blueprint and inputs for 4.3.0 policy-handler

- set up tls on policy-handler
- policy-handler expecting the deployment process
  to mount certs at /opt/app/policy_handler/etc/tls/certs/
  = cert_directory : /opt/app/policy_handler/etc/tls/certs/
  = cacert : cacert.pem

- new optional fields tls_ca_mode in config on consul that
  specify where to find the cacert.pem for tls per each https/web-socket
    values are:
    "cert_directory" - use the cacert.pem stored locally in cert_directory
                       this is the default if cacert.pem file is found
    "os_ca_bundle"   - use the public ca_bundle provided by linux system.
                       this is the default if cacert.pem file not found
    "do_not_verify"  - special hack to turn off the verification by cacert
                       and hostname
- config on consul now has 2 new fields for policy_engine
  = "tls_ca_mode" : "cert_directory"
  = "tls_wss_ca_mode" : "cert_directory"
- config on consul now has 1 new field for deploy_handler
  = "tls_ca_mode" : "cert_directory"

Change-Id: Ida2d058cad93ddd1a583e1922bc5dc33c145fcba
Signed-off-by: Alex Shatov <alexs@att.com>
Issue-ID: DCAEGEN2-611

diff --git a/blueprints/k8s-policy_handler.yaml-template b/blueprints/k8s-policy_handler.yaml-template
index 62f605a..e5ea8c7 100644 (file)
--- a/blueprints/k8s-policy_handler.yaml-template
+++ b/blueprints/k8s-policy_handler.yaml-template
@@ -32,7 +32,7 @@ inputs:
 
   policy_handler_image:
     description: Docker image for policy_handler
-    default: '{{ ONAPTEMPLATE_DOCKERREGURL_org_onap_dcaegen2_releases }}/onap/org.onap.dcaegen2.platform.policy-handler:4.2.0'
+    default: '{{ ONAPTEMPLATE_DOCKERREGURL_org_onap_dcaegen2_releases }}/onap/org.onap.dcaegen2.platform.policy-handler:4.3.0'
 
   application_config:
     description: policy handler application configuration - requires info on policy-engine
@@ -55,3 +55,6 @@ node_templates:
         log_info:
             log_directory: '/opt/app/policy_handler/logs'
         container_port: 25577
+        tls_info:
+          cert_directory: '/opt/app/policy_handler/etc/tls/certs/'
+          use_tls: true

diff --git a/blueprints/policy_handler.yaml-template b/blueprints/policy_handler.yaml-template
index b897958..4a8d26d 100644 (file)
--- a/blueprints/policy_handler.yaml-template
+++ b/blueprints/policy_handler.yaml-template
@@ -39,7 +39,7 @@ inputs:
 
   policy_handler_image:
     description: Docker image for policy_handler
-    default: '{{ ONAPTEMPLATE_DOCKERREGURL_org_onap_dcaegen2_releases }}/onap/org.onap.dcaegen2.platform.policy-handler:4.2.0'
+    default: '{{ ONAPTEMPLATE_DOCKERREGURL_org_onap_dcaegen2_releases }}/onap/org.onap.dcaegen2.platform.policy-handler:4.3.0'
 
   application_config:
     description: policy handler application configuration - requires info on policy-engine

diff --git a/input-templates/phinputs.yaml b/input-templates/phinputs.yaml
index e23d051..850f935 100644 (file)
--- a/input-templates/phinputs.yaml
+++ b/input-templates/phinputs.yaml
@@ -56,6 +56,18 @@ application_config:
             Authorization : "Basic dGVzdHBkcDphbHBoYTEyMw=="
             Environment : "TEST"
         target_entity : "policy_engine"
+        # optional tls_ca_mode specifies where to find the cacert.pem for tls
+        #   can be one of these:
+        #       "cert_directory" - use the cacert.pem stored locally in cert_directory.
+        #                          this is the default if cacert.pem file is found
+        #
+        #       "os_ca_bundle"     - use the public ca_bundle provided by linux system.
+        #                          this is the default if cacert.pem file not found
+        #
+        #       "do_not_verify"  - special hack to turn off the verification by cacert and hostname
+        tls_ca_mode : "cert_directory"
+        # optional tls_wss_ca_mode specifies the same for the tls based web-socket
+        tls_wss_ca_mode : "cert_directory"
     # deploy_handler config
     #    changed from string "deployment_handler" in 2.3.1 to structure in 2.4.0
     deploy_handler :
@@ -71,3 +83,13 @@ application_config:
             # optionally specify the tenant name for the cloudify under deployment-handler
             #    if not specified the "default_tenant" is used by the deployment-handler
             cfy_tenant_name : "default_tenant"
+        # optional tls_ca_mode specifies where to find the cacert.pem or skip tls verification
+        #   can be one of these:
+        #       "cert_directory" - use the cacert.pem stored locally in cert_directory.
+        #                          this is the default if cacert.pem file is found
+        #
+        #       "os_ca_bundle"     - use the public ca_bundle provided by linux system.
+        #                          this is the default if cacert.pem file not found
+        #
+        #       "do_not_verify"  - special hack to turn off the verification by cacert and hostname
+        tls_ca_mode : "cert_directory"