From c80bff934c950c2ad75fe06b0abcc91502f57fdf Mon Sep 17 00:00:00 2001
From: IlanaP <ilanap@amdocs.com>
Date: Mon, 18 Nov 2019 21:10:08 +0200
Subject: Secure FE communications to the workflow backend

Update of the workflow fe and be charts to secure the communications and to start the backend server is https mode with a secured connection to SDC

Issue-ID: OOM-1954

Signed-off-by: IlanaP <ilanap@amdocs.com>
Change-Id: Ia3c4c714e317b8f8b6b4ee9245daa50eea50275f
Signed-off-by: IlanaP <ilanap@amdocs.com>
---
 kubernetes/sdc/charts/sdc-wfd-fe/templates/_helper.tpl |  1 +
 .../sdc/charts/sdc-wfd-fe/templates/deployment.yaml    | 15 +++++++++------
 .../sdc/charts/sdc-wfd-fe/templates/service.yaml       | 18 ++++++------------
 kubernetes/sdc/charts/sdc-wfd-fe/values.yaml           | 15 ++++++---------
 4 files changed, 22 insertions(+), 27 deletions(-)
 create mode 100644 kubernetes/sdc/charts/sdc-wfd-fe/templates/_helper.tpl

(limited to 'kubernetes/sdc/charts/sdc-wfd-fe')

diff --git a/kubernetes/sdc/charts/sdc-wfd-fe/templates/_helper.tpl b/kubernetes/sdc/charts/sdc-wfd-fe/templates/_helper.tpl
new file mode 100644
index 0000000000..546bab7ddf
--- /dev/null
+++ b/kubernetes/sdc/charts/sdc-wfd-fe/templates/_helper.tpl
@@ -0,0 +1 @@
+{{- define "wfd-fe.internalPort" }}{{ if .Values.config.isHttpsEnabled }}{{ .Values.service.internalPort2 }}{{ else }}{{ .Values.service.internalPort }}{{ end }}{{- end }}
diff --git a/kubernetes/sdc/charts/sdc-wfd-fe/templates/deployment.yaml b/kubernetes/sdc/charts/sdc-wfd-fe/templates/deployment.yaml
index 1daee714b6..08ecaa6daa 100644
--- a/kubernetes/sdc/charts/sdc-wfd-fe/templates/deployment.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-fe/templates/deployment.yaml
@@ -50,18 +50,17 @@ spec:
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           ports:
-          - containerPort: {{ .Values.service.internalPort }}
-          - containerPort: {{ .Values.service.internalPort2 }}
+          - containerPort: {{ template "wfd-fe.internalPort" . }}
           {{ if .Values.liveness.enabled }}
           livenessProbe:
             tcpSocket:
-              port: {{ .Values.service.internalPort }}
+              port: {{ template "wfd-fe.internalPort" . }}
             initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
             periodSeconds: {{ .Values.liveness.periodSeconds }}
           {{ end }}
           readinessProbe:
             tcpSocket:
-              port: {{ .Values.service.internalPort }}
+              port: {{ template "wfd-fe.internalPort" . }}
             initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
             periodSeconds: {{ .Values.readiness.periodSeconds }}
           env:
@@ -75,13 +74,17 @@ spec:
             value: "{{ .Values.config.isHttpsEnabled}}"
             {{ if and .Values.config.isHttpsEnabled (eq .Values.security.isDefaultStore false) }}
           - name: KEYSTORE_PASS
-            value: "{{ .Values.security.keystorePass}}"
+            valueFrom:
+              secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: keystore_password}
           - name: TRUSTSTORE_PASS
-            value: "{{ .Values.security.truststorePass}}"
+            valueFrom:
+              secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: truststore_password}
           - name: TRUSTSTORE_PATH
             value: "{{ .Values.security.storePath }}/{{ .Values.security.truststoreFilename }}"
           - name: KEYSTORE_PATH
             value: "{{ .Values.security.storePath }}/{{ .Values.security.keystoreFilename }}"
+          - name: TRUST_ALL
+            value: "{{ .Values.config.isTrustAll}}"
             {{ end }}
           volumeMounts:
           - name: {{ include "common.fullname" . }}-localtime
diff --git a/kubernetes/sdc/charts/sdc-wfd-fe/templates/service.yaml b/kubernetes/sdc/charts/sdc-wfd-fe/templates/service.yaml
index 87ca3607d7..d8a105513a 100644
--- a/kubernetes/sdc/charts/sdc-wfd-fe/templates/service.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-fe/templates/service.yaml
@@ -29,7 +29,7 @@ metadata:
           "version": "v1",
           "url": "/",
           "protocol": "UI",
-          "port": "{{ .Values.service.internalPort }}",
+          "port": "{{ .Values.service.internalPort2 }}",
           "visualRange":"0|1"
       }
       ]'
@@ -37,19 +37,13 @@ spec:
   type: {{ .Values.service.type }}
   ports:
     {{if eq .Values.service.type "NodePort" -}}
-    - port: {{ .Values.service.internalPort }}
+    - port: {{ template "wfd-fe.internalPort" . }}
       nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
-      name: {{ .Values.service.portName | default "http" }}
-    - port: {{ .Values.service.internalPort2 }}
-      nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort2 }}
-      name: {{ .Values.service.portName2 | default "https" }}
+      name: {{ .Values.service.portName  }}
     {{- else -}}
-    - port: {{ .Values.service.externalPort }}
-      targetPort: {{ .Values.service.internalPort }}
-      name: {{ .Values.service.portName | default "http" }}
-    - port: {{ .Values.service.externalPort2 }}
-      targetPort: {{ .Values.service.internalPort2 }}
-      name: {{ .Values.service.portName2 | default "https" }}
+    - port:  {{ if .Values.config.isHttpsEnabled }}{{ .Values.service.externalPort2 }}{{ else }}{{ .Values.service.externalPort }}{{ end }}
+      targetPort: {{ template "wfd-fe.internalPort" . }}
+      name: {{ .Values.service.portName }}
     {{- end}}
   selector:
     app: {{ include "common.name" . }}
diff --git a/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml b/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml
index 21c7c17d66..6b7e026c18 100644
--- a/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml
+++ b/kubernetes/sdc/charts/sdc-wfd-fe/values.yaml
@@ -28,7 +28,7 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/workflow-frontend:1.5.2
+image: onap/workflow-frontend:1.6.0
 pullPolicy: Always
 
 # flag to enable debugging - application support required
@@ -36,16 +36,15 @@ debugEnabled: false
 
 config:
   javaOptions: "-Xmx256m -Xms256m"
-  backendServerURL: "http://sdc-wfd-be:8080"
+  backendServerURL: "https://sdc-wfd-be:8443"
   isHttpsEnabled: true
-
+  # following flag decides whether to check the certificate on the outgoing proxy request or whether to trust all parties
+  isTrustAll: true
 # https relevant settings. Change in case you have other trust files then default ones.
 security:
   isDefaultStore: false
   truststoreFilename: "org.onap.sdc.trust.jks"
   keystoreFilename: "org.onap.sdc.p12"
-  keystorePass: "!ppJ.JvWn0hGh)oVF]([Kv)^"
-  truststorePass: "].][xgtze]hBhz*wy]}m#lf*"
   storePath: "etc"
 
 # default number of instances
@@ -71,12 +70,10 @@ service:
   type: NodePort
   internalPort: 8080
   externalPort: 8080
-  portName: sdc-wfd-fe
-  nodePort: "56"
-  portName2: sdc-wfd-fe2
   internalPort2: 8443
   externalPort2: 8443
-  nodePort2: "31"
+  portName: sdc-wfd-fe
+  nodePort: "56" # only one node port. set to http or https port depending on isHttpsEnabled property
 
 ingress:
   enabled: false
-- 
cgit 1.2.3-korg