From 798144599328ad1a17830a297a0539553f35f97b Mon Sep 17 00:00:00 2001 From: osgn422w Date: Fri, 25 Sep 2020 02:28:02 +0200 Subject: [PATCH] [CLAMP] AAF certificate using certinializer(2) use of auto-generated certificates via AAF side-car at OOM deployment time for CLAMP dashboard part. Issue-ID: CLAMP-884 Change-Id: If1c1cfb7d218060dde129546cadf38647a8d496e Signed-off-by: osgn422w --- .../components/clamp-dash-es/requirements.yaml | 3 ++ .../resources/config/elasticsearch.yml | 14 ++++++-- .../clamp-dash-es/templates/deployment.yaml | 16 +++++++-- .../clamp/components/clamp-dash-es/values.yaml | 38 ++++++++++++++++++++++ .../components/clamp-dash-kibana/requirements.yaml | 3 ++ .../clamp-dash-kibana/resources/config/kibana.yml | 6 +++- .../clamp-dash-kibana/templates/deployment.yaml | 5 +-- .../clamp/components/clamp-dash-kibana/values.yaml | 38 ++++++++++++++++++++++ .../clamp-dash-logstash/requirements.yaml | 3 ++ .../resources/config/pipeline.conf | 16 +++++++++ .../clamp-dash-logstash/templates/deployment.yaml | 5 +-- .../components/clamp-dash-logstash/values.yaml | 38 ++++++++++++++++++++++ 12 files changed, 176 insertions(+), 9 deletions(-) diff --git a/kubernetes/clamp/components/clamp-dash-es/requirements.yaml b/kubernetes/clamp/components/clamp-dash-es/requirements.yaml index caff1e5dc4..317d5b5d79 100644 --- a/kubernetes/clamp/components/clamp-dash-es/requirements.yaml +++ b/kubernetes/clamp/components/clamp-dash-es/requirements.yaml @@ -17,3 +17,6 @@ dependencies: - name: common version: ~6.x-0 repository: '@local' + - name: certInitializer + version: ~6.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/clamp/components/clamp-dash-es/resources/config/elasticsearch.yml b/kubernetes/clamp/components/clamp-dash-es/resources/config/elasticsearch.yml index 1eb20fce89..9e04d5ae01 100644 --- a/kubernetes/clamp/components/clamp-dash-es/resources/config/elasticsearch.yml +++ b/kubernetes/clamp/components/clamp-dash-es/resources/config/elasticsearch.yml @@ -106,14 +106,24 @@ transport.tcp.port: {{.Values.service.externalPort2}} ######## Start OpenDistro for Elasticsearch Security Demo Configuration ######## # WARNING: revise all the lines below before you go into production +{{- if .Values.global.aafEnabled }} +opendistro_security.ssl.transport.pemcert_filepath: {{ .Values.certInitializer.clamp_pem }} +opendistro_security.ssl.transport.pemkey_filepath: {{ .Values.certInitializer.clamp_key }} +opendistro_security.ssl.transport.pemtrustedcas_filepath: {{ .Values.certInitializer.clamp_ca_certs_pem }} +opendistro_security.ssl.http.pemcert_filepath: {{ .Values.certInitializer.clamp_pem }} +opendistro_security.ssl.http.pemkey_filepath: {{ .Values.certInitializer.clamp_key }} +opendistro_security.ssl.http.pemtrustedcas_filepath: {{ .Values.certInitializer.clamp_ca_certs_pem }} +{{- else }} opendistro_security.ssl.transport.pemcert_filepath: esnode.pem opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem -opendistro_security.ssl.transport.enforce_hostname_verification: false -opendistro_security.ssl.http.enabled: {{.Values.security.ssl.enabled}} opendistro_security.ssl.http.pemcert_filepath: esnode.pem opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem +{{- end }} +opendistro_security.ssl.transport.enforce_hostname_verification: false +opendistro_security.ssl.http.enabled: {{.Values.security.ssl.enabled}} + opendistro_security.allow_unsafe_democertificates: true opendistro_security.allow_default_init_securityindex: true opendistro_security.authcz.admin_dn: diff --git a/kubernetes/clamp/components/clamp-dash-es/templates/deployment.yaml b/kubernetes/clamp/components/clamp-dash-es/templates/deployment.yaml index 0ec38b08e3..0e37df7ddc 100644 --- a/kubernetes/clamp/components/clamp-dash-es/templates/deployment.yaml +++ b/kubernetes/clamp/components/clamp-dash-es/templates/deployment.yaml @@ -59,10 +59,22 @@ spec: mountPath: /usr/share/elasticsearch/logs/ - name: {{ include "common.fullname" . }}-data mountPath: /usr/share/elasticsearch/data/ +{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - -c + - | + cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_key }} /usr/share/elasticsearch/config/{{ .Values.certInitializer.clamp_key }} + cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_pem }} /usr/share/elasticsearch/config/{{ .Values.certInitializer.clamp_pem }} + cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_ca_certs_pem }} /usr/share/elasticsearch/config/{{ .Values.certInitializer.clamp_ca_certs_pem }} + /usr/local/bin/docker-entrypoint.sh + {{- end }} ports: - containerPort: {{ .Values.service.internalPort }} name: {{ include "common.servicename" . }} @@ -85,7 +97,7 @@ spec: periodSeconds: {{ .Values.readiness.periodSeconds }} timeoutSeconds: {{ .Values.readiness.timeoutSeconds }} env: - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -104,7 +116,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: localtime hostPath: path: /etc/localtime diff --git a/kubernetes/clamp/components/clamp-dash-es/values.yaml b/kubernetes/clamp/components/clamp-dash-es/values.yaml index 27158a6668..a4ff555e83 100644 --- a/kubernetes/clamp/components/clamp-dash-es/values.yaml +++ b/kubernetes/clamp/components/clamp-dash-es/values.yaml @@ -20,6 +20,44 @@ global: nodePortPrefix: 302 repositorySecret: eyJuZXh1czMub25hcC5vcmc6MTAwMDEiOnsidXNlcm5hbWUiOiJkb2NrZXIiLCJwYXNzd29yZCI6ImRvY2tlciIsImVtYWlsIjoiQCIsImF1dGgiOiJaRzlqYTJWeU9tUnZZMnRsY2c9PSJ9fQ== persistence: {} + centralizedLoggingEnabled: true + #AAF service + aafEnabled: true + +################################################################# +# AAF part +################################################################# +certInitializer: + permission_user: 1000 + permission_group: 999 + addconfig: true + keystoreFile: "org.onap.clamp.p12" + truststoreFile: "org.onap.clamp.trust.jks" + keyFile: "org.onap.clamp.keyfile" + truststoreFileONAP: "truststoreONAPall.jks" + clamp_key: "org.onap.clamp.crt.key" + clamp_pem: "org.onap.clamp.key.pem" + clamp_ca_certs_pem: "clamp-ca-certs.pem" + nameOverride: clamp-es-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: clamp + fqi: clamp@clamp.onap.org + public_fqdn: clamp.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + aaf_add_config: > + /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop; + export $(/opt/app/aaf_config/bin/agent.sh local showpass | grep '^c' | xargs -0); + cd {{ .Values.credsPath }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -nocerts -nodes -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_key }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -clcerts -nokeys -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_pem }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -cacerts -nokeys -chain -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_ca_certs_pem }}; + chmod a+rx *; + flavor: small ################################################################# diff --git a/kubernetes/clamp/components/clamp-dash-kibana/requirements.yaml b/kubernetes/clamp/components/clamp-dash-kibana/requirements.yaml index caff1e5dc4..317d5b5d79 100644 --- a/kubernetes/clamp/components/clamp-dash-kibana/requirements.yaml +++ b/kubernetes/clamp/components/clamp-dash-kibana/requirements.yaml @@ -17,3 +17,6 @@ dependencies: - name: common version: ~6.x-0 repository: '@local' + - name: certInitializer + version: ~6.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/clamp/components/clamp-dash-kibana/resources/config/kibana.yml b/kubernetes/clamp/components/clamp-dash-kibana/resources/config/kibana.yml index db81e3da00..acfb4cc081 100644 --- a/kubernetes/clamp/components/clamp-dash-kibana/resources/config/kibana.yml +++ b/kubernetes/clamp/components/clamp-dash-kibana/resources/config/kibana.yml @@ -18,9 +18,13 @@ server.host: "0" server.port: {{.Values.service.externalPort}} server.ssl.enabled: {{.Values.config.sslEnabled}} +{{- if .Values.global.aafEnabled }} +server.ssl.certificate: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_pem }} +server.ssl.key: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_key }} +{{ else }} server.ssl.certificate: {{.Values.config.sslPemCertFilePath}} server.ssl.key: {{.Values.config.sslPemkeyFilePath}} - +{{- end }} # The URL of the Elasticsearch instance to use for all your queries. elasticsearch.hosts: ${elasticsearch_base_url} diff --git a/kubernetes/clamp/components/clamp-dash-kibana/templates/deployment.yaml b/kubernetes/clamp/components/clamp-dash-kibana/templates/deployment.yaml index 0e5f65cabb..d9a3035123 100644 --- a/kubernetes/clamp/components/clamp-dash-kibana/templates/deployment.yaml +++ b/kubernetes/clamp/components/clamp-dash-kibana/templates/deployment.yaml @@ -49,6 +49,7 @@ spec: image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness +{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -73,7 +74,7 @@ spec: env: - name: elasticsearch_base_url value: "{{ternary "https" "http" .Values.security.ssl.enabled}}://{{.Values.config.elasticsearchServiceName}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.config.elasticsearchPort}}" - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -90,7 +91,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: localtime hostPath: path: /etc/localtime diff --git a/kubernetes/clamp/components/clamp-dash-kibana/values.yaml b/kubernetes/clamp/components/clamp-dash-kibana/values.yaml index 11f29570bd..73cf1bdff7 100644 --- a/kubernetes/clamp/components/clamp-dash-kibana/values.yaml +++ b/kubernetes/clamp/components/clamp-dash-kibana/values.yaml @@ -21,6 +21,44 @@ global: repositorySecret: eyJuZXh1czMub25hcC5vcmc6MTAwMDEiOnsidXNlcm5hbWUiOiJkb2NrZXIiLCJwYXNzd29yZCI6ImRvY2tlciIsImVtYWlsIjoiQCIsImF1dGgiOiJaRzlqYTJWeU9tUnZZMnRsY2c9PSJ9fQ== readinessImage: onap/oom/readiness:3.0.1 persistence: {} + centralizedLoggingEnabled: true + #AAF service + aafEnabled: true + +################################################################# +# AAF part +################################################################# +certInitializer: + permission_user: 1000 + permission_group: 999 + addconfig: true + keystoreFile: "org.onap.clamp.p12" + truststoreFile: "org.onap.clamp.trust.jks" + keyFile: "org.onap.clamp.keyfile" + truststoreFileONAP: "truststoreONAPall.jks" + clamp_key: "org.onap.clamp.crt.key" + clamp_pem: "org.onap.clamp.key.pem" + clamp_ca_certs_pem: "clamp-ca-certs.pem" + nameOverride: clamp-kibana-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: clamp + fqi: clamp@clamp.onap.org + public_fqdn: clamp.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + aaf_add_config: > + /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop; + export $(/opt/app/aaf_config/bin/agent.sh local showpass | grep '^c' | xargs -0); + cd {{ .Values.credsPath }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -nocerts -nodes -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_key }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -clcerts -nokeys -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_pem }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -cacerts -nokeys -chain -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_ca_certs_pem }}; + chmod a+rx *; + flavor: small ################################################################# diff --git a/kubernetes/clamp/components/clamp-dash-logstash/requirements.yaml b/kubernetes/clamp/components/clamp-dash-logstash/requirements.yaml index caff1e5dc4..317d5b5d79 100644 --- a/kubernetes/clamp/components/clamp-dash-logstash/requirements.yaml +++ b/kubernetes/clamp/components/clamp-dash-logstash/requirements.yaml @@ -17,3 +17,6 @@ dependencies: - name: common version: ~6.x-0 repository: '@local' + - name: certInitializer + version: ~6.x-0 + repository: '@local' \ No newline at end of file diff --git a/kubernetes/clamp/components/clamp-dash-logstash/resources/config/pipeline.conf b/kubernetes/clamp/components/clamp-dash-logstash/resources/config/pipeline.conf index c005fcca3e..2364e5548a 100644 --- a/kubernetes/clamp/components/clamp-dash-logstash/resources/config/pipeline.conf +++ b/kubernetes/clamp/components/clamp-dash-logstash/resources/config/pipeline.conf @@ -46,7 +46,11 @@ input { request_timeout => 30 schedule => { "every" => "1m" } codec => "plain" +{{- if .Values.global.aafEnabled }} + cacert => "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_ca_certs_pem }}" +{{- else }} cacert => "/certs.d/aafca.pem" +{{- end }} } } @@ -218,7 +222,11 @@ output { if "error" in [tags] { elasticsearch { codec => "json" +{{- if .Values.global.aafEnabled }} + cacert => "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_ca_certs_pem }}" +{{- else }} cacert => "/clamp-cert/ca-certs.pem" +{{- end }} ssl_certificate_verification => false hosts => ["${elasticsearch_base_url}"] user => ["${logstash_user}"] @@ -231,7 +239,11 @@ output { elasticsearch { codec => "json" hosts => ["${elasticsearch_base_url}"] +{{- if .Values.global.aafEnabled }} + cacert => "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_ca_certs_pem }}" +{{- else }} cacert => "/clamp-cert/ca-certs.pem" +{{- end }} ssl_certificate_verification => false user => ["${logstash_user}"] password => ["${logstash_pwd}"] @@ -245,7 +257,11 @@ output { elasticsearch { codec => "json" hosts => ["${elasticsearch_base_url}"] +{{- if .Values.global.aafEnabled }} + cacert => "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.clamp_ca_certs_pem }}" +{{- else }} cacert => "/clamp-cert/ca-certs.pem" +{{- end }} ssl_certificate_verification => false user => ["${logstash_user}"] password => ["${logstash_pwd}"] diff --git a/kubernetes/clamp/components/clamp-dash-logstash/templates/deployment.yaml b/kubernetes/clamp/components/clamp-dash-logstash/templates/deployment.yaml index acd108d2cf..887f722179 100644 --- a/kubernetes/clamp/components/clamp-dash-logstash/templates/deployment.yaml +++ b/kubernetes/clamp/components/clamp-dash-logstash/templates/deployment.yaml @@ -49,6 +49,7 @@ spec: image: "{{ include "common.repository" . }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness +{{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -91,7 +92,7 @@ spec: periodSeconds: {{ .Values.liveness.periodSeconds }} timeoutSeconds: {{ .Values.liveness.timeoutSeconds }} {{ end -}} - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -111,7 +112,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: localtime hostPath: path: /etc/localtime diff --git a/kubernetes/clamp/components/clamp-dash-logstash/values.yaml b/kubernetes/clamp/components/clamp-dash-logstash/values.yaml index c2a522b1c8..8bccbcb92e 100644 --- a/kubernetes/clamp/components/clamp-dash-logstash/values.yaml +++ b/kubernetes/clamp/components/clamp-dash-logstash/values.yaml @@ -21,6 +21,44 @@ global: repositorySecret: eyJuZXh1czMub25hcC5vcmc6MTAwMDEiOnsidXNlcm5hbWUiOiJkb2NrZXIiLCJwYXNzd29yZCI6ImRvY2tlciIsImVtYWlsIjoiQCIsImF1dGgiOiJaRzlqYTJWeU9tUnZZMnRsY2c9PSJ9fQ== readinessImage: onap/oom/readiness:3.0.1 persistence: {} + centralizedLoggingEnabled: true + #AAF service + aafEnabled: true + +################################################################# +# AAF part +################################################################# +certInitializer: + permission_user: 1000 + permission_group: 999 + addconfig: true + keystoreFile: "org.onap.clamp.p12" + truststoreFile: "org.onap.clamp.trust.jks" + keyFile: "org.onap.clamp.keyfile" + truststoreFileONAP: "truststoreONAPall.jks" + clamp_key: "org.onap.clamp.crt.key" + clamp_pem: "org.onap.clamp.key.pem" + clamp_ca_certs_pem: "clamp-ca-certs.pem" + nameOverride: clamp-logstash-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: clamp + fqi: clamp@clamp.onap.org + public_fqdn: clamp.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + aaf_add_config: > + /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop; + export $(/opt/app/aaf_config/bin/agent.sh local showpass | grep '^c' | xargs -0); + cd {{ .Values.credsPath }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -nocerts -nodes -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_key }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -clcerts -nokeys -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_pem }}; + openssl pkcs12 -in {{ .Values.keystoreFile }} -cacerts -nokeys -chain -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_ca_certs_pem }}; + chmod a+rx *; + flavor: small ################################################################# -- 2.16.6