[VNFSDK] Automatically retrieve certificates
Instead of using hardcoded certificates, let's use certInitializer in
order to retrieve them.
Issue-ID: OOM-2696
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: I6ed12dda660647cd0990c34f51e6c05ed533774a
diff --git a/kubernetes/vnfsdk/requirements.yaml b/kubernetes/vnfsdk/requirements.yaml
index b668359..3a4aed7 100644
--- a/kubernetes/vnfsdk/requirements.yaml
+++ b/kubernetes/vnfsdk/requirements.yaml
@@ -16,6 +16,9 @@
- name: common
version: ~7.x-0
repository: '@local'
+ - name: certInitializer
+ version: ~7.x-0
+ repository: '@local'
- name: postgres
version: ~7.x-0
repository: '@local'
diff --git a/kubernetes/vnfsdk/resources/nginx/nginx.conf b/kubernetes/vnfsdk/resources/nginx/nginx.conf
new file mode 100644
index 0000000..d26cc5d
--- /dev/null
+++ b/kubernetes/vnfsdk/resources/nginx/nginx.conf
@@ -0,0 +1,63 @@
+# Copyright 2020 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+daemon off;
+
+#pid /run/nginx.pid;
+
+events {
+ worker_connections 500;
+ # multi_accept on;
+}
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ #Comment or disable the access_log once tested to avoid runtime logs
+# access_log /var/log/nginx/access.log format gzip;
+ access_log off;
+ error_log /var/log/nginx/error.log;
+
+ server {
+ listen *:8703 ssl;
+ server_name
+ ssl on;
+ ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.pem;
+ ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key;
+ ssl_session_cache builtin:1000 shared:SSL:80m;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
+ ssl_prefer_server_ciphers on;
+ ssl_session_timeout 10m;
+ keepalive_timeout 70;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://localhost:8702;
+ proxy_read_timeout 90;
+ proxy_redirect off;
+ }
+ }
+}
\ No newline at end of file
diff --git a/kubernetes/vnfsdk/templates/configmap.yaml b/kubernetes/vnfsdk/templates/configmap.yaml
index c41c3ef..d063793 100644
--- a/kubernetes/vnfsdk/templates/configmap.yaml
+++ b/kubernetes/vnfsdk/templates/configmap.yaml
@@ -26,3 +26,16 @@
heritage: {{ .Release.Service }}
data:
{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-nginx
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/nginx/*").AsConfig . | indent 2 }}
\ No newline at end of file
diff --git a/kubernetes/vnfsdk/templates/deployment.yaml b/kubernetes/vnfsdk/templates/deployment.yaml
index 7e4ad5b..89eba2f 100644
--- a/kubernetes/vnfsdk/templates/deployment.yaml
+++ b/kubernetes/vnfsdk/templates/deployment.yaml
@@ -35,7 +35,7 @@
release: {{ include "common.release" . }}
name: {{ include "common.name" . }}
spec:
- initContainers:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
- command:
- sh
args:
@@ -75,10 +75,13 @@
name: {{ include "common.name" . }}
resources:
{{ include "common.resources" . | indent 12 }}
- volumeMounts:
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
- mountPath: /service/webapps/ROOT/WEB-INF/classes/mybatis/configuration/configuration.xml
name: init-data
subPath: configuration.xml
+ - mountPath: /etc/nginx/nginx.conf
+ name: nginx
+ subPath: nginx.conf
readinessProbe:
tcpSocket:
port: {{ .Values.service.internalPort }}
@@ -86,10 +89,13 @@
periodSeconds: {{ .Values.readiness.periodSeconds }}
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
- name: init-data-input
configMap:
name: {{ include "common.fullname" . }}
+ - name: nginx
+ configMap:
+ name: {{ include "common.fullname" . }}-nginx
- name: init-data
emptyDir:
medium: Memory
diff --git a/kubernetes/vnfsdk/values.yaml b/kubernetes/vnfsdk/values.yaml
index 28a2ac4..0fbee4c 100644
--- a/kubernetes/vnfsdk/values.yaml
+++ b/kubernetes/vnfsdk/values.yaml
@@ -34,6 +34,37 @@
passwordPolicy: generate
#################################################################
+# AAF part
+#################################################################
+certInitializer:
+ nameOverride: refrepo-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: refrepo
+ fqi: refrepo@refrepo.onap.org
+ fqi_namespace: org.onap.refrepo
+ public_fqdn: refrepo.onap.org
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ aaf_add_config: |
+ echo "*** transform AAF certs into pem files"
+ mkdir -p {{ .Values.credsPath }}/certs
+ echo "keystore password: $$cadi_keystore_password_p12"
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** copy key"
+ cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
+ {{ .Values.credsPath }}/certs/cert.key
+ echo "*** change ownership of certificates to targeted user"
+ chown -R 999 {{ .Values.credsPath }}/certs
+
+
+#################################################################
# Application configuration defaults.
#################################################################
# application image
@@ -102,7 +133,7 @@
service:
type: NodePort
name: refrepo
- portName: refrepo
+ portName: https
nodePort: 97
internalPort: 8703