From 10e3a8bcd4627db15e96e1737dcc72665a034717 Mon Sep 17 00:00:00 2001 From: osgn422w Date: Thu, 23 May 2019 14:19:39 +0200 Subject: kibana https only remove http access and allow only https for kibana UI Issue-ID: OJSI-147 Change-Id: I6026044c919abd51b8b6bd3b65f9552555c98e4c Signed-off-by: osgn422w --- .../resources/certs/org.onap.clamp.crt.pem | 30 ++++++++++++++++++++ .../resources/certs/org.onap.clamp.key.pem | 32 ++++++++++++++++++++++ .../clamp-dash-kibana/resources/config/kibana.yml | 6 ++-- .../clamp-dash-kibana/templates/configmap.yaml | 9 ++++++ .../clamp-dash-kibana/templates/deployment.yaml | 5 ++++ .../clamp/charts/clamp-dash-kibana/values.yaml | 3 ++ 6 files changed, 82 insertions(+), 3 deletions(-) create mode 100644 kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.crt.pem create mode 100644 kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.key.pem (limited to 'kubernetes') diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.crt.pem b/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.crt.pem new file mode 100644 index 0000000000..ce630d4354 --- /dev/null +++ b/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.crt.pem @@ -0,0 +1,30 @@ +Bag Attributes + friendlyName: clamp@clamp.onap.org + localKeyID: 54 69 6D 65 20 31 35 35 33 37 38 37 35 31 38 33 30 33 +subject=/CN=clamp/emailAddress=/OU=clamp@clamp.onap.org/OU=OSAAF/O=ONAP/C=US +issuer=/C=US/O=ONAP/OU=OSAAF/CN=intermediateCA_9 +-----BEGIN CERTIFICATE----- +MIIEKDCCAxCgAwIBAgIIWY+5kgf/UG4wDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE +BhMCVVMxDTALBgNVBAoMBE9OQVAxDjAMBgNVBAsMBU9TQUFGMRkwFwYDVQQDDBBp +bnRlcm1lZGlhdGVDQV85MB4XDTE5MDMyMTE2MTY1OFoXDTIwMDMyMTE2MTY1OFow +bDEOMAwGA1UEAwwFY2xhbXAxDzANBgkqhkiG9w0BCQEWADEdMBsGA1UECwwUY2xh +bXBAY2xhbXAub25hcC5vcmcxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQ +MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALic +uDccBjOAlOsL1Z1nKnDPRTNxBwIVfARRQDxK3C0zDHQ5qEmIQlF0Vjp+bJ2rgzMW +BnodC38zt1jSXymEsekZNV2sUyBbzJl6vxvA1xJKI9VHLyPSzyUEd1H4qh8b7IDX +3GDqUJgNfvzJ94DaNnnYWFVZq/IYdLjCFaXDxPUQZtlmpdkIWBzvMeNRe4bWajau +immkmSi5/2BYQfZXHXpiKiyBnN+1FbU3consmjNwS1L+PjD+k3JLsc5ANZYZMOTp +Szhu3xmDiB3UV4gPQWacQQZEo/5exywY3Ax3TowGwIA660eSkW1L5RPdyvzEgp7A +vu4+rbhfeR5bXjy2iAUCAwEAAaOB8jCB7zAJBgNVHRMEAjAAMA4GA1UdDwEB/wQE +AwIF4DAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwVAYDVR0jBE0w +S4AUgfeZWxC5yIze81Je6k5poEM+rN2hMKQuMCwxDjAMBgNVBAsMBU9TQUFGMQ0w +CwYDVQQKDARPTkFQMQswCQYDVQQGEwJVU4IBBzAdBgNVHQ4EFgQU+GZ6wmWDPrmq +Wd1/NtMYiCQ8Dg4wOwYDVR0RBDQwMoIFY2xhbXCCHWNsYW1wLmFwaS5zaW1wbGVk +ZW1vLm9uYXAub3JnggpjbGFtcC5vbmFwMA0GCSqGSIb3DQEBCwUAA4IBAQCFZdhB +U6xm6l0vj4q89onLx4opTPvwGNRc0n402lifkPYXseFtphZSHIf2Sg0mFTH4KHb4 +FdMyBzq1+f5WLU+xRC1nT4eGJ0FvRR6204/fGVrzJTS67phnRnxr2WZzLPW0wPJe +K8SzN6tkUgE7/a/s0T/htE/blDxWh75+tA2jQlgj1Ri0y9A1J8wx++REKjGlHjFN +53aiipsB+wC/oEMzYL4qEPiYPI0Lr3Lsay1F7f6cvDT4+EYzBLMFuwCvpcnHgSMS +4fFj2ROmUG2+CC23B88Q0WNxjLPq/CrmHZZBsqwruPJ0cSuCQxfshTQ6uZhcjtu8 +6TRYkIcL0x9r/AHP +-----END CERTIFICATE----- diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.key.pem b/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.key.pem new file mode 100644 index 0000000000..fcf68bfa23 --- /dev/null +++ b/kubernetes/clamp/charts/clamp-dash-kibana/resources/certs/org.onap.clamp.key.pem @@ -0,0 +1,32 @@ +Bag Attributes + friendlyName: clamp@clamp.onap.org + localKeyID: 54 69 6D 65 20 31 35 35 33 37 38 37 35 31 38 33 30 33 +Key Attributes: +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4nLg3HAYzgJTr +C9WdZypwz0UzcQcCFXwEUUA8StwtMwx0OahJiEJRdFY6fmydq4MzFgZ6HQt/M7dY +0l8phLHpGTVdrFMgW8yZer8bwNcSSiPVRy8j0s8lBHdR+KofG+yA19xg6lCYDX78 +yfeA2jZ52FhVWavyGHS4whWlw8T1EGbZZqXZCFgc7zHjUXuG1mo2ropppJkouf9g +WEH2Vx16YiosgZzftRW1N3KJ7JozcEtS/j4w/pNyS7HOQDWWGTDk6Us4bt8Zg4gd +1FeID0FmnEEGRKP+XscsGNwMd06MBsCAOutHkpFtS+UT3cr8xIKewL7uPq24X3ke +W148togFAgMBAAECggEATncV+R5pKFS7dteV2IvzxvTh1cZxkxoslu0t3zJ2OKPc +5D1pYK+QeGx5Be2cHru6TOlMoXRc4ZjKke8AUXY74/Y573GB91vtL0KznYkuIHDw +oALcb153eqVWTbniHMzSjcSxv2N4E9iQo8L39oVI6CrjCIvPgFuSqMCdUNJPkVTI +4nsarTfLK4fzi7IbWzi9JdE1QRNIxcCMcYJRnLZMdneMLBleR0UL82Xc2KOy5SEt +zyKYCQ8zS247FKolnOrDkhKxXI5fzdDpRK5AQSsAykUPWlYq7pzKjY/dU9rMRohx +YSltFjPZ3sQ3UKqqIqhZS+GoVuZoc925WyhViPsqtQKBgQDsL4LFfPWN8nnsusQp +VR3T7HvvwXuEVAydlaJMwZU0cRYN+L7RHHjDoXZZrNJDIDzNoWnBLKRGx3mtLmgJ +9Pa6SxN6Oc8oo6jzv2D59g1PVjNOMOYTCTb/2Xum4LMLaeeF57HkWxzeA3Ws47++ +gXwzQpbE90tp1Ys4uXD3JoivvwKBgQDIGZTwLGhLSegdAjG83WEgmdtzT1kjvx0Q +A8IR2jkgkTJHdKiuslJ8Z3/XufHEwWMWwfs1XLwxYluoo1y9eNvNeHZXjLqjL62c +I3034F9IvvTUqFcxam2WdoklXbAiSvLUo/9exPgOuVxok6Zv1imRgGb/vYV9vyG7 +86MRuQu5OwKBgQC9E3fcA6JMpY3H3uhEsngzfMDm+fyYvfRvfyezzNFWbyWZv8V6 +gBGJg0vMlFarGDa044BW/hbw9qXI5zqwpeOS1aFdGsRlo0cRAuduk/Spy7c85FZ7 +bMgT4BZmTMHo5DpNb2NxDSO59AkThCuvJde47ZjnS5WavzI6EfKGWNnZ3wKBgQCF +QiwjCp/mS/DtqLFxAsmVSYGROG231aXILYiIFRloa+ndFn7j4NP4D4FfLHErRFL2 +K/ddIUYfaU57b1fqwts26ht90LXWyYDH9AaHOMCcFLe+C+INgcA7rPNG1C7hl6JC +JHmEJo7AV4eICZSU9D44rRdrB08oYCpaHjYiLmb1UwKBgQCWCDJ4p2DrNL9hzj3K +kzvM5saXrfI4aVBXVt9rw9s1d/WG8JOpnmHcnLPb6Tj59rDktrLCLv0sVstMwNVJ +sOO+qsgn1VoZalcVhhjdONm5YvhJQgz0F7Y2xkr6g/AuMPz2YigGfm7fe/z7rc+L +q9Ua2HmUS8DDBy7W89MNZJNkDQ== +-----END PRIVATE KEY----- diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/resources/config/kibana.yml b/kubernetes/clamp/charts/clamp-dash-kibana/resources/config/kibana.yml index 1747c75811..a94413ce06 100644 --- a/kubernetes/clamp/charts/clamp-dash-kibana/resources/config/kibana.yml +++ b/kubernetes/clamp/charts/clamp-dash-kibana/resources/config/kibana.yml @@ -64,9 +64,9 @@ elasticsearch.url: "http://{{.Values.config.elasticsearchServiceName}}.{{ includ #elasticsearch.password: "changeme" # Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively. # These settings enable SSL for outgoing requests from the Kibana server to the browser. -#server.ssl.enabled: $server_ssl_enabled -#server.ssl.certificate: $server_ssl_certificate -#server.ssl.key: $server_ssl_key +server.ssl.enabled: {{.Values.config.sslEnabled}} +server.ssl.certificate: {{.Values.config.sslPemCertFilePath}} +server.ssl.key: {{.Values.config.sslPemkeyFilePath}} # Optional settings that provide the paths to the PEM-format SSL certificate and key files. # These files validate that your Elasticsearch backend uses the same key files. diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/templates/configmap.yaml b/kubernetes/clamp/charts/clamp-dash-kibana/templates/configmap.yaml index 9186cd919a..8fcd405fa9 100644 --- a/kubernetes/clamp/charts/clamp-dash-kibana/templates/configmap.yaml +++ b/kubernetes/clamp/charts/clamp-dash-kibana/templates/configmap.yaml @@ -25,3 +25,12 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-aaf-pem-keys + namespace: {{ include "common.namespace" . }} +type: Opaque +data: +{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/templates/deployment.yaml b/kubernetes/clamp/charts/clamp-dash-kibana/templates/deployment.yaml index d29148fe71..31752fc661 100644 --- a/kubernetes/clamp/charts/clamp-dash-kibana/templates/deployment.yaml +++ b/kubernetes/clamp/charts/clamp-dash-kibana/templates/deployment.yaml @@ -75,6 +75,8 @@ spec: - mountPath: /usr/share/kibana/config/kibana.yml name: {{ include "common.fullname" . }} subPath: kibana.yml + - name: {{ include "common.fullname" . }}-aaf-pem-certs + mountPath: /usr/share/kibana/config/keystore/ resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -95,5 +97,8 @@ spec: items: - key: kibana.yml path: kibana.yml + - name: {{ include "common.fullname" . }}-aaf-pem-certs + secret: + secretName: {{ include "common.fullname" . }}-aaf-pem-keys imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml b/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml index 9356c47522..4d55338e06 100644 --- a/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml +++ b/kubernetes/clamp/charts/clamp-dash-kibana/values.yaml @@ -44,6 +44,9 @@ debugEnabled: false config: elasticsearchServiceName: cdash-es elasticsearchPort: 9200 + sslEnabled: true + sslPemCertFilePath: /usr/share/kibana/config/keystore/org.onap.clamp.crt.pem + sslPemkeyFilePath: /usr/share/kibana/config/keystore/org.onap.clamp.key.pem # default number of instances replicaCount: 1 -- cgit 1.2.3-korg