From: Andreas Geissler Date: Thu, 30 Mar 2023 11:20:33 +0000 (+0000) Subject: Merge "[SDC] Update docker images" X-Git-Tag: 12.0.0~77 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=d1499210a2014d91a9ab64d6d408027a968319db;hp=8b1f08592c26fe53e93d38c09c100e021947f328;p=oom.git Merge "[SDC] Update docker images" --- diff --git a/docs/sections/guides/infra_guides/oom_base_optional_addons.rst b/docs/sections/guides/infra_guides/oom_base_optional_addons.rst index f795a8664a..b55ed0ef66 100644 --- a/docs/sections/guides/infra_guides/oom_base_optional_addons.rst +++ b/docs/sections/guides/infra_guides/oom_base_optional_addons.rst @@ -127,12 +127,20 @@ Install Istio Gateway > kubectl label namespace istio-ingress istio-injection=enabled -- Install the Istio Gateway chart,replacing the +- To expose additional ports besides HTTP/S (e.g. for external Kafka access) + create an override file (e.g. istio-ingress.yaml) + + .. collapse:: istio-ingress.yaml + + .. include:: ../../resources/yaml/istio-ingress.yaml + :code: yaml + +- Install the Istio Gateway chart using the override file, replacing the with the version defined in the :ref:`versions_table` table:: > helm upgrade -i istio-ingress istio/gateway -n istio-ingress - --version --wait + --version -f ingress-istio.yaml --wait Kiali Installation ================== diff --git a/docs/sections/resources/yaml/envoyfilter-case.yaml b/docs/sections/resources/yaml/envoyfilter-case.yaml index c919319ecc..31e80374e2 100644 --- a/docs/sections/resources/yaml/envoyfilter-case.yaml +++ b/docs/sections/resources/yaml/envoyfilter-case.yaml 
@@ -21,6 +21,49 @@ spec: name: preserve_case typed_config: '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig + - applyTo: NETWORK_FILTER + match: + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + patch: + operation: MERGE + value: + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + http_protocol_options: + header_key_format: + stateful_formatter: + name: preserve_case + typed_config: + '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig +--- +apiVersion: networking.istio.io/v1alpha3 +kind: EnvoyFilter +metadata: + name: header-casing-outbound + namespace: istio-config + #annotations: + # argocd.argoproj.io/hook: PostSync +spec: + configPatches: + - applyTo: CLUSTER + match: + context: SIDECAR_OUTBOUND + patch: + operation: MERGE + value: + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + use_downstream_protocol_config: + http_protocol_options: + header_key_format: + stateful_formatter: + name: preserve_case + typed_config: + '@type': type.googleapis.com/envoy.extensions.http.header_formatters.preserve_case.v3.PreserveCaseFormatterConfig - applyTo: NETWORK_FILTER match: listener: diff --git a/docs/sections/resources/yaml/istio-ingress.yaml b/docs/sections/resources/yaml/istio-ingress.yaml new file mode 100644 index 0000000000..5f000d306d --- /dev/null +++ b/docs/sections/resources/yaml/istio-ingress.yaml 
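Review bot: The new `header-casing-outbound` EnvoyFilter has no `workloadSelector`, and its `SIDECAR_OUTBOUND` CLUSTER patch is a MERGE that is applied to every outbound cluster of every sidecar the filter is scoped to; if `istio-config` is configured as the mesh root namespace, that is every sidecar in the mesh. EnvoyFilter is an escape-hatch API whose patched config is not validated against a schema, so a typo in one of the `@type` strings breaks every affected cluster or listener rather than a single workload. I would add a comment above `metadata` stating the intended scope, e.g. `# No workloadSelector: applies to all sidecars when deployed in the mesh root namespace`, and add a `workloadSelector` if only specific callers need preserved header casing.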
@@ -0,0 +1,32 @@
+service:
+ # Type of service. Set to "None" to disable the service entirely
+ type: LoadBalancer
+ ports:
+ - name: status-port
+ port: 15021
+ protocol: TCP
+ targetPort: 15021
+ - name: http2
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ - name: kafka-bootstrap
+ port: 9010
+ targetPort: 9010
+ protocol: TCP
+ - name: kafka-0
+ port: 9000
+ targetPort: 9000
+ protocol: TCP
+ - name: kafka-1
+ port: 9001
+ targetPort: 9001
+ protocol: TCP
+ - name: kafka-2
+ port: 9002
+ targetPort: 9002
+ protocol: TCP
\ No newline at end of file
diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl
index 30ef02295f..a9ffd70f96 100644
--- a/kubernetes/common/common/templates/_ingress.tpl
+++ b/kubernetes/common/common/templates/_ingress.tpl
@@ -102,18 +102,20 @@ true
 */}}
 {{- define "istio.config.port" -}}
 {{- $dot := default . .dot -}}
-{{- if .exposedPort }}
- number: {{ .exposedPort }}
-{{- if .exposedProtocol }}
- name: {{ .baseaddr }}
- protocol: {{ .exposedProtocol }}
+{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}}
+{{- $protocol := (required "'protocol' param, set to the name of the port, is required." .protocol) -}}
+{{- if $dot.exposedPort }}
+ number: {{ $dot.exposedPort }}
+{{- if $dot.exposedProtocol }}
+ name: {{ $protocol }}-{{ $dot.exposedPort }}
+ protocol: {{ $dot.exposedProtocol }}
 {{- else }}
- name: http
+ name: {{ $protocol }}
 protocol: HTTP
 {{- end -}}
 {{- else }}
 number: 80
- name: http
+ name: {{ $protocol }}
 protocol: HTTP
 {{- end -}}
 {{- end -}}
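Review bot: The override turns the gateway Service into a `LoadBalancer` that also publishes the four Kafka ports (9010 and 9000-9002), so the broker endpoints become reachable from wherever the load balancer is exposed, not only the HTTP/S ports operators usually expect on an ingress. Nothing in the file restricts the source, so I would add `loadBalancerSourceRanges` or at least a comment next to `type: LoadBalancer` saying the operator must restrict it, e.g. `# Kafka ports are exposed here too: set loadBalancerSourceRanges or firewall them when the LB is public`. The file also lacks a trailing newline.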
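Review bot: `$baseaddr` is pulled in with `required` at the top of `istio.config.port` but never used in the body, so every caller is forced to pass a parameter that has no effect; either drop that line or use it in the port name. Both `else` branches still emit `protocol: HTTP` for any port without `exposedProtocol`, including a custom `exposedPort`, which silently creates a plaintext listener on the gateway; a one-line comment such as `# no exposedProtocol: plaintext HTTP server on the gateway` would make that visible to chart authors. The port `name` built from `$protocol` and `exposedPort` has to be unique within one Gateway, which appears to hold for tcpRoutes only as long as each route has its own exposedPort.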
@@ -148,25 +150,47 @@ true Istio Helper function to add the route to the service */}} {{- define "istio.config.route" -}} -{{- $dot := default . .dot -}} - http: +{{- $dot := default . .dot -}} +{{- $protocol := (required "'protocol' param, is required." .protocol) -}} +{{- if eq $protocol "tcp" }} + - match: + - port: {{ $dot.exposedPort }} + route: + - destination: + port: + {{- if $dot.plain_port }} + {{- if kindIs "string" $dot.plain_port }} + name: {{ $dot.plain_port }} + {{- else }} + number: {{ $dot.plain_port }} + {{- end }} + {{- else }} + {{- if kindIs "string" $dot.port }} + name: {{ $dot.port }} + {{- else }} + number: {{ $dot.port }} + {{- end }} + {{- end }} + host: {{ $dot.name }} +{{- else if eq $protocol "http" }} - route: - destination: port: - {{- if .plain_port }} - {{- if kindIs "string" .plain_port }} - name: {{ .plain_port }} + {{- if $dot.plain_port }} + {{- if kindIs "string" $dot.plain_port }} + name: {{ $dot.plain_port }} {{- else }} - number: {{ .plain_port }} + number: {{ $dot.plain_port }} {{- end }} {{- else }} - {{- if kindIs "string" .port }} - name: {{ .port }} + {{- if kindIs "string" $dot.port }} + name: {{ $dot.port }} {{- else }} - number: {{ .port }} + number: {{ $dot.port }} {{- end }} {{- end }} - host: {{ .name }} + host: {{ $dot.name }} +{{- end -}} {{- end -}} {{/* 
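Review bot: In the new `tcp` branch `match: - port: {{ $dot.exposedPort }}` reads `exposedPort` without a guard, so a tcpRoute that omits it renders `port:` with an empty value and the VirtualService is rejected at apply time with an unhelpful message; mirror the `protocol` check with `{{- $exposedPort := (required "'exposedPort' param is required for tcp routes." $dot.exposedPort) -}}`. The `else if eq $protocol "http"` chain has no final `else`, so any other protocol value (for example `grpc` or `tls`) silently renders no route at all; I would end the chain with `{{- else }}{{ fail (printf "unsupported ingress protocol %q, expected tcp or http" $protocol) }}{{- end }}`. Note also that a plain TCP match keys on the gateway port only, so two service entries sharing an exposedPort collide regardless of the host on the VirtualService.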
@@ -239,13 +263,28 @@ true {{- end -}} {{- end -}} +{{/* + Create Port entry in the Gateway resource +*/}} +{{- define "istio.config.gatewayPort" -}} +{{- $dot := default . .dot -}} +{{- $service := (required "'service' param, set to the specific service, is required." .service) -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} +{{- $protocol := (required "'protocol' param, set to the specific port, is required." .protocol) -}} + - port: + {{- include "istio.config.port" (dict "dot" $service "baseaddr" $baseaddr "protocol" $protocol) }} + hosts: + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + {{- include "istio.config.tls" (dict "dot" $dot "service" $service "baseaddr" $baseaddr) }} +{{- end -}} + {{/* Create Istio Ingress resources per defined service */}} {{- define "common.istioIngress" -}} -{{- $dot := default . .dot -}} -{{ range $dot.Values.ingress.service }} -{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} +{{- $dot := default . .dot -}} +{{ range $dot.Values.ingress.service }} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} --- apiVersion: networking.istio.io/v1beta1 kind: Gateway 
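Review bot: The `required` message for `protocol` in `istio.config.gatewayPort` says "set to the specific port", which looks copy-pasted from the `service` line and will mislead whoever hits it; make it `'protocol' param, set to tcp or http, is required.`. The helper forwards `$service` as `dot` to `istio.config.port` and as `service` to `istio.config.tls`, so it relies on each tcpRoute entry carrying `exposedPort`/`exposedProtocol` exactly like a top-level service entry, which is worth stating in the header comment (e.g. `# service: a top-level ingress.service entry or one of its tcpRoutes`).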
@@ -255,11 +294,17 @@ spec: selector: istio: ingress # use Istio default gateway implementation servers: - - port: - {{- include "istio.config.port" . }} - hosts: - - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} - {{- include "istio.config.tls" (dict "dot" $dot "service" . "baseaddr" $baseaddr) }} +{{- if .tcpRoutes }} +{{ range .tcpRoutes }} + {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "tcp") | trim }} +{{ end -}} +{{- else }} + {{- if .protocol }} + {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" .protocol) | trim }} + {{- else }} + {{ include "istio.config.gatewayPort" (dict "dot" $dot "service" . "baseaddr" $baseaddr "protocol" "http") | trim }} + {{ end }} +{{ end }} --- apiVersion: networking.istio.io/v1beta1 kind: VirtualService @@ -270,8 +315,21 @@ spec: - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} gateways: - {{ $baseaddr }}-gateway - {{ include "istio.config.route" . | trim }} -{{- end -}} +{{- if .tcpRoutes }} + tcp: +{{ range .tcpRoutes }} + {{ include "istio.config.route" (dict "dot" . "protocol" "tcp") | trim }} +{{ end -}} +{{- else }} + {{- if .protocol }} + {{ .protocol }}: + {{ include "istio.config.route" (dict "dot" . "protocol" .protocol) | trim }} + {{- else }} + http: + {{ include "istio.config.route" (dict "dot" . "protocol" "http") | trim }} + {{ end }} +{{ end }} +{{- end -}} {{- end -}} {{/* diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl index a685a73627..fe2424cc85 100644 --- a/kubernetes/common/common/templates/_serviceMesh.tpl +++ b/kubernetes/common/common/templates/_serviceMesh.tpl 
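Review bot: When a service entry sets both `tcpRoutes` and `protocol`, the `{{- if .tcpRoutes }}` branch in the Gateway and again in the VirtualService silently ignores `protocol`, so a mis-edited values file gets a different exposure than its author intended with no error. In the VirtualService the user-supplied `.protocol` is also written straight out as the YAML key (`{{ .protocol }}:`) before `istio.config.route` decides whether it understands it, so an unknown value yields a key with no routes under it. Guard the entry at the top of the range, e.g. `{{- if and .tcpRoutes .protocol }}{{ fail "ingress.service: tcpRoutes and protocol are mutually exclusive" }}{{- end }}`, so the failure is explicit at template time rather than at `kubectl apply`.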
@@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Amdocs, Bell Canada, Orange +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -66,3 +67,83 @@ exit "$RCODE" fieldPath: metadata.namespace {{- end }} {{- end }} + +{{/* + Use Authorization Policies or not. +*/}} +{{- define "common.useAuthorizationPolicies" -}} +{{- if (include "common.onServiceMesh" .) }} +{{- if .Values.global.authorizationPolicies -}} +{{- if (default false .Values.global.authorizationPolicies.enabled) -}} +true +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* + Create Authorization Policy template. + If common.useAuthorizationPolicies returns true: + Will create authorization policy, provided with array of authorized principals in .Values.serviceMesh.authorizationPolicy.authorizedPrincipals + in the format: + authorizedPrincipals: + - serviceAccount: (Mandatory) + namespace: (Optional, will default to onap) + allowedOperationMethods: ("app.kubernetes.io/name" corresponds to key defined in "common.labels", which is included in "common.service") + + If common.useAuthorizationPolicies returns false: + Will create an authorization policy without rules, i.e., an allow-all policy +*/}} +{{- define "common.authorizationPolicy" -}} +{{- $dot := default . .dot -}} +{{- $trustedDomain := default "cluster.local" $dot.Values.serviceMesh.authorizationPolicy.trustedDomain -}} +{{- $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}} +{{- $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}} +{{- $relName := include "common.release" . -}} +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: {{ include "common.fullname" (dict "suffix" "authz" "dot" . )}} + namespace: {{ include "common.namespace" . }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ include "common.servicename" . }} + action: ALLOW + rules: +{{- if (include "common.useAuthorizationPolicies" .) 
}} +{{- if $authorizedPrincipals }} +{{- range $principal := $authorizedPrincipals }} + - from: + - source: + principals: +{{- $namespace := default "onap" $principal.namespace -}} +{{- if eq "onap" $namespace }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $relName }}-{{ $principal.serviceAccount }}" +{{- else }} + - "{{ $trustedDomain }}/ns/{{ $namespace }}/sa/{{ $principal.serviceAccount }}" +{{- end }} + to: + - operation: + methods: +{{- if $principal.allowedOperationMethods }} +{{- range $method := $principal.allowedOperationMethods }} + - {{ $method }} +{{- end }} +{{- else }} +{{- range $method := $defaultOperationMethods }} + - {{ $method }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} +{{- else }} + - {} +{{- end }} +{{- end -}} diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index c7399b3f1b..40ac5edab6 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -1,6 +1,7 @@ # Copyright © 2019 Amdocs, Bell Canada # Copyright (c) 2020 Nordix Foundation, Modifications # Modifications Copyright © 2020-2021 Nokia +# Modifications Copyright © 2023 Nordix Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -187,6 +188,10 @@ global: # be aware that linkerd is not well tested engine: "istio" # valid value: istio or linkerd + # Global Istio Authorization Policy configuration + authorizationPolicies: + enabled: false + # metrics part # If enabled, exporters (for prometheus) will be deployed # if custom resources set to yes, CRD from prometheus operartor will be diff --git a/kubernetes/so/templates/authorizationpolicy.yaml b/kubernetes/so/templates/authorizationpolicy.yaml new file mode 100644 index 0000000000..7158c0263f --- /dev/null +++ b/kubernetes/so/templates/authorizationpolicy.yaml 
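Review bot: `common.authorizationPolicy` defaults a principal's namespace to the literal `"onap"` and prefixes the service account with the release name only in that case, so a deployment into any other namespace produces principals that match nothing, and with `authorizationPolicies.enabled: true` the workload then rejects every caller, because an ALLOW policy whose rules match nothing denies. Default to the chart's own namespace instead, `{{- $namespace := default (include "common.namespace" $dot) $principal.namespace -}}`, and compare against that value rather than the string `onap`. The same deny-all outcome occurs when policies are enabled but `authorizedPrincipals` is empty, since `rules:` is rendered with no entries; that may be the intended fail-closed behaviour, but the header comment should say so, and its description of the disabled case should read `a single empty rule (- {}), i.e. allow-all` rather than "without rules". Because the `principals` match relies on the peer identity from mTLS, the policy only isolates the workload when a STRICT PeerAuthentication is in force; plaintext callers carry no principal and are denied, which is worth noting next to `action: ALLOW`.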
@@ -0,0 +1,17 @@ +{{/* +# Copyright © 2023 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "common.authorizationPolicy" . }} \ No newline at end of file diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index 014cbadbab..a35fe3274a 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -599,6 +599,15 @@ ingress: name: 'so' port: 8080 +serviceMesh: + authorizationPolicy: + authorizedPrincipals: + - serviceAccount: consul-read + - serviceAccount: consul-server-read + - serviceAccount: nbi-read + - serviceAccount: istio-ingress + namespace: istio-ingress + mso: adapters: requestDb: diff --git a/kubernetes/strimzi/templates/strimzi-kafka.yaml b/kubernetes/strimzi/templates/strimzi-kafka.yaml index 99252ec3e6..3ce7b1d627 100644 --- a/kubernetes/strimzi/templates/strimzi-kafka.yaml +++ b/kubernetes/strimzi/templates/strimzi-kafka.yaml @@ -36,9 +36,9 @@ spec: - name: external port: 9094 type: {{ if (include "common.ingressEnabled" .) }}cluster-ip{{ else }}nodeport{{ end }} - tls: true + tls: {{ if (include "common.ingressEnabled" .) }}false{{ else }}true{{ end }} authentication: - type: tls + type: {{ if (include "common.ingressEnabled" .) }}{{ .Values.config.saslMechanism }}{{ else }}tls{{ end }} configuration: {{- if not (include "common.ingressEnabled" .) }} bootstrap: diff --git a/kubernetes/strimzi/values.yaml b/kubernetes/strimzi/values.yaml index ec1ed887a7..057f2003c7 100644 
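Review bot: The new template renders `common.authorizationPolicy` unconditionally, and that helper always emits a `security.istio.io/v1beta1` AuthorizationPolicy (only the `rules` differ by `common.useAuthorizationPolicies`), so installing SO on a cluster without the Istio CRDs fails with an unknown-kind error. Wrap the include in the mesh check so the resource only exists where the API does: `{{- if (include "common.onServiceMesh" .) }}`, `{{ include "common.authorizationPolicy" . }}`, `{{- end }}`. The file also lacks a trailing newline.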
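Review bot: Listing the `istio-ingress` gateway service account among `authorizedPrincipals` means every request that enters through the gateway reaches SO with the full default method set (GET/POST/PUT/PATCH/DELETE); the policy then only attests that traffic came via the gateway, not who the external caller is. That is acceptable if end-user authentication is enforced at the gateway or inside SO, but the values file should say so, e.g. `# gateway principal: external callers are authenticated at the ingress or by SO itself, not by this policy`. If any of the `*-read` principals only need read access, give them `allowedOperationMethods: [GET]` rather than the write-capable default.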
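Review bot: With ingress enabled the `external` listener now has `tls: false` while authenticating with `.Values.config.saslMechanism`, so the hop between the Istio gateway (which terminates TLS, per the `exposedProtocol: TLS` on the route) and the broker is plaintext Kafka protocol carrying the SASL exchange and all topic data; that leg is protected only if the broker pods are in the mesh under STRICT mTLS, which this hunk does not establish. If that assumption holds, state it next to the line, e.g. `# tls false: gateway terminates TLS, broker leg relies on mesh mTLS`; otherwise keep `tls: true` and route with TLS passthrough so the broker handshakes with the client directly. Strimzi accepts only a small fixed set of listener authentication types (`scram-sha-512` among them), so `saslMechanism` should be validated or documented rather than passed through verbatim; an unsupported value fails only when the operator reconciles, after helm has reported success.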
--- a/kubernetes/strimzi/values.yaml +++ b/kubernetes/strimzi/values.yaml @@ -19,6 +19,12 @@ global: nodePortPrefixExt: 304 persistence: mountPath: /dockerdata-nfs + ingress: + virtualhost: + baseurl: &baseurl "simpledemo.onap.org" + preaddr: &preaddr "" + postaddr: &postaddr "" + ################################################################# # Application configuration defaults. ################################################################# @@ -66,23 +72,23 @@ ingress: - baseaddr: "kafka-bootstrap-api" name: "onap-strimzi-kafka-external-bootstrap" port: 9094 + protocol: tcp exposedPort: 9010 exposedProtocol: TLS - - baseaddr: "kafka-0-api" - name: "onap-strimzi-kafka-0" - port: 9094 - exposedPort: *advertizedPortBroker0 - exposedProtocol: TLS - - baseaddr: "kafka-1-api" - name: "onap-strimzi-kafka-1" - port: 9094 - exposedPort: *advertizedPortBroker1 - exposedProtocol: TLS - - baseaddr: "kafka-2-api" - name: "onap-strimzi-kafka-2" - port: 9094 - exposedPort: *advertizedPortBroker2 - exposedProtocol: TLS + - baseaddr: "kafka-api" + tcpRoutes: + - name: "onap-strimzi-kafka-0" + port: 9094 + exposedPort: *advertizedPortBroker0 + exposedProtocol: TLS + - name: "onap-strimzi-kafka-1" + port: 9094 + exposedPort: *advertizedPortBroker1 + exposedProtocol: TLS + - name: "onap-strimzi-kafka-2" + port: 9094 + exposedPort: *advertizedPortBroker2 + exposedProtocol: TLS ###################### # Component overrides