Merge "[DCAEGEN2] Update CMPv2 certs usage in dcaegen2-services"

[oom.git] / kubernetes / dcaegen2-services / common / dcaegen2-services-common / templates / _deployment.tpl

diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
index 94b6ace..310d9ae 100644 (file)
--- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
+++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl
@@ -2,6 +2,8 @@
 #============LICENSE_START========================================================
 # ================================================================================
 # Copyright (c) 2021 J. F. Lucas. All rights reserved.
 #============LICENSE_START========================================================
 # ================================================================================
 # Copyright (c) 2021 J. F. Lucas. All rights reserved.

+# Copyright (c) 2021 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2021 Nokia. All rights reserved.

 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.


@@ -67,6 +69,83 @@ the the literal string "An example value".
   {{- end }}
 {{- end -}}
 {{/*
   {{- end }}
 {{- end -}}
 {{/*

+For internal use only!
+
+dcaegen2-services-common._externalVolumes:
+This template generates a list of volumes associated with the pod,
+based on information provided in .Values.externalVolumes.  This
+template works in conjunction with dcaegen2-services-common._externalVolumeMounts
+to give the microservice access to data in volumes created else.
+This initial implementation supports ConfigMaps only, as this is the only
+external volume mounting required by current microservices.
+
+.Values.externalValues is a list of objects.  Each object has 3 required fields and 1 optional field:
+   - name: the name of the resource (in the current implementation, it must be a ConfigMap)
+     that is to be set up as a volume.  The value is a case sensitive string.  Because the
+     names of resources are sometimes set at deployment time (for instance, to prefix the Helm
+     release to the name), the string can be a Helm template fragment that will be expanded at
+     deployment time.
+   - type: the type of the resource (in the current implementation, only "ConfigMap" is supported).
+     The value is a case-INsensitive string.
+   - mountPoint: the path to the mount point for the volume in the container file system.  The
+     value is a case-sensitive string.
+   - readOnly: (Optional) Boolean flag.  Set to true to mount the volume as read-only.
+     Defaults to false.
+
+Here is an example fragment from a values.yaml file for a microservice:
+
+externalVolumes:
+  - name: my-example-configmap
+    type: configmap
+    mountPath: /opt/app/config
+  - name: '{{ include "common.release" . }}-another-example'
+    type: configmap
+    mountPath: /opt/app/otherconfig
+*/}}
+{{- define "dcaegen2-services-common._externalVolumes" -}}
+  {{- $global := . -}}
+  {{- if .Values.externalVolumes }}
+    {{- range $vol := .Values.externalVolumes }}
+      {{- if eq (lower $vol.type) "configmap" }}
+        {{- $vname := (tpl $vol.name $global) }}
+- configMap:
+    defaultMode: 420
+    name: {{ $vname }}
+  name: {{ $vname }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{/*
+For internal use only!
+
+dcaegen2-services-common._externalVolumeMounts:
+This template generates a list of volume mounts for the microservice container,
+based on information provided in .Values.externalVolumes.  This
+template works in conjunction with dcaegen2-services-common._externalVolumes
+to give the microservice access to data in volumes created else.
+This initial implementation supports ConfigMaps only, as this is the only
+external volume mounting required by current microservices.
+
+See the documentation for dcaegen2-services-common._externalVolumes for
+details on how external volumes are specified in the values.yaml file for
+the microservice.
+*/}}
+{{- define "dcaegen2-services-common._externalVolumeMounts" -}}
+  {{- $global := . -}}
+  {{- if .Values.externalVolumes }}
+    {{- range $vol := .Values.externalVolumes }}
+      {{- if eq (lower $vol.type) "configmap" }}
+        {{- $vname := (tpl $vol.name $global) -}}
+        {{- $readOnly := $vol.readOnly | default false }}
+- mountPath: {{ $vol.mountPath }}
+  name: {{ $vname }}
+  readOnly: {{ $readOnly }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{/*

 dcaegen2-services-common.microserviceDeployment:
 This template produces a Kubernetes Deployment for a DCAE microservice.
 
 dcaegen2-services-common.microserviceDeployment:
 This template produces a Kubernetes Deployment for a DCAE microservice.
 


@@ -113,12 +192,21 @@ certificate information will include a server cert and key, in various
 formats.  It will also include the AAF CA cert.   If the microservice is
 a TLS client only (indicated by setting .Values.tlsServer to false), the
 certificate information includes only the AAF CA cert.
 formats.  It will also include the AAF CA cert.   If the microservice is
 a TLS client only (indicated by setting .Values.tlsServer to false), the
 certificate information includes only the AAF CA cert.

+
+Deployed POD may also include a Policy-sync sidecar container.
+The sidecar is included if .Values.policies is set.  The
+Policy-sync sidecar polls PolicyEngine (PDP) periodically based
+on .Values.policies.duration and configuration retrieved is shared with
+DCAE Microservice container by common volume. Policy can be retrieved based on
+list of policyID or filter

 */}}
 
 {{- define "dcaegen2-services-common.microserviceDeployment" -}}
 {{- $logDir :=  default "" .Values.logDirectory -}}
 {{- $certDir := default "" .Values.certDirectory . -}}
 {{- $tlsServer := default "" .Values.tlsServer -}}
 */}}
 
 {{- define "dcaegen2-services-common.microserviceDeployment" -}}
 {{- $logDir :=  default "" .Values.logDirectory -}}
 {{- $certDir := default "" .Values.certDirectory . -}}
 {{- $tlsServer := default "" .Values.tlsServer -}}

+{{- $policy := default "" .Values.policies -}}
+

 apiVersion: apps/v1
 kind: Deployment
 metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
 apiVersion: apps/v1
 kind: Deployment
 metadata: {{- include "common.resourceMetadata" . | nindent 2 }}


@@ -180,14 +268,19 @@ spec:
         - mountPath: /opt/app/osaaf
           name: tls-info
       {{- end }}
         - mountPath: /opt/app/osaaf
           name: tls-info
       {{- end }}

+      {{ include "dcaegen2-services-common._certPostProcessor" .  | nindent 4 }}

       containers:
       - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}
         env:
       containers:
       - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}
         env:

+        {{- range $cred := .Values.credentials }}
+        - name: {{ $cred.name }}
+          {{- include "common.secret.envFromSecretFast" (dict "global" $ "uid" $cred.uid "key" $cred.key) | indent 10 }}
+        {{- end }}

         {{- if $certDir }}
         - name: DCAE_CA_CERTPATH
         {{- if $certDir }}
         - name: DCAE_CA_CERTPATH

-          value: {{ $certDir}}/cacert.pem
+          value: {{ $certDir }}/cacert.pem

         {{- end }}
         - name: CONSUL_HOST
           value: consul-server.onap
         {{- end }}
         - name: CONSUL_HOST
           value: consul-server.onap


@@ -225,8 +318,11 @@ spec:
           {{- end }}
         {{- end }}
         resources: {{ include "common.resources" . | nindent 2 }}
           {{- end }}
         {{- end }}
         resources: {{ include "common.resources" . | nindent 2 }}

-        {{- if or $logDir $certDir  }}

         volumeMounts:
         volumeMounts:

+        - mountPath: /app-config
+          name: app-config
+        - mountPath: /app-config-input
+          name: app-config-input

         {{- if $logDir }}
         - mountPath: {{ $logDir}}
           name: component-log
         {{- if $logDir }}
         - mountPath: {{ $logDir}}
           name: component-log


@@ -234,8 +330,15 @@ spec:
         {{- if $certDir }}
         - mountPath: {{ $certDir }}
           name: tls-info
         {{- if $certDir }}
         - mountPath: {{ $certDir }}
           name: tls-info

+          {{- if (include "dcaegen2-services-common.shouldUseCmpv2Certificates" .) -}}
+          {{- include "common.certManager.volumeMountsReadOnly" . | nindent 8 -}}
+          {{- end -}}

         {{- end }}
         {{- end }}

+        {{- if $policy }}
+        - name: policy-shared
+          mountPath: /etc/policies

         {{- end }}
         {{- end }}

+        {{- include "dcaegen2-services-common._externalVolumeMounts" . | nindent 8 }}

       {{- if $logDir }}
       - image: {{ include "repositoryGenerator.image.logging" . }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
       {{- if $logDir }}
       - image: {{ include "repositoryGenerator.image.logging" . }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}


@@ -256,6 +359,53 @@ spec:
           name: filebeat-conf
           subPath: filebeat.yml
       {{- end }}
           name: filebeat-conf
           subPath: filebeat.yml
       {{- end }}

+      {{- if $policy }}
+      - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.dcaePolicySyncImage }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: policy-sync
+        env:
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.podIP
+        - name: POLICY_SYNC_PDP_USER
+          valueFrom:
+            secretKeyRef:
+              name: onap-policy-xacml-pdp-api-creds
+              key: login
+        - name: POLICY_SYNC_PDP_PASS
+          valueFrom:
+            secretKeyRef:
+              name: onap-policy-xacml-pdp-api-creds
+              key: password
+        - name: POLICY_SYNC_PDP_URL
+          value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969
+        - name: POLICY_SYNC_OUTFILE
+          value : "/etc/policies/policies.json"
+        - name: POLICY_SYNC_V1_DECISION_ENDPOINT
+          value : "policy/pdpx/v1/decision"
+        {{- if $policy.filter }}
+        - name: POLICY_SYNC_FILTER
+          value: {{ $policy.filter }}
+        {{- end -}}
+        {{- if $policy.policyID }}
+        - name: POLICY_SYNC_ID
+          value: {{ $policy.policyID }}
+        {{- end -}}
+        {{- if $policy.duration }}
+        - name: POLICY_SYNC_DURATION
+          value: {{ $policy.duration }}
+        {{- end }}
+        resources: {{ include "common.resources" . | nindent 2 }}
+        volumeMounts:
+        - mountPath: /etc/policies
+          name: policy-shared
+        {{- if $certDir }}
+        - mountPath: /opt/ca-certificates/
+          name: tls-info
+        {{- end }}
+      {{- end }}

       hostname: {{ include "common.name" . }}
       volumes:
       - configMap:
       hostname: {{ include "common.name" . }}
       volumes:
       - configMap:


@@ -278,7 +428,74 @@ spec:
       {{- if $certDir }}
       - emptyDir: {}
         name: tls-info
       {{- if $certDir }}
       - emptyDir: {}
         name: tls-info

+        {{ if (include "dcaegen2-services-common.shouldUseCmpv2Certificates" .) -}}
+        {{ include "common.certManager.volumesReadOnly" . | nindent 6 }}
+        {{- end }}
+      {{- end }}
+      {{- if $policy }}
+      - name: policy-shared
+        emptyDir: {}

       {{- end }}
       {{- end }}

+      {{- include "dcaegen2-services-common._externalVolumes" . | nindent 6 }}

       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
 {{ end -}}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
 {{ end -}}

+
+{{/*
+  For internal use
+
+  Template to attach CertPostProcessor which merges CMPv2 truststore with AAF truststore
+  and swaps keystore files.
+*/}}
+{{- define "dcaegen2-services-common._certPostProcessor" -}}
+  {{- $certDir := default "" .Values.certDirectory . -}}
+  {{- if (include "dcaegen2-services-common.shouldUseCmpv2Certificates" .) -}}
+    {{- $cmpv2Certificate := (index .Values.certificates 0) -}}
+    {{- $cmpv2CertificateDir := $cmpv2Certificate.mountPath -}}
+    {{- $certType := "pem" -}}
+    {{- if $cmpv2Certificate.keystore -}}
+      {{- $certType = (index $cmpv2Certificate.keystore.outputType 0) -}}
+    {{- end -}}
+    {{- $truststoresPaths := printf "%s/%s:%s/%s" $certDir "cacert.pem" $cmpv2CertificateDir "cacert.pem" -}}
+    {{- $truststoresPasswordPaths := ":" -}}
+    {{- $keystoreSourcePaths := printf "%s/%s:%s/%s" $cmpv2CertificateDir "cert.pem" $cmpv2CertificateDir "key.pem" -}}
+    {{- $keystoreDestinationPaths := printf "%s/%s:%s/%s" $certDir "cert.pem" $certDir "key.pem" -}}
+    {{- if not (eq $certType "pem") -}}
+      {{- $truststoresPaths = printf "%s/%s:%s/%s.%s" $certDir "trust.jks" $cmpv2CertificateDir "truststore" $certType -}}
+      {{- $truststoresPasswordPaths = printf "%s/%s:%s/%s" $certDir "trust.pass" $cmpv2CertificateDir "truststore.pass" -}}
+      {{- $keystoreSourcePaths = printf "%s/%s.%s:%s/%s" $cmpv2CertificateDir "keystore" $certType $cmpv2CertificateDir "keystore.pass" -}}
+      {{- $keystoreDestinationPaths = printf "%s/%s.%s:%s/%s.pass" $certDir "cert" $certType $certDir $certType -}}
+    {{- end }}
+  - name: cert-post-processor
+    image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.certPostProcessorImage }}
+    imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+    resources:
+      {{- include "common.resources" . | nindent 4 }}
+    volumeMounts:
+    - mountPath: {{ $certDir }}
+      name: tls-info
+      {{- include "common.certManager.volumeMountsReadOnly" . | nindent 4 }}
+    env:
+    - name: TRUSTSTORES_PATHS
+      value: {{ $truststoresPaths | quote}}
+    - name: TRUSTSTORES_PASSWORDS_PATHS
+      value: {{ $truststoresPasswordPaths | quote }}
+    - name: KEYSTORE_SOURCE_PATHS
+      value: {{ $keystoreSourcePaths | quote }}
+    - name: KEYSTORE_DESTINATION_PATHS
+      value: {{ $keystoreDestinationPaths | quote }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+  Template returns string "true" if CMPv2 certificates should be used and nothing (so it can be used in with statements)
+  when they shouldn't. Example use:
+    {{- if (include "dcaegen2-services-common.shouldUseCmpv2Certificates" .) -}}
+
+*/}}
+{{- define "dcaegen2-services-common.shouldUseCmpv2Certificates" -}}
+  {{- $certDir := default "" .Values.certDirectory . -}}
+  {{- if (and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration .Values.useCmpv2Certificates) -}}
+  true
+  {{- end -}}
+{{- end -}}