author | rameshiyer27 <ramesh.murugan.iyer@est.tech> | 2022-05-17 12:04:03 +0100 |
---|---|---|
committer | Ramesh Murugan Iyer <ramesh.murugan.iyer@est.tech> | 2022-06-14 09:05:27 +0000 |
commit | 7990dd55911eb2139020d61524f646aef09dd9e2 (patch) | |
tree | e9bd34029caf3114a61d9baac4a08f2867370ed3 | |
parent | 8fe87e5d203b86f6c53c39e21dff5713bb81348c (diff) |
Add user configurable parameter for permitted helm repo protocols
User can configure the permitted helm repository protocols http/https
based on the requirement.
Issue-ID: POLICY-4113
Signed-off-by: zrrmmua <ramesh.murugan.iyer@est.tech>
Change-Id: Ib7c91413babd15d0bd22ceffe10cdc1c3a6a0fd0
(cherry picked from commit b77b61847ddd169da9a71b05742ed51bc826f5f6)
5 files changed, 30 insertions, 8 deletions
diff --git a/packages/policy-clamp-tarball/src/main/resources/etc/KubernetesParticipantParameters.yaml b/packages/policy-clamp-tarball/src/main/resources/etc/KubernetesParticipantParameters.yaml
index c6acf4052..ad1669c66 100644
--- a/packages/policy-clamp-tarball/src/main/resources/etc/KubernetesParticipantParameters.yaml
+++ b/packages/policy-clamp-tarball/src/main/resources/etc/KubernetesParticipantParameters.yaml
@@ -59,3 +59,17 @@ logging:
 chart:
 api:
 enabled: false
+
+# Update the config here for permitting repositories and protocols
+helm:
+ repos:
+ -
+ repoName: kong
+ address: https://charts.konghq.com
+ -
+ repoName: bitnami
+ address: https://charts.bitnami.com/bitnami
+
+ protocols:
+ - http
+ - https
\ No newline at end of file
diff --git a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/configurations/HelmRepositoryConfig.java b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/configurations/HelmRepositoryConfig.java
index 4d00e38ec..61a813e8a 100644
--- a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/configurations/HelmRepositoryConfig.java
+++ b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/configurations/HelmRepositoryConfig.java
@@ -38,4 +38,6 @@ public class HelmRepositoryConfig {
 private final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
 private List<HelmRepository> repos = new ArrayList<>();
+
+ private List<String> protocols = new ArrayList<>();
 }
diff --git a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartService.java b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartService.java
index e9cd8a2c3..888600fde 100644
--- a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartService.java
+++ b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartService.java
@@ -93,7 +93,7 @@ public class ChartService {
 * @throws IOException in case of IO errors
 */
 public boolean installChart(ChartInfo chart) throws ServiceException, IOException {
- boolean whiteListed = false;
+ boolean permittedRepo = false;
 if (chart.getRepository() == null) {
 String repoName = findChartRepo(chart);
 if (repoName == null) {
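Review bot: The shipped default under `helm.protocols` in KubernetesParticipantParameters.yaml lists `http` next to `https`, which turns the https-only rule that ChartService enforced before this commit into an opt-out; the same default is added to `config/application.yaml` further down. Charts pulled over plain http can be altered in transit before they are installed into the cluster, so the safer default is `- https` alone, with a comment such as `# add http only for trusted, isolated repositories` for operators who need it. Both YAML files also still end without a trailing newline.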
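Review bot: The new `protocols` field in HelmRepositoryConfig has no comment, and its empty default means the `getProtocols().contains(...)` test in ChartService rejects every repository passed via TOSCA when `helm.protocols` is missing from the configuration. That fail-closed behaviour is reasonable but differs from the previous built-in https check, so it is worth stating on the field, e.g. `// URL schemes permitted for repository addresses; an empty list permits none`. The class body starts outside this hunk.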
@@ -106,17 +106,18 @@ public class ChartService {
 }
 } else {
 // Add remote repository if passed via TOSCA
- // check whether the repo is whitelisted
+ // check whether the repo is permitted
 for (HelmRepository repo : helmRepositoryConfig.getRepos()) {
 if (repo.getAddress().equals(chart.getRepository().getAddress())
- && chart.getRepository().getAddress().contains("https")) {
+ && helmRepositoryConfig.getProtocols()
+ .contains(chart.getRepository().getAddress().split(":")[0])) {
 configureRepository(chart.getRepository());
- whiteListed = true;
+ permittedRepo = true;
 break;
 }
 }
- if (!whiteListed) {
- logger.error("Repository is not Whitelisted / plain http in not allowed");
+ if (!permittedRepo) {
+ logger.error("Helm Repository/Protocol is not permitted for {}", chart.getRepository().getAddress());
 return false;
 }
 }
diff --git a/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml b/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml
index ac18bca39..0f8c49547 100644
--- a/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml
+++ b/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml
@@ -58,7 +58,7 @@ logging:
 chart:
 api:
 enabled: false
-
+# Update the config here for permitting repositories and protocols
 helm:
 repos:
 -
@@ -66,4 +66,8 @@ helm:
 address: https://charts.konghq.com
 -
 repoName: bitnami
- address: https://charts.bitnami.com/bitnami
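Review bot: The protocol gate inside the `for` loop of ChartService derives the scheme with `getAddress().split(":")[0]`, a case-sensitive cut of the raw string that is recomputed for every configured repo. Parsing it once before the loop, e.g. `String scheme = URI.create(address).getScheme();`, treating a parse failure or a null scheme as not permitted and comparing a lower-cased value, would make the check explicit and the loop condition easier to read. The new `logger.error` also writes the TOSCA-supplied address verbatim, so if addresses can carry userinfo credentials or line breaks (not visible here) they end up in the log; logging the repository name or a sanitised address would avoid that. installChart starts and ends outside this hunk.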
\ No newline at end of file
+ address: https://charts.bitnami.com/bitnami
+
+ protocols:
+ - http
+ - https
\ No newline at end of file
diff --git a/participant/participant-impl/participant-impl-kubernetes/src/test/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartServiceTest.java b/participant/participant-impl/participant-impl-kubernetes/src/test/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartServiceTest.java
index d83d43f20..669ca3fe3 100644
--- a/participant/participant-impl/participant-impl-kubernetes/src/test/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartServiceTest.java
+++ b/participant/participant-impl/participant-impl-kubernetes/src/test/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartServiceTest.java
@@ -123,6 +123,7 @@ class ChartServiceTest {
 List<HelmRepository> helmRepositoryList = new ArrayList<>();
 helmRepositoryList.add(HelmRepository.builder().address("https://localhost:8080").build());
 doReturn(helmRepositoryList).when(helmRepositoryConfig).getRepos();
+ doReturn(List.of("http", "https")).when(helmRepositoryConfig).getProtocols();
 assertDoesNotThrow(() -> chartService.installChart(charts.get(0)));
 doThrow(ServiceException.class).when(helmClient).installChart(any());
 assertThatThrownBy(() -> chartService.installChart(charts.get(0))).isInstanceOf(ServiceException.class); |
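Review bot: The added stub in ChartServiceTest returns both `http` and `https`, so the test never reaches the new rejection branch of installChart. A case that stubs `getProtocols()` with `List.of("https")`, registers an `http://` address in `getRepos()`, passes a chart whose repository uses that address and asserts that `installChart` returns false would pin the protocol gate. The enclosing test method starts and ends outside this hunk, so whether `charts.get(0)` carries a repository address at all is not visible here.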