.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

TLS Support
===========

To comply with the ONAP security requirements, all services exposing external APIs are required to support TLS using AAF-generated certificates. The DCAE Platform was updated in R3 to provide a certificate distribution mechanism for services needing TLS support.

Solution overview
-----------------
1. Certificate generation:
This step is currently done manually, using the test AAF instance in POD25. The required namespace, DCAE identity (dcae@dcae.onap.org), roles and Subject Alternative Names for all components are preset there. The certificates are generated using the procedure described by AAF (using agent.sh). From the .jks files produced by AAF, create the .pem files and load them into the tls-init-container image in the dcaegen2/deployment repository. The image contains a script that runs when the image starts; the script copies the certificate artifacts into a Kubernetes volume. The container is used as an "init-container" in the Kubernetes pod of every component that needs to use TLS.

2. Plugin and Blueprint:
The type definitions for the Kubernetes component types in the blueprint are updated with a new (optional) node property, tls_info. The property is a dictionary with two elements: a boolean (use_tls) that indicates whether the component uses TLS, and a string (cert_directory) that indicates where the component expects to find the certificate artifacts.

During deployment, the Kubernetes plugin (referenced in the blueprint) checks whether the tls_info property is set and use_tls is true. If so, the plugin adds the following elements to the Kubernetes Deployment for the component:
* A Kubernetes volume (tls-info) that will hold the certificate artifacts
* A Kubernetes initContainer (tls-init)
* A Kubernetes volumeMount for the initContainer that mounts the tls-info volume at /opt/tls/shared
* A Kubernetes volumeMount for the main container that mounts the tls-info volume at the mount point specified in the cert_directory property
* If the component has an HTTP healthcheck specified, a Kubernetes readiness probe that uses the same endpoint
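
As an added illustration (example code, not the Kubernetes plugin's own implementation), the following Python reproduces on a Deployment held as a plain dict what the list above says the plugin does when use_tls is true: it adds the tls-info volume, the tls-init initContainer with its /opt/tls/shared mount, the main container's mount at cert_directory, and a readiness probe reusing the healthcheck endpoint. The emptyDir volume type, the init-container image reference, the shape of the healthcheck dict, the probe scheme and the sample cert_directory path are assumptions of this example, not facts from the page.

```python
import copy
import json

# Names the page gives for the objects the plugin adds.
TLS_VOLUME_NAME = "tls-info"
TLS_INIT_CONTAINER_NAME = "tls-init"
TLS_INIT_MOUNT_PATH = "/opt/tls/shared"
# Assumption: the page names the dcaegen2/deployment repository but no image
# reference, so this tag is a placeholder.
TLS_INIT_IMAGE = "dcaegen2/deployment/tls-init-container:example"


def add_tls_support(deployment, tls_info, healthcheck=None):
    """Return a copy of `deployment` (a Kubernetes Deployment as a dict) with the
    TLS elements added, mirroring the plugin behaviour described above.

    tls_info is the blueprint node property: {"use_tls": bool, "cert_directory": str}.
    healthcheck, if given, is {"type": "http"|"https", "endpoint": "/path", "port": int};
    that shape is an assumption of this example.
    If tls_info is absent or use_tls is false, an unchanged copy is returned.
    """
    dep = copy.deepcopy(deployment)  # never mutate the caller's object
    if not tls_info or not tls_info.get("use_tls"):
        return dep
    cert_dir = tls_info.get("cert_directory")
    if not cert_dir:
        raise ValueError("tls_info.use_tls is true but cert_directory is not set")

    pod = dep["spec"]["template"]["spec"]
    main = pod["containers"][0]

    # Assumption: an emptyDir serves as the shared volume; the page only says
    # "a Kubernetes volume".
    pod.setdefault("volumes", []).append({"name": TLS_VOLUME_NAME, "emptyDir": {}})
    # The init container mounts the volume at /opt/tls/shared and copies the
    # certificate artifacts into it.
    pod.setdefault("initContainers", []).append({
        "name": TLS_INIT_CONTAINER_NAME,
        "image": TLS_INIT_IMAGE,
        "volumeMounts": [{"name": TLS_VOLUME_NAME, "mountPath": TLS_INIT_MOUNT_PATH}],
    })
    # The main container sees the same volume at the blueprint's cert_directory.
    main.setdefault("volumeMounts", []).append(
        {"name": TLS_VOLUME_NAME, "mountPath": cert_dir})

    if healthcheck and healthcheck.get("type") in ("http", "https"):
        # Readiness probe on the same endpoint; deriving the probe scheme from
        # the healthcheck type is this example's assumption.
        scheme = "HTTPS" if healthcheck["type"] == "https" else "HTTP"
        main["readinessProbe"] = {"httpGet": {"path": healthcheck["endpoint"],
                                              "port": healthcheck["port"],
                                              "scheme": scheme}}
    return dep


# Constructed sample input: a minimal Deployment plus a blueprint tls_info
# property and healthcheck (all values made up for this example).
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example-component"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "example-component", "image": "example/component:1.0",
         "ports": [{"containerPort": 8443}]}]}}},
}
SAMPLE_TLS_INFO = {"use_tls": True, "cert_directory": "/opt/app/dcae-certificate"}
SAMPLE_HEALTHCHECK = {"type": "https", "endpoint": "/healthcheck", "port": 8443}

if __name__ == "__main__":
    print(json.dumps(add_tls_support(SAMPLE_DEPLOYMENT, SAMPLE_TLS_INFO,
                                     SAMPLE_HEALTHCHECK), indent=2))
```

Running the module prints the augmented Deployment; a component whose blueprint omits tls_info, or sets use_tls to false, comes out unchanged, and a blueprint that enables TLS without naming cert_directory is rejected rather than silently mounting nothing.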
| 23 | |
3. Certificate Artifacts

The certificate directory mounted on the container will include the following files:
- cert.jks: A Java keystore containing the DCAE certificate.
- jks.pass: A text file with a single line that contains the password for the cert.jks keystore.
- trust.jks: A Java truststore containing the AAF CA certificate (needed by clients).
- trust.pass: A text file with a single line that contains the password for the trust.jks keystore.
- cert.p12: The DCAE certificate and private key packaged in PKCS12 format.
- p12.pass: A text file with a single line that contains the password for the cert.p12 file.
- cert.pem: The DCAE certificate, in PEM format.
- key.pem: The private key for the DCAE certificate. The key is not encrypted.

Because key.pem is stored unencrypted and the .pass files hold the keystore passwords in clear text, the mounted directory should be readable only by the component process.
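
To check that an artifact set is complete and usable, either before it is loaded into the tls-init-container image (step 1) or when a component starts, here is an added Python checker; it is example code, not part of the DCAE tooling. It relies only on the file list above and on well-known format markers (the JKS magic number 0xFEEDFEED, the DER SEQUENCE tag that opens a PKCS12 file, PEM block headers), and it flags an encrypted key.pem and a world-readable key as errors. The build_sample_dir helper writes constructed placeholder files with the right headers, not real keystores, so the checker can be exercised offline.

```python
import os
import stat
import tempfile

# The eight artifact files the page lists for the mounted certificate directory.
EXPECTED_FILES = ("cert.jks", "jks.pass", "trust.jks", "trust.pass",
                  "cert.p12", "p12.pass", "cert.pem", "key.pem")
JKS_MAGIC = b"\xfe\xed\xfe\xed"  # magic number of Java's JKS keystore format
DER_SEQUENCE = 0x30              # PKCS#12 files are DER-encoded, starting with SEQUENCE


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def check_cert_directory(cert_dir):
    """Return a list of problems found in cert_dir; an empty list means it looks usable."""
    problems = []
    for name in EXPECTED_FILES:
        if not os.path.isfile(os.path.join(cert_dir, name)):
            problems.append("missing %s" % name)
    if problems:
        return problems  # incomplete set: no point inspecting contents

    # Password files: exactly one non-empty line, as the page specifies.
    for name in ("jks.pass", "trust.pass", "p12.pass"):
        lines = _read(os.path.join(cert_dir, name)).splitlines()
        if len(lines) != 1 or not lines[0].strip():
            problems.append("%s must contain exactly one non-empty line" % name)

    for name in ("cert.jks", "trust.jks"):
        if not _read(os.path.join(cert_dir, name)).startswith(JKS_MAGIC):
            problems.append("%s does not look like a JKS keystore" % name)

    p12 = _read(os.path.join(cert_dir, "cert.p12"))
    if not p12 or p12[0] != DER_SEQUENCE:
        problems.append("cert.p12 does not look like DER-encoded PKCS#12")

    if b"-----BEGIN CERTIFICATE-----" not in _read(os.path.join(cert_dir, "cert.pem")):
        problems.append("cert.pem contains no PEM certificate block")

    key_path = os.path.join(cert_dir, "key.pem")
    key = _read(key_path)
    if b"PRIVATE KEY-----" not in key:
        problems.append("key.pem contains no PEM private key block")
    # "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8) or "Proc-Type: 4,ENCRYPTED" (legacy PEM)
    if b"ENCRYPTED" in key:
        problems.append("key.pem is encrypted, but the component expects an unencrypted key")
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & 0o077:
        problems.append("key.pem is readable by group/others (mode %o); "
                        "an unencrypted key should be 0600" % mode)
    return problems


def build_sample_dir(cert_dir, valid=True):
    """Write a constructed, non-functional artifact set for exercising the checker.
    Binary files are just the expected magic bytes; PEM files hold placeholder bodies."""
    os.makedirs(cert_dir, exist_ok=True)
    placeholder = b"constructed placeholder, not real key material\n"
    files = {
        "cert.jks": JKS_MAGIC + b"\x00\x00\x00\x02",
        "trust.jks": JKS_MAGIC + b"\x00\x00\x00\x02",
        "cert.p12": b"\x30\x82\x00\x00",
        "jks.pass": b"changeit\n",
        "trust.pass": b"changeit\n",
        "p12.pass": b"changeit\n",
        "cert.pem": b"-----BEGIN CERTIFICATE-----\n" + placeholder + b"-----END CERTIFICATE-----\n",
        "key.pem": b"-----BEGIN PRIVATE KEY-----\n" + placeholder + b"-----END PRIVATE KEY-----\n",
    }
    if not valid:  # three deliberate defects: encrypted key, bad pass file, loose permissions
        files["key.pem"] = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + placeholder
                            + b"-----END ENCRYPTED PRIVATE KEY-----\n")
        files["p12.pass"] = b"changeit\nextra line\n"
    for name, data in files.items():
        path = os.path.join(cert_dir, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o600 if valid else 0o644)
    return cert_dir


def demo():
    """Check a valid, an invalid and an empty constructed directory; return the three reports."""
    with tempfile.TemporaryDirectory() as tmp:
        good = check_cert_directory(build_sample_dir(os.path.join(tmp, "good"), valid=True))
        bad = check_cert_directory(build_sample_dir(os.path.join(tmp, "bad"), valid=False))
        empty = check_cert_directory(tmp)  # only subdirectories: every file is missing
    return good, bad, empty


if __name__ == "__main__":
    for label, report in zip(("good", "bad", "empty"), demo()):
        print(label, report or "OK")
```

In a component, check_cert_directory(cert_directory) can run at start-up so that a missing, encrypted or over-permissive key fails fast with a clear message instead of surfacing later as an opaque TLS handshake error.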