From 31dceea4851d67ec706185f9d6f5bd0bf427b2c3 Mon Sep 17 00:00:00 2001 From: Piotr Marcinkiewicz Date: Tue, 29 Jun 2021 16:15:49 +0200 Subject: [PATCH] [CONTRIB] Introduce certificate update use case in CertService 1. Make changes in order to allow performing KUR/CR in EJBCA: - Add Certificate Update Admin role - Enable EndEntityAuthentication module - Create and set CA with constant UID - Add configuration for provider. 2. Update CertService, which provides with new certificate update endpoint. 3. Update release-notes. Issue-ID: OOM-2753 Issue-ID: OOM-2754 Signed-off-by: Piotr Marcinkiewicz Change-Id: I9cb0cb4d6d6939ad229a4ea254f2bc35d45a3d52 Signed-off-by: Joanna Jeremicz --- docs/release-notes-honolulu.rst | 162 +++++++++++++++++++++ docs/release-notes.rst | 76 +++------- kubernetes/common/cmpv2Config/values.yaml | 2 +- .../contrib/components/ejbca/requirements.yaml | 3 + .../components/ejbca/resources/ejbca-config.sh | 24 ++- .../components/ejbca/templates/deployment.yaml | 2 + .../components/dcae-datafile-collector/values.yaml | 2 +- .../components/dcae-hv-ves-collector/values.yaml | 2 +- .../components/dcae-ves-collector/values.yaml | 2 +- .../cmpv2-cert-provider/crds/cmpv2issuer.yaml | 5 +- .../templates/configuration.yaml | 1 + .../components/cmpv2-cert-provider/values.yaml | 3 +- .../resources/test/cmpServers.json | 6 +- .../components/oom-cert-service/values.yaml | 2 +- 14 files changed, 227 insertions(+), 65 deletions(-) create mode 100644 docs/release-notes-honolulu.rst diff --git a/docs/release-notes-honolulu.rst b/docs/release-notes-honolulu.rst new file mode 100644 index 0000000000..0c8d81f164 --- /dev/null +++ b/docs/release-notes-honolulu.rst 
@@ -0,0 +1,162 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 + International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ONAP Project and its contributors +.. _release_notes_honolulu: + +:orphan: + +************************************* +ONAP Operations Manager Release Notes +************************************* + +Previous Release Notes +====================== + +- :ref:`Guilin ` +- :ref:`Frankfurt ` +- :ref:`El Alto ` +- :ref:`Dublin ` +- :ref:`Casablanca ` +- :ref:`Beijing ` +- :ref:`Amsterdam ` + +Abstract +======== + +This document provides the release notes for the Honolulu release. + +Summary +======= + +The focus of this release is to strengthen the foundation of OOM installer. + +Release Data +============ + ++--------------------------------------+--------------------------------------+ +| **Project** | OOM | +| | | ++--------------------------------------+--------------------------------------+ +| **Docker images** | N/A | +| | | ++--------------------------------------+--------------------------------------+ +| **Release designation** | Honolulu | +| | | ++--------------------------------------+--------------------------------------+ +| **Release date** | 2021/04/29 | +| | | ++--------------------------------------+--------------------------------------+ + +New features +------------ + +* Kubernetes support for version up to 1.20 +* Helm support for version up to 3.5 +* Limits are set for most of the components +* Portal-Cassandra image updated to Bitnami, supporting IPv4/IPv6 Dual Stack +* CMPv2 external issuer implemented which extends Cert-Manager with ability to + enroll X.509 certificates from CMPv2 servers +* New version for mariadb galera using Bitnami image, supporting IPv4/IPv6 Dual + Stack +* Bump version of common PostgreSQL and ElasticSearch +* Move to automatic certificates retrieval for 80% of the components +* Consistent retrieval of docker images, with ability to configure proxy for + the 4 
repositories used by ONAP + +**Bug fixes** + +A list of issues resolved in this release can be found here: +https://jira.onap.org/projects/OOM/versions/11073 + +major issues solved: + +* Better handling of persistence on PostgreSQL +* Better Ingress templating +* Better Service templating + +**Known Issues** + +- `OOM-2554 `_ Common pods have java 8 +- `OOM-2435 `_ SDNC karaf shell: + log:list: Error executing command: Unrecognized configuration +- `OOM-2629 `_ NetBox demo entry setup + not complete +- `OOM-2706 `_ CDS Blueprint Processor + does not work with local DB +- `OOM-2713 `_ Problem on onboarding + custom cert to SDNC ONAP during deployment +- `OOM-2698 `_ SO helm override fails in + for value with multi-level replacement +- `OOM-2697 `_ SO with local MariaDB + deployment fails +- `OOM-2538 `_ strange error with + CertInitializer template +- `OOM-2547 `_ Health Check failures + seen after bringing down/up control plane & worker node VM instances on which + ONAP hosted +- `OOM-2699 `_ SO so-mariadb + readinessCheck fails for local MariaDB instance +- `OOM-2705 `_ SDNC DB installation fails + on local MariaDB instance +- `OOM-2603 `_ [SDNC] allign password for + scaleoutUser/restconfUser/odlUser + +Deliverables +------------ + +Software Deliverables +~~~~~~~~~~~~~~~~~~~~~ + +OOM provides `Helm charts `_ that needs to be +"compiled" into Helm package. see step 6 in +:doc:`quickstart guide `. 
+ +Documentation Deliverables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- :doc:`Project Description ` +- :doc:`Cloud Setup Guide ` +- :doc:`Quick Start Guide ` +- :doc:`Setup Ingress Controller ` +- :doc:`Developer Guide ` +- :doc:`Hardcoded Certificates ` + +Known Limitations, Issues and Workarounds +========================================= + +Known Vulnerabilities +--------------------- + +- Hard coded password used for all OOM deployments + [`OJSI-188 `_] +- :doc:`Hard coded certificates ` in Helm packages + +Workarounds +----------- + +- ``_ + Workaround is to generate a password with "short" strenght or pregenerate + passwords without single quote in it. Default deployment is using "short" + password generation for mariadb. + +Security Notes +-------------- + +**Fixed Security Issues** + +References +========== + +For more information on the ONAP Frankfurt release, please see: + +#. `ONAP Home Page`_ +#. `ONAP Documentation`_ +#. `ONAP Release Downloads`_ +#. `ONAP Wiki Page`_ + + +.. _`ONAP Home Page`: https://www.onap.org +.. _`ONAP Wiki Page`: https://wiki.onap.org +.. _`ONAP Documentation`: https://docs.onap.org +.. _`ONAP Release Downloads`: https://git.onap.org diff --git a/docs/release-notes.rst b/docs/release-notes.rst index ae0ea457f5..730acd5eea 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -11,6 +11,7 @@ ONAP Operations Manager Release Notes Previous Release Notes ====================== +- :ref:`Honolulu ` - :ref:`Guilin ` - :ref:`Frankfurt ` - :ref:`El Alto ` @@ -22,12 +23,12 @@ Previous Release Notes Abstract ======== -This document provides the release notes for the Honolulu release. +This document provides the release notes for the Istanbul release. Summary ======= -The focus of this release is to strengthen the foundation of OOM installer. + Release Data ============ 
@@ -39,66 +40,25 @@ Release Data | **Docker images** | N/A | | | | +--------------------------------------+--------------------------------------+ -| **Release designation** | Honolulu | +| **Release designation** | Istanbul | | | | +--------------------------------------+--------------------------------------+ -| **Release date** | 2021/04/29 | +| **Release date** | | | | | +--------------------------------------+--------------------------------------+ New features ------------ -* Kubernetes support for version up to 1.20 -* Helm support for version up to 3.5 -* Limits are set for most of the components -* Portal-Cassandra image updated to Bitnami, supporting IPv4/IPv6 Dual Stack -* CMPv2 external issuer implemented which extends Cert-Manager with ability to - enroll X.509 certificates from CMPv2 servers -* New version for mariadb galera using Bitnami image, supporting IPv4/IPv6 Dual - Stack -* Bump version of common PostgreSQL and ElasticSearch -* Move to automatic certificates retrieval for 80% of the components -* Consistent retrieval of docker images, with ability to configure proxy for - the 4 repositories used by ONAP **Bug fixes** A list of issues resolved in this release can be found here: -https://jira.onap.org/projects/OOM/versions/11073 - -major issues solved: +https://jira.onap.org/projects/OOM/versions/11074 -* Better handling of persistence on PostgreSQL -* Better Ingress templating -* Better Service templating **Known Issues** -- `OOM-2554 `_ Common pods have java 8 -- `OOM-2435 `_ SDNC karaf shell: - log:list: Error executing command: Unrecognized configuration -- `OOM-2629 `_ NetBox demo entry setup - not complete -- `OOM-2706 `_ CDS Blueprint Processor - does not work with local DB -- `OOM-2713 `_ Problem on onboarding - custom cert to SDNC ONAP during deployment -- `OOM-2698 `_ SO helm override fails in - for value with multi-level replacement -- `OOM-2697 `_ SO with local MariaDB - deployment fails -- `OOM-2538 `_ strange error with - 
CertInitializer template -- `OOM-2547 `_ Health Check failures - seen after bringing down/up control plane & worker node VM instances on which - ONAP hosted -- `OOM-2699 `_ SO so-mariadb - readinessCheck fails for local MariaDB instance -- `OOM-2705 `_ SDNC DB installation fails - on local MariaDB instance -- `OOM-2603 `_ [SDNC] allign password for - scaleoutUser/restconfUser/odlUser Deliverables ------------ @@ -126,17 +86,25 @@ Known Limitations, Issues and Workarounds Known Vulnerabilities --------------------- -- Hard coded password used for all OOM deployments - [`OJSI-188 `_] -- :doc:`Hard coded certificates ` in Helm packages Workarounds ----------- -- ``_ - Workaround is to generate a password with "short" strenght or pregenerate - passwords without single quote in it. Default deployment is using "short" - password generation for mariadb. +- `OOM-2754 `_ + Because of *updateEndpoint* property added to *cmpv2issuer* CRD + it is impossible to upgrade platform component from Honolulu to Istanbul + release without manual steps. Actions that should be performed: + + #. Update the CRD definition:: + + > kubectl -n onap apply -f cmpv2-cert-provider/crds/cmpv2issuer.yaml + #. Upgrade the component + #. Make sure that *cmpv2issuer* contains correct value for + *spec.updateEndpoint*. The value should be: *v1/certificate-update*. + If it's not, edit the resource:: + + > kubectl -n onap edit cmpv2issuer cmpv2-issuer-onap + Security Notes -------------- @@ -146,7 +114,7 @@ Security Notes References ========== -For more information on the ONAP Frankfurt release, please see: +For more information on the ONAP Istanbul release, please see: #. `ONAP Home Page`_ #. `ONAP Documentation`_ diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index 02595b348d..4b8438ace2 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml 
@@ -35,5 +35,5 @@ global: truststorePasswordSecretName: oom-cert-service-truststore-password truststorePasswordSecretKey: password certPostProcessor: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 diff --git a/kubernetes/contrib/components/ejbca/requirements.yaml b/kubernetes/contrib/components/ejbca/requirements.yaml index 31db08aa3a..8762d969f9 100644 --- a/kubernetes/contrib/components/ejbca/requirements.yaml +++ b/kubernetes/contrib/components/ejbca/requirements.yaml @@ -26,3 +26,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: cmpv2Config + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh index ad10240b94..2c672e2f07 100755 --- a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh +++ b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh 
@@ -8,16 +8,31 @@ waitForEjbcaToStart() { } configureEjbca() { + ejbca.sh ca init \ + --caname ManagementCA \ + --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \ + --tokenType soft \ + --keyspec 3072 \ + --keytype RSA \ + -v 3652 \ + --policy null \ + -s SHA256WithRSA \ + -type "x509" ejbca.sh config cmp addalias --alias cmpRA ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK} - ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe + ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate' + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA' + ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true #Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth) ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles #Profile name taken from certprofile filename (certprofile_-.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER #ID taken from entityprofile filename (entityprofile_-.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849 + caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p') + ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject" ejbca.sh config cmp dumpalias --alias cmpRA ejbca.sh config cmp addalias --alias cmp ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true 
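Review bot: `caSubject=$(... | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p')` has no guard for an empty result, so if the `getcacert` output ever lacks a `Subject:` line the following `updatealias --key defaultca` silently stores an empty string and the problem presumably only surfaces later, once signature-protected CMP responses are needed; add `[ -n "$caSubject" ] || { echo "ERROR: could not read ManagementCA subject" >&2; return 1; }` between those two lines (whether the script runs under `set -e` is outside the hunk, so an explicit check is safer). The `grep 'Subject'` pattern would also match a line such as `Subject Alternative Name`, which `sed -n '1p'` only masks if the subject line comes first; anchoring the pattern as `grep '^Subject:'` removes that dependency. The fixed DN given to `ca init --dn` is duplicated verbatim as `issuerDN` in kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json (both hunks of that file), and JSON cannot carry a comment, so document the coupling here: `# NOTE: this DN must stay identical to issuerDN in oom-cert-service/resources/test/cmpServers.json`. configureEjbca's body continues past the end of this hunk.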
@@ -27,6 +42,13 @@ configureEjbca() { ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN ejbca.sh config cmp dumpalias --alias cmp ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem + #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation) + ejbca.sh roles addrole "Certificate Update Admin" + ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT + ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}" } diff --git a/kubernetes/contrib/components/ejbca/templates/deployment.yaml b/kubernetes/contrib/components/ejbca/templates/deployment.yaml index 46f7d3521c..fc163ee2e2 100644 --- a/kubernetes/contrib/components/ejbca/templates/deployment.yaml +++ b/kubernetes/contrib/components/ejbca/templates/deployment.yaml @@ -61,6 +61,8 @@ spec: env: - name: INITIAL_ADMIN value: ";PublicAccessAuthenticationToken:TRANSPORT_ANY;" + - name: NO_CREATE_CA + value: "true" - name: DATABASE_JDBC_URL value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ .Values.mysqlDatabase }} - name: DATABASE_USER diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml index 838e49e9cc..670e6c17dc 100644 --- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml 
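Review bot: The `addrolemember ... ManagementCA WITH_ORGANIZATION` rule grants the role's four permissions to every holder of a ManagementCA-issued certificate whose organization equals the configured value, not only to the entity renewing its own certificate, so any one component's client certificate can create certificates and edit end entities for every other entity under the Custom_EndEntity profile in that organization. The added comment says "within specific organization" but does not state that trust boundary; extend it with `#NOTE: membership is matched on O= only, so every ManagementCA-issued certificate with this organization gains create_certificate/edit_end_entity over all Custom_EndEntity entities; acceptable for this contrib/test CA only`. The `{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}` value is interpolated inside a double-quoted shell string, so an organization name containing `"` or `$` would break the command; presumably the configured value is a plain name, verify against the cmpv2Config defaults. configureEjbca starts in the previous hunk, outside this one.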
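Review bot: `NO_CREATE_CA` is added with no explanation, and its purpose is only recoverable from ejbca-config.sh, which in this commit starts creating ManagementCA itself via `ejbca.sh ca init` with a fixed DN; a reader of the deployment alone cannot tell that removing this variable would yield a second, differently named CA. Propose a comment above the new entry: `# ManagementCA is created by ejbca-config.sh with a fixed DN; disable the image's own CA bootstrap`. The value is correctly quoted as a string, as the YAML boolean trap requires for an env var. The enclosing container spec starts outside the hunk.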
@@ -34,7 +34,7 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1 -certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 ################################################################# # Application Configuration Defaults. diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml index 9b943c4fcc..7f17532cb2 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml @@ -35,7 +35,7 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1 -certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 ################################################################# # Application configuration defaults. diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml index 34adba7a3c..bfea92aeb9 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml 
@@ -35,7 +35,7 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1 -certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0 ################################################################# # Application configuration defaults. diff --git a/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml b/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml index 0bc24afe86..e8418355d3 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml @@ -56,7 +56,10 @@ spec: description: Path of health check endpoint. type: string certEndpoint: - description: Path of cerfificate signing enpoint. + description: Path of cerfificate signing endpoint. + type: string + updateEndpoint: + description: Path of certificate update endpoint. type: string caName: description: Name of the external CA server configured on CertService API side. diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml index ae4ae81f02..52e35375d3 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml 
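Review bot: The rewritten line `description: Path of cerfificate signing endpoint.` fixes "enpoint" but keeps the misspelling "cerfificate"; since the commit already touches the line, correct both: `description: Path of certificate signing endpoint.`. Whether `updateEndpoint` is listed under the schema's `required` keys is outside the hunk; the release-notes hunk states that an issuer lacking this value cannot perform updates, so if the field is meant to be mandatory it should appear there as well, otherwise a comment on the new field saying it is optional would spare operators the guess.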
@@ -25,6 +25,7 @@ spec: url: {{ .Values.cmpv2issuer.url }} healthEndpoint: {{ .Values.cmpv2issuer.healthcheckEndpoint }} certEndpoint: {{ .Values.cmpv2issuer.certEndpoint }} + updateEndpoint: {{ .Values.cmpv2issuer.updateEndpoint }} caName: {{ .Values.cmpv2issuer.caName }} certSecretRef: name: {{ .Values.cmpv2issuer.certSecretRef.name }} diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index 38bddfbdc3..2237811465 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -28,7 +28,7 @@ namespace: onap # Deployment configuration deployment: name: oom-certservice-cmpv2issuer - image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.3.2 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.4.0 proxyImage: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 # fol local development use IfNotPresent pullPolicy: Always @@ -50,6 +50,7 @@ cmpv2issuer: url: https://oom-cert-service:8443 healthcheckEndpoint: actuator/health certEndpoint: v1/certificate + updateEndpoint: v1/certificate-update caName: RA certSecretRef: name: oom-cert-service-client-tls-secret diff --git a/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json b/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json index 06e1087f60..5a967f0405 100644 --- a/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json +++ b/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json @@ -3,7 +3,7 @@ { "caName": "CLIENT", "url": "http://ejbca:8080/ejbca/publicweb/cmp/cmp", - "issuerDN": "CN=ManagementCA", + "issuerDN": "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345", "caMode": "CLIENT", "authentication": { "iak": "${CLIENT_IAK}", 
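Review bot: `updateEndpoint: {{ .Values.cmpv2issuer.updateEndpoint }}` renders as a bare `updateEndpoint:` (YAML null) when the value is overridden to empty, which the release-notes hunk names as the condition under which certificate updates stop working after an upgrade; failing at render time is cheaper to diagnose: `updateEndpoint: {{ required "cmpv2issuer.updateEndpoint must be set" .Values.cmpv2issuer.updateEndpoint }}`. The neighbouring `healthEndpoint` and `certEndpoint` lines use the same unquoted form, so the new line follows the file's existing style; apply `required` to them too only if that guard is wanted consistently. The enclosing `spec` mapping starts outside the hunk.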
@@ -13,7 +13,7 @@ { "caName": "RA", "url": "http://ejbca:8080/ejbca/publicweb/cmp/cmpRA", - "issuerDN": "CN=ManagementCA", + "issuerDN": "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345", "caMode": "RA", "authentication": { "iak": "${RA_IAK}", @@ -21,4 +21,4 @@ } } ] -} \ No newline at end of file +} diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index 2e149683d7..fbd545c12e 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml @@ -34,7 +34,7 @@ service: # Deployment configuration repository: "nexus3.onap.org:10001" -image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3 +image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.4.0 pullPolicy: Always replicaCount: 1 -- 2.16.6