From c80bff934c950c2ad75fe06b0abcc91502f57fdf Mon Sep 17 00:00:00 2001
From: IlanaP
Date: Mon, 18 Nov 2019 21:10:08 +0200
Subject: Secure FE communications to the workflow backend
Update of the workflow fe and be charts to secure the communications and to start the backend server is https mode with a secured connection to SDC
Issue-ID: OOM-1954
Signed-off-by: IlanaP
Change-Id: Ia3c4c714e317b8f8b6b4ee9245daa50eea50275f
Signed-off-by: IlanaP
---
.../sdc/charts/sdc-wfd-be/templates/_helper.tpl | 30 +---------------------
.../charts/sdc-wfd-be/templates/deployment.yaml | 27 +++++++++++--------
.../sdc/charts/sdc-wfd-be/templates/service.yaml | 10 ++++----
kubernetes/sdc/charts/sdc-wfd-be/values.yaml | 28 ++++++++++----------
4 files changed, 37 insertions(+), 58 deletions(-)
(limited to 'kubernetes/sdc/charts/sdc-wfd-be')
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl b/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl
index c69fb7c81c..298a2cd673 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl
+++ b/kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl
@@ -1,29 +1 @@
-{{- define "sdc-wfd-be.volumes" }}
- {{ if .Values.config.cassandraSSLEnabled }}
- - name: {{ include "common.fullname" . }}-cassandra-client-truststore
- hostPath:
- path: /etc/cassandra-client-truststore/truststore
- type: File
- {{- end }}
- {{ if .Values.config.serverSSLEnabled }}
- - name: {{ include "common.fullname" . }}-server-https-keystore
- hostPath:
- path: /config/server-https-keystore/keystore
- type: File
- {{- end }}
-{{- end }}
-
-{{- define "sdc-wfd-be.volumeMounts" }}
- {{ if .Values.config.cassandraSSLEnabled }}
- - name: {{ include "common.fullname" . }}-cassandra-client-truststore
- mountPath: /etc/cassandra-client-truststore/truststore
- subPath: truststore
- readOnly: true
- {{- end }}
- {{ if .Values.config.serverSSLEnabled }}
- - name: {{ include "common.fullname" . }}-server-https-keystore
- mountPath: /etc/server-https-keystore/keystore
- subPath: keystore
- readOnly: true
- {{- end }}
-{{- end }}
\ No newline at end of file
+{{- define "wfd-be.internalPort" }}{{ if .Values.config.serverSSLEnabled }}{{ .Values.service.internalPort2 }}{{ else }}{{ .Values.service.internalPort }}{{ end }}{{- end }}
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml
index 31ab7d5eaf..00a986f4d2 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml
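Review bot: The new named template is called `wfd-be.internalPort`, dropping the chart-name prefix the removed templates used (`sdc-wfd-be.volumes`, `sdc-wfd-be.volumeMounts`); Helm named templates share one namespace across a release, so any other chart in the same release that defines a template with this name would silently replace it, with the last definition loaded winning. Keeping the prefix, `{{- define "sdc-wfd-be.internalPort" }}`, and updating the three `{{ template "wfd-be.internalPort" . }}` call sites avoids that. The helper also encodes an unstated convention — `internalPort2` is the https listener — so a leading `{{/* Backend listen port: internalPort2 (https) when .Values.config.serverSSLEnabled is true, otherwise internalPort (http) */}}` would help readers of deployment.yaml and service.yaml, which only see the call.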
@@ -53,20 +53,19 @@ spec:
 image: "{{ include "common.repository" . }}/{{ .Values.image }}"
 imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
 ports:
- - containerPort: {{ .Values.service.internalPort }}
- - containerPort: {{ .Values.service.internalPort2 }}
+ - containerPort: {{ template "wfd-be.internalPort" . }}
 # disable liveness probe when breakpoints set in debugger
 # so K8s doesn't restart unresponsive container
 {{ if .Values.liveness.enabled }}
 livenessProbe:
 tcpSocket:
- port: {{ .Values.service.internalPort2 }}
+ port: {{ template "wfd-be.internalPort" . }}
 initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
 periodSeconds: {{ .Values.liveness.periodSeconds }}
 {{ end }}
 readinessProbe:
 tcpSocket:
- port: {{ .Values.service.internalPort2 }}
+ port: {{ template "wfd-be.internalPort" . }}
 initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
 periodSeconds: {{ .Values.readiness.periodSeconds }}
 env:
@@ -89,7 +88,8 @@ spec:
 - name: CS_TRUST_STORE_PATH
 value: "{{ .Values.config.cassandraTrustStorePath }}"
 - name: CS_TRUST_STORE_PASSWORD
- value: "{{ .Values.config.cassandraTrustStorePassword }}"
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: cs_truststore_password}
 - name: SDC_PROTOCOL
 value: "{{ .Values.config.sdcProtocol }}"
 - name: SDC_ENDPOINT
@@ -97,7 +97,8 @@ spec:
 - name: SDC_USER
 value: "{{ .Values.config.sdcExternalUser }}"
 - name: SDC_PASSWORD
- value: "{{ .Values.config.sdcExternalUserPassword }}"
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: wf_external_user_password}
 - name: SERVER_SSL_ENABLED
 value: "{{ .Values.config.serverSSLEnabled }}"
 - name: SERVER_SSL_KEYSTORE_TYPE
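Review bot: The Secret name `{{ .Release.Name }}-sdc-cs-secrets` is spelled out inline in the new `secretKeyRef` for CS_TRUST_STORE_PASSWORD here, again for SDC_PASSWORD in the `@@ -97,7 +97,8 @@` hunk, and twice more for SERVER_SSL_KEY_PASSWORD and SERVER_SSL_TRUST_PASSWORD in the `@@ -105,10 +106,14 @@` hunk; it names a Secret this chart does not appear to create, so a rename on the owning side breaks four places at once. A one-line helper next to the port one, `{{- define "sdc-wfd-be.secretName" }}{{ .Release.Name }}-sdc-cs-secrets{{- end }}`, used as `name: {{ template "sdc-wfd-be.secretName" . }}` in each reference, keeps that dependency in one place. Moving the passwords out of values.yaml is the right direction; a comment such as `# credentials come from the <release>-sdc-cs-secrets Secret, presumably created by the sdc-cs chart` on the first reference would tell operators where the keys must exist, since a container referencing a missing Secret key never starts.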
@@ -105,10 +106,14 @@ spec:
 - name: SERVER_SSL_KEYSTORE_PATH
 value: "{{ .Values.config.serverSSLKeyStorePath }}"
 - name: SERVER_SSL_KEY_PASSWORD
- value: "{{ .Values.config.serverSSLKeyPassword }}"
- volumeMounts:
- {{- template "sdc-wfd-be.volumeMounts" . }}
- volumes:
- {{- template "sdc-wfd-be.volumes" . }}
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: keystore_password}
+ - name: SERVER_SSL_TRUSTSTORE_TYPE
+ value: "{{ .Values.config.serverSSLTrustStoreType }}"
+ - name: SERVER_SSL_TRUSTSTORE_PATH
+ value: "{{ .Values.config.serverSSLTrustStorePath }}"
+ - name: SERVER_SSL_TRUST_PASSWORD
+ valueFrom:
+ secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: truststore_password}
 imagePullSecrets:
 - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml b/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml
index 14a937fe00..fee95ba42e 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml
@@ -28,13 +28,13 @@ spec:
 type: {{ .Values.service.type }}
 ports:
 {{if eq .Values.service.type "NodePort" -}}
- - port: {{ .Values.service.internalPort }}
+ - port: {{ template "wfd-be.internalPort" . }}
 nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
- name: {{ .Values.service.portName | default "http" }}
+ name: {{ .Values.service.portName }}
 {{- else -}}
- - port: {{ .Values.service.externalPort }}
- targetPort: {{ .Values.service.internalPort }}
- name: {{ .Values.service.portName | default "http" }}
+ - port: {{ if .Values.config.serverSslEnabled }}{{ .Values.service.externalPort2 }}{{ else }}{{ .Values.service.externalPort }}{{ end }}
+ targetPort: {{ template "wfd-be.internalPort" . }}
+ name: {{ .Values.service.portName }}
 {{- end}}
 selector:
 app: {{ include "common.name" . }}
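Review bot: With the `volumeMounts:` and `volumes:` stanzas removed, nothing left in this template places a file at the paths the SERVER_SSL_KEYSTORE_PATH and new SERVER_SSL_TRUSTSTORE_PATH variables point to (`/etc/keystore` and `/etc/truststore` in the values.yaml hunk), while `serverSSLEnabled` now defaults to true; presumably the 1.6.0 image or the init job provides these files — confirm, because a missing keystore would keep the tcpSocket probes from the first hunk from ever succeeding. The container spec this hunk edits starts and ends outside it. A comment on the new TRUSTSTORE entries recording where the files come from, e.g. `# keystore/truststore are expected inside the image; the chart no longer mounts them`, would save the next reader the search.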
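Review bot: The new ClusterIP branch tests `.Values.config.serverSslEnabled`, but the key defined in values.yaml and used by the `wfd-be.internalPort` helper is `serverSSLEnabled`; Helm value lookups are case-sensitive, so unless rendered with strict values the condition is always false, `port:` is always `externalPort` (8080) while `targetPort:` resolves to `internalPort2` (8443) when TLS is on — the Service advertises the http port number but forwards to the https listener. Change the line to `- port: {{ if .Values.config.serverSSLEnabled }}{{ .Values.service.externalPort2 }}{{ else }}{{ .Values.service.externalPort }}{{ end }}`. Since the select-by-TLS logic already lives in the helper, a sibling `wfd-be.externalPort` define would prevent this kind of drift between the two templates.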
diff --git a/kubernetes/sdc/charts/sdc-wfd-be/values.yaml b/kubernetes/sdc/charts/sdc-wfd-be/values.yaml
index 92903ba96a..68f487674d 100644
--- a/kubernetes/sdc/charts/sdc-wfd-be/values.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-be/values.yaml
@@ -28,13 +28,10 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/workflow-backend:1.5.2
-configInitImage: onap/workflow-init:1.5.2
+image: onap/workflow-backend:1.6.0
+configInitImage: onap/workflow-init:1.6.0
 pullPolicy: Always
-# flag to enable debugging - application support required
-debugEnabled: false
-
 initJob:
 enabled: true
@@ -43,17 +40,21 @@ config:
 cassandraAuthenticationEnabled: true
 cassandraThriftClientPort: 9160
 cassandraClientPort: 9042
+ sdcProtocol: HTTPS
 sdcEndpoint: sdc-be:8443
 sdcExternalUser: workflow
- sdcExternalUserPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
- serverSSLEnabled: false
+
+ serverSSLEnabled: true
+
 serverSSLKeyStoreType: jks
- serverSSLKeyStorePath: etc/org.onap.sdc.p12
- serverSSLKeyPassword: "!ppJ.JvWn0hGh)oVF]([Kv)^"
+ serverSSLKeyStorePath: /etc/keystore
+
+ serverSSLTrustStoreType: jks
+ serverSSLTrustStorePath: /etc/truststore
+
 cassandraSSLEnabled: false
- cassandraTrustStorePath: /etc/cassandra-client-truststore/truststore
- cassandraTrustStorePassword: password
+ cassandraTrustStorePath: /etc/truststore
 # default number of instances
 replicaCount: 1
@@ -76,12 +77,13 @@ readiness:
 service:
 type: NodePort
+ portName: sdc-wfd-be
 internalPort: 8080
 externalPort: 8080
 internalPort2: 8443
 externalPort2: 8443
- portName: sdc-wfd-be
- nodePort: "57"
+ nodePort: "57" # only one node port. set to http or https port depending on isHttpsEnabled property
+
 ingress:
 enabled: false
-- cgit 1.2.3-korg
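Review bot: `cassandraTrustStorePath` and the new `serverSSLTrustStorePath` now both point at `/etc/truststore`, yet deployment.yaml reads their passwords from two different Secret keys (`cs_truststore_password` for CS_TRUST_STORE_PASSWORD, `truststore_password` for SERVER_SSL_TRUST_PASSWORD). If this is one file, the two keys must carry the same password and that coupling is invisible here; if two files are intended, one of the paths is wrong. A comment on the value, e.g. `# same store as serverSSLTrustStorePath; its password is read from a separate Secret key`, would record which it is. Removing the plaintext passwords from values.yaml is the right move; note that `cassandraSSLEnabled` is left at `false`, so the Cassandra link itself stays unencrypted by default — presumably tracked separately.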
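Review bot: The comment added to `nodePort` refers to an `isHttpsEnabled` property that does not exist in this file; the switch service.yaml actually consults (through the `wfd-be.internalPort` helper) is `config.serverSSLEnabled`, so an operator following the comment would look for the wrong key. Suggest `nodePort: "57" # single node port; maps to internalPort2 (https) when config.serverSSLEnabled is true, else internalPort (http)`. Keeping `nodePort` quoted is correct, since it is concatenated with the prefix rather than used as a number.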