From 554bc6b6d540810be1fd2c4fa1117719c21527de Mon Sep 17 00:00:00 2001
From: Sylvain Desbureaux
Date: Thu, 25 Feb 2021 18:13:19 +0100
Subject: [VNFSDK] Automatically retrieve certificates

Instead of using hardcoded certificates, let's use certInitializer in order to retrieve them.
Issue-ID: OOM-2696
Signed-off-by: Sylvain Desbureaux
Change-Id: I6ed12dda660647cd0990c34f51e6c05ed533774a
---
 kubernetes/vnfsdk/requirements.yaml | 3 ++
 kubernetes/vnfsdk/resources/nginx/nginx.conf | 63 ++++++++++++++++++++++++++++
 kubernetes/vnfsdk/templates/configmap.yaml | 13 ++++++
 kubernetes/vnfsdk/templates/deployment.yaml | 12 ++++--
 kubernetes/vnfsdk/values.yaml | 33 ++++++++++++++-
 5 files changed, 120 insertions(+), 4 deletions(-)
 create mode 100644 kubernetes/vnfsdk/resources/nginx/nginx.conf
(limited to 'kubernetes/vnfsdk')
diff --git a/kubernetes/vnfsdk/requirements.yaml b/kubernetes/vnfsdk/requirements.yaml
index b6683593fd..3a4aed7e83 100644
--- a/kubernetes/vnfsdk/requirements.yaml
+++ b/kubernetes/vnfsdk/requirements.yaml
@@ -16,6 +16,9 @@ dependencies:
 - name: common
 version: ~7.x-0
 repository: '@local'
+ - name: certInitializer
+ version: ~7.x-0
+ repository: '@local'
 - name: postgres
 version: ~7.x-0
 repository: '@local'
diff --git a/kubernetes/vnfsdk/resources/nginx/nginx.conf b/kubernetes/vnfsdk/resources/nginx/nginx.conf
new file mode 100644
index 0000000000..d26cc5d813
--- /dev/null
+++ b/kubernetes/vnfsdk/resources/nginx/nginx.conf
@@ -0,0 +1,63 @@
+# Copyright 2020 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+daemon off;
+
+#pid /run/nginx.pid;
+
+events {
+ worker_connections 500;
+ # multi_accept on;
+}
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ #Comment or disable the access_log once tested to avoid runtime logs
+# access_log /var/log/nginx/access.log format gzip;
+ access_log off;
+ error_log /var/log/nginx/error.log;
+
+ server {
+ listen *:8703 ssl;
+ server_name
+ ssl on;
+ ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.pem;
+ ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key;
+ ssl_session_cache builtin:1000 shared:SSL:80m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 10m;
+ keepalive_timeout 70;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://localhost:8702;
+ proxy_read_timeout 90;
+ proxy_redirect off;
+ }
+ }
+}
\ No newline at end of file
diff --git a/kubernetes/vnfsdk/templates/configmap.yaml b/kubernetes/vnfsdk/templates/configmap.yaml
index c41c3ef0d6..d06379331f 100644
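Review bot: `server_name` in the new server block has no value and no terminating `;`, so nginx reads the directive as `server_name ssl on;` — the names "ssl" and "on" — and the intended `ssl on;` line vanishes; TLS still comes up only because `listen *:8703 ssl;` already enables it. Write `server_name _;` (or the public FQDN) and drop `ssl on;`, which is redundant with the `listen` flag and deprecated. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` re-enables TLS 1.0 and 1.1, both deprecated; `ssl_protocols TLSv1.2;` (plus TLSv1.3 if the nginx build in the image supports it) is the safer default, and `DH+3DES` should leave `ssl_ciphers` for the same reason. The certificate paths are Go-template expressions that only resolve because configmap.yaml renders this file through `tpl`; a one-line comment at the top of the file saying so would spare the next maintainer a surprise.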
--- a/kubernetes/vnfsdk/templates/configmap.yaml
+++ b/kubernetes/vnfsdk/templates/configmap.yaml
@@ -26,3 +26,16 @@ metadata:
 heritage: {{ .Release.Service }}
 data:
 {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-nginx
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/nginx/*").AsConfig . | indent 2 }}
\ No newline at end of file
diff --git a/kubernetes/vnfsdk/templates/deployment.yaml b/kubernetes/vnfsdk/templates/deployment.yaml
index 7e4ad5bd92..89eba2f360 100644
--- a/kubernetes/vnfsdk/templates/deployment.yaml
+++ b/kubernetes/vnfsdk/templates/deployment.yaml
@@ -35,7 +35,7 @@ spec:
 release: {{ include "common.release" . }}
 name: {{ include "common.name" . }}
 spec:
- initContainers:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
 - command:
 - sh
 args:
@@ -75,10 +75,13 @@ spec:
 name: {{ include "common.name" . }}
 resources:
 {{ include "common.resources" . | indent 12 }}
- volumeMounts:
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
 - mountPath: /service/webapps/ROOT/WEB-INF/classes/mybatis/configuration/configuration.xml
 name: init-data
 subPath: configuration.xml
+ - mountPath: /etc/nginx/nginx.conf
+ name: nginx
+ subPath: nginx.conf
 readinessProbe:
 tcpSocket:
 port: {{ .Values.service.internalPort }}
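Review bot: The new `/etc/nginx/nginx.conf` mount uses `subPath`, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so an edit to `resources/nginx/nginx.conf` will not reach a running pod until it is restarted; unlike `configuration.xml`, which the init container copies into `init-data`, nothing in this hunk forces that. Either add a checksum annotation to the pod template so the Deployment rolls when the ConfigMap changes, e.g. `checksum/nginx-config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}`, or put a comment next to the mount stating that a config change requires a pod restart. The container spec this mount belongs to starts outside the hunk.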
@@ -86,10 +89,13 @@ spec:
 periodSeconds: {{ .Values.readiness.periodSeconds }}
 imagePullSecrets:
 - name: "{{ include "common.namespace" . }}-docker-registry-key"
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
 - name: init-data-input
 configMap:
 name: {{ include "common.fullname" . }}
+ - name: nginx
+ configMap:
+ name: {{ include "common.fullname" . }}-nginx
 - name: init-data
 emptyDir:
 medium: Memory
diff --git a/kubernetes/vnfsdk/values.yaml b/kubernetes/vnfsdk/values.yaml
index 28a2ac419e..0fbee4c07f 100644
--- a/kubernetes/vnfsdk/values.yaml
+++ b/kubernetes/vnfsdk/values.yaml
@@ -33,6 +33,37 @@ secrets:
 password: '{{ .Values.postgres.config.pgUserPassword }}'
 passwordPolicy: generate
+#################################################################
+# AAF part
+#################################################################
+certInitializer:
+ nameOverride: refrepo-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: refrepo
+ fqi: refrepo@refrepo.onap.org
+ fqi_namespace: org.onap.refrepo
+ public_fqdn: refrepo.onap.org
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ aaf_add_config: |
+ echo "*** transform AAF certs into pem files"
+ mkdir -p {{ .Values.credsPath }}/certs
+ echo "keystore password: $$cadi_keystore_password_p12"
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** copy key"
+ cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
+ {{ .Values.credsPath }}/certs/cert.key
+ echo "*** change ownership of certificates to targeted user"
+ chown -R 999 {{ .Values.credsPath }}/certs
+
+
 #################################################################
 # Application configuration defaults.
 #################################################################
@@ -102,7 +133,7 @@ readiness:
 service:
 type: NodePort
 name: refrepo
- portName: refrepo
+ portName: https
 nodePort: 97
 internalPort: 8703
-- cgit 1.2.3-korg
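Review bot: `echo "keystore password: $$cadi_keystore_password_p12"` in `aaf_add_config` either prints the shell PID followed by a literal (as written, since `$$` is the PID, unless something downstream rewrites it) or, if `$` was meant as on the `-passin` line below, writes the keystore password into the container log; neither outcome is useful, so the line should go. `aafDeployPass: demo123456!` is a committed default credential with `aafDeployCredsExternalSecret` left commented out; the comment should state that the default is for demo deployments and that a real deployment must set the external secret instead. `cp` of the `.key` file keeps the source file's mode, so an explicit `chmod 600 {{ .Values.credsPath }}/certs/cert.key` before the `chown -R 999` would pin the private key's permissions (the hard-coded 999 presumably matches the nginx user in the image — worth a comment, as I cannot confirm it from the chart).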