.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
+.. _tls_enablement:
TLS Support
===========
k8splugin version 2.0.0 uses an init container to supply the CA certificates.
-External TLS Support
---------------------
+External TLS Support - using Cloudify
+-------------------------------------
External TLS support was introduced in order to integrate DCAE with CertService to acquire operator certificates meant to protect external traffic between DCAE's components (VES collector, HV-VES, RestConf collector and DFC) and xNFs. For that reason K8s plugin which creates K8s resources from Cloudify blueprints was enhanced with new TLS properties support. New TLS properties are meant to control CertService's client call in init containers section and environment variables which are passed to it.
This external TLS support doesn't influence ONAP internal traffic which is protected by certificates issued by AAF's CertMan. External TLS Support was introduced in k8splugin 3.1.0.
+From k8splugin 3.4.1 when external TLS is enabled (use_external_tls=true), keystore contains only certificate from CMPv2 server. Keystore issued by CertMan has appended .bak extension and is not used.
+
1. Certificate setup:
- To create certificate artifacts, AAF CertService must obtain the certificate details. Common name and list of Subject Alternative Names (SANs) are set in blueprint as described in step 3.
+ To create certificate artifacts, OOM CertService must obtain the certificate details. Common name and list of Subject Alternative Names (SANs) are set in blueprint as described in step 3.
The following parameters with default values are stored in OOM in k8splugin configuration file (k8splugin.json) in group ``external_cert``:
* A string ``image_tag`` that indicates CertService client image name and version
.. code-block:: JSON
{
- "image_tag": "nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION",
- "request_url": "https://aaf-cert-service:8443/v1/certificate/",
+ "image_tag": "nexus3.onap.org:10001/onap/org.onap.oom.platform.certservice.oom-certservice-client:$VERSION",
+ "request_url": "https://oom-cert-service:8443/v1/certificate/",
"timeout": "30000",
"country": "US",
"organization": "Linux-Foundation",
2. Certificate generation and retrieval:
When a DCAE component that needs an external TLS certificate is launched, a Kubernetes init container runs before the main
- component container is launched. The init container contacts the AAF CertService.
+ component container is launched. The init container contacts the OOM CertService.
DCAE service components (sometimes called "microservices") are deployed via Cloudify using blueprints. This is described
in more detail in the next section.
* A string (``output_type``) that indicates certificate output type.
* A dictionary (``external_certificate_parameters``) with two elements:
* A string (``common_name``) that indicates common name which should be present in certificate. Specific for every blueprint (e.g. dcae-ves-collector for VES).
- * A string (``sans``) that indicates list of Subject Alternative Names (SANs) which should be present in certificate. Delimiter - : Should contain common_name value and other FQDNs under which given component is accessible.
+ * A string (``sans``) that indicates list of Subject Alternative Names (SANs) which should be present in certificate. Delimiter - , Should contain common_name value and other FQDNs under which given component is accessible. The following SANs types are supported: DNS names, IPs, URIs, emails.
As a final step of the plugin the generated CMPv2 truststore entries will be appended to AAF CA truststore (see certificate artifacts below).
cert_type: "P12"
external_certificate_parameters:
common_name: "simpledemo.onap.org"
- sans: "simpledemo.onap.org;ves.simpledemo.onap.org;ves.onap.org"
+ sans: "simpledemo.onap.org,ves.simpledemo.onap.org,ves.onap.org"
For this example the certificates are mounted into ``/opt/app/dcae-certificate/external`` directory within the container.
During deployment Kubernetes plugin (referenced in blueprint) will check if the ``external_cert`` property is set and ``use_external_tls`` is set to true, then the plugin will add some elements to the Kubernetes Deployment for the component:
* A Kubernetes volume (``tls-volume``) that will hold the certificate artifacts
* A Kubernetes initContainer (``cert-service-client``)
- * A Kubernetes volumeMount for the initContainer that mounts the ``tls-volume`` volume at ``/etc/onap/aaf/certservice/certs/``.
+ * A Kubernetes volumeMount for the initContainer that mounts the ``tls-volume`` volume at ``/etc/onap/oom/certservice/certs/``.
* A Kubernetes volumeMount for the main container that mounts the ``tls-info`` volume at the mount point specified in the ``external_cert_directory`` property.
Kurbernetes volumeMount tls-info is shared with TLS init container for internal traffic.
* ``trust.jks.bak``: The (original) file with the AAF CA certificate only.
* ``trust.pass``: A text file with a single line that contains the password for ``trust.jks`` and ``trust.jks.bak`` file.
* ``cacert.pem``: The AAF CA certificate, in PEM form.
+
+.. _external-tls-helm:
+
+External TLS Support - Helm based deployment
+--------------------------------------------
+
+CMPv2 certificates can be enabled and configured via helm values. The feature is switched on only when:
+ * ``global.cmpv2Enabled`` flag is set to true
+ * ``certDirectory`` directory where TLS certs should be stored is set (in a specific component)
+ * flag ``useCmpv2Certificates`` is set to true (in a specific component)
+
+Default values for certificates are defined in ``global.certificate.default`` and can be overriden during onap installation process.
+
+ .. code-block:: yaml
+
+ global:
+ certificate:
+ default:
+ renewBefore: 720h #30 days
+ duration: 8760h #365 days
+ subject:
+ organization: "Linux-Foundation"
+ country: "US"
+ locality: "San-Francisco"
+ province: "California"
+ organizationalUnit: "ONAP"
+ issuer:
+ group: certmanager.onap.org
+ kind: CMPv2Issuer
+ name: cmpv2-issuer-onap
+
+CMPv2 settings can be changed in Helm values.
+ * ``mountPath`` - the directory within the container where certificates should be mounted
+ * ``commonName`` - indicates common name which should be present in certificate
+ * ``dnsNames`` - list of DNS names which should be present in certificate
+ * ``ipAddresses`` - list of IP addresses which should be present in certificate
+ * ``uris`` - list of uris which should be present in certificate
+ * ``emailAddresses`` - list of email addresses which should be present in certificate
+ * ``outputType`` - indicates certificate output type (jks or p12)
+
+ .. code-block:: yaml
+
+ certificates:
+ - mountPath: <PATH>
+ commonName: <COMMON-NAME>
+ dnsNames:
+ - <DNS-NAME-1>
+ - <DNS-NAME-2>
+ ...
+ ipAddresses:
+ ...
+ uris:
+ ...
+ emailAddresses:
+ ...
+ keystore:
+ outputType:
+ - <OUTPUT-TYPE>
+ passwordSecretRef:
+ name: <SECRET-NAME>
+ key: <PASSWORD-KEY>
+ create: <SHOULD-CREATE>
+
+The values can be changed by upgrading a component with modified values, eg.
+
+ .. code-block:: bash
+
+ helm -n onap upgrade <deploymant name> --values <path to updated values>
Code Review / dcaegen2.git / blobdiff