ https + reqadd X-Forwarded-Port:\ 8443 + +####################### +#ACLS FOR PORT 8446#### +####################### + + acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$ + acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$ + acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$ + acl is_named-query path_beg -i /aai/search/named-query + acl is_search-model path_beg -i /aai/search/model + use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model + + default_backend IST_Default_8447 + + +####################### +#DEFAULT BACKEND 847### +####################### + +backend IST_Default_8447 + balance roundrobin + http-request set-header X-Forwarded-Port %[src_port] + http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; + server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none + + +####################### +# BACKEND 8446######### +####################### + +backend IST_AAI_8446 + balance roundrobin + http-request set-header X-Forwarded-Port %[src_port] + http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; + server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none + +listen IST_AAI_STATS + mode http + bind *:8080 + stats uri /stats + stats enable + stats refresh 30s + stats hide-version + stats auth admin:admin + stats show-legends + stats show-desc IST AAI APPLICATION NODES + stats admin if TRUE diff --git a/kubernetes/aai/resources/config/haproxy/haproxy.cfg b/kubernetes/aai/resources/config/haproxy/haproxy.cfg new file mode 100644 index 0000000000..4606a42439 --- /dev/null +++ b/kubernetes/aai/resources/config/haproxy/haproxy.cfg @@ -0,0 +1,126 @@ +# Copyright © 2018 Amdocs, Bell Canada, AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global + log /dev/log local0 + stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin + stats timeout 30s + daemon + ################################# + # Default SSL material locations# + ################################# + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + # An alternative list with additional directives can be obtained from + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy + tune.ssl.default-dh-param 2048 + +defaults + log global + mode http + option httplog + option ssl-hello-chk + option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ== + default-server init-addr none +# option dontlognull +# errorfile 400 /etc/haproxy/errors/400.http +# errorfile 403 /etc/haproxy/errors/403.http +# errorfile 408 /etc/haproxy/errors/408.http +# errorfile 500 /etc/haproxy/errors/500.http +# errorfile 502 /etc/haproxy/errors/502.http +# errorfile 503 /etc/haproxy/errors/503.http +# errorfile 504 /etc/haproxy/errors/504.http + + option http-server-close + option forwardfor except 127.0.0.1 + retries 6 + option redispatch + maxconn 50000 + timeout connect 50000 + timeout client 480000 + timeout server 480000 + timeout http-keep-alive 30000 + + +frontend IST_8443 + mode http + bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem +# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" + option httplog + log global + option logasap + option forwardfor + capture request header Host len 100 + capture response header Host len 100 + option log-separate-errors + option forwardfor + http-request set-header X-Forwarded-Proto https if { ssl_fc } + http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used } + http-request set-header X-AAI-SSL %[ssl_fc] + http-request set-header X-AAI-SSL-Client-Verify %[ssl_c_verify] + http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn] + http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] + http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn] + http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore] + http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter] + http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64] + http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)] + http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)] + http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)] + http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)] + http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)] + reqadd X-Forwarded-Proto:\ https + reqadd X-Forwarded-Port:\ 8443 + +####################### +#ACLS FOR PORT 8446#### +####################### + + acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$ + acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$ + acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$ + acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$ + acl is_named-query path_beg -i /aai/search/named-query + acl is_search-model path_beg -i /aai/search/model + use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl + + default_backend IST_Default_8447 + + +####################### +#DEFAULT BACKEND 847### +####################### + +backend IST_Default_8447 + balance roundrobin + http-request set-header X-Forwarded-Port %[src_port] + http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; + server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none + + +####################### +# BACKEND 8446######### +####################### + +backend IST_AAI_8446 + balance roundrobin + http-request set-header X-Forwarded-Port %[src_port] + http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; + server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none + diff --git a/kubernetes/aai/resources/config/log/filebeat/filebeat.yml b/kubernetes/aai/resources/config/log/filebeat/filebeat.yml new file mode 100644 index 0000000000..39cc6db9bf --- /dev/null +++ b/kubernetes/aai/resources/config/log/filebeat/filebeat.yml @@ -0,0 +1,55 @@ +# Copyright © 2018 Amdocs, Bell Canada, AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +filebeat.prospectors: +#it is mandatory, in our case it's log +- input_type: log + #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. + paths: + - /var/log/onap/*/*/*/*.log + - /var/log/onap/*/*/*.log + - /var/log/onap/*/*.log + #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive + ignore_older: 48h + # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit + clean_inactive: 96h + + +# Name of the registry file. If a relative path is used, it is considered relative to the +# data path. Else full qualified file name. +#filebeat.registry_file: ${path.data}/registry + + +output.logstash: + #List of logstash server ip addresses with port number. + #But, in our case, this will be the loadbalancer IP address. + #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. + hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] + #If enable will do load balancing among availabe Logstash, automatically. + loadbalance: true + + #The list of root certificates for server verifications. + #If certificate_authorities is empty or not set, the trusted + #certificate authorities of the host system are used. + #ssl.certificate_authorities: $ssl.certificate_authorities + + #The path to the certificate for SSL client authentication. If the certificate is not specified, + #client authentication is not available. + #ssl.certificate: $ssl.certificate + + #The client certificate key used for client authentication. + #ssl.key: $ssl.key + + #The passphrase used to decrypt an encrypted key stored in the configured key file + #ssl.key_passphrase: $ssl.key_passphrase diff --git a/kubernetes/aai/resources/config/rproxy/auth/client-cert.p12 b/kubernetes/aai/resources/config/rproxy/auth/client-cert.p12 new file mode 100644 index 0000000000..dbf4fcacec Binary files /dev/null and b/kubernetes/aai/resources/config/rproxy/auth/client-cert.p12 differ diff --git a/kubernetes/aai/resources/config/rproxy/auth/org.onap.aai.p12 b/kubernetes/aai/resources/config/rproxy/auth/org.onap.aai.p12 new file mode 100644 index 0000000000..023e2eaac6 Binary files /dev/null and b/kubernetes/aai/resources/config/rproxy/auth/org.onap.aai.p12 differ diff --git a/kubernetes/aai/resources/config/rproxy/auth/tomcat_keystore b/kubernetes/aai/resources/config/rproxy/auth/tomcat_keystore new file mode 100644 index 0000000000..99129c145f Binary files /dev/null and b/kubernetes/aai/resources/config/rproxy/auth/tomcat_keystore differ diff --git a/kubernetes/aai/resources/config/rproxy/security/keyfile b/kubernetes/aai/resources/config/rproxy/security/keyfile new file mode 100644 index 0000000000..3416d4a737 --- /dev/null +++ b/kubernetes/aai/resources/config/rproxy/security/keyfile @@ -0,0 +1,27 @@ +2otP92kNFHdexroZxvgYY7ffslFiwCD3CiVYMIfUF2edqZK7972NwkvE_mbaBo6jh8lByLIqrWAf +jyzoiVsvQ_kCa0cS1xaRLpcxv3bx1b7o3hGPBqpd6vmSG4y2JLzNlCBZWuTJz827wr8p_fWrYuUm +4L1WoaEe8W5PRnXjl4hDqbJBAlEoRIBXugUDt_7O5wgx2Rl3HVoOczZtf0RzONZ1F0BmKf3QlAUe +moSbARitYRgIPt5sLbT7qPyoEpGDhQ1XBowR744-wsjBc-14yO62Ajp5xWKTp15uWn3_HHuw1SAf +GWSBRGlSlEVkXQqi9Hw5jDttKVzHX1ckwR0SQOirbtHPHplxPX3WKjKhSdSeMzw6LOAHIQYRMKBT +74oGnULAfPtV7TaGwOKriT3P49CoPdt9On89-LGyCZSxDWKH0K-rgB6I2_hPT2Uzr3jmXiMa-sfh +iMvyQ7ABBVx0OFsUuNb5mcU2O6dWiQreL5RerrloV_X3ZtnNjxENXKjQ5KBR1A5ISPjFFK-kf4Rb +p6FSII8LcsiqgdWuZ4GX_C6x8HX4A-vD0x3Uc9CfoXY-k23cNIy-R-W-oB-P2OgdWDNgZ7VaOLNt +3L-NwWpNblfYvs93cNmkbVAwCZ3r0OP7RFeuON84TRaynK_Fh2S3rypRyJcUmM1pvpZqJ5_-umSW +hUs1OqkdLv3xjlVzzK-3nMr0q3Zcyp4XdyLYtcX5I3Xqk9ZcsyAT7ghmHhV8KjUjue7OcfAWg0m7 +RJLGq6VC8HeK4HEMa4lF677Qh7DRufghIDEmQSIDfGA790WGSA8HqcOvAL4hURCHyCWiPa5i8ksX +xX4HyqF8PCVCLJ_ZhzcuIlc0jStAexWbJU_vcyX7XgUaHCkF-M-zv1FP6Z3DHBMD2QqSWjmyNCCk +8sIuwzs62P_j2o9jG33kssedCrUWOwZancU107-5H0Zw-UWvtCqUfmRZ7TsEbWY7lk_SKfLfAN5q +ncOQgU_VxDXUFDST4LN_WVECRafK3UtwWomxWSji25Lbf6NVni3ok-yLMDZR-wrE-54jLPES9j0i +5N0xrk9CfsvGUpUZ1_XQcgaxI6m27DtCCJXb5ywenPBiUIJCMCTq88CqNZxGpju2i4BJcUH2hUHe +GKhO8pgslwhtEVot9EDwdzSrJkWFCfb6ud4zMxrqdi7-mLWMOydg6lhpEFEX5wu2BLIujGsZlEGE +_K9jGfBypjXuJCKDZIuPfEnf_7idjKis_JcFB7x4Hx2HHDcBjlWWFZN_VIEnPkQSyZEC26RTFP3k +zkY3GwUfA36a4XW2pu3gE9wz-W6fkONfzOZ6YiyCm_dRFUVuGSdJG02Hh5iXYlMOGJltPzWH2jVf +S-QTOmXQTKSOheXoJO6O-9uQbsRf-kq-6w1pvIOp4ms35w4_0Xj0Xr2a9y-L9PdBZvrUsa-jxsZU +LyA-YY4Ej6QwDBDTD2MGjF1E5_ekYgjoNlltM9rJjofruM4ym0n7LPHC7YXXQSEFOZYeTKi6wUDw +hQ1DoWHgu4PQ2lexada8sxQdConbPe2iW16h-PrO5D12E4XbT00fqaMlBmjQwzdNRdCC2NRPIQ5W +nwaO8dZ9yjxsjT7ZVHb9-DRblb3XDocponzxVXqUGtJAie4WXQnerX0ApTWGaHEr5y56JJVS_3LP +bKrbXBXcs4jTUX4ECXRrOs8JQDQNysXhvTPCu0XUxNZpjx6KLxDs93k2OcESHjl5J6n6OKKJqqoN +JEyFO5LGXpnmUJbn0-CaHHPRI1mHwEu4brY8wDZd9A0PD1KGXDoCHMfEk1lGblQdyOcVrXZ6uSBk +Z6zHDnwSCHO1mPYqtelJQehZoFuPSv9PIgKLxs_qJOtZFnXII5YO1mGXgiIBWBjUFDR5HG4ENS6y +J4MCF-JLMp-PVMAkOaCIQRRDpRnMm_fT1sc_P562Diu_pcdt-r55pMFQYGoGfjRmxQBKk0-SsdnP +mlZIiis9DfQEN0q3QQdNRYBJD7tmhUwhAPZdLgXqJA8sZf8UyFQhhpsky79NT343YL9smUlF \ No newline at end of file -- cgit 1.2.3-korg