From 27fd7d8750ceeb798052eb8af36264c79b6536fb Mon Sep 17 00:00:00 2001
From: osk11461
Date: Fri, 18 Jun 2021 00:51:17 +0200
Subject: [AAI] Service Mesh compatibility

This patch makes AAI to work on service mesh by removing https calls from everywhere. It allows also to use AAI on an environment without need of TLS.

Issue-ID: OOM-2670
Signed-off-by: Ondrej Frindrich
Change-Id: I19adabc7b33c1ada243ec16f77dbf8fde19b1386
---
 .../config/haproxy/haproxy-pluggable-security.cfg | 2 +-
 .../aai/resources/config/haproxy/haproxy.cfg | 47 ++++++++++++++++++++--
 2 files changed, 44 insertions(+), 5 deletions(-)
(limited to 'kubernetes/aai/resources')

diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
index e605e1886f..9fa6d2ee9b 100644
--- a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg
@@ -106,7 +106,7 @@ frontend IST_8443
 #######################
-#DEFAULT BACKEND 847###
+#DEFAULT BACKEND 8447##
 #######################
 backend IST_Default_8447
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy.cfg b/kubernetes/aai/resources/config/haproxy/haproxy.cfg
index c8f3670349..1db4addb5a 100644
--- a/kubernetes/aai/resources/config/haproxy/haproxy.cfg
+++ b/kubernetes/aai/resources/config/haproxy/haproxy.cfg
@@ -35,7 +35,9 @@ defaults
 log global
 mode http
 option httplog
+{{- if ( include "common.needTLS" .) }}
 option ssl-hello-chk
+{{- end }}
 option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ QUFJOkFBSQ==
 default-server init-addr none
 # option dontlognull
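Review bot: The new `{{- if }}` guard around `option ssl-hello-chk` most likely guards a line that has no effect, because `option httpchk` on the following line selects a competing check type and, as far as I recall HAProxy's parser, the check-type option declared last wins; worth confirming against the HAProxy version in the image, and if so the line and its guard can simply be dropped. Separately, that `option httpchk` line carries a static `Authorization: Basic` credential, and once the non-TLS branch added in the backend hunks below is active it travels in cleartext between HAProxy and the AAI pods, so the assumption that the mesh sidecars provide transport protection should be stated next to it, e.g. `# non-TLS branch: health-check credential is sent in cleartext; relies on mesh mTLS between sidecars`. The `defaults` section starts outside the hunk.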
@@ -58,6 +60,37 @@ defaults
 timeout http-keep-alive 30000
+frontend IST_8080
+ mode http
+ bind 0.0.0.0:8080
+ log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+ option httplog
+ log global
+ option logasap
+ option forwardfor
+ capture request header Host len 100
+ capture response header Host len 100
+ option log-separate-errors
+ option forwardfor
+ http-request set-header X-Forwarded-Proto http
+ reqadd X-Forwarded-Proto:\ http
+ reqadd X-Forwarded-Port:\ 8080
+
+#######################
+#ACLS FOR PORT 8446####
+#######################
+
+ acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
+ acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
+ acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
+ acl is_dsl path_reg -i ^/aai/v[0-9]+/dsl$
+ acl is_named-query path_beg -i /aai/search/named-query
+ acl is_search-model path_beg -i /aai/search/model
+ use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model or is_dsl
+
+ default_backend IST_Default_8447
+
+{{- if ( include "common.needTLS" .) }}
 frontend IST_8443
 mode http
 bind 0.0.0.0:8443 name https ssl crt /opt/app/osaaf/local/certs/fullchain.pem
@@ -88,6 +121,7 @@ frontend IST_8443
 http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)]
 reqadd X-Forwarded-Proto:\ https
 reqadd X-Forwarded-Port:\ 8443
+{{- end }}
 #######################
 #ACLS FOR PORT 8446####
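Review bot: The new plaintext `frontend IST_8080` is emitted unconditionally while only `frontend IST_8443` is wrapped in the `common.needTLS` guard, so a deployment that requires TLS now also accepts cleartext on 8080 and routes it to the same backends; if that is not intended, wrap the 8080 frontend in `{{- if not ( include "common.needTLS" .) }} … {{- end }}` (assuming `common.needTLS` renders empty when TLS is off) or record in a comment that the chart's Service only exposes 8080 in the non-TLS case. Unlike the 8443 frontend, which overwrites the `X-AAI-SSL-Client-*` headers from the client certificate, this listener passes any such headers through from the client unchanged; if any backend consumes them for identity, an `http-request del-header X-AAI-SSL-Client-O` (and its siblings) on this listener would keep the two entry points consistent. As a matter of style, `option forwardfor` appears twice in the block, and `http-request set-header X-Forwarded-Proto http` followed by `reqadd X-Forwarded-Proto:\ http` sets the same header twice; one of each is enough.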
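Review bot: The added `{{- end }}` closes the `common.needTLS` block after `reqadd X-Forwarded-Port:\ 8443`, but the `frontend IST_8443` section continues past it: the "ACLS FOR PORT 8446" block and the `default_backend IST_Default_8447` line at the top of the next hunk (whose header still reads `frontend IST_8443`) stay outside the guard. When `needTLS` is false those acl/use_backend/default_backend lines are no longer preceded by their frontend keyword and attach to the previous section, which is the new `frontend IST_8080` where the same acl names are already declared; HAProxy will probably accept that (same-named ACLs are merged), but it is fragile and obscures the intent. Moving the `{{- end }}` to directly after the `default_backend IST_Default_8447` line in the next hunk keeps the whole 8443 frontend inside the conditional. The enclosing frontend starts in the previous hunk.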
@@ -103,17 +137,19 @@ frontend IST_8443
 default_backend IST_Default_8447
-
 #######################
-#DEFAULT BACKEND 847###
+#DEFAULT BACKEND 8447##
 #######################
 backend IST_Default_8447
 balance roundrobin
 http-request set-header X-Forwarded-Port %[src_port]
 http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+{{- if ( include "common.needTLS" .) }}
 server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none
-
+{{- else }}
+ server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check port 8447
+{{- end }}
 #######################
 # BACKEND 8446#########
@@ -123,5 +159,8 @@ backend IST_AAI_8446
 balance roundrobin
 http-request set-header X-Forwarded-Port %[src_port]
 http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+{{- if ( include "common.needTLS" .) }}
 server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none
-
+{{- else }}
+ server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check port 8446
+{{- end }}
-- cgit 1.2.3-korg
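Review bot: The `http-response set-header Strict-Transport-Security ...` line just above the new `{{- if }}` is still emitted in both branches, so with `needTLS` false the backend injects an HSTS header into responses that the plaintext 8080 frontend delivers over HTTP; user agents ignore HSTS received over HTTP, so the header is at best misleading there and belongs inside the same `common.needTLS` guard. The same applies to the `backend IST_AAI_8446` hunk below. The retained TLS branch keeps `ssl verify none` on the server line, so even when TLS is required the backend certificate is not verified; the commit does not change that, but now that a non-TLS branch sits next to it the trade-off should be visible, e.g. `# TLS branch: backend certificate is not verified (verify none)` above the `{{- if }}`.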