From fde94076e689727e8a2c3c5147ce1242dc225f87 Mon Sep 17 00:00:00 2001 From: Sylvain Desbureaux Date: Fri, 19 Mar 2021 15:06:41 +0100 Subject: [PATCH] [SO] Use truststore all keystore MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Truststore given by AAF is only giving ONAP root_ca. In order to have access to other platforms, we must also have all the other ones. As ONAP root ÇA and all known CAs are present in truststore All, let's use it. Issue-ID: OOM-2688 Signed-off-by: Sylvain Desbureaux Change-Id: I551b8e4a316dcf4f2dee1bf6c45327496a488cdd --- .../so-appc-orchestrator/templates/deployment.yaml | 3 +-- .../so-bpmn-infra/templates/deployment.yaml | 3 +-- .../so-catalog-db-adapter/templates/deployment.yaml | 3 +-- .../so-cnf-adapter/templates/deployment.yaml | 4 +--- .../so-etsi-nfvo-ns-lcm/templates/deployment.yaml | 3 +-- .../so-monitoring/templates/deployment.yaml | 2 +- .../so-nssmf-adapter/templates/deployment.yaml | 3 +-- .../so-openstack-adapter/templates/deployment.yaml | 3 +-- .../so-request-db-adapter/templates/deployment.yaml | 3 +-- .../so-sdc-controller/templates/deployment.yaml | 3 +-- .../so-sdnc-adapter/templates/deployment.yaml | 3 +-- .../so-vfc-adapter/templates/deployment.yaml | 3 +-- .../so-vnfm-adapter/templates/deployment.yaml | 3 +-- .../so/components/soHelpers/templates/_cadiValues.tpl | 4 ++-- .../components/soHelpers/templates/_certificates.tpl | 4 ++-- kubernetes/so/components/soHelpers/values.yaml | 19 +++---------------- kubernetes/so/templates/deployment.yaml | 3 +-- kubernetes/so/values.yaml | 6 ------ 18 files changed, 21 insertions(+), 54 deletions(-) diff --git a/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml b/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml index 917c067681..142ae725d6 100644 --- a/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml +++ b/kubernetes/so/components/so-appc-orchestrator/templates/deployment.yaml @@ -55,8 +55,7 @@ spec: - | export ACTUATOR_PASSWORD="$(cat /tmp/app/encoded)" {{- if .Values.global.aafEnabled }} - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) {{- if .Values.global.security.aaf.enabled }} export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" {{- end }} diff --git a/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml b/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml index 3fee225c03..6e117cd8bf 100755 --- a/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml +++ b/kubernetes/so/components/so-bpmn-infra/templates/deployment.yaml @@ -52,8 +52,7 @@ spec: args: - -c - | - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) {{- if .Values.global.security.aaf.enabled }} export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" {{- end }} diff --git a/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml b/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml index 75e6b1ee62..f756448e2b 100755 --- a/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-catalog-db-adapter/templates/deployment.yaml @@ -52,8 +52,7 @@ spec: args: - -c - | - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) {{- if .Values.global.security.aaf.enabled }} export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" {{- end }} diff --git a/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml b/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml index 4518a5f607..0d80b2a9ae 100755 --- a/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-cnf-adapter/templates/deployment.yaml @@ -63,8 +63,7 @@ spec: export AAF_AUTH=$(echo "Basic ${AAF_BASE64}") export AAI_AUTH=$(cat /input/.aai_creds) {{- if .Values.global.aafEnabled }} - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) {{- if .Values.global.security.aaf.enabled }} export KEYSTORE_PASSWORD="${cadi_keystore_password}" {{- end }} @@ -116,4 +115,3 @@ spec: medium: Memory imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" - diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml index 2cf23e23be..c33dcb7f32 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml @@ -39,8 +39,7 @@ spec: - | export ETSI_NFVO_PASSWORD=`htpasswd -bnBC 10 "" $ETSI_NFVO_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'` {{- if .Values.global.aafEnabled }} - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) {{- if .Values.global.security.aaf.enabled }} export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" {{- end }} diff --git a/kubernetes/so/components/so-monitoring/templates/deployment.yaml b/kubernetes/so/components/so-monitoring/templates/deployment.yaml index dc80d426fc..ca108ac5cd 100644 --- a/kubernetes/so/components/so-monitoring/templates/deployment.yaml +++ b/kubernetes/so/components/so-monitoring/templates/deployment.yaml @@ -66,7 +66,7 @@ spec: export SO_MONITORING_PASSWORD=`htpasswd -bnBC 10 "" $SO_MON_PASS | tr -d ':\n' | sed 's/\$2y/\$2a/'` {{- if .Values.global.aafEnabled }} export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/org.onap.so.cred.props | xargs -0) - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) + export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) export KEYSTORE=file://$cadi_keystore export KEYSTORE_PASSWORD=$cadi_keystore_password_p12 export TRUSTSTORE=file://$cadi_truststore diff --git a/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml b/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml index 75d831eba6..dde03a4aad 100755 --- a/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-nssmf-adapter/templates/deployment.yaml @@ -42,8 +42,7 @@ spec: export BPEL_PASSWORD=`htpasswd -bnBC 10 "" $BPEL_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'` export ACTUATOR_PASSWORD=`htpasswd -bnBC 10 "" $ACTUATOR_PASSWORD_INPUT | tr -d ':\n' | sed 's/\$2y/\$2a/'` {{- if .Values.global.aafEnabled }} - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) {{- if .Values.global.security.aaf.enabled }} export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" {{- end }} diff --git a/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml b/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml index 3fee225c03..6e117cd8bf 100755 --- a/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-openstack-adapter/templates/deployment.yaml @@ -52,8 +52,7 @@ spec: args: - -c - | - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) {{- if .Values.global.security.aaf.enabled }} export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" {{- end }} diff --git a/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml b/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml index 75e6b1ee62..f756448e2b 100755 --- a/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-request-db-adapter/templates/deployment.yaml @@ -52,8 +52,7 @@ spec: args: - -c - | - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) {{- if .Values.global.security.aaf.enabled }} export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" {{- end }} diff --git a/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml b/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml index 3fee225c03..6e117cd8bf 100755 --- a/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml +++ b/kubernetes/so/components/so-sdc-controller/templates/deployment.yaml @@ -52,8 +52,7 @@ spec: args: - -c - | - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) {{- if .Values.global.security.aaf.enabled }} export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" {{- end }} diff --git a/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml b/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml index 6f9d7f7b16..5a98828c1a 100755 --- a/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-sdnc-adapter/templates/deployment.yaml @@ -50,8 +50,7 @@ spec: args: - -c - | - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) {{- if .Values.global.security.aaf.enabled }} export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" {{- end }} diff --git a/kubernetes/so/components/so-vfc-adapter/templates/deployment.yaml b/kubernetes/so/components/so-vfc-adapter/templates/deployment.yaml index 7c10e7f8ed..c769961059 100755 --- a/kubernetes/so/components/so-vfc-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-vfc-adapter/templates/deployment.yaml @@ -52,8 +52,7 @@ spec: args: - -c - | - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) {{- if .Values.global.security.aaf.enabled }} export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" {{- end }} diff --git a/kubernetes/so/components/so-vnfm-adapter/templates/deployment.yaml b/kubernetes/so/components/so-vnfm-adapter/templates/deployment.yaml index 8abd9a9796..29ebd97229 100755 --- a/kubernetes/so/components/so-vnfm-adapter/templates/deployment.yaml +++ b/kubernetes/so/components/so-vnfm-adapter/templates/deployment.yaml @@ -50,8 +50,7 @@ spec: args: - -c - | - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" export KEYSTORE="{{ .Values.soHelpers.certInitializer.credsPath }}/org.onap.so.p12" /app/start-app.sh diff --git a/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl b/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl index d16b4f7cf8..7e04706d4a 100644 --- a/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl +++ b/kubernetes/so/components/soHelpers/templates/_cadiValues.tpl @@ -2,8 +2,8 @@ {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.soHelpers .initRoot -}} cadiLoglevel: {{ $initRoot.cadi.logLevel }} -cadiKeyFile: {{ $initRoot.certInitializer.credsPath }}/{{ $initRoot.aaf.keyFile }} -cadiTrustStore: {{ $initRoot.certInitializer.credsPath }}/{{ $initRoot.aaf.trustore }} +cadiKeyFile: {{ $initRoot.certInitializer.credsPath }}/{{ $initRoot.certInitializer.fqi_namespace }}.keyfile +cadiTrustStore: {{ $initRoot.certInitializer.credsPath }}/truststoreONAPall.jks cadiTruststorePassword: ${TRUSTSTORE_PASSWORD} cadiLatitude: {{ $initRoot.cadi.latitude }} cadiLongitude: {{ $initRoot.cadi.longitude }} diff --git a/kubernetes/so/components/soHelpers/templates/_certificates.tpl b/kubernetes/so/components/soHelpers/templates/_certificates.tpl index f5b97d5c25..cda61b2cfa 100644 --- a/kubernetes/so/components/soHelpers/templates/_certificates.tpl +++ b/kubernetes/so/components/soHelpers/templates/_certificates.tpl @@ -25,10 +25,10 @@ {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} {{- if $dot.Values.global.aafEnabled }} - name: TRUSTSTORE - value: {{ $subchartDot.Values.certInitializer.credsPath }}/{{ $subchartDot.Values.aaf.trustore }} + value: {{ $subchartDot.Values.certInitializer.credsPath }}/truststoreONAPall.jks {{- if $dot.Values.global.security.aaf.enabled }} - name: KEYSTORE - value: {{ $subchartDot.Values.certInitializer.credsPath }}/org.onap.so.p12 + value: {{ $subchartDot.Values.certInitializer.credsPath }}/{{ $subchartDot.Values.certInitializer.fqi_namespace }}.p12 {{- end }} {{- end }} {{- end -}} diff --git a/kubernetes/so/components/soHelpers/values.yaml b/kubernetes/so/components/soHelpers/values.yaml index 612f7c1dee..938a6f9d00 100755 --- a/kubernetes/so/components/soHelpers/values.yaml +++ b/kubernetes/so/components/soHelpers/values.yaml @@ -23,16 +23,6 @@ global: enabled: false app: msoKey: 07a7159d3bf51a0e53be7a8f89699be7 - client: - certs: - truststore: /app/client/org.onap.so.trust.jks - keystore: /app/client/org.onap.so.jks - trustStorePassword: LHN4Iy5DKlcpXXdWZ0pDNmNjRkhJIzpI - keyStorePassword: c280b25hcA== - certificates: - path: /etc/ssl/certs - share_path: /usr/local/share/ca-certificates/ - ################################################################# # AAF part @@ -48,19 +38,16 @@ certInitializer: cadi_latitude: '0.0' app_ns: org.osaaf.aaf credsPath: /opt/app/osaaf/local - trustStoreAllPass: changeit + qi_namespace: org.onap.so aaf_add_config: | echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop - echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop + echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop + echo "TRUSTSTORE_PASSWORD={{ .Values.truststorePassword }}" >> {{ .Values.credsPath }}/mycreds.prop aafConfig: permission_user: 1000 permission_group: 999 -aaf: - trustore: org.onap.so.trust.jks - keyFile: org.onap.so.keyfile - ################################################################# # Application configuration defaults. ################################################################# diff --git a/kubernetes/so/templates/deployment.yaml b/kubernetes/so/templates/deployment.yaml index 3fee225c03..6e117cd8bf 100755 --- a/kubernetes/so/templates/deployment.yaml +++ b/kubernetes/so/templates/deployment.yaml @@ -52,8 +52,7 @@ spec: args: - -c - | - export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) - export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + export $(cat {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) {{- if .Values.global.security.aaf.enabled }} export KEYSTORE_PASSWORD="${cadi_keystore_password_p12}" {{- end }} diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml index 1738b703ed..6bd6e26885 100755 --- a/kubernetes/so/values.yaml +++ b/kubernetes/so/values.yaml @@ -57,12 +57,6 @@ global: auth: 3EDC974C5CD7FE54C47C7490AF4D3B474CDD7D0FFA35A7ACDE3E209631E45F428976EAC0858874F17390A13149E63C90281DD8D20456 defaultCloudOwner: onap - client: - certs: - truststore: /app/client/org.onap.so.trust.jks - keystore: /app/client/org.onap.so.jks - trustStorePassword: LHN4Iy5DKlcpXXdWZ0pDNmNjRkhJIzpI - keyStorePassword: c280b25hcA== certificates: path: /etc/ssl/certs share_path: /usr/local/share/ca-certificates/ -- 2.16.6