The format is based on [Keep a Changelog](http://keepachangelog.com/)
and this project adheres to [Semantic Versioning](http://semver.org/).
-## []
+## [1.3.0]
* Add non-root user in Docker image so that the inventory service can be run in non-privileged mode for security reasons DCAEGEN2-1555
* Change base image to alpine based DCAEGEN2-1566
+* Support calling inventory using HTTPS DCAEGEN2-1597
## [1.1.3]
```
java -jar dcae-service-change-handler-0.1.0.jar prod http://consul:8500/v1/kv/service-change-handler?raw=true
```
+
+#### Use script
+
+[`sch.sh`](resources/sch.sh) is a script to run service change handler that connects with inventory using HTTPS. The script attempts to add a custom CA cert to the OS's key store `/etc/ssl/certs/java/cacerts` and then launches service change handler. The custom CA cert is used to validate the server-side cert provided by inventory at runtime.
+
+The script uses the following environment variables:
+
+Name | Description | Default
+---- | ----------- | -------
+`PATH_TO_CACERT` | Local file path to the CA cert that needs to be added to the keystore | `/opt/cert/cacert.pem`
+`SCH_ARGS` | Args to be passed into the SCH run command | `prod http://consul:8500/v1/kv/service-change-handler?raw=true`
<groupId>org.onap.dcaegen2.platform</groupId>
<artifactId>servicechange-handler</artifactId>
- <version>1.2.0-SNAPSHOT</version>
+ <version>1.3.0-SNAPSHOT</version>
<!-- Not sure why clojure-maven-plugin says packaging should be "clojure" -->
<packaging>jar</packaging>
<baseImage>openjdk:8-jre-alpine</baseImage>
<user>sch</user>
<runs>
+ <run>apk update</run>
+ <run>apk add bash</run>
+ <run>chmod 666 /etc/ssl/certs/java/cacerts</run>
<run>addgroup -S sch</run>
<run>adduser -S -G sch sch</run>
</runs>
<!-- NOTE: Couldn't figure out how to package the jar to be named: ${project.build.finalName}. This might be
because of the clojure maven plugin -->
- <cmd>["java", "-jar", "/opt/servicechange-handler.jar", "prod", "http://consul:8500/v1/kv/service-change-handler?raw=true"]</cmd>
+ <cmd>["sch.sh"]</cmd>
<!-- copy the service's jar file from target into the root directory of the image -->
<resources>
<resource>
<targetPath>/opt</targetPath>
<directory>${project.basedir}/resources</directory>
<include>health.sh</include>
+ <include>sch.sh</include>
</resource>
</resources>
<exposes>
; Using lein for REPL and testing because couldn't get Maven clojure plugin to work
; for these functional areas.
-(defproject service-change-handler "0.1.0"
+(defproject service-change-handler "1.3.0"
:description "Service change handler"
:dependencies [[org.clojure/clojure "1.8.0"]
[cheshire/cheshire "5.8.0"]
--- /dev/null
+#!/bin/bash
+# ================================================================================
+# Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+
+# The following variables are checked if set, if not set then an error is raised
+# PATH_TO_CACERT is the full file path to the cacert that must be added to the
+# existing keystore
+if [ -z "$PATH_TO_CACERT" ]; then
+ # TODO: Make this variable not required and thus not do the keytool call
+ echo "Missing required environment variable: PATH_TO_CACERT"
+ echo "Please set this variable to the full local path of the CA cert pem file that is to be added"
+ echo "Example: PATH_TO_CACERT=/opt/cert/cacert.pem"
+ exit 1
+fi
+
+# SCH_ARGS are all the args to be passed into the SCH java run command
+if [ -z "$SCH_ARGS" ]; then
+ echo "Missing required environment variable: SCH_ARGS"
+ echo "Please set this variable to the command-line args to be used to run service change handler"
+ echo "Example: SCH_ARGS=prod /opt/config.json"
+ echo "Example: SCH_ARGS=prod http://consul:8500/v1/kv/service-change-handler?raw=true"
+ exit 1
+fi
+
+# Add the cacert to validate inventory's cert to support TLS. This command is
+# allowed to fail when there is no need for https.
+# NOTE: This user must have permission to write to /etc/ssl/certs/java/cacerts
+keytool -importcert -file $PATH_TO_CACERT -keystore /etc/ssl/certs/java/cacerts -alias "inventory" -noprompt -storepass changeit
+
+# Now launch SCH
+java -jar /opt/servicechange-handler.jar $SCH_ARGS
+
major=1
-minor=2
+minor=3
patch=0
base_version=${major}.${minor}.${patch}
release_version=${base_version}
Code Review / dcaegen2 / platform / servicechange-handler.git / commitdiff