Merge "config seg aai resources and traversal"

diff --git a/resources/config/haproxy/haproxy.cfg b/resources/config/haproxy/haproxy.cfg
new file mode 100644 (file)
index 0000000..d777327
--- /dev/null
+++ b/resources/config/haproxy/haproxy.cfg
@@ -0,0 +1,121 @@
+global
+        log /dev/log    local0
+        stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin
+        stats timeout 30s
+        user root
+        group root
+        daemon
+        #################################
+        # Default SSL material locations#
+        #################################
+        ca-base /etc/ssl/certs
+        crt-base /etc/ssl/private
+
+        # Default ciphers to use on SSL-enabled listening sockets.
+        # For more information, see ciphers(1SSL). This list is from:
+        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+        # An alternative list with additional directives can be obtained from
+        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
+        tune.ssl.default-dh-param 2048
+
+defaults
+        log     global
+        mode    http
+        option  httplog
+#       option  dontlognull
+#       errorfile 400 /etc/haproxy/errors/400.http
+#       errorfile 403 /etc/haproxy/errors/403.http
+#       errorfile 408 /etc/haproxy/errors/408.http
+#       errorfile 500 /etc/haproxy/errors/500.http
+#       errorfile 502 /etc/haproxy/errors/502.http
+#       errorfile 503 /etc/haproxy/errors/503.http
+#       errorfile 504 /etc/haproxy/errors/504.http
+
+        option  http-server-close
+        option forwardfor except 127.0.0.1
+        retries 6
+        option redispatch
+        maxconn 50000
+        timeout connect 50000
+        timeout client  480000
+        timeout server  480000
+        timeout http-keep-alive 30000
+
+
+frontend IST_8443
+        mode http
+        bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem
+#       log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
+        log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"
+        option httplog
+        log global
+        option logasap
+        option forwardfor
+        capture request header  Host len 100
+        capture response header Host len 100
+        option log-separate-errors
+        option forwardfor
+        http-request set-header X-Forwarded-Proto https if { ssl_fc }
+        http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }
+        http-request set-header X-AAI-SSL                       %[ssl_fc]
+        http-request set-header X-AAI-SSL-Client-Verify         %[ssl_c_verify]
+        http-request set-header X-AAI-SSL-Client-DN             %{+Q}[ssl_c_s_dn]
+        http-request set-header X-AAI-SSL-Client-CN             %{+Q}[ssl_c_s_dn(cn)]
+        http-request set-header X-AAI-SSL-Issuer                %{+Q}[ssl_c_i_dn]
+        http-request set-header X-AAI-SSL-Client-NotBefore      %{+Q}[ssl_c_notbefore]
+        http-request set-header X-AAI-SSL-Client-NotAfter       %{+Q}[ssl_c_notafter]
+        http-request set-header X-AAI-SSL-ClientCert-Base64   %{+Q}[ssl_c_der,base64]
+        http-request set-header X-AAI-SSL-Client-OU             %{+Q}[ssl_c_s_dn(OU)]
+        http-request set-header X-AAI-SSL-Client-L              %{+Q}[ssl_c_s_dn(L)]
+        http-request set-header X-AAI-SSL-Client-ST             %{+Q}[ssl_c_s_dn(ST)]
+        http-request set-header X-AAI-SSL-Client-C              %{+Q}[ssl_c_s_dn(C)]
+        http-request set-header X-AAI-SSL-Client-O              %{+Q}[ssl_c_s_dn(O)]
+        reqadd X-Forwarded-Proto:\ https
+        reqadd X-Forwarded-Port:\ 8443
+
+#######################
+#ACLS FOR PORT 8446####
+#######################
+
+        acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$
+        acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$
+        acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$
+        acl is_named-query path_beg -i /aai/search/named-query
+        acl is_search-model path_beg -i /aai/search/model
+        use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model
+
+        default_backend IST_Default_8447
+
+
+#######################
+#DEFAULT BACKEND 847###
+#######################
+
+backend IST_Default_8447
+        balance roundrobin
+        http-request set-header X-Forwarded-Port %[src_port]
+        http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+        server aai-resources.onap-aai  aai-resources.onap-aai:8447  port 8447 ssl verify none
+
+#######################
+# BACKEND 8446#########
+#######################
+
+backend IST_AAI_8446
+        balance roundrobin
+        http-request set-header X-Forwarded-Port %[src_port]
+        http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
+        server aai-traversal.onap-aai aai-traversal.onap-aai:8446  port 8446 ssl verify none
+
+listen IST_AAI_STATS
+        mode http
+        bind *:8080
+        stats uri /stats
+        stats enable
+        stats refresh 30s
+        stats hide-version
+        stats auth admin:admin
+        stats show-legends
+        stats show-desc IST AAI APPLICATION NODES
+        stats admin if TRUE
+

diff --git a/templates/aai-deployment-configmap.yaml b/templates/aai-deployment-configmap.yaml
new file mode 100644 (file)
index 0000000..40d4909
--- /dev/null
+++ b/templates/aai-deployment-configmap.yaml
@@ -0,0 +1,9 @@
+#{{ if not .Values.disableAaiAaiService }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: aai-deployment-configmap
+  namespace: {{ .Values.nsPrefix }}-aai
+data:
+{{ tpl (.Files.Glob "resources/config/haproxy/*").AsConfig . | indent 2 }}
+#{{ end }}

diff --git a/templates/aai-deployment.yaml b/templates/aai-deployment.yaml
index a65cf44..e0e422b 100644 (file)
--- a/templates/aai-deployment.yaml
+++ b/templates/aai-deployment.yaml
@@ -42,6 +42,7 @@ spec:
         - mountPath: /dev/log
           name: aai-service-log
         - mountPath: /usr/local/etc/haproxy/haproxy.cfg
+          subPath: haproxy.cfg
           name: haproxy-cfg
         ports:
         - containerPort: 8080
@@ -59,8 +60,8 @@ spec:
           hostPath:
             path: "/dev/log"
         - name: haproxy-cfg
-          hostPath:
-            path: "/dockerdata-nfs/{{ .Values.nsPrefix }}/aai/haproxy/haproxy.cfg"
+          configMap:
+            name: aai-deployment-configmap
       restartPolicy: Always
       imagePullSecrets:
       - name: "{{ .Values.nsPrefix }}-docker-registry-key"

diff --git a/templates/hbase-deployment.yaml b/templates/hbase-deployment.yaml
index acb29da..3c1949c 100644 (file)
--- a/templates/hbase-deployment.yaml
+++ b/templates/hbase-deployment.yaml
@@ -41,7 +41,7 @@ spec:
       volumes:
       - name: hbase-data
         hostPath:
-          path: /dockerdata-nfs/onap/aai/hbase
+          path: /dockerdata-nfs/{{ .Values.nsPrefix }}/aai/hbase
       - name: localtime
         hostPath:
           path: /etc/localtime