# ============LICENSE_START=======================================================
# org.onap.dcae
# ================================================================================
-# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2018-2020 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2019 Pantheon.tech. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# See the License for the specific language governing permissions and
# limitations under the License.
# ============LICENSE_END=========================================================
-#
-# ECOMP is a trademark and service mark of AT&T Intellectual Property.
_CONFIG_PATH = "/opt/onap/config.txt" # Path to config file on the Cloudify Manager host
_CONSUL_KEY = "k8s-plugin" # Key under which CM configuration is stored in Consul
DCAE_NAMESPACE = "dcae"
CONSUL_DNS_NAME = "consul"
DEFAULT_K8S_LOCATION = "central"
+DEFAULT_MAX_WAIT = 1800
FB_LOG_PATH = "/var/log/onap"
FB_DATA_PATH = "/usr/share/filebeat/data"
FB_CONFIG_MAP = "filebeat-conf"
FB_IMAGE = "docker.elastic.co/beats/filebeat:5.5.0"
-TLS_CERT_PATH = "/opt/tls/shared"
-TLS_IMAGE = "nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.0"
-TLS_CA_CERT_PATH = "/opt/dcae/cacert/cacert.pem"
+TLS_CERT_PATH = "/opt/app/osaaf"
+TLS_IMAGE = "nexus3.onap.org:10001/onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0"
+TLS_COMP_CERT_PATH = "/opt/dcae/cacert"
TLS_CA_CONFIGMAP = "dcae-cacert-configmap"
CBS_BASE_URL = "https://config-binding-service:10443/service_component_all"
"consul_dns_name" : CONSUL_DNS_NAME, # k8s internal DNS name for Consul
"default_k8s_location" : DEFAULT_K8S_LOCATION, # default k8s location to deploy components
"image_pull_secrets" : [], # list of k8s secrets for accessing Docker registries
+ "max_wait": DEFAULT_MAX_WAIT, # Default maximum time to wait for component to become healthy (secs)
"filebeat": { # Configuration for setting up filebeat container
"log_path" : FB_LOG_PATH, # mount point for log volume in filebeat container
"data_path" : FB_DATA_PATH, # mount point for data volume in filebeat container
"tls": { # Configuration for setting up TLS
"cert_path" : TLS_CERT_PATH, # mount point for certificate volume in TLS init container
"image": TLS_IMAGE, # Docker image to use for TLS init container
- "component_ca_cert_path": TLS_CA_CERT_PATH, # Mount point for CA cert for components that are clients only
- "ca_cert_configmap": TLS_CA_CONFIGMAP # ConfigMap holding CA cert for components that are clients only
+ "component_cert_dir": TLS_COMP_CERT_PATH # default mount point for certificate volume in component container
},
"cbs": {
"base_url" : CBS_BASE_URL # URL prefix for accessing config binding service
k8s:
executor: 'central_deployment_agent'
package_name: k8splugin
- package_version: 1.7.2
+ package_version: 2.0.0
data_types:
# ============LICENSE_START=======================================================
# org.onap.dcae
# ================================================================================
-# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2019-2020 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Pantheon.tech. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
containers.append(_create_container_object("filebeat", filebeat["image"], False, volume_mounts=sidecar_volume_mounts))
def _add_tls_init_container(init_containers, volumes, volume_mounts, tls_info, tls_config):
- # Two different ways of doing this, depending on whether the container will act as a TLS server or as a client only
- # If a server, then tls_info will be passed, and tls_info["use_tls"] will be set to true. We create an InitContainer
- # that sets up the CA cert, the server cert, and the keys.
- # If a client only, only the CA cert is needed. We mount the CA cert from a ConfigMap that has been created as part
- # of the installation process. If there is cert_directory information in tls_info, we use that directory in the mount path.
- # Otherwise, we use the configured default path in tls_config.
- cert_directory = None
- if tls_info:
- cert_directory = tls_info.get("cert_directory")
- if cert_directory and tls_info.get("use_tls"):
- # Use an InitContainer to set up the certificate information
- # Create the certificate volume and volume mounts
- volumes.append(client.V1Volume(name="tls-info", empty_dir=client.V1EmptyDirVolumeSource()))
- volume_mounts.append(client.V1VolumeMount(name="tls-info", mount_path=cert_directory))
- init_volume_mounts = [client.V1VolumeMount(name="tls-info", mount_path=tls_config["cert_path"])]
-
- # Just create the init container
- init_containers.append(_create_container_object("init-tls", tls_config["image"], False, volume_mounts=init_volume_mounts))
- return
-
- # Use a config map
- # Create the CA cert volume
- volumes.append(client.V1Volume(name="tls-cacert", config_map=client.V1ConfigMapVolumeSource(name=tls_config["ca_cert_configmap"])))
-
- # Create the volume mount
- mount_path = cert_directory or os.path.dirname(tls_config["component_ca_cert_path"])
- volume_mounts.append(client.V1VolumeMount(name="tls-cacert", mount_path=mount_path))
+ # Adds an InitContainer to the pod to set up TLS certificate information. For components that act as a
+ # server(tls_info["use_tls"] is True), the InitContainer will populate a directory with server and CA certificate
+ # materials in various formats. For other components (tls_info["use_tls"] is False, or tls_info is not specified),
+ # the InitContainer will populate a directory with CA certificate materials in PEM and JKS formats.
+ # In either case, the certificate directory is mounted onto the component container filesystem at the location
+ # specified by tls_info["component_cert_dir"], if present, otherwise at the configured default mount point
+ # (tls_config["component_cert_dir"]).
+
+ cert_directory = tls_info.get("cert_directory") or tls_config.get("component_cert_dir")
+ env = {}
+ env["TLS_SERVER"] = "true" if tls_info.get("use_tls") else "false"
+
+ # Create the certificate volume and volume mounts
+ volumes.append(client.V1Volume(name="tls-info", empty_dir=client.V1EmptyDirVolumeSource()))
+ volume_mounts.append(client.V1VolumeMount(name="tls-info", mount_path=cert_directory))
+ init_volume_mounts = [client.V1VolumeMount(name="tls-info", mount_path=tls_config["cert_path"])]
+
+ # Create the init container
+ init_containers.append(_create_container_object("init-tls", tls_config["image"], False, volume_mounts=init_volume_mounts, env=env))
def _process_port_map(port_map):
service_ports = [] # Ports exposed internally on the k8s network
- tls: a dictionary of TLS-related information:
"cert_path": mount point for certificate volume in init container
"image": Docker image to use for TLS init container
- "component_ca_cert_path" : mount point for CA cert for client-only containers
- "ca_cert_configmap": the name of the ConfigMap where the CA cert is stored
+ "component_cert_dir" : default mount point for certs
kwargs may have:
- volumes: array of volume objects, where a volume object is:
{"host":{"path": "/path/on/host"}, "container":{"bind":"/path/on/container","mode":"rw_or_ro"}
# ============LICENSE_START=======================================================
# org.onap.dcae
# ================================================================================
-# Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2017-2020 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Pantheon.tech. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# See the License for the specific language governing permissions and
# limitations under the License.
# ============LICENSE_END=========================================================
-#
-# ECOMP is a trademark and service mark of AT&T Intellectual Property.
# Lifecycle interface calls for containerized components
CONSUL_HOST = plugin_conf.get("consul_host")
CONSUL_INTERNAL_NAME = plugin_conf.get("consul_dns_name")
DCAE_NAMESPACE = plugin_conf.get("namespace")
-DEFAULT_MAX_WAIT = plugin_conf.get("max_wait", 1800)
+DEFAULT_MAX_WAIT = plugin_conf.get("max_wait")
DEFAULT_K8S_LOCATION = plugin_conf.get("default_k8s_location")
-COMPONENT_CA_CERT_PATH = plugin_conf.get("tls").get("component_ca_cert_path")
+COMPONENT_CERT_DIR = plugin_conf.get("tls",{}).get("component_cert_dir")
CBS_BASE_URL = plugin_conf.get("cbs").get("base_url")
# Used to construct delivery urls for data router subscribers. Data router in FTL
- liveness: object with information needed to create a liveness check
- k8s_location: name of the Kubernetes location (cluster) where the component is to be deployed
'''
- tls_info = kwargs.get("tls_info")
+ tls_info = kwargs.get("tls_info") or {}
+ cert_dir = tls_info.get("cert_directory") or COMPONENT_CERT_DIR
env = { "CONSUL_HOST": CONSUL_INTERNAL_NAME,
"CONFIG_BINDING_SERVICE": "config-binding-service",
- "DCAE_CA_CERTPATH" : "{0}/cacert.pem".format(tls_info["cert_directory"]) if (tls_info and tls_info["cert_directory"]) else COMPONENT_CA_CERT_PATH,
+ "DCAE_CA_CERTPATH" : "{0}/cacert.pem".format(cert_dir),
"CBS_CONFIG_URL" : "{0}/{1}".format(CBS_BASE_URL, container_name)
}
env.update(kwargs.get("envs", {}))
See the License for the specific language governing permissions and
limitations under the License.
============LICENSE_END=========================================================
-
-ECOMP is a trademark and service mark of AT&T Intellectual Property.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.onap.dcaegen2.platform.plugins</groupId>
<artifactId>k8s</artifactId>
<name>k8s-plugin</name>
- <version>1.7.2-SNAPSHOT</version>
+ <version>2.0.0-SNAPSHOT</version>
<url>http://maven.apache.org</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+setuptools<45.0.0
python-consul>=0.6.0
onap-dcae-dcaepolicy-lib>=2.4.1
kubernetes>=9.0.0
# ============LICENSE_START=======================================================
# org.onap.dcae
# ================================================================================
-# Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved.
+# Copyright (c) 2017-2020 AT&T Intellectual Property. All rights reserved.
# Copyright (c) 2020 Pantheon.tech. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# See the License for the specific language governing permissions and
# limitations under the License.
# ============LICENSE_END=========================================================
-#
-# ECOMP is a trademark and service mark of AT&T Intellectual Property.
from setuptools import setup
setup(
name='k8splugin',
description='Cloudify plugin for containerized components deployed using Kubernetes',
- version="1.7.2",
+ version="2.0.0",
author='J. F. Lucas, Michael Hwang, Tommy Carpenter',
packages=['k8splugin','k8sclient','msb','configure'],
zip_safe=False,
"tls" : {
"cert_path": "/opt/certs",
"image": "tlsrepo/tls-init-container:1.2.3",
- "component_ca_cert_path": "/opt/dcae/cacert/cacert.pem",
- "ca_cert_configmap": "dcae-cacert-configmap"
+ "component_cert_dir": "/opt/dcae/cacert"
},
"cbs": {
"base_url": "https://config-binding-service:10443/service_component_all/test-component"
Code Review / dcaegen2 / platform / plugins.git / commitdiff