Add configuration of external tls init container - CMPv2 56/119956/13
authorTomasz Wrobel <tomasz.wrobel@nokia.com>
Mon, 29 Mar 2021 09:50:57 +0000 (11:50 +0200)
committerTomasz Wrobel <tomasz.wrobel@nokia.com>
Fri, 9 Apr 2021 11:08:42 +0000 (13:08 +0200)
- Add configuration of certificates that exist in a secret
- Add configuration of the secret containing the passwords

Issue-ID: OOM-2712
Signed-off-by: Tomasz Wrobel <tomasz.wrobel@nokia.com>
Change-Id: I4e0d6fb3717fdf19b5110a83d9273fd7bcf75757

k8s/ChangeLog.md
k8s/configure/configure.py
k8s/k8sclient/k8sclient.py
k8s/k8splugin_types.yaml
k8s/pom.xml
k8s/setup.py
k8s/tests/common.py
k8s/tests/test_k8sclient_deploy.py

index 67d3d14..76a2449 100644 (file)
@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [3.9.0]
+* OOM-2712 Add a configuration of certificates for communication between external-tls init container and CertService API
+
+## [3.8.0]
+* Update policy lib to 2.5.1
+
+## [3.7.0]
+* Update to python3 version of policy lib
+
 ## [3.6.0]
 * DCAEGEN2-2440  - Add integration with cert-manager. 
 * Enable creation of certificate custom resource instead cert-service-client container, 
index 142e2ec..d661631 100644 (file)
@@ -48,8 +48,12 @@ EXT_TLS_STATE = "California"
 EXT_TLS_ORGANIZATIONAL_UNIT = "ONAP"
 EXT_TLS_LOCATION = "San-Francisco"
 EXT_TLS_CERT_SECRET_NAME = "oom-cert-service-client-tls-secret"
-EXT_TLS_KEYSTORE_PASSWORD = "secret"
-EXT_TLS_TRUSTSTORE_PASSWORD = "secret"
+EXT_TLS_KEYSTORE_PASSWORD_SECRET_NAME = "oom-cert-service-keystore-password"
+EXT_TLS_TRUSTSTORE_PASSWORD_SECRET_NAME = "oom-cert-service-truststore-password"
+EXT_TLS_KEYSTORE_SECRET_KEY = "keystore.jks"
+EXT_TLS_TRUSTSTORE_SECRET_KEY = "truststore.jks"
+EXT_TLS_KEYSTORE_PASSWORD_SECRET_KEY = "password"
+EXT_TLS_TRUSTSTORE_PASSWORD_SECRET_KEY = "password"
 
 CERT_POST_PROCESSOR_IMAGE = "nexus3.onap.org:10001/onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.1.0"
 CBS_BASE_URL = "https://config-binding-service:10443/service_component_all"
@@ -88,8 +92,13 @@ def _set_defaults():
             "organizational_unit" : EXT_TLS_ORGANIZATIONAL_UNIT,  # Organizational unit name, for which certificate will be created
             "location" : EXT_TLS_LOCATION,                        # Location name, for which certificate will be created
             "cert_secret_name": EXT_TLS_CERT_SECRET_NAME,         # Name of secret containing keystore and truststore for secure communication of Cert Service Client and Cert Service
-            "keystore_password" : EXT_TLS_KEYSTORE_PASSWORD,      # Password to keystore file
-            "truststore_password" : EXT_TLS_TRUSTSTORE_PASSWORD   # Password to truststore file
+            "keystore_secret_key" : EXT_TLS_KEYSTORE_SECRET_KEY,  # Key for keystore value exists in secret (cert_secret_name)
+            "truststore_secret_key" : EXT_TLS_TRUSTSTORE_SECRET_KEY,   # Key for truststore value exists in secret (cert_secret_name)
+            "keystore_password_secret_name": EXT_TLS_KEYSTORE_PASSWORD_SECRET_NAME, # Name of secret containing password for keystore for secure communication of Cert Service Client and Cert Service
+            "truststore_password_secret_name": EXT_TLS_TRUSTSTORE_PASSWORD_SECRET_NAME, # Name of secret containing password for truststore for secure communication of Cert Service Client and Cert Service
+            "keystore_password_secret_key" : EXT_TLS_KEYSTORE_PASSWORD_SECRET_KEY,      # Key for keystore password value exists in secret (keystore_password_secret_name)
+            "truststore_password_secret_key" : EXT_TLS_TRUSTSTORE_PASSWORD_SECRET_KEY   # Key for truststore password value exists in secret (truststore_password_secret_name)
+
         },
         "cert_post_processor": {
             "image_tag": CERT_POST_PROCESSOR_IMAGE      # Docker image to use for cert post processor init container
index 2b9811f..ed8282f 100644 (file)
@@ -50,8 +50,6 @@ PORTS = re.compile("^([0-9]+)(/(udp|UDP|tcp|TCP))?:([0-9]+)$")
 
 # Constants for external_cert
 MOUNT_PATH = "/etc/onap/oom/certservice/certs/"
-KEYSTORE_PATH = MOUNT_PATH + "certServiceClient-keystore.jks"
-TRUSTSTORE_PATH = MOUNT_PATH + "truststore.jks"
 DEFAULT_CERT_TYPE = "p12"
 
 
@@ -162,10 +160,18 @@ def _create_container_object(name, image, always_pull, **kwargs):
     # Copy any passed in environment variables
     env = kwargs.get('env') or {}
     env_vars = [client.V1EnvVar(name=k, value=env[k]) for k in env]
+
     # Add POD_IP with the IP address of the pod running the container
     pod_ip = client.V1EnvVarSource(field_ref=client.V1ObjectFieldSelector(field_path="status.podIP"))
     env_vars.append(client.V1EnvVar(name="POD_IP", value_from=pod_ip))
 
+    # Add envs from Secret
+    if 'env_from_secret' in kwargs:
+        for env in kwargs.get('env_from_secret').values():
+            secret_key_selector = client.V1SecretKeySelector(key=env["secret_key"], name=env["secret_name"])
+            env_var_source = client.V1EnvVarSource(secret_key_ref=secret_key_selector)
+            env_vars.append(client.V1EnvVar(name=env["env_name"], value_from=env_var_source))
+
     # If a health check is specified, create a readiness/liveness probe
     # (For an HTTP-based check, we assume it's at the first container port)
     readiness = kwargs.get('readiness')
@@ -419,10 +425,14 @@ def _add_external_tls_init_container(ctx, init_containers, volumes, external_cer
     ctx.logger.info("Creating init container: external TLS \n  * [" + docker_image + "]")
 
     env = {}
+    env_from_secret = {}
     output_path = external_cert.get("external_cert_directory")
     if not output_path.endswith('/'):
         output_path += '/'
 
+    keystore_secret_key = external_tls_config.get("keystore_secret_key")
+    truststore_secret_key = external_tls_config.get("truststore_secret_key")
+
     env["REQUEST_URL"] = external_tls_config.get("request_url")
     env["REQUEST_TIMEOUT"] = external_tls_config.get("timeout")
     env["OUTPUT_PATH"] = output_path + "external"
@@ -435,21 +445,39 @@ def _add_external_tls_init_container(ctx, init_containers, volumes, external_cer
     env["STATE"] = external_tls_config.get("state")
     env["COUNTRY"] = external_tls_config.get("country")
     env["SANS"] = external_cert.get("external_certificate_parameters").get("sans")
-    env["KEYSTORE_PATH"] = KEYSTORE_PATH
-    env["KEYSTORE_PASSWORD"] = external_tls_config.get("keystore_password")
-    env["TRUSTSTORE_PATH"] = TRUSTSTORE_PATH
-    env["TRUSTSTORE_PASSWORD"] = external_tls_config.get("truststore_password")
-
+    env["KEYSTORE_PATH"] = MOUNT_PATH + keystore_secret_key
+    env["TRUSTSTORE_PATH"] = MOUNT_PATH + truststore_secret_key
+    env_from_secret["KEYSTORE_PASSWORD"] = \
+        {"env_name": "KEYSTORE_PASSWORD",
+         "secret_name": external_tls_config.get("keystore_password_secret_name"),
+         "secret_key": external_tls_config.get("keystore_password_secret_key")}
+    env_from_secret["TRUSTSTORE_PASSWORD"] = \
+        {"env_name": "TRUSTSTORE_PASSWORD",
+         "secret_name": external_tls_config.get("truststore_password_secret_name"),
+         "secret_key": external_tls_config.get("truststore_password_secret_key")}
     # Create the volumes and volume mounts
-    sec = client.V1SecretVolumeSource(secret_name=external_tls_config.get("cert_secret_name"))
-    volumes.append(client.V1Volume(name="tls-volume", secret=sec))
+    projected_volume = _create_projected_tls_volume(external_tls_config.get("cert_secret_name"),
+                                                    keystore_secret_key,
+                                                    truststore_secret_key)
+
+    volumes.append(client.V1Volume(name="tls-volume", projected=projected_volume))
     init_volume_mounts = [
         client.V1VolumeMount(name="tls-info", mount_path=external_cert.get("external_cert_directory")),
         client.V1VolumeMount(name="tls-volume", mount_path=MOUNT_PATH)]
 
     # Create the init container
     init_containers.append(
-        _create_container_object("cert-service-client", docker_image, False, volume_mounts=init_volume_mounts, env=env))
+        _create_container_object("cert-service-client", docker_image, False, volume_mounts=init_volume_mounts, env=env, env_from_secret=env_from_secret))
+
+
+def _create_projected_tls_volume(secret_name, keystore_secret_key, truststore_secret_key):
+    items = [
+        client.V1KeyToPath(key=keystore_secret_key, path=keystore_secret_key),
+        client.V1KeyToPath(key=truststore_secret_key, path=truststore_secret_key)]
+    secret_projection = client.V1SecretProjection(name=secret_name, items=items)
+    volume_projection = [client.V1VolumeProjection(secret=secret_projection)]
+    projected_volume = client.V1ProjectedVolumeSource(sources=volume_projection)
+    return projected_volume
 
 
 def _add_cert_post_processor_init_container(ctx, init_containers, tls_info, tls_config, external_cert,
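Review bot: In `_create_container_object`, the loop `for env in kwargs.get('env_from_secret').values():` reuses the name `env` that was bound a few lines earlier to `kwargs.get('env') or {}`, so after the loop `env` refers to the last secret spec; the rest of that function lies outside the hunk, so I cannot tell whether `env` is read again, but the shadowing is a latent bug either way. The `'env_from_secret' in kwargs` check followed by `.get(...).values()` also raises AttributeError if a caller passes `env_from_secret=None`, unlike the `or {}` guard used for `env`; `for secret_env in (kwargs.get('env_from_secret') or {}).values():` with the three body lines reading `secret_env["secret_key"]`, `secret_env["secret_name"]` and `secret_env["env_name"]` fixes both. The new `_create_projected_tls_volume` has no docstring; a one-liner such as `"""Project the keystore and truststore entries of secret_name into a volume, each file named after its secret key."""` would explain why the V1KeyToPath items use the key as the path. Keying `env_from_secret` by the env name and repeating it in `env_name` is redundant, but that is a style choice.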
index 945ed85..0389d14 100644 (file)
@@ -24,7 +24,7 @@ plugins:
   k8s:
     executor: 'central_deployment_agent'
     package_name: k8splugin
-    package_version: 3.8.0
+    package_version: 3.9.0
 
 data_types:
 
index 7a14297..83b2318 100644 (file)
@@ -29,7 +29,7 @@ limitations under the License.
   <groupId>org.onap.dcaegen2.platform.plugins</groupId>
   <artifactId>k8s</artifactId>
   <name>k8s-plugin</name>
-  <version>3.8.0-SNAPSHOT</version>
+  <version>3.9.0-SNAPSHOT</version>
   <url>http://maven.apache.org</url>
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
index 47dc38c..97a7408 100644 (file)
@@ -24,8 +24,8 @@ from setuptools import setup
 setup(
     name='k8splugin',
     description='Cloudify plugin for containerized components deployed using Kubernetes',
-    version="3.8.0",
-    author='J. F. Lucas, Michael Hwang, Tommy Carpenter, Joanna Jeremicz, Sylwia Jakubek, Jan Malkiewicz, Remigiusz Janeczek, Piotr Marcinkiewicz',
+    version="3.9.0",
+    author='J. F. Lucas, Michael Hwang, Tommy Carpenter, Joanna Jeremicz, Sylwia Jakubek, Jan Malkiewicz, Remigiusz Janeczek, Piotr Marcinkiewicz, Tomasz Wrobel',
     packages=['k8splugin','k8sclient','configure'],
     zip_safe=False,
     install_requires=[
index 19d94d6..3bd2db1 100644 (file)
@@ -105,15 +105,22 @@ def verify_external_cert(dep):
         "STATE": "California",
         "COUNTRY": "US",
         "SANS": "mysans",
-        "KEYSTORE_PATH": "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks",
-        "KEYSTORE_PASSWORD": "secret1",
-        "TRUSTSTORE_PATH": "/etc/onap/oom/certservice/certs/truststore.jks",
-        "TRUSTSTORE_PASSWORD": "secret2"}
+        "KEYSTORE_PATH": "/etc/onap/oom/certservice/certs/keystore.jks",
+        "TRUSTSTORE_PATH": "/etc/onap/oom/certservice/certs/truststore.jks"}
+
 
     envs = {k.name: k.value for k in cert_container.env}
     for k in expected_envs:
         assert (k in envs and expected_envs[k] == envs[k])
 
+    envs_from_source = {k.name: k.value_from for k in cert_container.env}
+    expected_secret_key_ref = {
+        "KEYSTORE_PASSWORD": "oom-cert-service-client-tls-secret-password",
+        "TRUSTSTORE_PASSWORD": "oom-cert-service-client-tls-secret-password"
+    }
+    for key, value in expected_secret_key_ref.items():
+        assert (key in envs_from_source and str(envs_from_source[key]).__contains__(value))
+
 
 def verify_cert_post_processor(dep):
     cert_container = dep.spec.template.spec.init_containers[2]
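Review bot: The new assertion `str(envs_from_source[key]).__contains__(value)` only checks that the secret name appears somewhere in the repr of the V1EnvVarSource, so it would still pass if the name ended up in the wrong field (for example as the `key`) or in a config-map reference instead of a secret reference; assert the structured fields instead, e.g. `ref = envs_from_source[key].secret_key_ref` followed by `assert ref.name == value and ref.key == "password"`. Calling the dunder directly is also unidiomatic; if the loose check is kept, `value in str(envs_from_source[key])` is the conventional spelling. The two consecutive blank lines added after the `expected_envs` literal sit inside the function body and look accidental. `verify_external_cert` starts before this hunk.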
index cd00f37..94957a6 100644 (file)
@@ -50,8 +50,13 @@ K8S_CONFIGURATION = {
         "state": "California",
         "organizational_unit": "ONAP",
         "location": "San-Francisco",
-        "keystore_password": "secret1",
-        "truststore_password": "secret2"
+        "cert_secret_name": "oom-cert-service-client-tls-secret",
+        "keystore_secret_key" : "keystore.jks",
+        "truststore_secret_key" : "truststore.jks",
+        "keystore_password_secret_name": "oom-cert-service-client-tls-secret-password",
+        "truststore_password_secret_name": "oom-cert-service-client-tls-secret-password",
+        "keystore_password_secret_key" : "password",
+        "truststore_password_secret_key" : "password"
     },
     "cert_post_processor": {
         "image_tag": "repo/oom-cert-post-processor:2.1.0"