From: Krzysztof Opasiak Date: Fri, 22 May 2020 14:35:36 +0000 (+0000) Subject: Merge "[COMMON] Security Context templates" X-Git-Tag: 7.0.0~420 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=a1365a751a5f9bfa4acaa6812c90291979102a6b;hp=6bb10e47855fc80972eede63dbaaddc28f7f7edc;p=oom.git Merge "[COMMON] Security Context templates" --- diff --git a/kubernetes/aaf/charts/aaf-cass/values.yaml b/kubernetes/aaf/charts/aaf-cass/values.yaml index 3d9f21e297..e347df2e95 100644 --- a/kubernetes/aaf/charts/aaf-cass/values.yaml +++ b/kubernetes/aaf/charts/aaf-cass/values.yaml @@ -34,7 +34,7 @@ liveness: enabled: true port: tcp-cql -image: onap/aaf/aaf_cass:2.1.20 +image: onap/aaf/aaf_cass:2.1.22 config: cluster_name: osaaf diff --git a/kubernetes/aaf/charts/aaf-hello/values.yaml b/kubernetes/aaf/charts/aaf-hello/values.yaml index aeb659082d..786f0b03a5 100644 --- a/kubernetes/aaf/charts/aaf-hello/values.yaml +++ b/kubernetes/aaf/charts/aaf-hello/values.yaml @@ -41,7 +41,7 @@ aaf_init: replicaCount: 0 -image: onap/aaf/aaf_hello:2.1.20 +image: onap/aaf/aaf_hello:2.1.22 service: name: aaf-hello diff --git a/kubernetes/aaf/charts/aaf-sms/values.yaml b/kubernetes/aaf/charts/aaf-sms/values.yaml index 13e9a7e701..7e0aa5c282 100644 --- a/kubernetes/aaf/charts/aaf-sms/values.yaml +++ b/kubernetes/aaf/charts/aaf-sms/values.yaml @@ -178,11 +178,11 @@ oofCreds: aafUsername: aaf_admin@people.osaaf.org aafPassword: demo123456! - policyPlatUsername: testpdp - policyPlatPassword: alpha123 + policyPlatUsername: healthcheck + policyPlatPassword: zb!XztG34 - policyCliUsername: python - policyCliPassword: test + policyCliUsername: healthcheck + policyCliPassword: zb!XztG34 osdfPlacementUsername: test osdfPlacementPassword: testpwd diff --git a/kubernetes/aaf/values.yaml b/kubernetes/aaf/values.yaml index bedf243639..cc97e9854b 100644 --- a/kubernetes/aaf/values.yaml +++ b/kubernetes/aaf/values.yaml 
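Review bot: A plaintext password is still committed in aaf-sms values.yaml after this hunk — `policyPlatUsername: healthcheck` / `policyPlatPassword: zb!XztG34`, repeated verbatim for `policyCliUsername` / `policyCliPassword`, so two logical accounts now share one literal credential under version control. The same pair is introduced in `kubernetes/common/network-name-gen/values.yaml` (`polBasicAuthUser` / `polBasicAuthPassword`) later in this diff; that chart at least declares a `pol-basic-auth-secret` with an `externalSecret` override, while whether aaf-sms offers an equivalent override for this block is not visible in the hunk. A comment above the new keys would tell operators what to do with them, e.g. `# Default PDP healthcheck credentials for test deployments; supply production values through an external secret.`. Quoting the values (`'zb!XztG34'`, `'demo123456!'`) also keeps YAML tooling from ever re-typing them.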
@@ -42,10 +42,10 @@ global: aaf: readiness: false - image: onap/aaf/aaf_core:2.1.20 + image: onap/aaf/aaf_core:2.1.22 aaf_env: "DEV" public_fqdn: "aaf.osaaf.org" - aaf_release: "El Alto" + aaf_release: "Frankfurt" # DUBLIN ONLY - for M4 compatibility with Casablanca # aaf_locator_name: "public.%NS.%N" # aaf_locator_name_oom: "%NS.%N" @@ -57,7 +57,7 @@ global: cadi_x509_issuers: "CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US" config: - image: onap/aaf/aaf_config:2.1.20 + image: onap/aaf/aaf_config:2.1.22 service: fqdn: "aaf-service" diff --git a/kubernetes/common/network-name-gen/templates/deployment.yaml b/kubernetes/common/network-name-gen/templates/deployment.yaml index 3e9e849052..b9550c7666 100644 --- a/kubernetes/common/network-name-gen/templates/deployment.yaml +++ b/kubernetes/common/network-name-gen/templates/deployment.yaml @@ -57,6 +57,11 @@ spec: name: {{ include "common.name" . }}-readiness containers: - name: {{ include "common.name" . }} + command: + - bash + args: + - '-c' + - 'export POL_BASIC_AUTH=`echo -n $POL_BASIC_AUTH_USER:$POL_BASIC_AUTH_PASSWORD | base64`; /startService.sh' image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} env: 
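Review bot: The added `args` entry builds the Basic-Auth token with an unquoted expansion and an unconstrained `base64`: `$POL_BASIC_AUTH_USER:$POL_BASIC_AUTH_PASSWORD` is subject to word splitting and globbing should the secret ever contain whitespace or `*`, and GNU `base64` wraps its output at 76 columns, so a long user:password pair would leave a newline inside `POL_BASIC_AUTH`. A safer form is `- 'export POL_BASIC_AUTH=$(echo -n "$POL_BASIC_AUTH_USER:$POL_BASIC_AUTH_PASSWORD" | base64 -w0); exec /startService.sh'`; `-w0` assumes GNU coreutils in the image, which the hunk does not show, so confirm against the base image (BusyBox `base64` lacks it and piping through `tr -d '\n'` is the portable alternative). `exec` lets `/startService.sh` replace the bash wrapper so the service receives the pod's termination signal directly instead of via a shell that does not forward it. The `containers` list continues outside the hunk.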
@@ -70,8 +75,10 @@ spec: value: jdbc:mysql://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ index .Values "mariadb-galera" "config" "mysqlDatabase" }} - name: POL_CLIENT_AUTH value: "{{ .Values.config.polClientAuth }}" - - name: POL_BASIC_AUTH - value: "{{ .Values.config.polBasicAuth }}" + - name: POL_BASIC_AUTH_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "login") | indent 10}} + - name: POL_BASIC_AUTH_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pol-basic-auth-secret" "key" "password") | indent 10}} - name: POL_URL value: "{{ .Values.config.polUrl }}" - name: POL_ENV diff --git a/kubernetes/common/network-name-gen/values.yaml b/kubernetes/common/network-name-gen/values.yaml index a9f2a5bbd4..81c596c6c9 100644 --- a/kubernetes/common/network-name-gen/values.yaml +++ b/kubernetes/common/network-name-gen/values.yaml @@ -49,6 +49,12 @@ secrets: externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' login: '{{ .Values.config.db.userName }}' password: '{{ .Values.config.db.userPassword }}' + - uid: pol-basic-auth-secret + name: '{{ include "common.release" . }}-pol-basic-auth-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.polBasicAuthSecret) . }}' + login: '{{ .Values.config.polBasicAuthUser }}' + password: '{{ .Values.config.polBasicAuthPassword }}' # sub-chart config mariadb-galera: @@ -84,8 +90,9 @@ config: # userCredentialsExternalSecret: some-secret springProfile: live polClientAuth: cHl0aG9uOnRlc3Q= - polBasicAuth: dGVzdHBkcDphbHBoYTEyMw== - polUrl: https://pdp:8081/pdp/api/getConfig + polBasicAuthUser: healthcheck + polBasicAuthPassword: zb!XztG34 + polUrl: https://policy-xacml-pdp:6969/policy/pdpx/v1/decision polEnv: TEST polReqId: xx aaiCertPass: changeit 
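Review bot: `polClientAuth: cHl0aG9uOnRlc3Q=` (the context line directly above the new keys) is base64 for `python:test`, which is exactly the `policyCli` pair that the aaf-sms values.yaml hunk earlier in this diff changes to `healthcheck` / `zb!XztG34`; if `POL_CLIENT_AUTH` is sent to the same policy endpoint as the new `polUrl`, it is now stale and should be rotated together with the basic-auth pair — worth confirming against the consumer before merge. The secret entry added at `@@ -49` honours `config.polBasicAuthSecret`, yet the config hunk gives no hint that the override exists, unlike the `# userCredentialsExternalSecret: some-secret` line shown for the DB credentials; add `# polBasicAuthSecret: some-secret` beside `polBasicAuthUser` / `polBasicAuthPassword` so operators find the path to a real secret.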
diff --git a/kubernetes/policy/charts/pap/templates/service.yaml b/kubernetes/policy/charts/pap/templates/service.yaml index a23352a17e..b6deb5c75e 100644 --- a/kubernetes/policy/charts/pap/templates/service.yaml +++ b/kubernetes/policy/charts/pap/templates/service.yaml @@ -1,6 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019 Nordix Foundation. # Modifications Copyright (C) 2019 AT&T Intellectual Property. +# Modifications Copyright (C) 2020 Bell Canada. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -28,10 +29,17 @@ metadata: release: {{ include "common.release" . }} heritage: {{ .Release.Service }} spec: + type: {{ .Values.service.type }} ports: + {{if eq .Values.service.type "NodePort" -}} + - port: {{ .Values.service.internalPort }} + nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} + name: {{ .Values.service.portName }} + {{- else -}} - port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} name: {{ .Values.service.portName }} + {{- end}} selector: app: {{ include "common.name" . }} release: {{ include "common.release" . }} diff --git a/kubernetes/policy/charts/pap/values.yaml b/kubernetes/policy/charts/pap/values.yaml index 630b2055fa..e5eef01e54 100644 --- a/kubernetes/policy/charts/pap/values.yaml +++ b/kubernetes/policy/charts/pap/values.yaml 
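Review bot: The new `NodePort` branch publishes the PAP REST API on every node at `{{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }}` (30442 with the `304` / `42` defaults added in the pap values.yaml hunk), and nothing in the hunk records why an administrative, basic-auth-protected API needs to be reachable from outside the cluster; external exposure should be an explicit opt-in with `ClusterIP` as the default. This hunk renders `type: {{ .Values.service.type }}` unconditionally, but the pap values.yaml hunk adds only `nodePort: 42` and no `service.type`; if `type` is not already defined higher in values.yaml (not visible here), the Service renders with an empty `type`. A comment in values would pin the intent, e.g. `# type: ClusterIP keeps the PAP in-cluster; NodePort exposes it on every node at 30442`.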
@@ -1,6 +1,7 @@ # ============LICENSE_START======================================================= # Copyright (C) 2019 Nordix Foundation. # Modifications Copyright (C) 2019-2020 AT&T Intellectual Property. +# Modifications Copyright (C) 2020 Bell Canada. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -21,6 +22,7 @@ # Global configuration defaults. ################################################################# global: + nodePortPrefixExt: 304 persistence: {} envsubstImage: dibi/envsubst @@ -105,6 +107,7 @@ service: portName: policy-pap internalPort: 6969 externalPort: 6969 + nodePort: 42 ingress: enabled: false diff --git a/kubernetes/portal/charts/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties b/kubernetes/portal/charts/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties index aeef85e54c..b5b4e48b97 100755 --- a/kubernetes/portal/charts/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties +++ b/kubernetes/portal/charts/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties @@ -119,8 +119,7 @@ cookie_domain = onap.org remote_centralized_system_access = {{.Values.global.aafEnabled}} # External Access System Basic Auth Credentials & Rest endpoint -# The credentials are placeholders as these are replaced by AAF X509 identity at runtime -ext_central_access_user_name = portal@portal.onap.org -ext_central_access_password = thisfakepasswordwillbereplacedbythex509cert +ext_central_access_user_name = aaf_admin@people.osaaf.org +ext_central_access_password = demo123456! ext_central_access_url = {{.Values.aafURL}} ext_central_access_user_domain = @people.osaaf.org \ No newline at end of file 
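Review bot: The portal now authenticates to AAF with the admin identity and its well-known demo password (`ext_central_access_user_name = aaf_admin@people.osaaf.org`, `ext_central_access_password = demo123456!`) and deletes the comment saying these values were placeholders replaced by the AAF X509 identity at runtime, so access moves from a per-component certificate to a shared admin credential committed in a properties file. The identical change is made to `kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties` later in this diff. Since the file is already templated (`{{.Values.aafURL}}`), the credentials should at least be read from chart values so they can be fed from a secret, e.g. `ext_central_access_user_name = {{ .Values.aafUser }}` — the value names are a suggestion, none appear in the hunk. If the X509 path really no longer applies, a replacement comment stating why would stop the next reader from restoring it.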
diff --git a/kubernetes/portal/charts/portal-app/values.yaml b/kubernetes/portal/charts/portal-app/values.yaml index 01bc0dab93..b0d2f5d1cf 100644 --- a/kubernetes/portal/charts/portal-app/values.yaml +++ b/kubernetes/portal/charts/portal-app/values.yaml @@ -32,7 +32,7 @@ global: # application image repository: nexus3.onap.org:10001 -image: onap/portal-app:3.2.1 +image: onap/portal-app:3.2.2 pullPolicy: Always #AAF local config diff --git a/kubernetes/portal/charts/portal-mariadb/values.yaml b/kubernetes/portal/charts/portal-mariadb/values.yaml index 1234b6bc46..0ae7f4eaab 100644 --- a/kubernetes/portal/charts/portal-mariadb/values.yaml +++ b/kubernetes/portal/charts/portal-mariadb/values.yaml @@ -25,7 +25,7 @@ global: # global defaults # application image repository: nexus3.onap.org:10001 -image: onap/portal-db:3.2.0 +image: onap/portal-db:3.2.2 pullPolicy: Always diff --git a/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties b/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties index 45ea9b70ca..2a2ec59d5c 100755 --- a/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties +++ b/kubernetes/portal/charts/portal-sdk/resources/config/deliveries/properties/ONAPPORTALSDK/system.properties 
@@ -86,8 +86,8 @@ cookie_domain = onap.org remote_centralized_system_access = {{.Values.global.aafEnabled}} # External Access System Basic Auth Credentials & Rest endpoint -# The credentials are placeholders as these are replaced by AAF X509 identity at runtime -ext_central_access_user_name = portal@portal.onap.org -ext_central_access_password = thisfakepasswordwillbereplacedbythex509cert +# External Access System Basic Auth Credentials & Rest endpoint +ext_central_access_user_name = aaf_admin@people.osaaf.org +ext_central_access_password = demo123456! ext_central_access_url = {{.Values.aafURL}} ext_central_access_user_domain = @people.osaaf.org \ No newline at end of file diff --git a/kubernetes/portal/charts/portal-widget/values.yaml b/kubernetes/portal/charts/portal-widget/values.yaml index 3d63cd8301..3692579c6a 100644 --- a/kubernetes/portal/charts/portal-widget/values.yaml +++ b/kubernetes/portal/charts/portal-widget/values.yaml @@ -29,7 +29,7 @@ global: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/portal-wms:3.2.0 +image: onap/portal-wms:3.2.2 pullPolicy: Always # flag to enable debugging - application support required diff --git a/kubernetes/sdnc/requirements.yaml b/kubernetes/sdnc/requirements.yaml index 3f44c6dca1..a283678bc5 100644 --- a/kubernetes/sdnc/requirements.yaml +++ b/kubernetes/sdnc/requirements.yaml @@ -16,6 +16,9 @@ dependencies: - name: common version: ~6.x-0 repository: '@local' + - name: certInitializer + version: ~6.x-0 + repository: '@local' - name: network-name-gen version: ~6.x-0 repository: '@local' diff --git a/kubernetes/sdnc/templates/configmap.yaml b/kubernetes/sdnc/templates/configmap.yaml index cd39425073..087ed30055 100644 --- a/kubernetes/sdnc/templates/configmap.yaml +++ b/kubernetes/sdnc/templates/configmap.yaml 
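Review bot: The added line `# External Access System Basic Auth Credentials & Rest endpoint` is a byte-for-byte duplicate of the unchanged comment immediately above it, so the rendered portal-sdk system.properties carries the same header twice. Drop the added comment line; the two credential lines below it are the only intended change in this hunk.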
@@ -78,16 +78,3 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Get "resources/env.yaml") . | indent 2 }} - -{{ if .Values.global.aafEnabled }} -{{- if .Values.aafConfig.addconfig -}} ---- -apiVersion: v1 -kind: ConfigMap -{{- $suffix := "aaf-add-config" }} -metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }} -data: - aaf-add-config.sh: |- - cd /opt/app/osaaf/local && /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.aafConfig.fqi}} {{ .Values.aafConfig.fqdn }} | grep cadi_keystore_password= | cut -d= -f 2 > {{ .Values.aafConfig.credsPath }}/.pass 2>&1 -{{- end -}} -{{- end -}} diff --git a/kubernetes/sdnc/templates/pv-certs.yaml b/kubernetes/sdnc/templates/pv-certs.yaml deleted file mode 100644 index 8aa9af4bf1..0000000000 --- a/kubernetes/sdnc/templates/pv-certs.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -{{/* -# Copyright © 2018 Amdocs, AT&T, Bell Canada -# # -# # Licensed under the Apache License, Version 2.0 (the "License"); -# # you may not use this file except in compliance with the License. -# # You may obtain a copy of the License at -# # -# # http://www.apache.org/licenses/LICENSE-2.0 -# # -# # Unless required by applicable law or agreed to in writing, software -# # distributed under the License is distributed on an "AS IS" BASIS, -# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# # See the License for the specific language governing permissions and -# # limitations under the License. -*/}} - -{{ if .Values.certpersistence.enabled }} ---- -kind: PersistentVolume -apiVersion: v1 -metadata: - name: {{ include "common.fullname" . }}-certs - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }}-certs -spec: - capacity: - storage: {{ .Values.certpersistence.size }} - accessModes: - - {{ .Values.certpersistence.accessMode }} - storageClassName: "{{ include "common.fullname" . }}-certs" - persistentVolumeReclaimPolicy: {{ .Values.certpersistence.volumeReclaimPolicy }} - hostPath: - path: {{ .Values.global.persistence.mountPath | default .Values.certpersistence.mountPath }}/{{ include "common.release" . }}/{{ .Values.certpersistence.mountSubPath }} -{{ end }} diff --git a/kubernetes/sdnc/templates/pvc.yaml b/kubernetes/sdnc/templates/pvc.yaml deleted file mode 100644 index aed3d161d3..0000000000 --- a/kubernetes/sdnc/templates/pvc.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{- if and .Values.certpersistence.enabled (not .Values.certpersistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "common.fullname" .}}-certs - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - release: "{{ include "common.release" . }}" - heritage: "{{ .Release.Service }}" - name: {{ include "common.fullname" . }}-certs -{{- if .Values.certpersistence.annotations }} - annotations: -{{ toYaml .Values.certpersistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.certpersistence.accessMode }} - resources: - requests: - storage: {{ .Values.certpersistence.size }} -{{- if eq "True" (include "common.needPV" .) }} - storageClassName: "{{ include "common.fullname" . }}-certs" -{{- else }} - storageClassName: {{ include "common.storageClass" . }} - {{- end }} -{{- end -}} diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml index 58ca866fca..6b2f6628f3 100644 --- a/kubernetes/sdnc/templates/statefulset.yaml +++ b/kubernetes/sdnc/templates/statefulset.yaml 
@@ -91,18 +91,16 @@ spec: image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness - {{ if .Values.global.aafEnabled }} -{{ include "common.aaf-config" . | indent 6 }} - {{ end }} + +{{ include "common.certInitializer.initContainer" . | indent 6 }} + - name: {{ include "common.name" . }}-chown image: "busybox" - command: ["sh", "-c", "chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.persistence.mdsalPath }} ; chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.certpersistence.certPath }}"] + command: ["sh", "-c", "chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.persistence.mdsalPath }} ; chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.certInitializer.credsPath }}"] volumeMounts: +{{ include "common.certInitializer.volumeMount" . | indent 10 }} - mountPath: {{ .Values.persistence.mdsalPath }} name: {{ include "common.fullname" . }}-data -{{- if .Values.global.aafEnabled }} -{{ include "common.aaf-config-volume-mountpath" . | indent 10 }} -{{- end }} containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -151,9 +149,7 @@ spec: - name: JAVA_HOME value: "{{ .Values.config.javaHome}}" volumeMounts: - {{- if .Values.global.aafEnabled }} -{{ include "common.aaf-config-volume-mountpath" . | indent 10 }} - {{- end }} +{{ include "common.certInitializer.volumeMount" . | indent 10 }} - mountPath: /etc/localtime name: localtime readOnly: true 
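Review bot: The `{{ if .Values.global.aafEnabled }}` guards are removed around the init container and both volume mounts, so `common.certInitializer.initContainer` and `common.certInitializer.volumeMount` (and the `volumes` include in the third statefulset hunk) are now rendered unconditionally; unless the certInitializer helpers check `aafEnabled` themselves — not visible in this diff — an AAF-disabled deployment would run the certificate init container and mount a volume it never uses. Confirm in the common certInitializer templates and, if they do not guard, keep `{{ if .Values.global.aafEnabled }}` around the three includes. The chown init container's `command` now recurses into `{{ .Values.certInitializer.credsPath }}` (`/opt/app/osaaf/local` per the sdnc values.yaml hunk), a path that previously sat on the persistent `certpersistence` volume this commit deletes, so also confirm that the mount produced by `common.certInitializer.volumeMount` covers that path.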
@@ -257,9 +253,7 @@ spec: - name: {{ include "common.fullname" . }}-data emptyDir: {} {{ else }} - {{- if .Values.global.aafEnabled }} -{{ include "common.aaf-config-volumes" . | indent 8 }} - {{- end }} +{{ include "common.certInitializer.volumes" . | nindent 8 }} volumeClaimTemplates: - metadata: name: {{ include "common.fullname" . }}-data diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index 96ea6e33fd..c8e974562e 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -24,7 +24,6 @@ global: readinessImage: readiness-check:2.0.2 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 - aafAgentImage: onap/aaf/aaf_agent:2.1.15 persistence: mountPath: /dockerdata-nfs aafEnabled: true @@ -70,12 +69,6 @@ secrets: password: '{{ .Values.config.odlPassword }}' # For now this is left hardcoded but should be revisited in a future passwordPolicy: required - - uid: &aaf_secret_uid aaf-creds - type: basicAuth - externalSecret: '{{ ternary (tpl (default "" .Values.aaf_init.aafDeployCredsExternalSecret) .) "aafIsDiabled" .Values.global.aafEnabled }}' - login: '{{ .Values.aaf_init.deploy_fqi }}' - password: '{{ .Values.aaf_init.deploy_pass }}' - passwordPolicy: required - uid: netbox-apikey type: password externalSecret: '{{ .Values.config.netboxApikeyExternalSecret }}' @@ -195,8 +188,8 @@ config: numberGGLogFiles: 10 # dependency / sub-chart configuration -aafConfig: - addconfig: true +certInitializer: + nameOverride: sdnc-cert-initializer fqdn: "sdnc" app_ns: "org.osaaf.aaf" fqi: "sdnc@sdnc.onap.org" 
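Review bot: Removing the `aaf-creds` secret entry (`type: basicAuth`, `externalSecret` override, `passwordPolicy: required`) in the `@@ -70` hunk of sdnc values.yaml takes away the only place where the AAF deployer password could be supplied from an external Kubernetes secret; after this commit the credential survives only as the literal `aafDeployPass: demo123456!` under `certInitializer:` (context in the next hunk). If the common certInitializer chart declares its own secret with an external override, the sdnc values should say so; if it does not, this is a regression in secret handling for sdnc. A comment beside `aafDeployPass` naming the intended override mechanism, e.g. `# test default; production deployments must supply this through the certInitializer chart's external secret`, would make the expectation explicit.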
@@ -206,19 +199,10 @@ aafConfig: aafDeployPass: demo123456! cadi_latitude: "38.0" cadi_longitude: "-72.0" - secret_uid: *aaf_secret_uid credsPath: /opt/app/osaaf/local - -aaf_init: - agentImage: onap/aaf/aaf_agent:2.1.15 - app_ns: "org.osaaf.aaf" - fqi: "sdnc@sdnc.onap.org" - fqdn: "sdnc" - public_fqdn: "sdnc.onap.org" - deploy_fqi: "deployer@people.osaaf.org" - deploy_pass: "demo123456!" - cadi_latitude: "38.0" - cadi_longitude: "-72.0" + aaf_add_config: > + cd /opt/app/osaaf/local; + /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} | grep cadi_keystore_password= | cut -d= -f 2 > {{ .Values.credsPath }}/.pass 2>&1 mariadb-galera: &mariadbGalera nameOverride: sdnc-db @@ -414,22 +398,6 @@ persistence: mountSubPath: sdnc/mdsal mdsalPath: /opt/opendaylight/current/daexim -certpersistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - volumeReclaimPolicy: Retain - accessMode: ReadWriteOnce - size: 50Mi - mountPath: /dockerdata-nfs - mountSubPath: sdnc/certs - certPath: /opt/app/osaaf - ##storageClass: "manual" - ingress: enabled: false service:
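Review bot: In the new `aaf_add_config` script the first statement ends with `;`, so if `cd /opt/app/osaaf/local` fails the `agent.sh local showpass …` pipeline still runs from whatever directory the container started in, which may or may not matter for `agent.sh local`; `cd /opt/app/osaaf/local &&` makes a missing directory abort the snippet instead of silently producing a `.pass` from the wrong context. The trailing `2>&1` binds only to `cut`, so it captures no agent.sh diagnostics and adds nothing, and `>-` instead of `>` would strip the folded scalar's trailing newline and yield a clean single command line. The `{{.Values.fqi}}` / `{{ .Values.credsPath }}` placeholders are relative to the certInitializer sub-chart's scope and only resolve if that chart renders this value through `tpl`, which is not visible in this diff.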