From 2578aa1bb72e71823df701aa10a3b87dcce66202 Mon Sep 17 00:00:00 2001 From: Ravi Geda Date: Wed, 7 Nov 2018 22:37:16 +0000 Subject: [PATCH] Add Pluggable Security to aai-resources Note that by default this feature is turned off. To enable it, set installSidecarSecurity in aai/values.yaml to true. Change-Id: If5d2be859ead2f0bd81aabb4fde749f105974bcf Issue-ID: AAF-616 
Signed-off-by: Ravi Geda --- .../resources/config/auth/aai_policy.json | 298 +++++++++++++++++++++ .../resources/fproxy/config/auth/client-cert.p12 | Bin 0 -> 3617 bytes .../resources/fproxy/config/auth/fproxy_truststore | Bin 0 -> 4639 bytes .../resources/fproxy/config/auth/tomcat_keystore | Bin 0 -> 2214 bytes .../resources/fproxy/config/fproxy.properties | 2 + .../resources/fproxy/config/logback-spring.xml | 48 ++++ .../resources/fproxy/config/readme.txt | 1 + .../resources/rproxy/config/auth/client-cert.p12 | Bin 0 -> 4291 bytes .../resources/rproxy/config/auth/org.onap.aai.p12 | Bin 0 -> 4158 bytes .../resources/rproxy/config/auth/tomcat_keystore | Bin 0 -> 4943 bytes .../rproxy/config/auth/uri-authorization.json | 99 +++++++ .../resources/rproxy/config/cadi.properties | 39 +++ .../rproxy/config/forward-proxy.properties | 4 + .../resources/rproxy/config/logback-spring.xml | 48 ++++ .../rproxy/config/primary-service.properties | 3 + .../resources/rproxy/config/readme.txt | 1 + .../rproxy/config/reverse-proxy.properties | 1 + .../resources/rproxy/config/security/keyfile | 27 ++ .../charts/aai-resources/templates/configmap.yaml | 85 ++++++ .../charts/aai-resources/templates/deployment.yaml | 123 +++++++++ kubernetes/aai/charts/aai-resources/values.yaml | 5 + .../config/haproxy/haproxy-pluggable-security.cfg | 138 ++++++++++ kubernetes/aai/templates/configmap.yaml | 4 + kubernetes/aai/templates/deployment.yaml | 8 + 24 files changed, 934 insertions(+) create mode 100644 kubernetes/aai/charts/aai-resources/resources/config/auth/aai_policy.json create mode 100644 kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/client-cert.p12 create mode 100644 kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/fproxy_truststore create mode 100644 kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/tomcat_keystore create mode 100644 kubernetes/aai/charts/aai-resources/resources/fproxy/config/fproxy.properties create mode 100644 
kubernetes/aai/charts/aai-resources/resources/fproxy/config/logback-spring.xml create mode 100644 kubernetes/aai/charts/aai-resources/resources/fproxy/config/readme.txt create mode 100644 kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/client-cert.p12 create mode 100644 kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/org.onap.aai.p12 create mode 100644 kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/tomcat_keystore create mode 100644 kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/uri-authorization.json create mode 100644 kubernetes/aai/charts/aai-resources/resources/rproxy/config/cadi.properties create mode 100644 kubernetes/aai/charts/aai-resources/resources/rproxy/config/forward-proxy.properties create mode 100644 kubernetes/aai/charts/aai-resources/resources/rproxy/config/logback-spring.xml create mode 100644 kubernetes/aai/charts/aai-resources/resources/rproxy/config/primary-service.properties create mode 100644 kubernetes/aai/charts/aai-resources/resources/rproxy/config/readme.txt create mode 100644 kubernetes/aai/charts/aai-resources/resources/rproxy/config/reverse-proxy.properties create mode 100644 kubernetes/aai/charts/aai-resources/resources/rproxy/config/security/keyfile create mode 100644 kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg diff --git a/kubernetes/aai/charts/aai-resources/resources/config/auth/aai_policy.json b/kubernetes/aai/charts/aai-resources/resources/config/auth/aai_policy.json new file mode 100644 index 0000000000..65f13eff5f --- /dev/null +++ b/kubernetes/aai/charts/aai-resources/resources/config/auth/aai_policy.json 
@@ -0,0 +1,298 @@
+{
+ "roles": [
+ {
+ "name": "admin",
+ "functions": [
+ {
+ "name": "actions",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "servers",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "cloudinfra",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "cloud-infrastructure",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "sdandc",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "service-design-and-creation",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "business",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "network",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "search",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "POST"
+ }
+ ]
+ },
+ {
+ "name": "util",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ },
+ {
+ "name": "license-management",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "examples",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ },
+ {
+ "name": "resources",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ },
+ {
+ "name": "generateurl",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ },
+ {
+ "name": "bulkadd",
+ "methods": [
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "nodes",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ },
+ {
+ "name": "query",
+ "methods": [
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "dbquery",
+ "methods": [
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "bulk",
+ "methods": [
+ {
+ "name": "POST"
+ }
+ ]
+ },
+ {
+ "name": "bulkprocess",
+ "methods": [
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "recents",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ },
+ {
+ "name": "dsl",
+ "methods": [
+ {
+ "name": "PUT"
+ }
+ ]
+ },
+ {
+ "name": "common",
+ "methods": [
+ {
+ "name": "GET"
+ },
+ {
+ "name": "DELETE"
+ },
+ {
+ "name": "PUT"
+ }
+ ]
+ }
+ ],
+ "users": [
+ {
+ "username": "CN=aai, OU=OSAAF, OU=aai@aai.onap.org, O=ONAP, C=US"
+ }
+ ]
+ },
+ {
+ "name": "basicauth",
+ "functions": [
+ {
+ "name": "util",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ }
+ ],
+ "users": [
+ {
+ "user": "aai",
+ "pass": "OBF:1u2a1t2v1vgb1s3g1s3m1vgj1t3b1u30"
+ }
+ ]
+ },
+ {
+ "name": "HAProxy",
+ "functions": [
+ {
+ "name": "util",
+ "methods": [
+ {
+ "name": "GET"
+ }
+ ]
+ }
+ ],
+ "users": [
+ {
+ "username": "CN=haproxyuser, OU=OSAAF, OU=aai@aai.onap.org, O=ONAP, C=US"
+ }
+ ]
+ }
+ ]
+}
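Review bot: The `basicauth` role's user entry ships a credential inside the policy file, `"pass": "OBF:1u2a1t2v1vgb1s3g1s3m1vgj1t3b1u30"`; the Jetty-style `OBF:` prefix is a reversible encoding, not a hash, so anyone who can read the chart, or the ConfigMap the diffstat suggests it is rendered into (templates/configmap.yaml, outside this chunk), can recover the password. Consider supplying that entry from a Kubernetes Secret and keeping the committed policy free of secrets, or at least record in the chart's README or values comments that it is a demo-only value to be replaced per deployment. Since JSON has no comment syntax, the meaning of the `admin`, `basicauth` and `HAProxy` roles and their function-to-method mapping would also be best documented alongside `installSidecarSecurity` in values.yaml.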
diff --git a/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/client-cert.p12 b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/client-cert.p12 new file mode 100644 index 0000000000000000000000000000000000000000..d9fe86e4ece3713ea5bae80fd9219344f8289ad1 GIT binary patch literal 3617 zcmY+EbyO1$_r^CElfj07BSuNXq(*}X(y5e4Bb`G*5fB`pqgxo#B`F9ZF+xgOq(fqK zBN9$Z`t|*t_xF9zd+xdCx##oTd;fe;SSnT$ASnt9n*c*@g=vNz!+_U-xmZ{a2n*}@ zi(64xvgrS@$S@!**^9sU`QP>gQ~u`)N&zIv#e&XISkN&F38wge{P#IC2;RZyy&ntP z^$1MAV^yVg11N_p&>$fNbm)Vypsy>*CL+9{DZ0ZsAzP}YINc2ycqbt28uuYL8!tBxW8JScQ0yJ1ZER?K!J&C#R zOW-Zx?>+rJ$qa!#d6P!F%Zw8=v-fg-zgevZ~t5d>~ve(O0jTXthkTtC1;uw@EdFxr!Bgn(`VG{Ug;2lGT}a#{mz1 z=;=~BA1&R4PUnA&-`w_icoR5};C${^{8i>aKHU(>REYr}7sm(j0Sz#W#7&IP!#*2e zXw|fFl74*8q*7&0RAk(mtE;`v@9?P#nFkXM?CmArAa);Ti3}RMOyN@g7F>nSv_Do1 zZHMX2%9C#6O#_k((~`9Y1`E4l=r!otZjN@^!1f(FRtDYO)0clL9HH~)BvxJC>$BNI_i}I!=to>CT^ng3E+QA3YT2l@mruD$>XX$)YG~8;Rb#x5Mn~-Ew zGp=3gtEJ;5)|bH_WjPVA;t!qNY`eCe+=ArYag0-EyF}NnzMs$w|G@~A5~KMEEXuJh zLnq&}INSGsw{%U2b{=f;yc``&`#|jl%(;l6YiB&C%M0ro|HtcOPt2&?Y=E_S>t553 zqqX%}%j>yJDY48Osphsd(Fc=?8fyzbYWFzH>@f&*dZEG{j?Nbs2CGWSPsU?w-FU#Q1LC(HKIk{sfk%@Zosfz{jx#64;g zl%`n{Y(z7II9U7%m6zk(o2(Ie+8w(C*tbmtdZOA{@gAh&Xs72+TR}8Y zU?0A8mTI=zl!&(n&CSV|_Fje<3)OC^M&=?{mkEnUK4ux;WjIX+hYXOB`w1_j6`@dpGg}u&+V(^AoR2}&hJ7lOL%eKiP%I&Q-Md2)-2usz zRVW!Lbsv5k+)2>Go@^jus0MtsKQ~&pIXdgBtGlc!aj#HrUpflDe6+Migv!h7%`@C> z7#T4XYSD}9^jb4L;`@=Q?5^q2yVDr8uAlN%qHDK-C9QDrBCEvF{BzsT7o|);4v6J& zdL?@AyF1UF5TG)QimZH3IF0MJz6{(y8*#PI;cCPSZhBWHkn!lczM2AF*@LN))w2 z$^R3T5V$CcO&DPNw_E{=|50Ip2jI!y*%R>Z=^4Nozz*R5hapiM|2?M@g@b5~Tpv5K zi%Lp}iJ>IL#APK>k|->>;6F>(z`0m**1rfr0tEaO+W$Jh|H)wRzcct2pR$y_U4YHn zuSo7PWj~|Lc023;%iveoYg3=VG}EYW8uB$48pF_pn1rTTKmF@la{`NQ@a#(D2d=|v z=u`EUzToLfRlNV1Bo=L zokXh>X0S|(O~mW8H@-8_a`}FaYWZCktESmakzoIYs$2J-O26HF*l?4LNJC-e$Z5u3 zL0rBZ#mbU*xkJOeQ#)l;L}FjA(N85!C{;_E2?N?lsKeZVZa;CIj<-*<&e<~XK5oNZ zR)Km$d6$uNYEPW1;WN=MC6?orWVBMP#ZF~4Wc@DkSrneV+6C%1X4bUDd3P)qy2R!W 
z)*9G*+k{r3{T21tna@3X*`iu_N*9}i1dtnG58I^jLz&fTyZ#e$gI^MDB4r~mWrcLy zWQ8lzuqenV+x&L7S3%}t`9X8hs>vn&0^!(js6j--N2yfP$P`Tz{?yrCm~IRRqJ>BX zj_Q!W!rHD_WsWHKXw`BcvwFkI46RpDqg^NT2(=`s+oxEi3cHX9&d-ph3XAo+XB5{( zG-KC!OhumSce|a5qWtCvjnXz53^8{?ALdHJy zoEE=u_5%yd3ePyFO)wB&rD`kyF^jHPEX7x z(4Re+b{=^`1*76sHgDcW5flE@t(blx*eO#TuL(=j5G@+HOmxo-^B%pIqt~s_%siq- zH{?0KKNMb;vn2$?X1FP5MFxU5NV1l4y`EgCbq{y16uuAiM%gMY{$jJl+9)jfd}d&C z2+TonP0iqwiYwtkC+&4k3WCsrS09AnDlIkv(#f$-2+AShV9Fcms^>SG{cxM@Sl=EU zfi6Xo=Jiz!cZFfoRnCiqgvHkd(07|=83#9?sHTmLs%q*DjdQF(up9NdgwxssMR&`Q_RDdil8sBVQi}}1@=?E36-^p7 zOz9pK$aIq-;JAjrUOa;JK8}yuOrniUTwD^)T(U@=PpnMd!`8^j^pp ziLrjaFymI=3MnmI*lJ)KtH%q~GYQY!kiRIKOEEOQ5?ArBpF7(yb3V@_9e73&k??Y- zm9w9x=JQMy9r&ba*}VUg&#kTy)jWexa?4T1+&U=*=NLKKx?e@6<1#*dxMLpr!}Bcr zjLHlEOJs6qK6n6CrWE@oCUG$w#N_Y76~s2Bv0)ST#rmKN){hAqungVyEq#r1lp7ly zOZfDG7#f~BX^^k5DSOT!e{0Vvb7VWj7^3n^`ypw&x~=d*f4f{Kbu(|SJ3uaH%LPfj zfF~@{(wT<6ZZvm`e(wqYogiR6dxt}6B&Z90R6{N39E1^5^nB{>>Xv)+g>aGKGilTu zUuuUjk!!-lw7nkm1JROg+=a`_%PKeksQW!JUGwnRPHPJEj0t_VD14&K2&cfq}W%&txD z)b0QknP+UypJ=IHXf~MgjmZh4o;~e1!yM~7*|_eAH&iryHDYN>yYk?GT2Y*4)-#M% zL@qB$&zh)5lZlOok4OYk)(}93lAp-%l(%LZ;*ie4zViCIDBaDy@^}?e*#=6ct{N)g zy|MItqFVfsN?cejN{uMOTOXEBqT-f=C(HB=FPxuB;Omv)p#|dUUtUeb#>}EuH^lkG z^B2pQA0CZy8uL?c#+8wtQ?REp3DQAB*(=QVk>CJe<{o}3PLL_pDh`b?1}JEX(|;H2 z(#%fp*3wu$4^SmPOO!14tTw6jfq!9m9CU^4NSV_Pq_G~)RyJXs(EMmlvHFg0uHV~j zaCU|GWu_D#6*oUb{m@)>uq+GQ)XKF+spUZ{=F)soG=iP<2^1cX88J!4M!+8~na{0d zHR8ZMrCG95E7ULT!%lApVFP1xI_nSA(c$P%O}l*+ z?#z+5dq=~$Sd$|qjt3uToZ$>U=C?7YM@z4-g#_0JOY~I^@QOZ3G`)|IBV<)yguf`Z zUNBH!5eP3G)!a*y>dlrNx$z;(^!K}KHF|Cq^W~>H;>9bb`U}1FHTmgE>{=)V6bA|d zCKI3{C1D~1fZ(rus6rs}yhG&{^4a)r)N`nma(xh-6j+A6%;p>Qbc*DVj(%8_5jKe- JAq9rz{tI2+vm*ci literal 0 HcmV?d00001 
diff --git a/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/fproxy_truststore b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/fproxy_truststore new file mode 100644 index 0000000000000000000000000000000000000000..f6ebc75ed85ccee1b82ae27fd24e0238976be3ad GIT binary patch literal 4639 zcmd6pc{tSV8pmg~4P%+Ila#ga8@os(`yd8oi!p{K`_NcIj7UgHs+0A#Wow}%7->{`g(L=YF31cR%yobALb2y*9o!4g!H7vkejpIogZt9SXb}9cyb7QJ0zsVs3e*muKyJvY z3T9!hd+@u7__GP!Fac3M4zwDetf;0404hpq_Iw;lY5*Fo_|5#gx2J%`e?Bl64uVp^ zoFIS#W`j_`U{D%Y0T6;UEOR>^Z~Lx{QzMFr=L6);vTnUn*)8GiDbv*@;=vzC$u5n= z^|)&_qD%FAGS(1Ril3)Z5^pJaq?$KG*H;PK)~1cwMa>{IguV#RavwqT6;6A0_PJmL zWFAo+1^nMbTfha!Qm*vp+_AV8Wx2LxtH0XYUSXZtMRnoVxic@K*B`nn3u=Dc)4E=C z`7)b!e1E9ViuE~Fvpw3f_mxJQ8ua9!=6U1WZO=w4oPSVauw-WyDOi5%4$Le0Ak(l2 zRfFjLz{7B>VJ^nR5@dW@<}1PU`Xn0`iw~T_Eou}?z*U$vd-}5VBFM8GsxLV%eDe_W|94M_gBwq z?c*2zZlX+98qN3V0)Hd-5=TO3q%=r^6y{u%6Wad4|eftLw)KaL-okN;NQhpKreCd0c zIno%)<0AS55=hOfX6wb=_=&mv`_q@LfBz|0<)&6P-{blV92Iq0=v;jfSoQW z1UuXUtE+49T~loA8xs3Np*C2CqSOIZKm|}&K`Wzaic(bi$pj3460{9=bEwTb2>^Wb zouTZ1I*6XGGn%H6zt+wRM=3k;n8Y^YW)#P$wgl!B3rCI(#Vlt$_-sm&bz7jz6aOGx z_Yvm6?j)JS7fwQms)AO7?vN)iVpc}8uW~&Zq$oOcyCb-HFuKdg+GT!Me%NtIe}!14 zw-K^CSk1AeO{F~0`;S)^2ON33ZZ9WGX!NQQg36P+kSN=c=@-{)BtK+T@qQ9wo&za$ zt-o`g-(A!m)j9p8I}b^YS4*oBIq3dm#4;w2Sos)naOXmj^e{iP-9MJ(!#3iHS%{M; zu91ALxscE}P>+n55plmUe@RCe-(Ygm*<8FuKPF@dkG~lc`<@H&hIV4}SsU=RbtBAoO&7!BUBn`#D1q4`|o zY{#tJO|Wp5O1y5w8X2?;^8mw5w9qF%G5B1ux8$8UvNdtC@63JYi0$I61R-$Ingwz_ z$Xh2~n#3YY?%FIcL4f**w9XEqoD&oVyXxRfE(8``6(Z#78;!J0bnuIV&HvmnGh3s>1T7l6Sk$DVz&0c!gNK$$vNTB{d;gwO+8n zuw%YHWNV#6=;B-qQ&jhX5e*U6jBNssmu$K2pkFoaJ9MI}aObmx_M<&AzpqbqB9{(A z*vCxzd#;YM-%ndwJ^z4537Pd}dvI1s@Pb*g{T&mtXcbn6yG;^qskY657Oumpi)GWMoxo8{-5rQ)soJX(2&@}USG4zUH^TIw{Dk?Ns(J+P9 zpmhM~Zzh2MOH7FaVjDmdU>whzq~lGJXAI@(t&Y4e$>U$3$qjIBpp4~vO8z6lCX~-# zf!2oimGwJ4eJ+}nD2R6D6!aD}*lwe+Rb^FGZ6tD--+0@hkmAGYMqjBbbILt;beuAZ zY96i`hgF}D4Rz=7g4nwYXPLPG<-kDdla~M?unhtf{%s8MeCn_ 
z*St-kKlibXfb}gYto?*zggzhnZrJY}9fgh{m$vS+#I=HfD&5*{$m@$~Ee45h^*kQ^ zPql_j?fhH$AgC^NKE=igD=SCuqG1{4Hibro3yPO7k1s-TDbV#0Go8GQqn$R$h)F<7 zsw||;lTaWOTZl3+YCo}6m6AoJI^4GBwZ71=g|2uZ%V}G1Z8i8=^^DD(UXBffQNS*= zOgS>zKoJxS0)PN+CRUeNBXI2EelVC0Af^X^(jQYCFiGB>7JdXDEEXeXNbn($XqTUx z7?waH6G&ou1X3W;ortH+{X|B`vd|%K_IL3`m?z_8(}4>Ir)6^h>kTrR0j7~#eud88 zfIRvC?s}xqu2*^o`vaZu{*50Y0pkU>FtO}n0>k0VQ1Fit1i;hXxnYigJq77a2nfJ= z5adX{$7$C(MUYl?I6tC%0MXmei{M7^_WeQTK(vV$=#Q$Uj@>%pAE(2*EScvW&2HlU@TLPCXl7~GP5@5?@J^=8DdrgPA0qr!M$S#sgA#BgcSAxVu- z)%YIWXG77)A0?CRq^f4X(!cfhQgAIR+0%-a=6mh(XIIiboE42cW!+@Fy&`2dB>TKo zvHcUSUHddK9sLoq_)$XzR0b^9eSu(%5~j`r;X}7g$=#0Ab9ROQP_Dj|>N)Cwye9te z>#I*~*2g==LT>HVKg0K7`c*RK)sX{TGsWx@(hFCENBVErZ67fxK<)>kv>$oRV;T73 z#o>tmhFsih6VgA(1?L4Qa2^`DzJ4PY)25XE9pq9(Yp7`aL9PuGu=z`JeQT%?>|C^y z>Cm1Z74t8^Vh7kZfCZ(w{YO@{q-ybh8cnx2#m=3x9+_8ad||L~RnMW(Lo+0@E+p=X zk;qbYQbW~4W(Q$imCJ^Cw$y`T32)$OpD!u;HLgU}@>8RN2lm%F4|bYM7?_yODKzmv zP@Z5JS#_midG?a2+2Nn3&kNwex4El+6ks!A`#`@Ua}*sPN~lPWU4vucT!srkQ`RrME)s(S-sI1Gy`Y>acis&T7So%#P@ zRn+nZtfFRts3{7|_wu6f(MP|cln{O4-yuwpzIgoCA4)JH5^yB^(Eu9PiFm><W+S?BKvhBtagK? zywBZz*U1kbAgjQqc=XrL@SPURX6FyMfo~MMXx`Mkg*$fdAfFOG#-KstH}X zr|<2NRlZojDZY#*c8n8Nm?k3&Y#W1jshoV~dLX9ZADng$(VQ=%5-JY{2BeG>Ju1DS z#1DIP!Q`c+y6w3daqdGd8UyFBje+%7s9q2o>Lh8BWh6)NOkP{1{WDKsiZb>#!z1d; N8`FEAT_yH${S$Z-vnv1q literal 0 HcmV?d00001 
diff --git a/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/tomcat_keystore b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/auth/tomcat_keystore new file mode 100644 index 0000000000000000000000000000000000000000..9eec841aa2c1243b5ca3e22b0b116e5bca2afd49 GIT binary patch literal 2214 zcmcJQXHyf35{AvG`{CJ{ot=GmXP3T7-vj^vpko357Sz|n&7RYU`$h=up~Z`{XDvR*`$ zzz#)47haP~tv|D6mK5}zGvJ;XTcs8(8BRtSutt0nY_g%MoRa|;|Md5m6Fh;Jq2N{Y z_@3}C$JB}YtUs*Za?s`JeoMO1+r=63TnZY#qy*QgQqWyhEkSt;6nsS%)@q-fP~E0k z;;U!hctBy*u?73i4m--P-{w7I}r@otzjdND9D8ErKeeYe+W~WR6XoY%67E(c zKG2?clD{PU%-x8D{xsDjm8_i!Iz*!~sprgz-pbd|wD(J^B61Y&c8N|WjVZ|w(#tL3 z);vAKL47*5^D&KRS;w=+hJbeg9DS27bTdLTKaF?v@IGVZYIWHjnM2&;#FbO!hU2qE z+bdse`Ua`*ZDSbQ2`zDZPe8T@&;k+)>fplIw{8rpK#w_^oyy@JG-<*ytx4iE#yxnm0w= zsQ3mhmsjlZsqDe$)4tZiZ8RyqHRA(V@Z-;JVxjT&?A7`G1xSuj{d4T^ z`)2$ClX^CNSj2ZA7>6eiBWnlCZ#_k7+R{j3Zs3k}#59ZG%&egH70h}?*UV&AM*Nux zftp}&{@Bu4uYsw@OI5B^W#l8Gva3CRE@@gldvhn`*Zk<$Y0#?*w(wKl@IPPerG#ew zF#ma(&R;XYX7qXa!7I*7ye&-MlMsvA*gq!(+D7brD%esfz4f5p*wqG`A;*o|ZZ!I} z+5PP#v@U?VeeENz+c5~Ar}mueC$HJKfJ&S_*{uz6VF>tC@l@c(g?Mr?%9Bnz=F$N% zGJwGPmUyvf1q#=GQSz;4>Y0n!PhQ=nPlaG+ZKuVDSYCSTCB@@0XY72sTWR}GFu0sM zuJU)M7B9no2}*V)H*Q$sZ4bK=uc;9Z#*YlOBsxVL(zz4`vhyg-qhWGi7huPU<11)Y5*UN!14#^-uFzS7BV58VKr zEA@&jM5+va6#HX6u>AXmQdEdZs8yblX}kfBR64HCf0!aQRy-pc`BR7Bd{w0`La7pI zkm=yi-+ve=rYfwtttUgeMdb|Jcjx%UI#bu~NFgHk+;KiDl~>v4d7X3w z9rc55$0f!7n&sJ9{L+P^xOe}Ks>QqeF)(&V{YCm!er2w>_iX(t_Tivuge8N>R-3qr~xQviRhIz7E zmF2Mnc|_>mPq`r8ijUH>?@90qr{15OW~Xm0vAh-gzs|zfiNZj${Gzru|mOS5GWjURRewE_Y};HIkp*=k2hBQiz7ez0-g*`J z;kBFnkU1$tF0Q3m>%h|VsX%2p1>*X`1iB_Xsp#U?;-t;1ook?X4d(qVk*{RR6P$!( zp1b3J(1hT0hDnnDpuGp1ZS=|N6}7K@$PGzIw|!Z2!?d{VA_xow0CUArqA20xnF@14 z_#iwJi$B9~LoCv7gCyLen@bi+ATHT|ns~f5$0h;+Rx~^Phbuh2WcIpC_L=IRX6m;L zysyK_ECDymj03FucK5@FeBsQGhhk{RwcU?BM=B2vJs7~^Rk^HuniMI0TX6bN0{i~@uuQZjr@ z0~JCi^gFuj9Za{klpnkui<5%Dg>7HPFqAv?53G&aN9E0RU&+ronb{ED1*wh|l;Zsh_>tSL literal 0 HcmV?d00001 
diff --git a/kubernetes/aai/charts/aai-resources/resources/fproxy/config/fproxy.properties b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/fproxy.properties new file mode 100644 index 0000000000..f512fb71a6 --- /dev/null +++ b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/fproxy.properties @@ -0,0 +1,2 @@ +credential.cache.timeout.ms=180000 +transactionid.header.name=X-TransactionId \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-resources/resources/fproxy/config/logback-spring.xml b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/logback-spring.xml new file mode 100644 index 0000000000..4fae434edd --- /dev/null +++ b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/logback-spring.xml @@ -0,0 +1,48 @@ + + + + + + + + + + %d{ISO8601} %-5level [%t] %C{1.}: %msg%n%throwable + + + + + + ${LOGS}/${FILEPREFIX}.log + + %d %p %C{1.} [%t] %m%n + + + + + ${LOGS}/archived/${FILEPREFIX}-%d{yyyy-MM-dd}.%i.log + + + 10MB + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-resources/resources/fproxy/config/readme.txt b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/readme.txt new file mode 100644 index 0000000000..79cf29e73c --- /dev/null +++ b/kubernetes/aai/charts/aai-resources/resources/fproxy/config/readme.txt @@ -0,0 +1 @@ +Relevant configuration files need to be copied here to successfully run this service locally. \ No newline at end of file 
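Review bot: `credential.cache.timeout.ms=180000` in fproxy.properties carries no explanation of what is cached or what happens on expiry, and the unit in the key name is the only hint; a one-line comment such as `# Lifetime (ms) of a cached credential; 180000 = 3 minutes` would let an operator tune it safely. Presumably this bounds how long a credential held by the forward proxy stays reusable, so a shorter value narrows the exposure window of a cache entry, but that should be confirmed against the fproxy implementation, which is outside this change. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while touching it.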
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/client-cert.p12 b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/client-cert.p12 new file mode 100644 index 0000000000000000000000000000000000000000..071d407de519f9703d1ae5431205dfe60694ff25 GIT binary patch literal 4291 zcmY+EbyO387REAjKlULLn$za1j)ae{EYZ0x#tM zB0LXV1Rm_K?ew?p@QMF@MM8vyjY8mFgAuqFU;%uh|JZ+@Gvm@&vu>v&6Aj&zW_PY9 z9E>Qte+Y77;{duKxCq=nAKApJC-P`1i}tGS4RfWydv;-$-YgRKGj8)?0oz&rd-w9Y zSN$|}>cze{_jSmj13;=d!JjW~2?gXqtMpC-``HmcWV@57?*x{JDTfF!ML7pjWyv#g zyM1(~bG2SRMtnuAf=6FUlJ?>B7p1lor~PK6Q%VAlXtJ7N!~L`5g#sQ~~bK_-L4tMesucvnOfR zUy#H;Oux6;87_fWDD3_*-}Xt0SQT`gQGCVnq+e@R*_CG4=iUXeGo?1LjWc0G<;u0C zHU%I_!*4u4D%P#EmfsxH-7rRO0x>FBbY&(ZA z5^2CwYPa@k`3s^+t5-YQHc~(gSbuy;u{cvJ`I!Z>Ger_-IgS9Q(+Rp3!YHT3W8W$w}9OvEFr)#u3C0*!%WU3MJjX%3D zs3;yh?jh^SBRj&T^6Mp=xpj@rY?_MEGU3y|FC4^sN~@PADudliE|E=l015CGe4po% zy~Qm%B$t&ZHpv4`{e51SM@PvYs|Z>x9SM${t+pnnvX;m+csO#1-f^O@;< z)MKrVfJaEIF$0{ZTKw{mq0p=MV}5MUjI#itJpB|bg#(KYm)=R+?Rf)5l)eTGLUK*{ zN4gIUNGnH-tl@;i{(D)l5lxn*g6$Y1GbWX<D`I+O2f2ppK9K1T{LB+H@@m!Yd^E7-7<~G!?l(U( z1p0!yeQGf#ljOa}pW95Usf{DQWn*3<04&iCahddevay7$MSr0w zm=<;8J$?cC3}sUsD{CZgUQ?vw*T|cR)Dv^i)Pi5cjUO)q_V$9%yJBY!9PAhV z-|9MovpedKTfLWlFh5wX$)Aq=3}h*2J-9n}X{7D}+)L2-^SSh@51zXMuP8eA$v7k5VvQ3-KTaTys28L*_d z6c|A?_unM~d=!Fc_^;KEjRp8CU;me2{U3Gl|4Chjiuuvwu}hY2-p?4#But{G%cH4( zQ8yex6t}9IH^%mB9g1+ygy+(C7y)y#TEiDH337boivYIXr z3ou&|_coXlu$`y{dR3@Emy2;?#Cp@YPEQ=nF@NA99qNCMZd=e zG?GNNhhD<6v^c7Ba@$P!mX(Mmk{pl_=(LUJyhRgVQ^PL{P<%p+NM?6tz0r ze)fBv)n!V0sNVOf;W^O!R@KZwAqFv8>a4*r$McQQ1;e4npy~&0LhrHpT|71!yRFSY zVu{#M_tG79GI~3uzhNn^V&YHSRFtil`uD)i019%+!M zGRhBp=DV+O=bb@3nG{fJkVnu2VMv*xz%EXU&IH1r`zBOvj0N7#E}jhgYxFm(Yg&8Y z6$4~y!b<^Olj7;s^TX(b{z;{%W6`)=+=_**45Mo{KMvwKr2xGH9 zAC7XFtX=)Mm@w?pq}M;OOJ`E&n;6x)xYAe6%j>@SDMqrUU_l?_Hd{HF{1hsdWFCnU z@^aMJq~cOtWF0Ne#(AV@H7wn=5@;< z?>yA9`3Y}R-11O`lM&Kbz@=q#wq~u*&W{KxXJIbxTa-Q8A9+pBEIClBxSvqZm~rh- zHr;nAG$pYY5I%7ka(J3cHr@jVyS`#3;fmD|4Pp@>UTRvJ{5X{a5$v(Z<>Av#yd-Xt 
z*L(byBabPamOu!8wIx#=on*nj-f5SJo7QK1PKb=my-%joE} z87{+e*|>4#Dl=hl(r2<%)@+Vb$I8kfbyKg76thkJd8``jeie5xf2+ledYsO5^4cLt zY@C3&u8z;g;ZCHIfN0z8mPN-}b>A+=FDsX@@j%Hz^8u6lLhz|PKVv%GPl}wf8(OJ>a42@T9H^LFI zCGIoBEjy($cHFiCgMK8~U1zZa-z_-p@VK5B(Yq&HMeX-Qo>K~aE?^v}ta8*Fd2><{ zYJNDqDU?z~S`$ucImMV)YaU-C}76>6T=$q2QurZI|U( zif7BI&O0oxPCM&QcID`ha@MLCNO1F6rum+wQ@nDDQhfIPL`!$#s}11lvD%_E@z*Aw z=K_8h7JH!dvLOy`%ZoI40(&SO)*x*kIVkoGRVM9ONQm`*<}8wFyY;r*?(ox#CMPy@ z4dtdAiyVUwmaBOj3%1;lsQpx_wkz5`cWb-3Nk6GiJ6a(V;F*-X5}IrW!+h`48&TdB9qcVdmPI|%Pp_p zc&Gby)S9A~Pofw|#4AosUd@q)f`Gbd{3I`IuOFkILDkJ|*bsoBD{sz9DLUt5`Zs8*t3)A+ zW%$K<@D@kYs2ol|Z$scYfA*nt`ZjKMzVFm{Ty;rMWS$-ck2DmlqgWg0{D+0$Q%ZVZ z;UaZ0@GQg($40WNEcDrFSwujFiQyIf7l|h)PqsK}tVq;blh{bzOvP=du9P*$)TvgG zdfgx=2{(qbtYzV(*R8&gDg-|usroGvLonV4PJm&a`}=cZTj zQE6%@7bHe;+l8koJY;cwZ&_B?b8ry7@?2H`Y{kFUMeed(KiVCm?~A9ue3t>msc z0exllCO3ElZ>#TyJm?^ylRK6_O#?KY`D9YAqe-^dtE5KO`;g{5V|H@CH0JZTJr`1LGIlj&{aD^gV}%g2XPC+MJg2Ue z9xaIwml#{J;1*8{ar!o2F**d;#vJL;1?PNwlOjY%G%MmAS=Hdf10b!njFa;BVy6}% z=5m$boRVq8S~7JI229lq0`U#XW(m47chdQ&*J} z)GPcxQgD8170%u;x%NFDoIW}9iI-gXg4h2Iz@tU zqWTHi)*_X###*zU+Q(0-rFL{bM;g5oQn~jvSJl=1X55CO)5qO~RZ!)iU00)g-S;(e z0?Sjy@vt392ptAM(bN2LG0CfrSq3@3gfPK5ZeF% literal 0 HcmV?d00001 
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/org.onap.aai.p12 b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/org.onap.aai.p12 new file mode 100644 index 0000000000000000000000000000000000000000..023e2eaac62d7c00404e3a326f03edc553ef6ccd GIT binary patch literal 4158 zcmY+Gbx;%xx5jsY1s3TJ>0CfrmXKEI?vNCuRuGU*71t$2Lb_oA>F&h^C4>bLmhM(M zq(k8Io%!y4@0~Me&Y9;qbN+nh2SrfI-~sWW2uc7USTI~Y{EQ4p1k6KF{3bw9>_QO~ zn@|La$G;X~9)iU7uVjS>1pFN)|2jbET|$!oejo)BLdgk;)%p?|io1Uo;o%VjLJ=ea z4L9L|LI;dX=^pyY9i%r%o8K({2dFp1pWy>uy#-EtXl3sdYo|B{4amZ_)Ay~yUC-#3 zuy!s)ktn|lD+cP5@$5BZv%jfeXQufZW0GHN%1X0y1R%M?Js&q$l2lC8U>yS;Z(=oo z^=@9`yA0YO_O`ey*#qQw%K~`qW{z zTr>PfEi8%T=}j|Cu$$fV*f5>zUQGg55@#Zj1m)e_Lg4%gxi6PfWJN!AZs~hwl8syG zgm93zxkAj>1%0ZM823)h=oB}&*OZ3;7O z%ZiG@@Vq$SxhRoO9a79^$dhZHmnVMJCl?4W#nYCl!viU5!#3`_`*W|}0oX@!STcA& z9t7*VY0;A9w-bz8fC?|C{nC%FjYc@B@25|-3)0Wtj==9nw6AN~3CliJyB$QSIp|!9Zr#KX-6xoe6lEWe?-?&_YRHoSLLpG`4Q) z9LI)zp}BDz$+Vh7RuY4HzvwT&Zm{oUn=T5Gp};oH13V}o3&Z76Q;l{T85J8e>XIy? 
zPH<)$Mf@gnD3Nn}g${W}6p+x@|BaIB5RxwN5!n#S8`beGc{NU!q+4nwMZc9#3iy)Q zQr}mgF_mHRpxDFk7?K25u72(yP=dT{L5(s$Jdj{F{87Gz{4_*g8dX^@pSHsbu99js zUUMpKTI8rXAsm=C$YAqImg>Dby=bn!;Pd2TW_4Ea8GZShkpuXy!>?;U`4$a_wX9rV zw=KE60EQM5sN=uP@#r(zt{W>6gYuDl(5R7zl!No&TlOgF?-Iu%d}J5f?xyOMxP!M6 zIbp zv@s|Cw1jK{O9^8xgZ9Q1LSx?_&L4(FFhUhC?UumNgMJ@{Ht{5Iodqw1yC*l{6WB3i z1~!mU|H*!m#0TMFRcDKNK7!y2P;E#vdA)^QNXD&4lI~=9wxi9Ao#|sqycgjrJhbyS z{W4!lV2(BDI;)VUT^d@xXCoBxl*THK-Y@9~J7LG}!WJ%iRAB_cvhiVI$&=ipOVQ!{ znkw&}pW>Ax$Zrxk{LFPInaJ+bMm(hpwkIob@vktkz3n#FU#bW=>t?lq{c@_4{eI%E zjo)Of8+k_j@Q1a8H@~)CeBmc^Yq0$?UOAZ>KYd*+*>!sG{6wN8@q1T;CnUDN2RItW zjOuo1Nvw<=kVn@SLqR1fQej9rc%#JJ5V6=JF5KSYkn`#-r9mqYR`(?au>{QxY)xlY^z!~^MK7DzFodugGDLoa;ea*!r)2D0JIud^T$s&LzWR~vC=60R(kaWk;_bB~HGJ zq1$Hp=jtt;1rLuhD5y&lnv0^I0Qv0<512NfM`OCtCmxFsoCjneT+LH?W=w3H=2dVo z2~qjB^#;o{EGFf9us`HYvm#fM!YRu@>$yjW-C6Uw@LYdFq%^N;4W&aZ<^7wr#DOu4 z=x|q16Rt4qoF+%YAREvl{hl*ZqJ1pmq$Y8$5eNT`mUw#MH=jmnF zw?D(GyEYeW-5Jxkvk&>u))`Qq6a>z*ZBlrRbje{ z&-ME8+V0HtIl3LYieia7MHxF{3h5?#$*{~I<7olt$>I;Dp!c&qd||~dF?aUR>EHYX zB{RU#r##jRBG<237t*Q-Wzu#-do3~hx3bF?S?Ws=s)k^hw}K3Z92G$Zz}@F=QDv24 zo^h=pBg@XIlJHp%0b}BiEG9sI(_u-|@xFJNI0xi`V}6EC_%|z`Qs19)0lU)6-H*p& z@u@-_wTNT~q%u$Fx^CXXX}D)K2U--vIh53GaZr-YO1Nn-uPX6ADVMCJm)i2y=ofDf z_CU&IJZj=f4J!I%7w5EmOMVXa)wwD2wz^cm9}-TzPC3Y0f%3^uy2$k@ny#x;5s-g6NZ+b*tD znA4@WE`M3o_!ff5?0A~cKjYohHKIJX4c}GfKcVuNuu3;Gw}o~7@qA$3WoQLo7+$ee z)01Wn+_MFB=mRGOB?${!g=%!0DLvN(8Vgk=)oGVd5boOh!tv-D+~d`)L*ym;VfQmn zAuJXfwJy$v>om#iLWO$509NOw=z#M=%Dk~!7z;$VwoWjT4k^)Rm$+}V4t;>1LB z<1F!7_$Q017p-8jAq6$fRQE|^{tS(a4j1=0s@W@h?B%y-;- zAQ42gJ$^FVFPz2-3TLqsl(aB#bj;S}-}Wc)6DLk#;C@$TG$Yy}vS<7md-VKX?GACQ zpSvN*2EpLc7n8!b;y2%z11R3EYtvuI@!_5VQoD6Mb4<9c;7hNLCtOh+ihQp|H#&nk z#O1A#U+5+byho<;@%M;$2VJw1M(Xq+>mQp~qR>N7zPAtRSL>M2nrVBq(RQz(2$0wR z0n0oD$esWJdiqzk{M%-Pcm4-6Nq~5H2!cH*f?(_a(I@^t^qKo@QTSxnFYO=tBtQ`K zEm)UnTWv;Zi9-xg4hm#WX&yVT5f|B1QiysciNnNc5IY1AIiu_x+ zSbu$>-XF3OXkk;WPt%>~OkQwO6KJL7$FrFv&~YC;r{8xCcXHR?GOzVvn=Dn@I#Xr5tBA%)^Nje8E6m*(7^l(Jrbf|)iKw&}%+z`8 
zM(fety8C9c@RO!mx#W7*$)AElWnVf zj-PW4!~$541Pch5zhxLBb98c+3a`y0e9!yVFuX*2HZ8AJvXL@^xdK@a+*E?ajY-YE ztxM6liM^g?C&!%}WU)nl37xvbb}wEI{p&Y$Hyrx9*vm6>{Vx>NSQt#LdgQkr+n2)+ z5<-=D+V0JFDy4~9QJw0sZ#BfecKhDEa;4>OX2y#?L1JEjlh1N5>sot?d%#lmxmZQC zQeAd~7|n<9g{gsQyH^Gn!Hv{-j`>mwBw1kjA9jJNw<~+WX&(wO9`*voBiW?8(CfF? z;31-q;jT<8R@(-{5Yjw3!8cZODUv?2@-x-#cbrSw{(xQmsFGpyG zf8`9C>O@@3XE&|CFI=d_Ny#>x*yEV$C`>lCFFGfkbx-IbdZQ@yR*_}@ZZ~YH zYk1${DQ5bNS|N!AG`4$pO5Qv_tl&!g>Q(G%LMy{JG2gX`FDq-jJ#y3aqna^|DM-%t z4ky0Vk82?ba=Zskwl*I#%MrRN6|C!Hh4YERO7y5m0dHqn`;tio7LRBZh_huiV5%u4 zDtx9cWO7M3S4=GlROv7hh%orMq`G2RuqQ8 zoFi!lBYJo`7<2lh=&nS8euw6j0lxQm>Uc25!d3ZA!(?7JGp`$bHVK6Hw5CEX@?D1u zD?r8Q`_RXM%>L@Vu@6)y_GPfaF^nTwsu)7LTPr$d_a;f^k@t%*72Qzh?O4wV>P#Ob zEb4P#4SFhQiyZGxO-ruco$SN&H7`BVEPG0eA7Bz)(|8F{i=|t%XXhq<@Sz?ukUkq&A zYifO__Ay(&8c>mck7z}?*f;=of9pBm(SPTCfCs?+@BR|-&*lYihKfQtp(23Um9FDOvBopkB9>SD1eVdHmjuKktVvT9$vJcX#Oi+l-?`Y= literal 0 HcmV?d00001 
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/tomcat_keystore b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/tomcat_keystore new file mode 100644 index 0000000000000000000000000000000000000000..6ad5f51ad32b4e98bc42492c5611f2cd290778d4 GIT binary patch literal 4943 zcmcIoXH*nj5}m{lh9H7NmLy39dKi(MB}i5zD4+~50!q%J2#jPw1SBXqOOzZXOOT96 z&XPd^K_m)0p!==+t!K~KAN!+Ezj{?&@AW%%tMBc@FNa@1AP@w9K~L_)7|dNqtb?No z1_T0QhdvX%0}<%)2?8P@5P>X!Baj4eP|ids1Pp-?gW~hP)Ma#)!~tY*;`6>rzT0GA zFoFOCTttxrq;RM<3_(hup(P`ufFc7B$2JKmOha8p6NLbXk4-ogL|Y3uOGAbd1}*`D zs7ok80pVLTWN2XkjYj=4|Ho`N2;1-50TY0rI0yv@z(GhLI0zV2Cz7s2SyY6fwLaSz zW?sn{eNTy2i}e*X1j#DZYSbFy zy+60b&c(RZdeyj^iVAZ($}t_)POo#fraT0>n44vr;kXp1mZ^g|9>!8$81bo4NW-1p zyQZ?YxjV|Ds{NW4u_2S^Wn-}s7xj9A(nK$>dCH#&?XE zLd@LXDcNW*d^rU6){G@+BqbvDp`hHI^_F&0#w_mJHTB4r+G~N&+>dm)$7e!qHp&a- zz1977GOA15g8b^kjwrAtQ^T4A1y5Nr8l~TMDDQDRvR%W4KagR^Jd=oQIGv@TeVKt* zb+4eK?ghuX?2}DWU%h(YvIoplMx}zDKawf0b;-XLvMd_O7|@;7fZkQ@6BJ&o*_d5V z$GzO9*KDwa_l!fLr~}8gdf)fHj}k0!pQ6&;CXekwXS*X}$aT+Q$lhh2&&szME>`Xo zHh@(l+k&K=kQmY|GRJ}lX<7>piIFu5wOaKhPgfBrRau^au zt)-3LP+94@R#5Nys-7G5aBca^Re<@}%?_glke+`Ipg0bo0)vlW1OOC&1IUjjD2^v! 
zc!2o+UWRy7;L8vUl45Q(f8&~d{+-V4-*A2WMT@dag%cmb%ySjJC$y&u?ZC<@96{~66-6ybN|Lx7Y zq%ZApDh+p|w(@}IFCTQA5f;;DI`FW%Sn!%J(u89fh8(sab4;SyZ zhR|jY<^;yMlr)}o3*gjNep6AcqS#@>3jW$!s?ZljKIszhU9gfKR;-$u;CGMU{G*3r zodS=z4F@R5zm0#N@;o!=!+UE2Mo{2ljghR=3Vkl(8(Et}k$(Qr)5Awbhx5YMjvc4x zIn>HG5vkHTp4~2$#9_V2>q&7d>f<1$+@y79 zqq0R>a~xyufT-?ToV4A`?>F3grtJ$e)C|t`1h7@T+M$SP$(bH!j9d{Q3N4nkymF{1 zRsO0L$@8 zA#Ux%pamn1lP|us65JP{**nfQlMJWiFBHp5C?h@2%m!7mIxIb?S~I;$-C7!aqoalV$ulmv?~Evw zQqiTW3z9j2J$=S1-|GrRjv>j7`J3`36PY$}L`g`-wz=u1cxq|dQ)2R2Y-m|uaKE72 zizt-AWZ>Nn^^d#VI=lXSTt01n%;l@dcWvw~bcfubx00yGS&38%3|$qd~up4$M@V_zwoXY$w-OB&7nh>Okrf(xlyc0eQ zHnp93N=#92vGH+|?jE^V{y2YMSQ2w%Vdxjf$I{<7&_^5LbGH)3n0{=<6@9r-?9d!JQWfplD&z;Ka`>x zaA{9)l4#xR;KgnpI^cV@`TRh)UhV!~Mdsi|0_mi~zO#-viP@|ikef@~gik^r>{@d@ z84=nI?5w>+5%$WFVe;s6#tyCZ^V=S1vE)0J0(VC~2_yCxI9sBsmv71&?YF$RCWYA@ zJWx|$Yd&ilOCds^lvZ5ZuRWbOQ*LhVOg_fdK^3IiT*01)_~yuFHLgab&1WTBpG+Oa zSC1J@EAp?gKqbkBNe1i(IcPP?7n&J=N4bmj88GG~kJ*w?Ufd z^)OYj;M_rJn*C_5f$T9}{~aZaxtv6$pJ*YUYJ#b0SJ%E9izL&P4P~A~Bro~P0n}@h zG&8?itpzbS*_)u={Pej+tk}BsM?i(V zwbK#W_@FCGrN}AIQtTZ`mqfmev;vDEr;s_>xPCz9()^VsfjA?lq`WNh`029?0YYvd zz1Y=?u!E)9__tdnHM4!EEJb1s#I|40((&^7*peFLr4c>0@w<9I`XXz+e1Nh^TezL? 
z`2FEg(!;eGqErSwD)CnvX}kPgN0<8#;tzjB-YQlu3*xJ~UFh;w7;*c^j_)E}_zi8E zuDO@9A*i$5!4P9uo^gDfz}jZ3%t>ebC)I=+;%VkhJZF>nNi|{em@)RheNO?y-)N+q z4C>U$_ZLP)MW|uzh_Sb@K~dnJz_Uz3D!7KDBgO^u7Yn8O$wGgTQpCTT(4XcBEfoST z2?z-QfFN4vn3f6wD3ri2^Z&g(4*Z`y7JSTO!FV1E27_Wwr2`MN6bnq90(B+|C`7#A zr$0eP_ho9)1^JAu;a|(M*<3%_hZ;3l9QkKdp53h#jXOj{XLZKlg7VR35$g3%YRedP zs$y1ddTk&?7``)ZQr%iKaPr(oh-oI51^!V%y=8aVz%u#p5lU80fNs#_9R<)*TuSFG4aoo!J9c)y z$GV#-{*fz)6z7jy@wt0LET4&c2>dPyjX+S9wE)QHMRA-Pyz&NB@$2NWAPj zjmP8OPb`Are>+k@@i!o9YyE|?Us~_)QjiXyIYuRv^wjTb%gNk9{ZfLL@k&qtB_b$- zha5@-k3Br-PE0`izb^DEF@p3I{>`NE7oUwa#+J{<-t0f*C@Dbla}Q8_7#>pp9cpb6 z;M!fQw$k?YRLE;__=lgA*b74;&VD?m%xRaSlYbsX^&-D zY>tV|^u8xjm$6;Wf5t`Y>cy@%n}q$-v+E-%6+325@XG~*&H_rwl<`^#9_OBw#QlUC z4!ny$sjU;`&O`-+03d)8PHg0>1oqvL1%r<@54;XQ|7(g2#)&+qVT-la(o$tn#9CwR z@ik`3qJ_10#@e&UVeK6)?pok^F!nbD*M=#Tk2v^{DQ1;uUrpH)q7*C(0B#)XDt4F} zpyEkQ|54Z8R=LkCb7gwW7**)kbGVk31f=r)Z+{7JV939#HG-+1o8W*U0ctoAo`w?; z5JJI!jUa&6{_!p-VP2bn*E){qpXG(4IUYG!SlL=)O|e!sf7Kk0;n;z({j-z)*y;3V zAIC{XEXLl%+yQ@97ADv~=4Uz%GdIRK{Mmhy#mpXSWoco3oCa(E$1EpdSWAq9qlJmX z$(nx(`y1jBrYEg1M|hDkl1A31*xH3D!@`9|h3(u_ThxI^>x&u)I)j zd`C^`E3r1(E9wkmU$nSpj`pu9lF(oN7(o7&Vd(5ve!G;{rUvcnYzwhTSJN2JN^uzW zt1Yus(dqdRZh9=JTxt=IZU~mQ&=aYl8sW=NMt5NtHH50de{=8J-lYW iMzoYnACTHp8sjdLHg{xN{XRUB%h~qD8>*_&t$zUUC>5vx literal 0 HcmV?d00001 diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/uri-authorization.json b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/uri-authorization.json new file mode 100644 index 0000000000..e23c03d833 --- /dev/null +++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/auth/uri-authorization.json 
@@ -0,0 +1,99 @@
+[
+ {
+ "uri": "\/not\/allowed\/at\/all$",
+ "permissions": [
+ "test.auth.access.ifYouLikedItYouShouldHavePutAPermissionOnIt"
+ ]
+ },
+ {
+ "uri": "\/one\/auth\/required$",
+ "permissions": [
+ "test.auth.access.aSimpleSingleAuth"
+ ]
+ },
+ {
+ "uri": "\/multi\/auth\/required$",
+ "permissions": [
+ "test.auth.access.aMultipleAuth1",
+ "test.auth.access.aMultipleAuth2",
+ "test.auth.access.aMultipleAuth3"
+ ]
+ },
+ {
+ "uri": "\/one\/[^\/]+\/required$",
+ "permissions": [
+ "test.auth.access.aSimpleSingleAuth"
+ ]
+ },
+ {
+ "uri": "\/services\/getAAFRequest$",
+ "permissions": [
+ "test.auth.access|services|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/admin\/getAAFRequest$",
+ "permissions": [
+ "test.auth.access|admin|GET,PUT,POST"
+ ]
+ },
+ {
+ "uri": "\/service\/aai\/webapp\/index.html$",
+ "permissions": [
+ "test.auth.access|services|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/services\/aai\/webapp\/index.html$",
+ "permissions": [
+ "test.auth.access|services|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/$",
+ "permissions": [
+ "\\|services\\|GET",
+ "test\\.auth\\.access\\|services\\|GET,PUT"
+ ]
+ },
+ {
+ "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions$",
+ "permissions": [
+ "test\\.auth\\.access\\|rest\\|read"
+ ]
+ },
+ {
+ "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+$*",
+ "permissions": [
+ "test.auth.access|clouds|read",
+ "test.auth.access|tenants|read"
+ ]
+ },
+ {
+ "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+\/tenants/tenant/[^\/]+/vservers/vserver/[^\/]+$",
+ "permissions": [
+ "test.auth.access|clouds|read",
+ "test.auth.access|tenants|read",
+ "test.auth.access|vservers|read"
+ ]
+ },
+ {
+ "uri": "\/backend$",
+ "permissions": [
+ "test\\.auth\\.access\\|services\\|GET,PUT",
+ "\\|services\\|GET"
+ ]
+ },
+ {
+ "uri": "\/aai\/.*",
+ "permissions": [
+ "org\\.onap\\.aai\\.resources\\|\\*\\|.*"
+ ]
+ },
+ {
+ "uri": "\/aai\/util\/echo",
+ "permissions": [
+ "org\\.onap\\.aai\\.resources\\|\\*\\|.*"
+ ]
+ }
+]
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/cadi.properties b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/cadi.properties
new file mode 100644
index 0000000000..c2b628dbb3
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/cadi.properties
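Review bot: The cloud-region rule's pattern ends in `[^\/]+$*`, which applies a quantifier to the end anchor and makes it optional; this looks like a typo for `$`, and as written the rule can also match longer paths with that prefix, depending on whether the evaluator uses find or full-match semantics, which this file does not show. The file further mixes what appear to be test fixtures (`\/not\/allowed\/at\/all$`, the `test.auth.access.*` permissions, `\/backend$`) with the deployable `org\\.onap\\.aai\\.resources\\|\\*\\|.*` rules, so the authorization surface actually enforced by the sidecar is hard to review; entries not meant for a running deployment should be dropped or moved to a test resource. The final entry is also unanchored unlike its siblings; `"uri": "\/aai\/util\/echo$"` would be consistent.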
@@ -0,0 +1,39 @@
+# This is a normal Java Properties File
+# Comments are with Pound Signs at beginning of lines,
+# and multi-line expression of properties can be obtained by backslash at end of line
+
+#hostname is used for local testing where you may have to set your hostname to **.att.com or **.sbc.com. The example given below
+#will allow for an ATT cross domain cookie to be used for GLO. If you are running on Windows corp machine, your machine name
+#may be used automatically by cadi. However, if it is not, you will need to use hostname=mywebserver.att.com and add mywebserver.att.com
+#to your hosts file on your machine.
+#hostname=test.aic.cip.att.com
+
+cadi_loglevel=DEBUG
+
+# OAuth2
+aaf_oauth2_token_url=https://AAF_LOCATE_URL/AAF_NS.token:2.0/token
+aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/AAF_NS.introspect:2.0/introspect
+
+cadi_latitude=37.78187
+cadi_longitude=-122.26147
+
+# Locate URL (which AAF Env)
+aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095
+
+# AAF URL
+aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:2.0
+
+cadi_keyfile=/opt/app/rproxy/config/security/keyfile
+cadi_keystore=/opt/app/rproxy/config/auth/org.onap.aai.p12
+cadi_keystore_password=enc:383RDJRFA6yQz9AOxUxC1iIg3xTJXityw05MswnpnEtelRQy2D4r5INQjrea7GTV
+cadi_alias=aai@aai.onap.org
+cadi_truststore=/opt/app/rproxy/config/auth/tomcat_keystore
+cadi_truststore_password=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
+
+aaf_env=DEV
+
+aaf_id=demo@people.osaaf.org
+aaf_password=enc:92w4px0y_rrm265LXLpw58QnNPgDXykyA1YTrflbAKz
+
+# This is a colon separated list of client cert issuers
+cadi_x509_issuers=CN=ONAP, OU=ONAP, O=ONAP, L=Ottawa, ST=Ontario, C=CA
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/forward-proxy.properties b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/forward-proxy.properties
new file mode 100644
index 0000000000..1b58d4235c
--- /dev/null
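Review bot: `cadi_loglevel=DEBUG` is shipped as the default for the component that handles client certificates, tokens and AAF credentials; a deployed default should be `cadi_loglevel=INFO`, with DEBUG left to a per-deployment override. The `enc:` values for `cadi_keystore_password` and `aaf_password` are only as confidential as the file named in `cadi_keyfile`, which this same change adds to the chart in the clear, so they should be regarded as cleartext and this file handled like the other auth material rather than as plain configuration. `aaf_id=demo@people.osaaf.org`, `aaf_env=DEV` and the `OBF:` truststore password also look like development settings that should be parameterised through values instead of fixed in the chart; a header comment stating which of these are demo-only would help, e.g. `# Demo defaults: keyfile, enc:/OBF: passwords and aaf_id must be replaced per deployment`.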
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/forward-proxy.properties @@ -0,0 +1,4 @@ +forward-proxy.protocol = https +forward-proxy.host = localhost +forward-proxy.port = 10680 +forward-proxy.cacheurl = /credential-cache \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/logback-spring.xml b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/logback-spring.xml new file mode 100644 index 0000000000..57bc4e268f --- /dev/null +++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/logback-spring.xml @@ -0,0 +1,48 @@ + + + + + + + + + + %d{ISO8601} %-5level [%t] %C{1.}: %msg%n%throwable + + + + + + ${LOGS}/${FILEPREFIX}.log + + %d %p %C{1.} [%t] %m%n + + + + + ${LOGS}/archived/${FILEPREFIX}-%d{yyyy-MM-dd}.%i.log + + + 10MB + + + + + + + + + + + + + + + + + diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/primary-service.properties b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/primary-service.properties new file mode 100644 index 0000000000..2c89d28180 --- /dev/null +++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/primary-service.properties @@ -0,0 +1,3 @@ +primary-service.protocol = https +primary-service.host = localhost +primary-service.port = 8447 diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/readme.txt b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/readme.txt new file mode 100644 index 0000000000..79cf29e73c --- /dev/null +++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/readme.txt @@ -0,0 +1 @@ +Relevant configuration files need to be copied here to successfully run this service locally. \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/reverse-proxy.properties b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/reverse-proxy.properties new file mode 100644 index 0000000000..8d46e1f429 --- /dev/null 
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/reverse-proxy.properties
@@ -0,0 +1 @@
+transactionid.header.name=X-TransactionId
\ No newline at end of file
diff --git a/kubernetes/aai/charts/aai-resources/resources/rproxy/config/security/keyfile b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/security/keyfile
new file mode 100644
index 0000000000..3416d4a737
--- /dev/null
+++ b/kubernetes/aai/charts/aai-resources/resources/rproxy/config/security/keyfile
@@ -0,0 +1,27 @@ +2otP92kNFHdexroZxvgYY7ffslFiwCD3CiVYMIfUF2edqZK7972NwkvE_mbaBo6jh8lByLIqrWAf +jyzoiVsvQ_kCa0cS1xaRLpcxv3bx1b7o3hGPBqpd6vmSG4y2JLzNlCBZWuTJz827wr8p_fWrYuUm +4L1WoaEe8W5PRnXjl4hDqbJBAlEoRIBXugUDt_7O5wgx2Rl3HVoOczZtf0RzONZ1F0BmKf3QlAUe +moSbARitYRgIPt5sLbT7qPyoEpGDhQ1XBowR744-wsjBc-14yO62Ajp5xWKTp15uWn3_HHuw1SAf +GWSBRGlSlEVkXQqi9Hw5jDttKVzHX1ckwR0SQOirbtHPHplxPX3WKjKhSdSeMzw6LOAHIQYRMKBT +74oGnULAfPtV7TaGwOKriT3P49CoPdt9On89-LGyCZSxDWKH0K-rgB6I2_hPT2Uzr3jmXiMa-sfh +iMvyQ7ABBVx0OFsUuNb5mcU2O6dWiQreL5RerrloV_X3ZtnNjxENXKjQ5KBR1A5ISPjFFK-kf4Rb +p6FSII8LcsiqgdWuZ4GX_C6x8HX4A-vD0x3Uc9CfoXY-k23cNIy-R-W-oB-P2OgdWDNgZ7VaOLNt +3L-NwWpNblfYvs93cNmkbVAwCZ3r0OP7RFeuON84TRaynK_Fh2S3rypRyJcUmM1pvpZqJ5_-umSW +hUs1OqkdLv3xjlVzzK-3nMr0q3Zcyp4XdyLYtcX5I3Xqk9ZcsyAT7ghmHhV8KjUjue7OcfAWg0m7 +RJLGq6VC8HeK4HEMa4lF677Qh7DRufghIDEmQSIDfGA790WGSA8HqcOvAL4hURCHyCWiPa5i8ksX +xX4HyqF8PCVCLJ_ZhzcuIlc0jStAexWbJU_vcyX7XgUaHCkF-M-zv1FP6Z3DHBMD2QqSWjmyNCCk +8sIuwzs62P_j2o9jG33kssedCrUWOwZancU107-5H0Zw-UWvtCqUfmRZ7TsEbWY7lk_SKfLfAN5q +ncOQgU_VxDXUFDST4LN_WVECRafK3UtwWomxWSji25Lbf6NVni3ok-yLMDZR-wrE-54jLPES9j0i +5N0xrk9CfsvGUpUZ1_XQcgaxI6m27DtCCJXb5ywenPBiUIJCMCTq88CqNZxGpju2i4BJcUH2hUHe +GKhO8pgslwhtEVot9EDwdzSrJkWFCfb6ud4zMxrqdi7-mLWMOydg6lhpEFEX5wu2BLIujGsZlEGE +_K9jGfBypjXuJCKDZIuPfEnf_7idjKis_JcFB7x4Hx2HHDcBjlWWFZN_VIEnPkQSyZEC26RTFP3k +zkY3GwUfA36a4XW2pu3gE9wz-W6fkONfzOZ6YiyCm_dRFUVuGSdJG02Hh5iXYlMOGJltPzWH2jVf +S-QTOmXQTKSOheXoJO6O-9uQbsRf-kq-6w1pvIOp4ms35w4_0Xj0Xr2a9y-L9PdBZvrUsa-jxsZU +LyA-YY4Ej6QwDBDTD2MGjF1E5_ekYgjoNlltM9rJjofruM4ym0n7LPHC7YXXQSEFOZYeTKi6wUDw +hQ1DoWHgu4PQ2lexada8sxQdConbPe2iW16h-PrO5D12E4XbT00fqaMlBmjQwzdNRdCC2NRPIQ5W +nwaO8dZ9yjxsjT7ZVHb9-DRblb3XDocponzxVXqUGtJAie4WXQnerX0ApTWGaHEr5y56JJVS_3LP +bKrbXBXcs4jTUX4ECXRrOs8JQDQNysXhvTPCu0XUxNZpjx6KLxDs93k2OcESHjl5J6n6OKKJqqoN +JEyFO5LGXpnmUJbn0-CaHHPRI1mHwEu4brY8wDZd9A0PD1KGXDoCHMfEk1lGblQdyOcVrXZ6uSBk +Z6zHDnwSCHO1mPYqtelJQehZoFuPSv9PIgKLxs_qJOtZFnXII5YO1mGXgiIBWBjUFDR5HG4ENS6y 
+J4MCF-JLMp-PVMAkOaCIQRRDpRnMm_fT1sc_P562Diu_pcdt-r55pMFQYGoGfjRmxQBKk0-SsdnP +mlZIiis9DfQEN0q3QQdNRYBJD7tmhUwhAPZdLgXqJA8sZf8UyFQhhpsky79NT343YL9smUlF \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-resources/templates/configmap.yaml b/kubernetes/aai/charts/aai-resources/templates/configmap.yaml index 001f5ead65..4fd939dbd0 100644 --- a/kubernetes/aai/charts/aai-resources/templates/configmap.yaml +++ b/kubernetes/aai/charts/aai-resources/templates/configmap.yaml 
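Review bot: This keyfile is the symmetric key that CADI uses to decrypt every `enc:` value in cadi.properties, and it is committed to the chart in the clear, so anyone with read access to the repository can recover the keystore and AAF passwords it protects regardless of the encoding. It should be generated at deployment time (for example by a pre-install job that writes it into the `-rproxy-security-config` Secret) and never checked in, and the `enc:` values bound to this particular key regenerated once it is rotated. If it has to stay in the repository for a demo profile, say so explicitly in the rproxy readme and mark every value that depends on it as demo-only.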
@@ -136,3 +136,88 @@ data: {{ tpl (.Files.Glob "resources/config/aaf/org.onap.aai.p12").AsSecrets . | indent 2 }} {{ tpl (.Files.Glob "resources/config/aaf/truststoreONAPall.jks").AsSecrets . | indent 2 }} {{ tpl (.Files.Glob "resources/config/aaf/bath_config.csv").AsSecrets . | indent 2 }} + +{{ if .Values.global.installSidecarSecurity }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-aai-policy-configmap + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/config/auth/aai_policy.json").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-fproxy-config + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/fproxy/config/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-fproxy-log-config + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/fproxy/config/logback-spring.xml").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-fproxy-auth-config + namespace: {{ include "common.namespace" . }} +type: Opaque +data: +{{ tpl (.Files.Glob "resources/fproxy/config/auth/*").AsSecrets . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-rproxy-config + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/rproxy/config/*").AsConfig . 
| indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-rproxy-log-config + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/rproxy/config/logback-spring.xml").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-rproxy-auth-config + namespace: {{ include "common.namespace" . }} +type: Opaque +data: +{{ tpl (.Files.Glob "resources/rproxy/config/auth/*").AsSecrets . | indent 2 }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-rproxy-security-config + namespace: {{ include "common.namespace" . }} +type: Opaque +data: +{{ tpl (.Files.Glob "resources/rproxy/config/security/*").AsSecrets . | indent 2 }} +{{ end }} diff --git a/kubernetes/aai/charts/aai-resources/templates/deployment.yaml b/kubernetes/aai/charts/aai-resources/templates/deployment.yaml index 4dcfa2cf9c..8d7b740276 100644 --- a/kubernetes/aai/charts/aai-resources/templates/deployment.yaml +++ b/kubernetes/aai/charts/aai-resources/templates/deployment.yaml @@ -419,6 +419,12 @@ spec: spec: hostname: aai-resources {{ if .Values.global.initContainers.enabled }} + {{ if .Values.global.installSidecarSecurity }} + hostAliases: + - ip: {{ .Values.global.aaf.serverIp }} + hostnames: + - {{ .Values.global.aaf.serverHostname }} + {{ end }} initContainers: - command: {{ if .Values.global.jobs.createSchema.enabled }} 
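Review bot: The `-rproxy-config` ConfigMap is rendered from `resources/rproxy/config/*`, which pulls in cadi.properties with `cadi_keystore_password`, `cadi_truststore_password` and `aaf_password`; credential-bearing configuration belongs in a Secret, next to the `-rproxy-auth-config` and `-rproxy-security-config` Secrets this hunk already defines. The least invasive fix is to render cadi.properties with `.AsSecrets` into its own Secret (or into `-rproxy-auth-config`) and keep it out of the ConfigMap glob, e.g. `{{ tpl (.Files.Glob "resources/rproxy/config/cadi.properties").AsSecrets . | indent 2 }}` under a `kind: Secret`. The `-fproxy-config` and `-rproxy-config` ConfigMaps also lack the `app`/`chart`/`release`/`heritage` labels every other object in this hunk carries, which will matter for anything that selects or cleans up by those labels.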
@@ -441,6 +447,13 @@ spec: image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + {{ if .Values.global.installSidecarSecurity }} + - name: {{ .Values.global.tproxyConfig.name }} + image: "{{ include "common.repository" . }}/{{ .Values.global.tproxyConfig.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + securityContext: + privileged: true + {{ end }} {{ end }} containers: - name: {{ include "common.name" . }} @@ -475,6 +488,11 @@ spec: - mountPath: /opt/app/aai-resources/resources/etc/auth/realm.properties name: {{ include "common.fullname" . }}-realm-conf subPath: realm.properties + {{ if .Values.global.installSidecarSecurity }} + - mountPath: /opt/app/aai-resources/resources/etc/auth/aai_policy.json + name: {{ include "common.fullname" . }}-aai-policy + subPath: aai_policy.json + {{ end }} - mountPath: /opt/app/aai-resources/resources/aaf/org.onap.aai.keyfile name: {{ include "common.fullname" . }}-aaf-certs subPath: org.onap.aai.keyfile 
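Review bot: The `tproxyConfig` init container runs with `securityContext: privileged: true`, which grants every capability and host device, far more than traffic redirection needs. If its job is only to install iptables redirect rules for the sidecars (its image is not visible here), the least-privilege form is `securityContext:` / `capabilities:` / `add: ["NET_ADMIN"]` with `privileged` dropped, and a comment on the container stating why that capability is required. Note also that this block sits inside the `global.initContainers.enabled` guard (the enclosing `initContainers` list starts outside this hunk), so disabling that flag silently skips the transparent-proxy setup while `installSidecarSecurity` still deploys the sidecars; a comment or a separate guard would make that dependency explicit.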
@@ -548,6 +566,85 @@ spec: name: {{ include "common.fullname" . }}-logs - mountPath: /usr/share/filebeat/data name: {{ include "common.fullname" . }}-filebeat + {{ if .Values.global.installSidecarSecurity }} + - name: {{ .Values.global.rproxy.name }} + image: "{{ include "common.repository" . }}/{{ .Values.global.rproxy.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + env: + - name: CONFIG_HOME + value: "/opt/app/rproxy/config" + - name: KEY_STORE_PASSWORD + value: {{ .Values.sidecar.keyStorePassword }} + - name: spring_profiles_active + value: {{ .Values.global.rproxy.activeSpringProfiles }} + volumeMounts: + - name: {{ include "common.fullname" . }}-rproxy-config + mountPath: /opt/app/rproxy/config/forward-proxy.properties + subPath: forward-proxy.properties + - name: {{ include "common.fullname" . }}-rproxy-config + mountPath: /opt/app/rproxy/config/primary-service.properties + subPath: primary-service.properties + - name: {{ include "common.fullname" . }}-rproxy-config + mountPath: /opt/app/rproxy/config/reverse-proxy.properties + subPath: reverse-proxy.properties + - name: {{ include "common.fullname" . }}-rproxy-config + mountPath: /opt/app/rproxy/config/cadi.properties + subPath: cadi.properties + - name: {{ include "common.fullname" . }}-rproxy-log-config + mountPath: /opt/app/rproxy/config/logback-spring.xml + subPath: logback-spring.xml + - name: {{ include "common.fullname" . }}-rproxy-auth-config + mountPath: /opt/app/rproxy/config/auth/tomcat_keystore + subPath: tomcat_keystore + - name: {{ include "common.fullname" . }}-rproxy-auth-config + mountPath: /opt/app/rproxy/config/auth/client-cert.p12 + subPath: client-cert.p12 + - name: {{ include "common.fullname" . }}-rproxy-auth-config + mountPath: /opt/app/rproxy/config/auth/uri-authorization.json + subPath: uri-authorization.json + - name: {{ include "common.fullname" . 
}}-rproxy-auth-config + mountPath: /opt/app/rproxy/config/auth/aaf_truststore.jks + subPath: aaf_truststore.jks + - name: {{ include "common.fullname" . }}-rproxy-security-config + mountPath: /opt/app/rproxy/config/security/keyfile + subPath: keyfile + - name: {{ include "common.fullname" . }}-rproxy-auth-config + mountPath: /opt/app/rproxy/config/auth/org.onap.aai.p12 + subPath: org.onap.aai.p12 + ports: + - containerPort: {{ .Values.global.rproxy.port }} + + - name: {{ .Values.global.fproxy.name }} + image: "{{ include "common.repository" . }}/{{ .Values.global.fproxy.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + env: + - name: CONFIG_HOME + value: "/opt/app/fproxy/config" + - name: KEY_STORE_PASSWORD + value: {{ .Values.sidecar.keyStorePassword }} + - name: TRUST_STORE_PASSWORD + value: {{ .Values.sidecar.trustStorePassword }} + - name: spring_profiles_active + value: {{ .Values.global.fproxy.activeSpringProfiles }} + volumeMounts: + - name: {{ include "common.fullname" . }}-fproxy-config + mountPath: /opt/app/fproxy/config/fproxy.properties + subPath: fproxy.properties + - name: {{ include "common.fullname" . }}-fproxy-log-config + mountPath: /opt/app/fproxy/config/logback-spring.xml + subPath: logback-spring.xml + - name: {{ include "common.fullname" . }}-fproxy-auth-config + mountPath: /opt/app/fproxy/config/auth/fproxy_truststore + subPath: fproxy_truststore + - name: {{ include "common.fullname" . }}-fproxy-auth-config + mountPath: /opt/app/fproxy/config/auth/tomcat_keystore + subPath: tomcat_keystore + - name: {{ include "common.fullname" . }}-fproxy-auth-config + mountPath: /opt/app/fproxy/config/auth/client-cert.p12 + subPath: client-cert.p12 + ports: + - containerPort: {{ .Values.global.fproxy.port }} + {{ end }} volumes: - name: localtime 
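Review bot: Both sidecars receive `KEY_STORE_PASSWORD` (and fproxy also `TRUST_STORE_PASSWORD`) as literal `value:` environment variables rendered from `.Values.sidecar.*`, so the passwords land in the Deployment manifest, in `kubectl describe`, and in anything that captures pod specs; they should be read from a Secret with `valueFrom: secretKeyRef`, with the chart rendering that Secret from values the operator overrides. The rproxy container additionally mounts `aaf_truststore.jks` by `subPath` from the `-rproxy-auth-config` Secret, but no file of that name is added under `rproxy/config/auth` by this change as far as I can see, and cadi.properties points `cadi_truststore` at `auth/tomcat_keystore` instead, so either the mount is stale and should be removed or the truststore is missing from the chart. Neither sidecar declares `resources` or a readiness probe, so a failed proxy would presumably not take the pod out of service; the main container whose definition starts outside this hunk is the only one probed.
```yaml
          env:
          - name: CONFIG_HOME
            value: "/opt/app/rproxy/config"
          - name: KEY_STORE_PASSWORD
            valueFrom:
              secretKeyRef:
                name: {{ include "common.fullname" . }}-sidecar-passwords
                key: keyStorePassword
          # … unchanged: spring_profiles_active, volumeMounts (minus the aaf_truststore.jks entry), ports …
```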
@@ -595,6 +692,32 @@ spec: - key: {{ . }} path: {{ . }} {{ end }} + {{ if .Values.global.installSidecarSecurity }} + - name: {{ include "common.fullname" . }}-aai-policy + configMap: + name: {{ include "common.fullname" . }}-aai-policy-configmap + - name: {{ include "common.fullname" . }}-rproxy-config + configMap: + name: {{ include "common.fullname" . }}-rproxy-config + - name: {{ include "common.fullname" . }}-rproxy-log-config + configMap: + name: {{ include "common.fullname" . }}-rproxy-log-config + - name: {{ include "common.fullname" . }}-rproxy-auth-config + secret: + secretName: {{ include "common.fullname" . }}-rproxy-auth-config + - name: {{ include "common.fullname" . }}-rproxy-security-config + secret: + secretName: {{ include "common.fullname" . }}-rproxy-security-config + - name: {{ include "common.fullname" . }}-fproxy-config + configMap: + name: {{ include "common.fullname" . }}-fproxy-config + - name: {{ include "common.fullname" . }}-fproxy-log-config + configMap: + name: {{ include "common.fullname" . }}-fproxy-log-config + - name: {{ include "common.fullname" . }}-fproxy-auth-config + secret: + secretName: {{ include "common.fullname" . }}-fproxy-auth-config + {{ end }} restartPolicy: {{ .Values.restartPolicy }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aai/charts/aai-resources/values.yaml b/kubernetes/aai/charts/aai-resources/values.yaml index d7813ead11..3fd5a89a98 100644 --- a/kubernetes/aai/charts/aai-resources/values.yaml +++ b/kubernetes/aai/charts/aai-resources/values.yaml @@ -68,6 +68,11 @@ readiness: initialDelaySeconds: 60 periodSeconds: 10 +# application configuration +sidecar: + keyStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 + keyManagerPassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 + trustStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 service: type: ClusterIP 
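Review bot: The three `sidecar.*Password` values are Jetty-style `OBF:` strings, which is reversible obfuscation rather than encryption, so committing them here is equivalent to committing the cleartext password, and the identical string is reused for the keystore, key-manager and truststore. They are also consumed as literal env values by the sidecar containers elsewhere in this change, so the chart should either carry no default here (fail the render if unset) or an explicitly demo-only one, and read the real values from a Secret created outside the chart. At minimum add a comment above the block, e.g. `# OBF: values are reversible, not encrypted; override per deployment and source from a Secret`.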
diff --git a/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg new file mode 100644 index 0000000000..1c82050db0 --- /dev/null +++ b/kubernetes/aai/resources/config/haproxy/haproxy-pluggable-security.cfg 
@@ -0,0 +1,138 @@ +# Copyright © 2018 Amdocs, Bell Canada, AT&T +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +global + log /dev/log local0 + stats socket /usr/local/etc/haproxy/haproxy.socket mode 660 level admin + stats timeout 30s + user root + group root + daemon + ################################# + # Default SSL material locations# + ################################# + ca-base /etc/ssl/certs + crt-base /etc/ssl/private + + # Default ciphers to use on SSL-enabled listening sockets. + # For more information, see ciphers(1SSL). 
This list is from: + # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + # An alternative list with additional directives can be obtained from + # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy + tune.ssl.default-dh-param 2048 + +defaults + log global + mode http + option httplog + option ssl-hello-chk + option httpchk GET /aai/util/echo HTTP/1.1\r\nHost:\ aai\r\nX-TransactionId:\ haproxy-0111\r\nX-FromAppId:\ haproxy\r\nAccept:\ application/json\r\nAuthorization:\ Basic\ YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ== + default-server init-addr none +# option dontlognull +# errorfile 400 /etc/haproxy/errors/400.http +# errorfile 403 /etc/haproxy/errors/403.http +# errorfile 408 /etc/haproxy/errors/408.http +# errorfile 500 /etc/haproxy/errors/500.http +# errorfile 502 /etc/haproxy/errors/502.http +# errorfile 503 /etc/haproxy/errors/503.http +# errorfile 504 /etc/haproxy/errors/504.http + + option http-server-close + option forwardfor except 127.0.0.1 + retries 6 + option redispatch + maxconn 50000 + timeout connect 50000 + timeout client 480000 + timeout server 480000 + timeout http-keep-alive 30000 + + +frontend IST_8443 + mode http + bind 0.0.0.0:8443 name https ssl crt /etc/ssl/private/aai.pem +# log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r + log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC \ %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r" + option httplog + log global + option logasap + option forwardfor + capture request header Host len 100 + capture response header Host len 100 + option log-separate-errors + option forwardfor + http-request set-header X-Forwarded-Proto https if { ssl_fc } + http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used } + http-request set-header X-AAI-SSL %[ssl_fc] + http-request set-header X-AAI-SSL-Client-Verify 
%[ssl_c_verify] + http-request set-header X-AAI-SSL-Client-DN %{+Q}[ssl_c_s_dn] + http-request set-header X-AAI-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)] + http-request set-header X-AAI-SSL-Issuer %{+Q}[ssl_c_i_dn] + http-request set-header X-AAI-SSL-Client-NotBefore %{+Q}[ssl_c_notbefore] + http-request set-header X-AAI-SSL-Client-NotAfter %{+Q}[ssl_c_notafter] + http-request set-header X-AAI-SSL-ClientCert-Base64 %{+Q}[ssl_c_der,base64] + http-request set-header X-AAI-SSL-Client-OU %{+Q}[ssl_c_s_dn(OU)] + http-request set-header X-AAI-SSL-Client-L %{+Q}[ssl_c_s_dn(L)] + http-request set-header X-AAI-SSL-Client-ST %{+Q}[ssl_c_s_dn(ST)] + http-request set-header X-AAI-SSL-Client-C %{+Q}[ssl_c_s_dn(C)] + http-request set-header X-AAI-SSL-Client-O %{+Q}[ssl_c_s_dn(O)] + reqadd X-Forwarded-Proto:\ https + reqadd X-Forwarded-Port:\ 8443 + +####################### +#ACLS FOR PORT 8446#### +####################### + + acl is_Port_8446_generic path_reg -i ^/aai/v[0-9]+/search/generic-query$ + acl is_Port_8446_nodes path_reg -i ^/aai/v[0-9]+/search/nodes-query$ + acl is_Port_8446_version path_reg -i ^/aai/v[0-9]+/query$ + acl is_named-query path_beg -i /aai/search/named-query + acl is_search-model path_beg -i /aai/search/model + use_backend IST_AAI_8446 if is_Port_8446_generic or is_Port_8446_nodes or is_Port_8446_version or is_named-query or is_search-model + + default_backend IST_Default_8447 + + +####################### +#DEFAULT BACKEND 847### +####################### + +backend IST_Default_8447 + balance roundrobin + http-request set-header X-Forwarded-Port %[src_port] + http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; + server aai-resources.{{.Release.Namespace}} aai-resources.{{.Release.Namespace}}.svc.cluster.local:8447 resolvers kubernetes check check-ssl port 8447 ssl verify none + + +####################### +# BACKEND 8446######### +####################### + +backend IST_AAI_8446 + balance roundrobin + http-request 
set-header X-Forwarded-Port %[src_port] + http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload; + server aai-traversal.{{.Release.Namespace}} aai-traversal.{{.Release.Namespace}}.svc.cluster.local:8446 resolvers kubernetes check check-ssl port 8446 ssl verify none + +listen IST_AAI_STATS + mode http + bind *:8080 + stats uri /stats + stats enable + stats refresh 30s + stats hide-version + stats auth admin:admin + stats show-legends + stats show-desc IST AAI APPLICATION NODES + stats admin if TRUE diff --git a/kubernetes/aai/templates/configmap.yaml b/kubernetes/aai/templates/configmap.yaml index 212f9cdc4c..a23ed5fdc7 100644 --- a/kubernetes/aai/templates/configmap.yaml +++ b/kubernetes/aai/templates/configmap.yaml @@ -37,7 +37,11 @@ metadata: release: {{ .Release.Name }} heritage: {{ .Release.Service }} data: +{{ if .Values.global.installSidecarSecurity }} +{{ tpl (.Files.Glob "resources/config/haproxy/haproxy-pluggable-security.cfg").AsConfig . | indent 2 }} +{{ else }} {{ tpl (.Files.Glob "resources/config/haproxy/haproxy.cfg").AsConfig . | indent 2 }} +{{ end }} --- apiVersion: v1 kind: Secret diff --git a/kubernetes/aai/templates/deployment.yaml b/kubernetes/aai/templates/deployment.yaml index 3f16e25ffd..1f337e4374 100644 --- a/kubernetes/aai/templates/deployment.yaml +++ b/kubernetes/aai/templates/deployment.yaml @@ -64,7 +64,11 @@ spec: - mountPath: /dev/log name: aai-service-log - mountPath: /usr/local/etc/haproxy/haproxy.cfg + {{ if .Values.global.installSidecarSecurity }} + subPath: haproxy-pluggable-security.cfg + {{ else }} subPath: haproxy.cfg + {{ end }} name: haproxy-cfg ports: - containerPort: {{ .Values.service.internalPort }} 
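Review bot: `http-request set-header X-AAI-Client-SSL TRUE if { ssl_c_used }` is conditional, so when no client certificate is presented a caller-supplied `X-AAI-Client-SSL: TRUE` header passes through to the backend untouched, unlike the unconditional `set-header` lines below it which always overwrite; add `http-request del-header X-AAI-Client-SSL` before the conditional line (deleting the other `X-AAI-SSL-*` headers first is harmless and makes the intent clear). The `bind 0.0.0.0:8443 ... ssl crt` line carries no `verify`/`ca-file`, so unless a client certificate is requested somewhere not visible here `ssl_c_used` is never true and every `X-AAI-SSL-Client-*` header is set empty; `verify optional ca-file <client-ca>` is needed for them to carry anything. The stats listener on `*:8080` combines `stats auth admin:admin` with `stats admin if TRUE`, which lets anyone holding those well-known credentials disable or drain backends; the credentials should come from chart values and `stats admin` be restricted or dropped. The backends use `ssl verify none`, and the `httpchk` line embeds a base64 Basic credential in a ConfigMap-rendered file; each deserves a comment explaining why it is acceptable for this profile, or tightening.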
@@ -86,6 +90,10 @@ spec: httpHeaders: - name: X-FromAppId value: OOM_ReadinessCheck + {{ if .Values.global.installSidecarSecurity }} + - name: Authorization + value: Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ== + {{ end }} - name: X-TransactionId value: {{ uuidv4 }} - name: Accept -- 2.16.6
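Review bot: The readiness probe gains a hard-coded `Authorization: Basic …` header whose value is a base64-encoded cleartext username:password committed in the template, and the same string is duplicated verbatim in the haproxy `httpchk` line of this change, so the two copies will drift and the credential is readable by anyone with the chart. Drive both from one values entry (e.g. `.Values.global.aai.readinessAuth`) populated from a Secret, or point the probe at an unauthenticated health path if one exists. The `httpGet` probe definition starts outside this hunk.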