From 7990dd55911eb2139020d61524f646aef09dd9e2 Mon Sep 17 00:00:00 2001
From: rameshiyer27
Date: Tue, 17 May 2022 12:04:03 +0100
Subject: Add user configurable parameter for permitted helm repo protocols
User can configure the permitted helm repository protocols http/https based on the requirement.
Issue-ID: POLICY-4113
Signed-off-by: zrrmmua
Change-Id: Ib7c91413babd15d0bd22ceffe10cdc1c3a6a0fd0
(cherry picked from commit b77b61847ddd169da9a71b05742ed51bc826f5f6)
---
 .../resources/etc/KubernetesParticipantParameters.yaml | 14 ++++++++++++++
 .../kubernetes/configurations/HelmRepositoryConfig.java | 2 ++
 .../acm/participant/kubernetes/service/ChartService.java | 13 +++++++------
 .../src/main/resources/config/application.yaml | 8 ++++++--
 .../participant/kubernetes/service/ChartServiceTest.java | 1 +
 5 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/packages/policy-clamp-tarball/src/main/resources/etc/KubernetesParticipantParameters.yaml b/packages/policy-clamp-tarball/src/main/resources/etc/KubernetesParticipantParameters.yaml
index c6acf4052..ad1669c66 100644
--- a/packages/policy-clamp-tarball/src/main/resources/etc/KubernetesParticipantParameters.yaml
+++ b/packages/policy-clamp-tarball/src/main/resources/etc/KubernetesParticipantParameters.yaml
@@ -59,3 +59,17 @@ logging:
 chart:
 api:
 enabled: false
+
+# Update the config here for permitting repositories and protocols
+helm:
+ repos:
+ -
+ repoName: kong
+ address: https://charts.konghq.com
+ -
+ repoName: bitnami
+ address: https://charts.bitnami.com/bitnami
+
+ protocols:
+ - http
+ - https
\ No newline at end of file
diff --git a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/configurations/HelmRepositoryConfig.java b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/configurations/HelmRepositoryConfig.java
index 4d00e38ec..61a813e8a 100644
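Review bot: The default added under `helm.protocols` in KubernetesParticipantParameters.yaml permits `http`, so a repository passed via TOSCA can be accepted over cleartext out of the box, whereas the condition this commit removes from ChartService required `https` in the address. A chart fetched over plain http can be altered in transit before it is installed into the cluster, so the shipped default would be safer as `https` only, with `http` left as a commented-out opt-in such as `# - http  # cleartext; enable only for trusted internal repositories`. The same default is added in the second hunk of participant-impl-kubernetes `application.yaml`.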
--- a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/configurations/HelmRepositoryConfig.java
+++ b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/configurations/HelmRepositoryConfig.java
@@ -38,4 +38,6 @@ public class HelmRepositoryConfig {
 private final Logger logger = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
 private List repos = new ArrayList<>();
+
+ private List protocols = new ArrayList<>();
 }
diff --git a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartService.java b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartService.java
index e9cd8a2c3..888600fde 100644
--- a/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartService.java
+++ b/participant/participant-impl/participant-impl-kubernetes/src/main/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartService.java
@@ -93,7 +93,7 @@ public class ChartService {
 * @throws IOException in case of IO errors
 */
 public boolean installChart(ChartInfo chart) throws ServiceException, IOException {
- boolean whiteListed = false;
+ boolean permittedRepo = false;
 if (chart.getRepository() == null) {
 String repoName = findChartRepo(chart);
 if (repoName == null) {
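Review bot: The new `protocols` field in HelmRepositoryConfig.java has no comment, yet its empty default decides what happens when a deployment's configuration has no `helm.protocols` entry. The check added to ChartService.installChart calls `getProtocols().contains(...)`, which is false for an empty list, so every repository passed via TOSCA is then rejected. Failing closed is a sound default, but it is a silent behaviour change for installations that upgrade with an older configuration file. A field comment would make it explicit, e.g. `// URL schemes permitted for TOSCA-supplied repositories; empty (helm.protocols unset) rejects all of them.` The class body starts outside the hunk.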
@@ -106,17 +106,18 @@ public class ChartService {
 }
 } else {
 // Add remote repository if passed via TOSCA
- // check whether the repo is whitelisted
+ // check whether the repo is permitted
 for (HelmRepository repo : helmRepositoryConfig.getRepos()) {
 if (repo.getAddress().equals(chart.getRepository().getAddress())
- && chart.getRepository().getAddress().contains("https")) {
+ && helmRepositoryConfig.getProtocols()
+ .contains(chart.getRepository().getAddress().split(":")[0])) {
 configureRepository(chart.getRepository());
- whiteListed = true;
+ permittedRepo = true;
 break;
 }
 }
- if (!whiteListed) {
- logger.error("Repository is not Whitelisted / plain http in not allowed");
+ if (!permittedRepo) {
+ logger.error("Helm Repository/Protocol is not permitted for {}", chart.getRepository().getAddress());
 return false;
 }
 }
diff --git a/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml b/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml
index ac18bca39..0f8c49547 100644
--- a/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml
+++ b/participant/participant-impl/participant-impl-kubernetes/src/main/resources/config/application.yaml
@@ -58,7 +58,7 @@ logging:
 chart:
 api:
 enabled: false
-
+# Update the config here for permitting repositories and protocols
 helm:
 repos:
 -
@@ -66,4 +66,8 @@ helm:
 address: https://charts.konghq.com
 -
 repoName: bitnami
- address: https://charts.bitnami.com/bitnami
\ No newline at end of file
+ address: https://charts.bitnami.com/bitnami
+
+ protocols:
+ - http
+ - https
\ No newline at end of file
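Review bot: In the second hunk of ChartService.java (`installChart`), the new `logger.error` writes the TOSCA-supplied repository address into the log verbatim, on the path where that value has just failed the permit check. If an address can carry userinfo (`https://user:secret@host/…`) or control characters, this puts credentials or forged line breaks into the participant log; logging only the host, or the address with userinfo and CR/LF stripped, avoids both. Separately, the scheme is taken with `split(":")[0]` and matched case-sensitively against `getProtocols()`, so an address written `HTTPS://…` or without a scheme is rejected with this same generic message. Parsing it with `String scheme = URI.create(address).getScheme();` and testing `scheme != null && helmRepositoryConfig.getProtocols().contains(scheme.toLowerCase(Locale.ROOT))`, with a malformed address treated as not permitted, would state the intent directly. The method body starts and ends outside the hunk.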
diff --git a/participant/participant-impl/participant-impl-kubernetes/src/test/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartServiceTest.java b/participant/participant-impl/participant-impl-kubernetes/src/test/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartServiceTest.java
index d83d43f20..669ca3fe3 100644
--- a/participant/participant-impl/participant-impl-kubernetes/src/test/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartServiceTest.java
+++ b/participant/participant-impl/participant-impl-kubernetes/src/test/java/org/onap/policy/clamp/acm/participant/kubernetes/service/ChartServiceTest.java
@@ -123,6 +123,7 @@ class ChartServiceTest {
 List helmRepositoryList = new ArrayList<>();
 helmRepositoryList.add(HelmRepository.builder().address("https://localhost:8080").build());
 doReturn(helmRepositoryList).when(helmRepositoryConfig).getRepos();
+ doReturn(List.of("http", "https")).when(helmRepositoryConfig).getProtocols();
 assertDoesNotThrow(() -> chartService.installChart(charts.get(0)));
 doThrow(ServiceException.class).when(helmClient).installChart(any());
 assertThatThrownBy(() -> chartService.installChart(charts.get(0))).isInstanceOf(ServiceException.class);
-- 
cgit 1.2.3-korg
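Review bot: Only the permitted path is exercised in ChartServiceTest: `getProtocols()` is stubbed with `List.of("http", "https")` next to an `https://localhost:8080` repository, so the rejection branch this commit adds to `installChart` has no test in this hunk. A companion case could stub `getProtocols()` with `List.of("https")` for a chart whose repository address starts with `http://` and assert that `installChart` returns `false`. If the install call follows the check, as it appears to, `verify(helmClient, never()).installChart(any())` would pin that as well. The test method starts and ends outside the hunk, so a negative case may already exist elsewhere in the file.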