From: ChrisC <christophe.closset@intl.att.com>
Date: Wed, 19 Feb 2020 08:45:54 +0000 (+0100)
Subject: HTTPS/AAF auto cert gen for Portal SDK
X-Git-Tag: 6.0.0~332^2
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;ds=sidebyside;h=4993144c1f74bb4089fb83865d5a67120e2152b7;p=oom.git

HTTPS/AAF auto cert gen for Portal SDK

integrate portal-sdk with AAF agent init container.
add pv to store init-container certs generated at startup.
add aafEnabled flag to switch on/off aaf integration.
modify tomcat startup to load p12 and enable HTTPS based on flag.

Issue-ID: PORTAL-261
Signed-off-by: ChrisC <christophe.closset@intl.att.com>
Change-Id: Ia2b05b8661bf9e0c03a60467212e80d1c9d02bac
---

diff --git a/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties b/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties
index 3bbb1a7f9b..063ba3d122 100755
--- a/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties
+++ b/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties
@@ -81,3 +81,14 @@ authenticate_user_server=http://{{.Values.global.portalHostName}}:8383/openid-co
 
 #cookie domain
 cookie_domain = onap.org
+
+{{- if .Values.global.aafEnabled }}
+# External Access System Basic Auth Credentials & Rest endpoint(These credentials doesn't work as these are place holders for now)
+ext_central_access_user_name = aaf_admin@people.osaaf.org
+ext_central_access_password = thiswillbereplacedatruntime
+ext_central_access_url = {{ .Values.aafURL }}/authz/
+ext_central_access_user_domain = @people.osaaf.org
+
+# External Central Auth system access
+remote_centralized_system_access = true
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/portal/charts/portal-sdk/resources/server/server.xml b/kubernetes/portal/charts/portal-sdk/resources/server/server.xml
new file mode 100644
index 0000000000..506a1ca4cd
--- /dev/null
+++ b/kubernetes/portal/charts/portal-sdk/resources/server/server.xml
@@ -0,0 +1,155 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+
+  Modifications to this file for use in ONAP are also subject to the Apache-2.0 license.
+-->
+<!-- Note:  A "Server" is not itself a "Container", so you may not
+     define subcomponents such as "Valves" at this level.
+     Documentation at /docs/config/server.html
+ -->
+<Server port="8005" shutdown="SHUTDOWN">
+  <Listener className="org.apache.catalina.startup.VersionLoggerListener" logArgs="false"/>
+  <!-- Security listener. Documentation at /docs/config/listeners.html
+  <Listener className="org.apache.catalina.security.SecurityListener" />
+  -->
+  <!--APR library loader. Documentation at /docs/apr.html -->
+  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
+  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
+  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
+
+  <!-- Global JNDI resources
+       Documentation at /docs/jndi-resources-howto.html
+  -->
+  <GlobalNamingResources>
+    <!-- Editable user database that can also be used by
+         UserDatabaseRealm to authenticate users
+    -->
+    <Resource name="UserDatabase" auth="Container"
+              type="org.apache.catalina.UserDatabase"
+              description="User database that can be updated and saved"
+              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
+              pathname="conf/tomcat-users.xml" />
+  </GlobalNamingResources>
+
+  <!-- A "Service" is a collection of one or more "Connectors" that share
+       a single "Container" Note:  A "Service" is not itself a "Container",
+       so you may not define subcomponents such as "Valves" at this level.
+       Documentation at /docs/config/service.html
+   -->
+  <Service name="Catalina">
+
+    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
+    <!--
+    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+        maxThreads="150" minSpareThreads="4"/>
+    -->
+
+
+    <!-- A "Connector" represents an endpoint by which requests are received
+         and responses are returned. Documentation at :
+         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+         Java AJP  Connector: /docs/config/ajp.html
+         APR (HTTP/AJP) Connector: /docs/apr.html
+         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
+    -->
+    <Connector port="8080" protocol="HTTP/1.1"
+               connectionTimeout="20000"
+    {{ if .Values.global.aafEnabled }}
+               redirectPort="8443"
+    {{ end }}
+    />
+    <!-- A "Connector" using the shared thread pool-->
+    <!--
+    <Connector executor="tomcatThreadPool"
+               port="8080" protocol="HTTP/1.1"
+               connectionTimeout="20000"
+               redirectPort="8443" />
+    -->
+    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
+         This connector uses the NIO implementation that requires the JSSE
+         style configuration. When using the APR/native implementation, the
+         OpenSSL style configuration is required as described in the APR/native
+         documentation -->
+    <!--
+    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
+               clientAuth="false" sslProtocol="TLS" />
+    -->
+    {{ if .Values.global.aafEnabled }}
+    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
+               keystoreFile="{{.Values.persistence.aafCredsPath}}/{{.Values.aafConfig.keystoreFile}}"
+               keystorePass="${javax.net.ssl.keyStorePassword}"
+               clientAuth="false" sslProtocol="TLS" />
+    {{ end }}
+    <!-- Define an AJP 1.3 Connector on port 8009 -->
+    <Connector port="8009" protocol="AJP/1.3"
+    {{ if .Values.global.aafEnabled }}
+              redirectPort="8443"
+    {{ end }}
+    />
+
+
+    <!-- An Engine represents the entry point (within Catalina) that processes
+         every request.  The Engine implementation for Tomcat stand alone
+         analyzes the HTTP headers included with the request, and passes them
+         on to the appropriate Host (virtual host).
+         Documentation at /docs/config/engine.html -->
+
+    <!-- You should set jvmRoute to support load-balancing via AJP ie :
+    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
+    -->
+    <Engine name="Catalina" defaultHost="localhost">
+
+      <!--For clustering, please take a look at documentation at:
+          /docs/cluster-howto.html  (simple how to)
+          /docs/config/cluster.html (reference documentation) -->
+      <!--
+      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
+      -->
+
+      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
+           via a brute-force attack -->
+      <Realm className="org.apache.catalina.realm.LockOutRealm">
+        <!-- This Realm uses the UserDatabase configured in the global JNDI
+             resources under the key "UserDatabase".  Any edits
+             that are performed against this UserDatabase are immediately
+             available for use by the Realm.  -->
+        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+               resourceName="UserDatabase"/>
+      </Realm>
+
+      <Host name="localhost"  appBase="webapps"
+            unpackWARs="true" autoDeploy="true">
+
+        <!-- SingleSignOn valve, share authentication between web applications
+             Documentation at: /docs/config/valve.html -->
+        <!--
+        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+        -->
+        <!-- Access log processes all example.
+             Documentation at: /docs/config/valve.html
+             Note: The pattern used is equivalent to using pattern="common" -->
+        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
+               prefix="localhost_access_log" suffix=".txt"
+               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
+      </Host>
+    </Engine>
+  </Service>
+</Server>
\ No newline at end of file
diff --git a/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml b/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml
index 51346197db..154276ea26 100644
--- a/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml
+++ b/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml
@@ -25,3 +25,4 @@ metadata:
     heritage: {{ .Release.Service }}
 data:
 {{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPPORTALSDK/*").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/server/*").AsConfig . | indent 2 }}
\ No newline at end of file
diff --git a/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml b/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml
index ccdd013cbc..09080fca94 100644
--- a/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml
+++ b/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml
@@ -1,5 +1,5 @@
 # Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
+# Modifications Copyright © 2018,2020 AT&T
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -46,14 +46,75 @@ spec:
             fieldRef:
               apiVersion: v1
               fieldPath: metadata.namespace
+      {{- if .Values.global.aafEnabled }}
+      - name: {{ include "common.name" . }}-aaf-readiness
+        image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        command:
+          - /root/ready.py
+        args:
+          - --container-name
+          - aaf-locate
+          - --container-name
+          - aaf-cm
+        env:
+          - name: NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
+      - name: {{ include "common.name" . }}-aaf-config
+        image: "{{ include "common.repository" . }}/{{ .Values.global.aafAgentImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        command: ["bash","-c"]
+        args: ["/opt/app/aaf_config/bin/agent.sh;/opt/app/aaf_config/bin/agent.sh local showpass \
+        {{.Values.aafConfig.fqi}} {{ .Values.aafConfig.fqdn }} > {{ .Values.persistence.aafCredsPath }}/mycreds.prop"]
+        volumeMounts:
+          - mountPath: {{ .Values.persistence.aafCredsPath }}
+            name: {{ include "common.fullname" . }}-aaf-config-vol
+        env:
+          - name: APP_FQI
+            value: "{{ .Values.aafConfig.fqi }}"
+          - name: aaf_locate_url
+            value: "https://aaf-locate.{{ .Release.Namespace }}:8095"
+          - name: aaf_locator_container
+            value: "{{ .Values.global.aafLocatorContainer }}"
+          - name: aaf_locator_container_ns
+            value: "{{ .Release.Namespace }}"
+          - name: aaf_locator_fqdn
+            value: "{{ .Values.aafConfig.fqdn }}"
+          - name: aaf_locator_public_fqdn
+            value: "{{.Values.aafConfig.publicFqdn}}"
+          - name: aaf_locator_app_ns
+            value: "{{ .Values.global.aafAppNs }}"
+          - name: DEPLOY_FQI
+            {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aaf-deploy-creds" "key" "login") | indent 12 }}
+          - name: DEPLOY_PASSWORD
+            {{- include "common.secret.envFromSecret" (dict "global" . "uid" "aaf-deploy-creds" "key" "password") | indent 12 }}
+          - name: cadi_longitude
+            value: "{{ .Values.aafConfig.cadiLongitude }}"
+          - name: cadi_latitude
+            value: "{{ .Values.aafConfig.cadiLatitude }}"
+      {{ end }}
       containers:
       - name: {{ include "common.name" . }}
         image: "{{ include "common.repository" . }}/{{ .Values.image }}"
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        command:
-          - /start-apache-tomcat.sh
-          - -b
-          - "{{ .Values.global.env.tomcatDir }}"
+        command: ["bash","-c"]
+        {{- if .Values.global.aafEnabled }}
+        args: ["export $(grep '^c' {{ .Values.persistence.aafCredsPath }}/mycreds.prop | xargs -0);\
+        export _JAVA_OPTIONS=\"-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \
+        -Djavax.net.ssl.keyStorePassword=$cadi_keystore_password_p12\";\
+        cat /dev/null > {{ .Values.persistence.aafCredsPath }}/mycreds.prop;\
+        /start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"]
+        env:
+          - name: _CATALINA_OPTS
+            value: >
+              -Djavax.net.ssl.keyStore="{{ .Values.persistence.aafCredsPath }}/{{ .Values.aafConfig.keystoreFile }}"
+              -Djavax.net.ssl.trustStore="{{ .Values.persistence.aafCredsPath }}/{{ .Values.aafConfig.truststoreFile }}"
+        {{- else }}
+        args: ["/start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"]
+        {{- end }}
         ports:
         - containerPort: {{ .Values.service.internalPort }}
         {{- if eq .Values.liveness.enabled true }}
@@ -69,6 +130,13 @@ spec:
           initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
           periodSeconds: {{ .Values.readiness.periodSeconds }}
         volumeMounts:
+        {{- if .Values.global.aafEnabled }}
+        - mountPath: {{ .Values.persistence.aafCredsPath }}
+          name: {{ include "common.fullname" . }}-aaf-config-vol
+        {{- end }}
+        - name: properties-onapportalsdk
+          mountPath: "{{ .Values.global.env.tomcatDir }}/conf/server.xml"
+          subPath: server.xml
         - mountPath: /etc/localtime
           name: localtime
           readOnly: true
@@ -129,5 +197,10 @@ spec:
           emptyDir: {}
         - name: portal-tomcat-logs
           emptyDir: {}
+        {{- if .Values.global.aafEnabled }}
+        - name: {{ include "common.fullname" . }}-aaf-config-vol
+          emptyDir:
+            medium: Memory
+        {{- end }}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/portal/charts/portal-sdk/templates/secrets.yaml b/kubernetes/portal/charts/portal-sdk/templates/secrets.yaml
new file mode 100644
index 0000000000..b79179bc6b
--- /dev/null
+++ b/kubernetes/portal/charts/portal-sdk/templates/secrets.yaml
@@ -0,0 +1,15 @@
+# Copyright (c) 2020 AT&T Intellectual Property. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secret" . }}
diff --git a/kubernetes/portal/charts/portal-sdk/values.yaml b/kubernetes/portal/charts/portal-sdk/values.yaml
index 8572ff83da..34c29b5be1 100644
--- a/kubernetes/portal/charts/portal-sdk/values.yaml
+++ b/kubernetes/portal/charts/portal-sdk/values.yaml
@@ -1,5 +1,5 @@
 # Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
+# Modifications Copyright © 2018, 2020 AT&T
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,15 +22,48 @@ global:
   readinessImage: readiness-check:2.0.0
   loggingRepository: docker.elastic.co
   loggingImage: beats/filebeat:5.5.0
-
+  persistence: {}
+  #AAF global config overrides
+  aafEnabled: true
+  aafAgentImage: onap/aaf/aaf_agent:2.1.15
+  aafAppNs: org.osaaf.aaf
+  aafLocatorContainer: oom
 #################################################################
 # Application configuration defaults.
 #################################################################
+secrets:
+  - uid: aaf-deploy-creds
+    type: basicAuth
+    externalSecret: '{{ ternary (tpl (default "" .Values.aafConfig.aafDeployCredsExternalSecret) .) "aafIsDiabled" .Values.global.aafEnabled }}'
+    login: '{{ .Values.aafConfig.aafDeployFqi }}'
+    password: '{{ .Values.aafConfig.aafDeployPass }}'
+    passwordPolicy: required
+
+## Persist cert data to a memory volume
+persistence:
+  aafCredsPath: /opt/app/osaaf/local
+
 # application image
 repository: nexus3.onap.org:10001
 image: onap/portal-sdk:2.6.0
 pullPolicy: Always
 
+#AAF service
+aafURL: https://aaf-service:8100/
+aafLocateUrl: https://aaf-locate:8095
+
+#AAF local config
+aafConfig:
+  aafDeployFqi: deployer@people.osaaf.org
+  aafDeployPass: demo123456!
+  fqdn: portal
+  fqi: portal@portal.onap.org
+  publicFqdn: portal.onap.org
+  cadiLatitude: 0.0
+  cadiLongitude: 0.0
+  keystoreFile: "org.onap.portal.p12"
+  truststoreFile: "org.onap.portal.trust.jks"
+
 # flag to enable debugging - application support required
 debugEnabled: false
 
@@ -57,8 +90,8 @@ service:
   type: NodePort
   name: portal-sdk
   portName: portal-sdk
-  internalPort: 8080
-  externalPort: 8080
+  internalPort: 8443
+  externalPort: 8443
   nodePort: 12
 
 mariadb:
@@ -85,7 +118,7 @@ ingress:
   service:
     - baseaddr: portalsdk
       name: "portal-sdk"
-      port: 8080
+      port: 8443
   config:
     ssl: "none"