[DCAEGEN2] Add pem support in CMPv2 for dcaegen2-services

[oom.git] / kubernetes / dcaegen2-services / common / dcaegen2-services-common / templates / _deployment.tpl

diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
index c03be83..10a63eb 100644 (file)
--- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
+++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
@@ -2,6 +2,8 @@
 #============LICENSE_START========================================================
 # ================================================================================
 # Copyright (c) 2021 J. F. Lucas. All rights reserved.
 #============LICENSE_START========================================================
 # ================================================================================
 # Copyright (c) 2021 J. F. Lucas. All rights reserved.

+# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.

 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.


@@ -17,6 +19,56 @@
 # ============LICENSE_END=========================================================
 */}}
 {{/*
 # ============LICENSE_END=========================================================
 */}}
 {{/*

+For internal use only!
+
+dcaegen2-services-common._ms-specific-env-vars:
+This template generates a list of microservice-specific environment variables
+as specified in .Values.applicationEnv.  The
+dcaegen2-services-common.microServiceDeployment uses this template
+to add the microservice-specific environment variables to the microservice's container.
+These environment variables are in addition to a standard set of environment variables
+provided to all microservices.
+
+The template expects a single argument, pointing to the caller's global context.
+
+Microservice-specific environment variables can be specified in two ways:
+  1. As literal string values.
+  2. As values that are sourced from a secret, identified by the secret's
+     uid and the key within the secret that provides the value.
+
+The following example shows an example of each type.  The example assumes
+that a secret has been created using the OOM common secret mechanism, with
+a secret uid "example-secret" and a key called "password".
+
+applicationEnv:
+  APPLICATION_PASSWORD:
+    secretUid: example-secret
+    key: password
+  APPLICATION_EXAMPLE: "An example value"
+
+The example would set two environment variables on the microservice's container,
+one called "APPLICATION_PASSWORD" with the value set from the "password" key in
+the secret with uid "example-secret", and one called "APPLICATION_EXAMPLE" set to
+the the literal string "An example value".
+*/}}
+{{- define "dcaegen2-services-common._ms-specific-env-vars" -}}
+  {{- $global := . }}
+  {{- if .Values.applicationEnv }}
+    {{- range $envName, $envValue := .Values.applicationEnv }}
+      {{- if kindIs "string" $envValue }}
+- name: {{ $envName }}
+  value: {{ $envValue | quote }}
+      {{- else }}
+        {{ if or (not $envValue.secretUid) (not $envValue.key) }}
+          {{ fail (printf "Env %s definition is not a string and does not contain secretUid or key fields" $envName) }}
+        {{- end }}
+- name: {{ $envName }}
+  {{- include "common.secret.envFromSecretFast" (dict "global" $global "uid" $envValue.secretUid "key" $envValue.key) | indent 2 }}
+      {{- end -}}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+{{/*

 dcaegen2-services-common.microserviceDeployment:
 This template produces a Kubernetes Deployment for a DCAE microservice.
 
 dcaegen2-services-common.microserviceDeployment:
 This template produces a Kubernetes Deployment for a DCAE microservice.
 


@@ -63,12 +115,21 @@ certificate information will include a server cert and key, in various
 formats.  It will also include the AAF CA cert.   If the microservice is
 a TLS client only (indicated by setting .Values.tlsServer to false), the
 certificate information includes only the AAF CA cert.
 formats.  It will also include the AAF CA cert.   If the microservice is
 a TLS client only (indicated by setting .Values.tlsServer to false), the
 certificate information includes only the AAF CA cert.

+
+Deployed POD may also include a Policy-sync sidecar container.
+The sidecar is included if .Values.policies is set.  The
+Policy-sync sidecar polls PolicyEngine (PDP) periodically based
+on .Values.policies.duration and configuration retrieved is shared with
+DCAE Microservice container by common volume. Policy can be retrieved based on
+list of policyID or filter

 */}}
 
 {{- define "dcaegen2-services-common.microserviceDeployment" -}}
 {{- $logDir :=  default "" .Values.logDirectory -}}
 {{- $certDir := default "" .Values.certDirectory . -}}
 {{- $tlsServer := default "" .Values.tlsServer -}}
 */}}
 
 {{- define "dcaegen2-services-common.microserviceDeployment" -}}
 {{- $logDir :=  default "" .Values.logDirectory -}}
 {{- $certDir := default "" .Values.certDirectory . -}}
 {{- $tlsServer := default "" .Values.tlsServer -}}

+{{- $policy := default "" .Values.policies -}}
+

 apiVersion: apps/v1
 kind: Deployment
 metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
 apiVersion: apps/v1
 kind: Deployment
 metadata: {{- include "common.resourceMetadata" . | nindent 2 }}


@@ -130,6 +191,7 @@ spec:
         - mountPath: /opt/app/osaaf
           name: tls-info
       {{- end }}
         - mountPath: /opt/app/osaaf
           name: tls-info
       {{- end }}

+      {{ include "dcaegen2-services-common._certPostProcessor" .  | nindent 4 }}

       containers:
       - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
       containers:
       - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}


@@ -137,7 +199,7 @@ spec:
         env:
         {{- if $certDir }}
         - name: DCAE_CA_CERTPATH
         env:
         {{- if $certDir }}
         - name: DCAE_CA_CERTPATH

-          value: {{ $certDir}}/cacert.pem
+          value: {{ $certDir }}/cacert.pem

         {{- end }}
         - name: CONSUL_HOST
           value: consul-server.onap
         {{- end }}
         - name: CONSUL_HOST
           value: consul-server.onap


@@ -150,12 +212,7 @@ spec:
             fieldRef:
               apiVersion: v1
               fieldPath: status.podIP
             fieldRef:
               apiVersion: v1
               fieldPath: status.podIP

-        {{- if .Values.applicationEnv }}
-        {{- range $envName, $envValue := .Values.applicationEnv }}
-        - name: {{ $envName }}
-          value: {{ $envValue | quote }}
-        {{- end }}
-        {{- end }}
+        {{- include "dcaegen2-services-common._ms-specific-env-vars" . | nindent 8 }}

         {{- if .Values.service }}
         ports: {{ include "common.containerPorts" . | nindent 10 }}
         {{- end }}
         {{- if .Values.service }}
         ports: {{ include "common.containerPorts" . | nindent 10 }}
         {{- end }}


@@ -180,8 +237,9 @@ spec:
           {{- end }}
         {{- end }}
         resources: {{ include "common.resources" . | nindent 2 }}
           {{- end }}
         {{- end }}
         resources: {{ include "common.resources" . | nindent 2 }}

-        {{- if or $logDir $certDir  }}

         volumeMounts:
         volumeMounts:

+        - mountPath: /app-config
+          name: app-config

         {{- if $logDir }}
         - mountPath: {{ $logDir}}
           name: component-log
         {{- if $logDir }}
         - mountPath: {{ $logDir}}
           name: component-log


@@ -189,7 +247,13 @@ spec:
         {{- if $certDir }}
         - mountPath: {{ $certDir }}
           name: tls-info
         {{- if $certDir }}
         - mountPath: {{ $certDir }}
           name: tls-info

+          {{- if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+          {{- include "common.certManager.volumeMountsReadOnly" . | nindent 8 -}}
+          {{- end -}}

         {{- end }}
         {{- end }}

+        {{- if $policy }}
+        - name: policy-shared
+          mountPath: /etc/policies

         {{- end }}
       {{- if $logDir }}
       - image: {{ include "repositoryGenerator.image.logging" . }}
         {{- end }}
       {{- if $logDir }}
       - image: {{ include "repositoryGenerator.image.logging" . }}


@@ -211,6 +275,53 @@ spec:
           name: filebeat-conf
           subPath: filebeat.yml
       {{- end }}
           name: filebeat-conf
           subPath: filebeat.yml
       {{- end }}

+      {{- if $policy }}
+      - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dcaePolicySyncImage }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: policy-sync
+        env:
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: POLICY_SYNC_PDP_USER
+          valueFrom:
+            secretKeyRef:
+              name: onap-policy-xacml-pdp-api-creds
+              key: login
+        - name: POLICY_SYNC_PDP_PASS
+          valueFrom:
+            secretKeyRef:
+              name: onap-policy-xacml-pdp-api-creds
+              key: password
+        - name: POLICY_SYNC_PDP_URL
+          value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969
+        - name: POLICY_SYNC_OUTFILE
+          value : "/etc/policies/policies.json"
+        - name: POLICY_SYNC_V1_DECISION_ENDPOINT
+          value : "policy/pdpx/v1/decision"
+        {{- if $policy.filter }}
+        - name: POLICY_SYNC_FILTER
+          value: {{ $policy.filter }}
+        {{- end -}}
+        {{- if $policy.policyID }}
+        - name: POLICY_SYNC_ID
+          value: {{ $policy.policyID }}
+        {{- end -}}
+        {{- if $policy.duration }}
+        - name: POLICY_SYNC_DURATION
+          value: {{ $policy.duration }}
+        {{- end }}
+        resources: {{ include "common.resources" . | nindent 2 }}
+        volumeMounts:
+        - mountPath: /etc/policies
+          name: policy-shared
+        {{- if $certDir }}
+        - mountPath: /opt/ca-certificates/
+          name: tls-info
+        {{- end }}
+      {{- end }}

       hostname: {{ include "common.name" . }}
       volumes:
       - configMap:
       hostname: {{ include "common.name" . }}
       volumes:
       - configMap:


@@ -233,7 +344,60 @@ spec:
       {{- if $certDir }}
       - emptyDir: {}
         name: tls-info
       {{- if $certDir }}
       - emptyDir: {}
         name: tls-info

+        {{ if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+        {{ include "common.certManager.volumesReadOnly" . | nindent 6 }}
+        {{- end }}
+      {{- end }}
+      {{- if $policy }}
+      - name: policy-shared
+        emptyDir: {}

       {{- end }}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
 {{ end -}}
       {{- end }}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
 {{ end -}}

+
+{{/*
+  For internal use
+
+  Template to attach CertPostProcessor which merges CMPv2 truststore with AAF truststore
+  and swaps keystore files.
+*/}}
+{{- define "dcaegen2-services-common._certPostProcessor" -}}
+  {{- $certDir := default "" .Values.certDirectory . -}}
+  {{- if and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}}
+    {{- $cmpv2Certificate := (index .Values.certificates 0) -}}
+    {{- $cmpv2CertificateDir := $cmpv2Certificate.mountPath -}}
+    {{- $certType := "pem" -}}
+    {{- if $cmpv2Certificate.keystore -}}
+      {{- $certType = (index $cmpv2Certificate.keystore.outputType 0) -}}
+    {{- end -}}
+    {{- $truststoresPaths := printf "%s/%s:%s/%s" $certDir "cacert.pem" $cmpv2CertificateDir "cacert.pem" -}}
+    {{- $truststoresPasswordPaths := ":" -}}
+    {{- $keystoreSourcePaths := printf "%s/%s:%s/%s" $cmpv2CertificateDir "cert.pem" $cmpv2CertificateDir "key.pem" -}}
+    {{- $keystoreDestinationPaths := printf "%s/%s:%s/%s" $certDir "cert.pem" $certDir "key.pem" -}}
+    {{- if not (eq $certType "pem") -}}
+      {{- $truststoresPaths = printf "%s/%s:%s/%s.%s" $certDir "trust.jks" $cmpv2CertificateDir "truststore" $certType -}}
+      {{- $truststoresPasswordPaths = printf "%s/%s:%s/%s" $certDir "trust.pass" $cmpv2CertificateDir "truststore.pass" -}}
+      {{- $keystoreSourcePaths = printf "%s/%s.%s:%s/%s" $cmpv2CertificateDir "keystore" $certType $cmpv2CertificateDir "keystore.pass" -}}
+      {{- $keystoreDestinationPaths = printf "%s/%s.%s:%s/%s.pass" $certDir "cert" $certType $certDir $certType -}}
+    {{- end }}
+  - name: cert-post-processor
+    image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.certPostProcessorImage }}
+    imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+    resources:
+      {{- include "common.resources" . | nindent 4 }}
+    volumeMounts:
+    - mountPath: {{ $certDir }}
+      name: tls-info
+      {{- include "common.certManager.volumeMountsReadOnly" . | nindent 4 }}
+    env:
+    - name: TRUSTSTORES_PATHS
+      value: {{ $truststoresPaths | quote}}
+    - name: TRUSTSTORES_PASSWORDS_PATHS
+      value: {{ $truststoresPasswordPaths | quote }}
+    - name: KEYSTORE_SOURCE_PATHS
+      value: {{ $keystoreSourcePaths | quote }}
+    - name: KEYSTORE_DESTINATION_PATHS
+      value: {{ $keystoreDestinationPaths | quote }}
+  {{- end }}
+{{- end -}}