From fd8e7fbf73b93b2dd302108c7a1bcebb132647cd Mon Sep 17 00:00:00 2001 From: "Lee, Tian (tl5884)" Date: Fri, 11 Jan 2019 16:52:27 +0000 Subject: [PATCH] Update Gizmo and Champ security config - Update rProxy to use AAF geo-locate endpoint rather than hard coded IP address - Update fProxy to use separate truststore - Restructure charts to reduce certificate duplication Change-Id: I1e63ceb0ebabd8bb3dfacc71dac841858279b6f1 Issue-ID: AAF-718 
Signed-off-by: Lee, Tian (tl5884) --- .../resources/fproxy/config/auth/tomcat_keystore | Bin 3659 -> 0 bytes .../resources/rproxy/config/auth/client-cert.p12 | Bin 2556 -> 0 bytes .../rproxy/config/auth/uri-authorization.json | 16 ++++----- .../resources/rproxy/config/cadi.properties | 20 ++++++++++-- .../resources/rproxy/config/security/keyfile | 27 ---------------- .../aai/charts/aai-champ/templates/deployment.yaml | 36 +++++++++++---------- .../aai/charts/aai-champ/templates/secrets.yaml | 18 ----------- kubernetes/aai/charts/aai-champ/values.yaml | 1 + .../resources/rproxy/config/auth/client-cert.p12 | Bin 2556 -> 0 bytes .../resources/rproxy/config/auth/tomcat_keystore | Bin 3594 -> 0 bytes .../rproxy/config/auth/uri-authorization.json | 10 +++--- .../resources/rproxy/config/cadi.properties | 22 ++++++++++--- .../resources/rproxy/config/security/keyfile | 27 ---------------- .../aai/charts/aai-gizmo/templates/deployment.yaml | 33 ++++++++++--------- .../aai/charts/aai-gizmo/templates/secrets.yaml | 18 ----------- kubernetes/aai/charts/aai-gizmo/values.yaml | 1 + .../config/fproxy}/auth/client-cert.p12 | Bin .../resources/config/fproxy/auth/fproxy_truststore | Bin 0 -> 4639 bytes .../config/fproxy}/auth/tomcat_keystore | Bin .../config/rproxy}/auth/client-cert.p12 | Bin .../resources/config/rproxy/auth/org.onap.aai.p12 | Bin 0 -> 4158 bytes .../config/rproxy}/auth/tomcat_keystore | Bin .../aai/resources/config/rproxy/security/keyfile | 27 ++++++++++++++++ kubernetes/aai/templates/configmap.yaml | 30 ++++++++++++++++- 24 files changed, 143 insertions(+), 143 deletions(-) delete mode 100644 kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/tomcat_keystore delete mode 100644 kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/client-cert.p12 delete mode 100644 kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile delete mode 100644 kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/client-cert.p12 delete mode 100644 
kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/tomcat_keystore delete mode 100644 kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/security/keyfile rename kubernetes/aai/{charts/aai-gizmo/resources/fproxy/config => resources/config/fproxy}/auth/client-cert.p12 (100%) create mode 100644 kubernetes/aai/resources/config/fproxy/auth/fproxy_truststore rename kubernetes/aai/{charts/aai-gizmo/resources/fproxy/config => resources/config/fproxy}/auth/tomcat_keystore (100%) rename kubernetes/aai/{charts/aai-champ/resources/fproxy/config => resources/config/rproxy}/auth/client-cert.p12 (100%) create mode 100644 kubernetes/aai/resources/config/rproxy/auth/org.onap.aai.p12 rename kubernetes/aai/{charts/aai-champ/resources/rproxy/config => resources/config/rproxy}/auth/tomcat_keystore (100%) create mode 100644 kubernetes/aai/resources/config/rproxy/security/keyfile 
diff --git a/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/tomcat_keystore b/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/tomcat_keystore deleted file mode 100644 index f3ac0701a2286029795567d25498d3d2eb1e35ab..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3659 zcmb`JcU)7+7RPhbAe7KUhtR8VLlXrNq+@6TQdJNFvKmV09fATv1QA#Ziy%$Fg7hXu zKt(_Vq=-uurS~GJloxd0?!JBP^FE*V$J{$-=6vp)JLh-4Gkc4Bix3C|N^QXR#_d9M za`GaQG>Ig+?_D`h4<|1? z97{(WB<3G&K1Xsn-LrR^?bcV060;|USAS!CosumuhRp7Xrj@?ms1pr zuk6Zq&0E@roFu+d2)D3Sl?J3;R*U7vyYV>dk ze`=<*H(^^kNQHYLI`8RSUS#!IF~227R5kgfvfdxs8vdw{bwJf57Ta!)YysS5Oj24fXHn8?SC1{dD znH1<s=1gs;qH6y_4GYFh0fg&~&(Eve=U zwuaNYESYwWPrV|C&CEm&Bi5Yv0<-OiK2HIou;Kj|&NaS8knWoLXwgpkGx)Q28_Xgy zMAH22Z*Pnjm#2f#mu1FsGh7fdLpnwRqOXOu^YBfx*xF9~=x9;I)Ctr3skY>c?3mcN zMC9cpS@uY1y=2PU7!F&}ZK3%dxs;ib*SBv^daId+af@{}u|NVFP;nNuF`Mpo0d^&mg8GsM$t^r=%Qq8OGEJF~f+tq&sD6bVn!^5XOND!oLL z+PXA3-*zHiq2GOtS|TE2xrHJXTf%x|AxG5>5d#g^>Lis8c_IqxZz14TxuQ{({+6Q! 
z2y0pOk*ejs_SDR*i(^5@gPgDz6lk93)7pkh_STN5koYuN0h9f#Z7rSV8+|*MNC*k8 z;GqX*f^U?-qq!THYugrDg0Z|b46^30Ql|2)19K^-9wvbi#VlqLTE&Mm9jb-hAQ3d^ zqtXr5wjDr4g&tR*!#VwrWMS?B!KOvQ+dvuFguM)MdpJrxpeQj_HejIAJ7nnRhUZIh znK!37>d2OuIh|YW`eM^(V?(S1roFHV>A1bHTe}@zyLp|o=_wqAbi)Px7W}-QY>XzP z5*Zr~JM~|zfBmkkKBU4mbRv)mQQ4?hNo>?#`0EGf{AR`hb9b*u)#RvfO z2neW;qX$t)m=zq!2DP%lF@p351|0+3)I`e+hXxrAOnL@{sfCu79*!I2Jg{L5%2(AGMK0|hu4ajKvSsEkuqratYc<`Ga?5%-%3I{(LoghA|&h5kL~|0x(2 zkm*M-wBHYeLqrlt2893ogH-y%$N&?BI!*^A0{~=6>G~~LUD$BR_?cI)1u`i-xbsXr zL>@gMD|rs(U6sSLkuzL|g4RJrHmU|+hjuoU-j!>f$tbLSzGoO(9U>j<%6bWE=gO;g zrwF(2JggzsQv~t;Nh#ro=R&+&zT?HCF&mkP`Ovs%-PqAqLHY5VmsZ@CPb4htmK?%$ zIsI!w#~Awx93YO}gV)^m@+Ygb>IR{2Q`6h^C@zhxZsV`ir%u{>cW^@422?o}nk!D7 zav&DYNYQl5H_P8pxOsDN8|IV(+Yd6<%+0vaZ-owD1|=j)f=VtD@_Azl*z^o~LO4{& znL|VNWp)_L8{_J@iY{rU)A{#z13RnNtjgarLSX;|$RPuc)E#m7o_BsWI243{EJ&1N zi~$g{eF6aBa2OQX1SOo-%0DZX3_z&|KJ}|i0I+`$Ib!@r5Mpo)$d06?-UJW` z8W`|<4+=UTxU;|=Ksz#;NbvD-aw8lfdHPZHOy;59E}XpF<$TK8nZZ!vmYs)q?yPxrkeE@R=-o?juRJY)m3XFdIV zoJF;jen#zFz;3hrVnIoA!B3PhNs_hrk?CsZcUqlO(S9$I{cRjalZn8oqBlT-td~U!E-kp5wYjFl6H! z+62R<%1-(ZI;?Kk7Ti{<{yFX9oIU!!@bj;|)7_SS{n(%<$8@i9epu~I#`m7p8CWY~ z5R=@x6F58m*j8v(FCTpZjM8{=S7i2vkuu@z*Ip1ww@+|PqGf7;?^4y{! z$a>(wc2Lr^Ad>om0+4?!b0Fp~nt_q2KB-JS_??;r({mD(M+T_K02zD}p2gi%*S}3~ zq2kzsQ4@3rWqJ5&{kd=HD7IW25-V7xqt2FXF)9>4C4B}|858mFmf{Yr}nLWaf$`Is!`QeIjMUTExMiGd zS8ik+t&Fm-X%TZtJKgGQdVWS_o9@Og+p}4OCR0@+DsFfQqd8?@y8bETy0BDqRpI)P z+$(EopC$cOu-J~~6vk6KK80Sp%;F=Zw@O71CG!-^0W2{$3z;=pqm`CfA1=)sur(=< zgv-%Akb3ffKXw^|;?{tFQLq%=HrA8v+e^5=?uw}o8ta&s{PfYVuK$Z6mjjFInZi(` zA$^|E+_K>=e+A*x93Rx2lIV%-YQp_j6Tu?U^ug$1Kp!pSc=vfZGP0yt4SS>NDgF&%qq%IO_KfO sXQg0u{z})d^!K(al^fhw^Kuf+W$H9H4YW@B|03)e$NKDe-fKAiZ$`cB*#H0l 
diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/client-cert.p12 b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/client-cert.p12 deleted file mode 100644 index dbf4fcacecf190fb0244dce0d1b438e6fea4500d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2556 zcmY+EdpHw{8^>p6vvN1q+;S^Iwz0#F1O>%q@$`lt@_`#}p!mZsr!v zrA;)F+=b00##|C}&vBmT_dDk~f4tB8JfH9PegFKR2+$26A3ur!eGP_c+_bv6F3bnv zqY$7^K?G>QJ|?3G0>A$!5^w_%1YGv9lQ! z2xbYdREtLj!#tMeXTuU~Y}^mN=>q~m01yH6;iwV9rpF(${h@HJ?@grEMCee9ri-P) zwzE2^?>3>tjiqo5*=`e>dbXiy^X|@E0$!PKLudIJtgh4W8suwce{PMLt2sx-*UI6F z!=)~#bGYY1wTtBr?TXBfjP2}S>r)?dXjlH6NdFDxJivFEjLiGlmGFMS9SiW?*?m-# z6vbW7ozLnRpnP1x;1qCc*giY4axyE6+VS)Ztd?rL6ea=|uIDxv(Z78GS8#VoK1cJ8 z!FSDn*aO*Dx^Bf(*PeI%;F-7^_85~7(P(TNt(ZEztJE{opI(0q0k#DB4{pJ@<7p|) zpZtoQpC34>S1l`7lj$C)&u8Bd-;@;d-QOjbY?tfoBF&HJ^-Eb@v9|e~4pp?YJgza+-^?9hj4GbOZGiTk*` zAbxe_30a7E8x*F}ckf`o3;K=T_4}P|dc-SD@KbApw{&dRXeRFAiP&yTX{gAZtFhiU;|2D-kJHZr4^2}y z-yy;3?Oqd%Tw_%HZhrrHwr3!+%>6}3Z#<07>lT!6<@ucUdq}KG>~?qu!KmL5y8*bE zLav3Fm)&ApK@K!c7u`27&VN1E-;l89F>JcyJToKFXt1jFa!+dZZf`;1)h>Zi`b+$| zOatMJv&P|yQuXMBaP1FqCUN`b9IyHbW9vytIu}WAz32`X(@&jJe|%8_c9qTdYIHw z3fZtxHhk>d{+J@y6QH!L5;&97BmG4fersW56HO~_aff2xrb14q;B$h>Dl>!u-0^#3 zNM)Lp-+>qA%2{haKilb6wE~VGeF98WyTD%5*2t#3y@legMFULBxF@-nUq$W=S2R<) zI48ac)-CNcs?~L2;SJ0qALf6G&Rw5L^MCbG^vC>37XW*fZee2c>60$!G%;(z%l36t zVR3dNTR{B=kNDllFa+A>A}pnZyHmD?-})}8SjYUd6ghk(<8u1b8VN5Z(jz!uX<@xQ z?gc*Y;wbUR8lJ2rgmFlsgovS9poe; z%0J?oiYmm1E;^?_bV$$TeAa6(KcIHD^=++kgqXG4qb+YU#nLPjzn3`@-VW&ZQ;i&q zQ+=P9?vT$%MXeFKXZMQjXR(BZ77X~0DuFSsn@PzYuW*6-_qZ0DEnz99sZ)ti;* z%*hSuCsbrr8!5ub?T^D8^E{C%|5*w!^qc(G$nIGG>bz3GL;o&GkPg9Z*648Z&9>g4 zxgSFPB5mlK@GzB8nxxlmWRilyg#ccoTDp=D`f8@fW=Uharxj&N8gb2qChAMuxN-e` z@z=#64FA;6o|9IL_x#8ZI(1z(LlCrbIV;B|yf?ti?AILK$%L3pqW_gUAxcv+G_s$C z>&IhLG?_i%%Moj~pI!leKDom7$j?gD`J@t-uW%TSMtJ1I5Y>bsno58xjYj38Ok z#dww61flet6${l96L3ai^70CVZGPYGD<*B_QpKhmaPi`3gUVa&Rkow~faF)WiAIf{ 
zw!VVbLBOewjxYw*#ZPy-u+{ImT1YqQ$$b;6$<*anGHM4j&i57=^Z96?+pCw6>}QGd-<8Iza65dzA2s5Elcr`LwveyTFFUwuyNMqbe>8zPTb$EBtzuSv%NFNd5cYEh{uDhjr)({@X`vvX!;d%ccy~WAQpexeVZ|F3K zh+iEDrjnV#qVX%yh#DKUexv+rS0|4)+YYs{K9=l0;8pDe`nY>J&-|1qBOe zitqzv1OOly$@=nb#PO1w+DFZwsfNPY!%h`*Aebw;+{L0$LiiNyc&sYG#@NT=%=+JI F_zSHP#{>WX diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json index 2865e01cd6..ca34049ec2 100644 --- a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json +++ b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json @@ -82,18 +82,18 @@ "permissions": [ "test\\.auth\\.access\\|services\\|GET,PUT", "\\|services\\|GET" - ] + ] }, { "uri": "\/services\/inventory\/.*", "permissions": [ - "org\\.access\\|\\*\\|\\*" - ] + "org\\.onap\\.aai\\.resources\\|\\*\\|.*" + ] }, { - "uri": "\/services\/champ-service\/.*", - "permissions": [ - "org\\.access\\|\\*\\|\\*" - ] - } + "uri": "\/services\/champ-service\/.*", + "permissions": [ + "org\\.onap\\.aai\\.resources\\|\\*\\|.*" + ] + } ] diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties index 33daa73b67..1878a4de70 100644 --- a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties +++ b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties 
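Review bot: The new permission string `org\\.onap\\.aai\\.resources\\|\\*\\|.*` leaves the action field as an unescaped `.*` for both `/services/inventory/.*` and `/services/champ-service/.*`, where the old entry required the literal `*` action. How rproxy matches these strings is not visible in this hunk, but if they are evaluated as regular expressions, a caller holding any single action on that permission type would presumably be authorised for every request under these paths. If full access is the intent, keep the escaped form `org\\.onap\\.aai\\.resources\\|\\*\\|\\*`; otherwise narrow the action field to the actions these services actually need. The aai-gizmo copy of this file receives the same pattern. The `test\\.auth\\.access` entries in the context lines look like test fixtures and are worth checking before this config ships.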
@@ -9,13 +9,27 @@ #hostname=test.aic.cip.att.com cadi_loglevel=DEBUG -cadi_keyfile=/opt/app/rproxy/config/security/keyfile +# OAuth2 +aaf_oauth2_token_url=https://AAF_LOCATE_URL/AAF_NS.token:2.0/token +aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/AAF_NS.introspect:2.0/introspect + +cadi_latitude=37.78187 +cadi_longitude=-122.26147 + +# Locate URL (which AAF Env) +aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095 + +# AAF URL +aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:2.0 + +cadi_keyfile=/opt/app/rproxy/config/security/keyfile +cadi_keystore=/opt/app/rproxy/config/auth/org.onap.aai.p12 +cadi_keystore_password=enc:383RDJRFA6yQz9AOxUxC1iIg3xTJXityw05MswnpnEtelRQy2D4r5INQjrea7GTV +cadi_alias=aai@aai.onap.org cadi_truststore=/opt/app/rproxy/config/auth/tomcat_keystore cadi_truststore_password=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 -# Configure AAF -aaf_url=https://{{.Values.global.aaf.serverHostname}}:{{.Values.global.aaf.serverPort}} aaf_env=DEV aaf_id=demo@people.osaaf.org diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile deleted file mode 100644 index 6cd12fcfb4..0000000000 --- a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile +++ /dev/null 
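Review bot: `cadi_keystore_password=enc:…` is committed together with the keystore it unlocks (`org.onap.aai.p12`) and with the file `cadi_keyfile` points at. Per the diffstat both are created under `kubernetes/aai/resources/config/rproxy/` in this commit, so the `enc:` wrapping gives no confidentiality against anyone who can read the chart, assuming the keyfile is what protects `enc:` values. The block should say so, for example `# Demo credentials only: keystore, password and keyfile ship with this chart; supply your own through a Secret outside a lab`. The context lines also keep `cadi_loglevel=DEBUG` and `aaf_id=demo@people.osaaf.org`. rproxy still uses `tomcat_keystore` as its truststore, although the commit gives fproxy a separate one. The aai-gizmo `cadi.properties` hunk adds the same lines.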
@@ -1,27 +0,0 @@ -bZNOXiGDJ2_eiKBKWYLIFx27URvb-SWfmOl2d-QKetcVKIupOrsG-ScS_VXOtKN3Yxfb2cR6t7oM -1RNpDnhsKAxDLM6A62IkS_h_Rp3Q9c2JeyomVmyiuHR7a2ARbelaMrX8WDrxXI_t9ce4pIHDVE29 -xiQm3Bdp7d7IiKkgg-ipvOU7Y6NEzeQbvHlHvRTJ3ZZMSwHxBOA5M8DhKN-AF1sqwozEVaNAuJxK -BVdh72A6KTW7ieb_GvVQQp8h32BuOz8oJhZV7KaGXsWTEvXg9ImboY0h7Sl9hufgn1ZtDK1jxzGm -6O6LBg1qezzZaFGTXRmHvaeYmEeYSu0bGsU4x-JCU0RyhNTzFhkhjNoccaqPXBdcJymLf096mD99 -QLS8nyji_KtLQJL1fqr500c8p6SOURLPgG6Gzkn4ghgFYlfgve92xs1R3ggHKhNTLV4HJ4O6iSDm -zCoHeRbsZR1JER9yxT-v8NtcHOMAZe1oDQeY6jVyxb-bhaonN6eZPI4nyF6MHJQtWKhGARC_kOs6 -x9E0ZdAEp5TrX7F7J5PwkXzbCOuSiTVftOBum43iUB4q9He8tn2tJ0X4LtLHT3bPl16wWnZm9RPf -8wBtTJh4QP_cTStPq1ftSaLIAuqVFpbiC2DxGemXZn3QvykuYqa-rKeYPoIJ5dtWd5rNb_hhcSIz -FakKTELb0HWYGji98TBF6PaStea2f2m-wGX_uQGD7_Dijl6AgnV9koKVs1bN1XljLtNMPbLdD8sz -UCvc5lwvCFyyeunljI7os1fgwBmaMyckflq5VfZv9kFxom6jFLbcozylQ_uBg4j7oCP79IXVUI-r -banZltOSmm8zHGc2R9UlUyxJWBi01yxwi1hUtn9g1H4RtncQpu3BY0Qvu5YLAmS5imivUnGVZWbv -6wcqnJt5HwaVatE9NHONSLNTViQPsUOutWZBZxhJtAncdZuWOYZSh4TPzUJWvt6zT0E3YMBc_UuG -yPmdLyqo7qGHR8YWRqq_vq6ISJqENMnVD6X9-BeI6KM4GPEAlDWyhgENXxQFjG45ufg3UpP8LBTB -xDntlfkphRumsd13-8IlvwVtlpgnbuCMbwP_-lNVeNJcdA1InPt79oY-SEVZ-RVM1881ZASCnFeB -lh3BTc_bGQ8YoC9s6iHtcCK_1SdbwzBfQBJUqqcYsa8hJLe-j8di7KCaFzI3a-UXWKuuWljpbKbq -ibd48UFJt_34_GxkD6bmLxycuNH-og2Sd2VcYU0o5UarcrY4-2sgFPE7Mzxovrl98uayfgNF9DqE -fJ4MwFGqLRtEHlm4zfuMxQ5Rh_giMUHDJApc1DYRkxdGbNUd4bC4aRBln2IhN-rNKbSVtiW_uT6v -1KTMGmElvktjPWybJd2SvhT5qOLUM81-cmZzAsNa04jxZLBlQn_1fel3IroVos4Ohbdhar2NG6T5 -liten9RZ9P4Cg9RWhgeQonAD5kqLWXAHnCfffb5CVcAU5PHqkCgCbdThvD0-zIGETLO9AE0jKISc -0o67CUZn3MzJ9pP_3gh-ALr2w-KAwqasqCf0igf1wmEDijv9wEDcgDm39ERIElTpGKgfyuVl4F8u -PrpK5ZfpUYySUB6CZFQVVz0MvH6E7orQk4dCKFIimV_XwEtGijBttrTvyV6xYNScAEw_olt-0mdm -8UEKSsuqSyDMxUWLjKJT19rNedahYJNtI87WR9Fhhjsrai9Or3a-srOYa56wcvSj2ZHbkevbO9Xv -dQ2wzWCGEAMQSpSr83n0XEpR2pZT19Z19Svbhr08mnt2JNykCk60FLCeDTUOylJtYw6YOjqBizQZ --85B51BCbSEaAKJkgT9-8n_-LGW5aPBrBB_9FT7UIYczNEt3B1Lqr2s4ipPI_36JecEfqaS2cNLn 
-c0ObAtNGAONkhO5LYLneMR3fZPMFuOX1-rMObPgE0i9dYqWDZ_30w9rpRsmiWyxYi5lvWDxU5L1J -uJxwREz3oa_VgpSC3Y2oxCufdQwzBk57iVLDOb1qs_Hwj1SWd1nukWyAo2-g5sR1folAEcao \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-champ/templates/deployment.yaml b/kubernetes/aai/charts/aai-champ/templates/deployment.yaml index aa9157fe47..537763a6db 100644 --- a/kubernetes/aai/charts/aai-champ/templates/deployment.yaml +++ b/kubernetes/aai/charts/aai-champ/templates/deployment.yaml @@ -31,12 +31,6 @@ spec: app: {{ include "common.name" . }} release: {{ .Release.Name }} spec: - {{ if .Values.global.installSidecarSecurity }} - hostAliases: - - ip: {{ .Values.global.aaf.serverIp }} - hostnames: - - {{ .Values.global.aaf.serverHostname }} - {{ end }} initContainers: - command: - /root/ready.py @@ -163,18 +157,18 @@ spec: - name: {{ include "common.fullname" . }}-rproxy-log-config mountPath: /opt/app/rproxy/config/logback-spring.xml subPath: logback-spring.xml - - name: {{ include "common.fullname" . }}-rproxy-auth-config + - name: {{ include "common.fullname" . }}-rproxy-auth-certs mountPath: /opt/app/rproxy/config/auth/tomcat_keystore subPath: tomcat_keystore - - name: {{ include "common.fullname" . }}-rproxy-auth-config + - name: {{ include "common.fullname" . }}-rproxy-auth-certs mountPath: /opt/app/rproxy/config/auth/client-cert.p12 subPath: client-cert.p12 + - name: {{ include "common.fullname" . }}-rproxy-auth-certs + mountPath: /opt/app/rproxy/config/auth/org.onap.aai.p12 + subPath: org.onap.aai.p12 - name: {{ include "common.fullname" . }}-rproxy-auth-config mountPath: /opt/app/rproxy/config/auth/uri-authorization.json subPath: uri-authorization.json - #- name: {{ include "common.fullname" . }}-rproxy-auth-config - # mountPath: /opt/app/rproxy/config/auth/aaf_truststore.jks - # subPath: aaf_truststore.jks - name: {{ include "common.fullname" . }}-rproxy-security-config mountPath: /opt/app/rproxy/config/security/keyfile subPath: keyfile 
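Review bot: The three `-rproxy-auth-certs` mounts in the second hunk use `subPath`, and Kubernetes does not propagate Secret updates into subPath mounts. Rotating `org.onap.aai.p12`, `client-cert.p12` or `tomcat_keystore` in the shared Secret will therefore not reach running rproxy containers until the pods are restarted. Because the certificates are now centralised for several charts, that is worth stating next to the mounts, e.g. `# subPath mounts do not receive Secret updates; restart the pods after rotating these certificates`. The visible mounts also do not set `readOnly: true`, which would make the intent explicit for key material. The container spec starts and ends outside this hunk, and the same mounts are added for fproxy and in the aai-gizmo deployment.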
@@ -189,7 +183,9 @@ spec: - name: CONFIG_HOME value: "/opt/app/fproxy/config" - name: KEY_STORE_PASSWORD - value: {{ .Values.config.keyStorePassword }} + value: {{ .Values.config.keyStorePassword }} + - name: TRUST_STORE_PASSWORD + value: {{ .Values.config.trustStorePassword }} - name: spring_profiles_active value: {{ .Values.global.fproxy.activeSpringProfiles }} volumeMounts: @@ -199,10 +195,13 @@ spec: - name: {{ include "common.fullname" . }}-fproxy-log-config mountPath: /opt/app/fproxy/config/logback-spring.xml subPath: logback-spring.xml - - name: {{ include "common.fullname" . }}-fproxy-auth-config + - name: {{ include "common.fullname" . }}-fproxy-auth-certs mountPath: /opt/app/fproxy/config/auth/tomcat_keystore subPath: tomcat_keystore - - name: {{ include "common.fullname" . }}-fproxy-auth-config + - name: {{ include "common.fullname" . }}-fproxy-auth-certs + mountPath: /opt/app/fproxy/config/auth/fproxy_truststore + subPath: fproxy_truststore + - name: {{ include "common.fullname" . }}-fproxy-auth-certs mountPath: /opt/app/fproxy/config/auth/client-cert.p12 subPath: client-cert.p12 ports: 
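Review bot: `TRUST_STORE_PASSWORD` is rendered straight from `.Values.config.trustStorePassword` into the pod spec, so anyone allowed to read the Deployment or pod objects can read it. The default added in values.yaml is the same `OBF:` string already used for the key store and key manager passwords. `OBF:` is an obfuscation format rather than encryption, so the value should be handled as cleartext. Sourcing the variable from a Secret keeps it out of the rendered manifest, and the existing `KEY_STORE_PASSWORD` entry above it follows the same pattern and could move with it. The env list starts and ends outside the hunk, and the aai-gizmo deployment adds the identical entry.

```yaml
# … unchanged: CONFIG_HOME and KEY_STORE_PASSWORD entries …
- name: TRUST_STORE_PASSWORD
  valueFrom:
    secretKeyRef:
      # placeholder names: point these at the Secret that holds the password
      name: <TRUSTSTORE_PASSWORD_SECRET>
      key: <TRUSTSTORE_PASSWORD_KEY>
# … unchanged: spring_profiles_active …
```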
@@ -251,18 +250,21 @@ spec: - name: {{ include "common.fullname" . }}-rproxy-auth-config secret: secretName: {{ include "common.fullname" . }}-rproxy-auth-config + - name: {{ include "common.fullname" . }}-rproxy-auth-certs + secret: + secretName: aai-rproxy-auth-certs - name: {{ include "common.fullname" . }}-rproxy-security-config secret: - secretName: {{ include "common.fullname" . }}-rproxy-security-config + secretName: aai-rproxy-security-config - name: {{ include "common.fullname" . }}-fproxy-config configMap: name: {{ include "common.fullname" . }}-fproxy-config - name: {{ include "common.fullname" . }}-fproxy-log-config configMap: name: {{ include "common.fullname" . }}-fproxy-log-config - - name: {{ include "common.fullname" . }}-fproxy-auth-config + - name: {{ include "common.fullname" . }}-fproxy-auth-certs secret: - secretName: {{ include "common.fullname" . }}-fproxy-auth-config + secretName: aai-fproxy-auth-certs {{ end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aai/charts/aai-champ/templates/secrets.yaml b/kubernetes/aai/charts/aai-champ/templates/secrets.yaml index a0a1519c26..b0a62f63f6 100644 --- a/kubernetes/aai/charts/aai-champ/templates/secrets.yaml +++ b/kubernetes/aai/charts/aai-champ/templates/secrets.yaml 
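Review bot: The three new `secretName` values (`aai-rproxy-auth-certs`, `aai-rproxy-security-config`, `aai-fproxy-auth-certs`) are fixed strings, while the other volumes visible here derive their names from `common.fullname`. The objects that create these Secrets are not in this hunk (presumably `kubernetes/aai/templates/configmap.yaml`, per the diffstat). If that template names them from the release, the pod will wait on a missing Secret. If the names are literal there too, two releases in one namespace will share or overwrite the same key material. Consider deriving the name from a shared value, or at least record the coupling with `# created by the parent aai chart; the name must match its Secret template`. The volumes list starts outside the hunk, and the aai-gizmo deployment carries the same three references.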
@@ -41,28 +41,10 @@ data: --- apiVersion: v1 kind: Secret -metadata: - name: {{ include "common.fullname" . }}-fproxy-auth-config - namespace: {{ include "common.namespace" . }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/fproxy/config/auth/*").AsSecrets . | indent 2 }} ---- -apiVersion: v1 -kind: Secret metadata: name: {{ include "common.fullname" . }}-rproxy-auth-config namespace: {{ include "common.namespace" . }} type: Opaque data: {{ tpl (.Files.Glob "resources/rproxy/config/auth/*").AsSecrets . | indent 2 }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-rproxy-security-config - namespace: {{ include "common.namespace" . }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/rproxy/config/security/*").AsSecrets . | indent 2 }} {{ end }} \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-champ/values.yaml b/kubernetes/aai/charts/aai-champ/values.yaml index b865b0050e..b1ce34dd1d 100644 --- a/kubernetes/aai/charts/aai-champ/values.yaml +++ b/kubernetes/aai/charts/aai-champ/values.yaml @@ -33,6 +33,7 @@ flavor: small config: keyStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 keyManagerPassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 + trustStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 # default number of instances replicaCount: 1 
diff --git a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/client-cert.p12 b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/client-cert.p12 deleted file mode 100644 index dbf4fcacecf190fb0244dce0d1b438e6fea4500d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2556 zcmY+EdpHw{8^>p6vvN1q+;S^Iwz0#F1O>%q@$`lt@_`#}p!mZsr!v zrA;)F+=b00##|C}&vBmT_dDk~f4tB8JfH9PegFKR2+$26A3ur!eGP_c+_bv6F3bnv zqY$7^K?G>QJ|?3G0>A$!5^w_%1YGv9lQ! z2xbYdREtLj!#tMeXTuU~Y}^mN=>q~m01yH6;iwV9rpF(${h@HJ?@grEMCee9ri-P) zwzE2^?>3>tjiqo5*=`e>dbXiy^X|@E0$!PKLudIJtgh4W8suwce{PMLt2sx-*UI6F z!=)~#bGYY1wTtBr?TXBfjP2}S>r)?dXjlH6NdFDxJivFEjLiGlmGFMS9SiW?*?m-# z6vbW7ozLnRpnP1x;1qCc*giY4axyE6+VS)Ztd?rL6ea=|uIDxv(Z78GS8#VoK1cJ8 z!FSDn*aO*Dx^Bf(*PeI%;F-7^_85~7(P(TNt(ZEztJE{opI(0q0k#DB4{pJ@<7p|) zpZtoQpC34>S1l`7lj$C)&u8Bd-;@;d-QOjbY?tfoBF&HJ^-Eb@v9|e~4pp?YJgza+-^?9hj4GbOZGiTk*` zAbxe_30a7E8x*F}ckf`o3;K=T_4}P|dc-SD@KbApw{&dRXeRFAiP&yTX{gAZtFhiU;|2D-kJHZr4^2}y z-yy;3?Oqd%Tw_%HZhrrHwr3!+%>6}3Z#<07>lT!6<@ucUdq}KG>~?qu!KmL5y8*bE zLav3Fm)&ApK@K!c7u`27&VN1E-;l89F>JcyJToKFXt1jFa!+dZZf`;1)h>Zi`b+$| zOatMJv&P|yQuXMBaP1FqCUN`b9IyHbW9vytIu}WAz32`X(@&jJe|%8_c9qTdYIHw z3fZtxHhk>d{+J@y6QH!L5;&97BmG4fersW56HO~_aff2xrb14q;B$h>Dl>!u-0^#3 zNM)Lp-+>qA%2{haKilb6wE~VGeF98WyTD%5*2t#3y@legMFULBxF@-nUq$W=S2R<) zI48ac)-CNcs?~L2;SJ0qALf6G&Rw5L^MCbG^vC>37XW*fZee2c>60$!G%;(z%l36t zVR3dNTR{B=kNDllFa+A>A}pnZyHmD?-})}8SjYUd6ghk(<8u1b8VN5Z(jz!uX<@xQ z?gc*Y;wbUR8lJ2rgmFlsgovS9poe; z%0J?oiYmm1E;^?_bV$$TeAa6(KcIHD^=++kgqXG4qb+YU#nLPjzn3`@-VW&ZQ;i&q zQ+=P9?vT$%MXeFKXZMQjXR(BZ77X~0DuFSsn@PzYuW*6-_qZ0DEnz99sZ)ti;* z%*hSuCsbrr8!5ub?T^D8^E{C%|5*w!^qc(G$nIGG>bz3GL;o&GkPg9Z*648Z&9>g4 zxgSFPB5mlK@GzB8nxxlmWRilyg#ccoTDp=D`f8@fW=Uharxj&N8gb2qChAMuxN-e` z@z=#64FA;6o|9IL_x#8ZI(1z(LlCrbIV;B|yf?ti?AILK$%L3pqW_gUAxcv+G_s$C z>&IhLG?_i%%Moj~pI!leKDom7$j?gD`J@t-uW%TSMtJ1I5Y>bsno58xjYj38Ok z#dww61flet6${l96L3ai^70CVZGPYGD<*B_QpKhmaPi`3gUVa&Rkow~faF)WiAIf{ 
zw!VVbLBOewjxYw*#ZPy-u+{ImT1YqQ$$b;6$<*anGHM4j&i57=^Z96?+pCw6>}QGd-<8Iza65dzA2s5Elcr`LwveyTFFUwuyNMqbe>8zPTb$EBtzuSv%NFNd5cYEh{uDhjr)({@X`vvX!;d%ccy~WAQpexeVZ|F3K zh+iEDrjnV#qVX%yh#DKUexv+rS0|4)+YYs{K9=l0;8pDe`nY>J&-|1qBOe zitqzv1OOly$@=nb#PO1w+DFZwsfNPY!%h`*Aebw;+{L0$LiiNyc&sYG#@NT=%=+JI F_zSHP#{>WX 
diff --git a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/tomcat_keystore b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/tomcat_keystore deleted file mode 100644 index 99129c145f6069a2038983022d440917e1b61fd5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3594 zcmcJRc{mhY-^XXhSjUpazJ!#eGG+|f8A7s0ma=55qb%7a!eozZ*}~YeQ-&e?zGWFC zM8=XOB^22;9^Lo-+}Hg)@B7dD$NR^*&iS7GI@kC2J0J2oc^v=%fc`GDXtaZuy{DHg z8UO&=fA~hz1)wy8Nx@|S07_LjmQo3hr4Y)Y00BWDS^)0VdRq~(CJW9$MSCe+GklK$ z2!v1q;8zfgaC#~VV=#oCQr}2LMFYVAhy2!b^k98G6$1nWPWxL@K|#hw@N?`82pPB} zTnZtHkdlzO!_I(|fg_QKzvTaMH!SGOaM3*LK+jVuV%5^l*4uhB`dQ$Ki3n*i!ELLq zNB-zZdNyh)0`W*Kff2eh&+RIpA!;|N8`{-xHuf;0c%#PH|en8Gm;$ z{q6vt21xinZFm|Lr#1uvl==EFul=%hE0wt%(F!eMhJC%%_sANRQnQh+f=F@VcG?(4 znlF{hAv2vaVNRW2#-Ht>q)9CwY_@ppZn0ZR;#vxfqppoAd)4ZXaY4BipOk&I9 z=j*QA^?@wy4u{m8SMd1shl8v#^5(q9K`yu3h1#-yrMxQ!=eT>$a(ep3WMo#Tqw|ln z`Ufl9EYwSKapusZfs19qUr-%g5_8q=55fqIbu#?jPv_z;ge@7wGAsM#WEXA`$Ne6y z-tUX!D4Q&g&hoA4Jm()JWUTeNzFGVFpql{jM_;YRSSsV3Z`7_-0~eT}^D;Z)9_6Kg zNAg1w0V0+YOpHHCyYs=U%VA=7X2FzrUstqJn^8i%Y!a&SMdhGhHZi6OXLmRP$lB#Ze3+nNe7;l%Ps7Y3AEqyCoB^M+ zHs4J;@vwV`pXOO0fXd6w#TM;#+BC<5cf?LJD+rDSlTZCacbN(Z23`U&15fi77z_T2 zAkWW{G|#fB#6kOgzTTIfqLqS|Lyq|P7GB~iEZ69=%Zr9YbeLx*K9hUU+GBpB*~z%!~52GYEGn6&UV(ewMvF{DMP75-~$5MKNdl0~xGRmC}FV%wW|^ zs*JA1&*#Jm%$?_Z995=;-ij`@gP@nsmAO1O~~n*DCF zyPx$bEmOPG*84fmdyMjxB=NDtT)xh#gmtgSsNF5($yQQZd}yQ+#sWfW?JGQ>X3uM` zO9@?}8PWc{8VYg1JZSVwmraXyzVc}F5zpvugX=(cYwXZB4U2X98r1S!E6J%LDAv*7 zy_{!wz%rxJmjUo3$Pt)|X6Pp+x19$If{Thsdj=v61y7m3M++YSt^U{4NyT zUpPO~aL>$gUspwb!S~KgcLQy!ec+q`$I&iVtnWO-FgjI01WzUcOh{|2x zesVZJzVQ+C0#6st;Q@X9VmB=``=`mi44J)dm`-nP$?pZ@Rn|7jA1R!lu1mlEz}4~I z#uHDMP8e(i4aR+LvKqDjYVNW^zB#+Mm4dhdVD4NUkngj9tX`n}4CgJO*1Q0JK6|$B zI@sxi%d?sVFF(n{l8;oFa@;l%^^Lg<@NaBO_#tS)%br_5f8g;5yIoj+ZnyBU~+#`!&iX#L30bl$pe|(jTdSVc2Q6OiSs3RX+ zF^OV7N)w(an-PoL*F}a^O5EWr%l4;lz48RtzF$%G>aN}=NSk9~ zsdlyZD`)vGI-+8w8%l%UQb-!ZKr)Xi`Ld$cEs;b*Ss{)$GZV@-`r(F?fSC7)N?N4$KC*7a=NKf8e 
zq({9-7;n;E~hWWA2n1xDDTF^Xx{kN=jy9RaGs%Wfo&5y*c%;&b z#8>hNB>ku>JMZ_&Bf+}E=_InK;oL#1ToxIURyve{jj2RBChN67X???E(wMP!J7fzY z%e~99&1?mkDgJSPe8yUbQ?zHwg42D0q90gzFDY$4kDy-^a+A!$>Ml*1=0R=m%kYfl zZxNrIblXUB$uG+doRp-d(kVsH`@0_Bio2>Sr*x?q`L(nC8tm;$7u!*j*eBxgZDkq< zw+(~2swxR!=L7?)Ro*FCCzm$I>#W!Fb+m3mJib3?E1!NqkpiQhyX$k%!pVq%2;l-& zx+sjl4vA@%cCNn7f0C4Gom_Xzu&hJsPmU9S^ZkS4K785_lOLrKt$lpnHM+I@Q!I!{ z?7v(?@%!y8R&2B%F0%~c=o_xuW~1KCG;Zp67(sC~zNWAAeJzJ}_QFTKpwxk*F)Ogu zoq_&iMZY7r6JXhA@tndH;n>VA-bsO9VkMI;Az}FOz#$;|`>-x3cJt;)p$s*zYD@F4 zSOsNf(Ty8`euW2)+1*t@ajmf)bW4rlWgIU_Z=J!sVn^NWepjZCm`}s|w%hrUDQl2? zpZ7bsio*~5-)KiDBP6A#L5PM{I3VmfAo#ED|f?w@Kyf7HbYn>c( zqR_o}V5!$RE+HXZ1m!#b_^!XbAa3Uo%`~l#ju5U%NLh7Btr0s#J-#BZDg5B^JbR`h bHA4n}c7Wg6kSx#03G;5$(TcY1CK35B0yZ&e diff --git a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/uri-authorization.json b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/uri-authorization.json index e468b3d7bd..54d5de2721 100644 --- a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/uri-authorization.json +++ b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/uri-authorization.json @@ -82,18 +82,18 @@ "permissions": [ "test\\.auth\\.access\\|services\\|GET,PUT", "\\|services\\|GET" - ] + ] }, { "uri": "\/services\/inventory\/.*", "permissions": [ - "org\\.access\\|\\*\\|\\*" - ] + "org\\.onap\\.aai\\.resources\\|\\*\\|.*" + ] }, { "uri": "\/services\/gizmo\/.*", "permissions": [ - "org\\.access\\|\\*\\|\\*" - ] + "org\\.onap\\.aai\\.resources\\|\\*\\|.*" + ] } ] diff --git a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/cadi.properties b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/cadi.properties index a82e38caf6..51ac56a88d 100644 --- a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/cadi.properties +++ b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/cadi.properties 
@@ -9,17 +9,31 @@ #hostname=test.aic.cip.att.com cadi_loglevel=DEBUG -cadi_keyfile=/opt/app/rproxy/config/security/keyfile +# OAuth2 +aaf_oauth2_token_url=https://AAF_LOCATE_URL/AAF_NS.token:2.0/token +aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/AAF_NS.introspect:2.0/introspect + +cadi_latitude=37.78187 +cadi_longitude=-122.26147 + +# Locate URL (which AAF Env) +aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095 + +# AAF URL +aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:2.0 + +cadi_keyfile=/opt/app/rproxy/config/security/keyfile +cadi_keystore=/opt/app/rproxy/config/auth/org.onap.aai.p12 +cadi_keystore_password=enc:383RDJRFA6yQz9AOxUxC1iIg3xTJXityw05MswnpnEtelRQy2D4r5INQjrea7GTV +cadi_alias=aai@aai.onap.org cadi_truststore=/opt/app/rproxy/config/auth/tomcat_keystore cadi_truststore_password=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 -# Configure AAF -aaf_url=https://{{.Values.global.aaf.serverHostname}}:{{.Values.global.aaf.serverPort}} aaf_env=DEV aaf_id=demo@people.osaaf.org aaf_password=enc:92w4px0y_rrm265LXLpw58QnNPgDXykyA1YTrflbAKz # This is a colon separated list of client cert issuers -cadi_x509_issuers=CN=ONAP, OU=ONAP, O=ONAP, L=Ottawa, ST=Ontario, C=CA +cadi_x509_issuers=CN=ONAP, OU=ONAP, O=ONAP, L=Ottawa, ST=Ontario, C=CA \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/security/keyfile b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/security/keyfile deleted file mode 100644 index 6cd12fcfb4..0000000000 --- a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/security/keyfile +++ /dev/null 
@@ -1,27 +0,0 @@ -bZNOXiGDJ2_eiKBKWYLIFx27URvb-SWfmOl2d-QKetcVKIupOrsG-ScS_VXOtKN3Yxfb2cR6t7oM -1RNpDnhsKAxDLM6A62IkS_h_Rp3Q9c2JeyomVmyiuHR7a2ARbelaMrX8WDrxXI_t9ce4pIHDVE29 -xiQm3Bdp7d7IiKkgg-ipvOU7Y6NEzeQbvHlHvRTJ3ZZMSwHxBOA5M8DhKN-AF1sqwozEVaNAuJxK -BVdh72A6KTW7ieb_GvVQQp8h32BuOz8oJhZV7KaGXsWTEvXg9ImboY0h7Sl9hufgn1ZtDK1jxzGm -6O6LBg1qezzZaFGTXRmHvaeYmEeYSu0bGsU4x-JCU0RyhNTzFhkhjNoccaqPXBdcJymLf096mD99 -QLS8nyji_KtLQJL1fqr500c8p6SOURLPgG6Gzkn4ghgFYlfgve92xs1R3ggHKhNTLV4HJ4O6iSDm -zCoHeRbsZR1JER9yxT-v8NtcHOMAZe1oDQeY6jVyxb-bhaonN6eZPI4nyF6MHJQtWKhGARC_kOs6 -x9E0ZdAEp5TrX7F7J5PwkXzbCOuSiTVftOBum43iUB4q9He8tn2tJ0X4LtLHT3bPl16wWnZm9RPf -8wBtTJh4QP_cTStPq1ftSaLIAuqVFpbiC2DxGemXZn3QvykuYqa-rKeYPoIJ5dtWd5rNb_hhcSIz -FakKTELb0HWYGji98TBF6PaStea2f2m-wGX_uQGD7_Dijl6AgnV9koKVs1bN1XljLtNMPbLdD8sz -UCvc5lwvCFyyeunljI7os1fgwBmaMyckflq5VfZv9kFxom6jFLbcozylQ_uBg4j7oCP79IXVUI-r -banZltOSmm8zHGc2R9UlUyxJWBi01yxwi1hUtn9g1H4RtncQpu3BY0Qvu5YLAmS5imivUnGVZWbv -6wcqnJt5HwaVatE9NHONSLNTViQPsUOutWZBZxhJtAncdZuWOYZSh4TPzUJWvt6zT0E3YMBc_UuG -yPmdLyqo7qGHR8YWRqq_vq6ISJqENMnVD6X9-BeI6KM4GPEAlDWyhgENXxQFjG45ufg3UpP8LBTB -xDntlfkphRumsd13-8IlvwVtlpgnbuCMbwP_-lNVeNJcdA1InPt79oY-SEVZ-RVM1881ZASCnFeB -lh3BTc_bGQ8YoC9s6iHtcCK_1SdbwzBfQBJUqqcYsa8hJLe-j8di7KCaFzI3a-UXWKuuWljpbKbq -ibd48UFJt_34_GxkD6bmLxycuNH-og2Sd2VcYU0o5UarcrY4-2sgFPE7Mzxovrl98uayfgNF9DqE -fJ4MwFGqLRtEHlm4zfuMxQ5Rh_giMUHDJApc1DYRkxdGbNUd4bC4aRBln2IhN-rNKbSVtiW_uT6v -1KTMGmElvktjPWybJd2SvhT5qOLUM81-cmZzAsNa04jxZLBlQn_1fel3IroVos4Ohbdhar2NG6T5 -liten9RZ9P4Cg9RWhgeQonAD5kqLWXAHnCfffb5CVcAU5PHqkCgCbdThvD0-zIGETLO9AE0jKISc -0o67CUZn3MzJ9pP_3gh-ALr2w-KAwqasqCf0igf1wmEDijv9wEDcgDm39ERIElTpGKgfyuVl4F8u -PrpK5ZfpUYySUB6CZFQVVz0MvH6E7orQk4dCKFIimV_XwEtGijBttrTvyV6xYNScAEw_olt-0mdm -8UEKSsuqSyDMxUWLjKJT19rNedahYJNtI87WR9Fhhjsrai9Or3a-srOYa56wcvSj2ZHbkevbO9Xv -dQ2wzWCGEAMQSpSr83n0XEpR2pZT19Z19Svbhr08mnt2JNykCk60FLCeDTUOylJtYw6YOjqBizQZ --85B51BCbSEaAKJkgT9-8n_-LGW5aPBrBB_9FT7UIYczNEt3B1Lqr2s4ipPI_36JecEfqaS2cNLn 
-c0ObAtNGAONkhO5LYLneMR3fZPMFuOX1-rMObPgE0i9dYqWDZ_30w9rpRsmiWyxYi5lvWDxU5L1J -uJxwREz3oa_VgpSC3Y2oxCufdQwzBk57iVLDOb1qs_Hwj1SWd1nukWyAo2-g5sR1folAEcao \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-gizmo/templates/deployment.yaml b/kubernetes/aai/charts/aai-gizmo/templates/deployment.yaml index 0a30388279..ba90fdc76b 100644 --- a/kubernetes/aai/charts/aai-gizmo/templates/deployment.yaml +++ b/kubernetes/aai/charts/aai-gizmo/templates/deployment.yaml @@ -32,11 +32,6 @@ spec: release: {{ .Release.Name }} spec: {{ if .Values.global.installSidecarSecurity }} - hostAliases: - - ip: {{ .Values.global.aaf.serverIp }} - hostnames: - - {{ .Values.global.aaf.serverHostname }} - initContainers: - name: {{ .Values.global.tproxyConfig.name }} image: "{{ include "common.repository" . }}/{{ .Values.global.tproxyConfig.image }}" 
@@ -154,18 +149,18 @@ spec: - name: {{ include "common.fullname" . }}-rproxy-log-config mountPath: /opt/app/rproxy/config/logback-spring.xml subPath: logback-spring.xml - - name: {{ include "common.fullname" . }}-rproxy-auth-config + - name: {{ include "common.fullname" . }}-rproxy-auth-certs mountPath: /opt/app/rproxy/config/auth/tomcat_keystore subPath: tomcat_keystore - - name: {{ include "common.fullname" . }}-rproxy-auth-config + - name: {{ include "common.fullname" . }}-rproxy-auth-certs mountPath: /opt/app/rproxy/config/auth/client-cert.p12 subPath: client-cert.p12 + - name: {{ include "common.fullname" . }}-rproxy-auth-certs + mountPath: /opt/app/rproxy/config/auth/org.onap.aai.p12 + subPath: org.onap.aai.p12 - name: {{ include "common.fullname" . }}-rproxy-auth-config mountPath: /opt/app/rproxy/config/auth/uri-authorization.json subPath: uri-authorization.json - - name: {{ include "common.fullname" . }}-rproxy-auth-config - mountPath: /opt/app/rproxy/config/auth/aaf_truststore.jks - subPath: aaf_truststore.jks - name: {{ include "common.fullname" . }}-rproxy-security-config mountPath: /opt/app/rproxy/config/security/keyfile subPath: keyfile @@ -181,6 +176,8 @@ spec: value: "/opt/app/fproxy/config" - name: KEY_STORE_PASSWORD value: {{ .Values.config.keyStorePassword }} + - name: TRUST_STORE_PASSWORD + value: {{ .Values.config.trustStorePassword }} - name: spring_profiles_active value: {{ .Values.global.fproxy.activeSpringProfiles }} volumeMounts: 
@@ -190,10 +187,13 @@ spec: - name: {{ include "common.fullname" . }}-fproxy-log-config mountPath: /opt/app/fproxy/config/logback-spring.xml subPath: logback-spring.xml - - name: {{ include "common.fullname" . }}-fproxy-auth-config + - name: {{ include "common.fullname" . }}-fproxy-auth-certs mountPath: /opt/app/fproxy/config/auth/tomcat_keystore subPath: tomcat_keystore - - name: {{ include "common.fullname" . }}-fproxy-auth-config + - name: {{ include "common.fullname" . }}-fproxy-auth-certs + mountPath: /opt/app/fproxy/config/auth/fproxy_truststore + subPath: fproxy_truststore + - name: {{ include "common.fullname" . }}-fproxy-auth-certs mountPath: /opt/app/fproxy/config/auth/client-cert.p12 subPath: client-cert.p12 ports: @@ -245,18 +245,21 @@ spec: - name: {{ include "common.fullname" . }}-rproxy-auth-config secret: secretName: {{ include "common.fullname" . }}-rproxy-auth-config + - name: {{ include "common.fullname" . }}-rproxy-auth-certs + secret: + secretName: aai-rproxy-auth-certs - name: {{ include "common.fullname" . }}-rproxy-security-config secret: - secretName: {{ include "common.fullname" . }}-rproxy-security-config + secretName: aai-rproxy-security-config - name: {{ include "common.fullname" . }}-fproxy-config configMap: name: {{ include "common.fullname" . }}-fproxy-config - name: {{ include "common.fullname" . }}-fproxy-log-config configMap: name: {{ include "common.fullname" . }}-fproxy-log-config - - name: {{ include "common.fullname" . }}-fproxy-auth-config + - name: {{ include "common.fullname" . }}-fproxy-auth-certs secret: - secretName: {{ include "common.fullname" . }}-fproxy-auth-config + secretName: aai-fproxy-auth-certs {{ end }} imagePullSecrets: diff --git a/kubernetes/aai/charts/aai-gizmo/templates/secrets.yaml b/kubernetes/aai/charts/aai-gizmo/templates/secrets.yaml index 7db76055d1..96c3424476 100644 --- a/kubernetes/aai/charts/aai-gizmo/templates/secrets.yaml +++ b/kubernetes/aai/charts/aai-gizmo/templates/secrets.yaml 
@@ -45,28 +45,10 @@ data: --- apiVersion: v1 kind: Secret -metadata: - name: {{ include "common.fullname" . }}-fproxy-auth-config - namespace: {{ include "common.namespace" . }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/fproxy/config/auth/*").AsSecrets . | indent 2 }} ---- -apiVersion: v1 -kind: Secret metadata: name: {{ include "common.fullname" . }}-rproxy-auth-config namespace: {{ include "common.namespace" . }} type: Opaque data: {{ tpl (.Files.Glob "resources/rproxy/config/auth/*").AsSecrets . | indent 2 }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-rproxy-security-config - namespace: {{ include "common.namespace" . }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/rproxy/config/security/*").AsSecrets . | indent 2 }} {{ end }} diff --git a/kubernetes/aai/charts/aai-gizmo/values.yaml b/kubernetes/aai/charts/aai-gizmo/values.yaml index 9d93663175..72da3292b9 100644 --- a/kubernetes/aai/charts/aai-gizmo/values.yaml +++ b/kubernetes/aai/charts/aai-gizmo/values.yaml @@ -29,6 +29,7 @@ flavor: small config: keyStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 keyManagerPassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 + trustStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 # default number of instances replicaCount: 1 diff --git a/kubernetes/aai/charts/aai-gizmo/resources/fproxy/config/auth/client-cert.p12 b/kubernetes/aai/resources/config/fproxy/auth/client-cert.p12 similarity index 100% rename from kubernetes/aai/charts/aai-gizmo/resources/fproxy/config/auth/client-cert.p12 rename to kubernetes/aai/resources/config/fproxy/auth/client-cert.p12 
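Review bot: In the `values.yaml` hunk the default `trustStorePassword` is the same `OBF:` string as `keyStorePassword` and `keyManagerPassword`, and it ships with the chart, so every install that does not override it uses one publicly known password for all three stores. The `OBF:` prefix looks like Jetty-style obfuscation, which is reversible and should not be treated as encryption. I would add a comment above the three keys, e.g. `# defaults match the stores shipped in the chart; override all three per deployment`, and consider leaving the new key without a usable default so that a missing override is noticed.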
diff --git a/kubernetes/aai/resources/config/fproxy/auth/fproxy_truststore b/kubernetes/aai/resources/config/fproxy/auth/fproxy_truststore new file mode 100644 index 0000000000000000000000000000000000000000..f6ebc75ed85ccee1b82ae27fd24e0238976be3ad GIT binary patch literal 4639 zcmd6pc{tSV8pmg~4P%+Ila#ga8@os(`yd8oi!p{K`_NcIj7UgHs+0A#Wow}%7->{`g(L=YF31cR%yobALb2y*9o!4g!H7vkejpIogZt9SXb}9cyb7QJ0zsVs3e*muKyJvY z3T9!hd+@u7__GP!Fac3M4zwDetf;0404hpq_Iw;lY5*Fo_|5#gx2J%`e?Bl64uVp^ zoFIS#W`j_`U{D%Y0T6;UEOR>^Z~Lx{QzMFr=L6);vTnUn*)8GiDbv*@;=vzC$u5n= z^|)&_qD%FAGS(1Ril3)Z5^pJaq?$KG*H;PK)~1cwMa>{IguV#RavwqT6;6A0_PJmL zWFAo+1^nMbTfha!Qm*vp+_AV8Wx2LxtH0XYUSXZtMRnoVxic@K*B`nn3u=Dc)4E=C z`7)b!e1E9ViuE~Fvpw3f_mxJQ8ua9!=6U1WZO=w4oPSVauw-WyDOi5%4$Le0Ak(l2 zRfFjLz{7B>VJ^nR5@dW@<}1PU`Xn0`iw~T_Eou}?z*U$vd-}5VBFM8GsxLV%eDe_W|94M_gBwq z?c*2zZlX+98qN3V0)Hd-5=TO3q%=r^6y{u%6Wad4|eftLw)KaL-okN;NQhpKreCd0c zIno%)<0AS55=hOfX6wb=_=&mv`_q@LfBz|0<)&6P-{blV92Iq0=v;jfSoQW z1UuXUtE+49T~loA8xs3Np*C2CqSOIZKm|}&K`Wzaic(bi$pj3460{9=bEwTb2>^Wb zouTZ1I*6XGGn%H6zt+wRM=3k;n8Y^YW)#P$wgl!B3rCI(#Vlt$_-sm&bz7jz6aOGx z_Yvm6?j)JS7fwQms)AO7?vN)iVpc}8uW~&Zq$oOcyCb-HFuKdg+GT!Me%NtIe}!14 zw-K^CSk1AeO{F~0`;S)^2ON33ZZ9WGX!NQQg36P+kSN=c=@-{)BtK+T@qQ9wo&za$ zt-o`g-(A!m)j9p8I}b^YS4*oBIq3dm#4;w2Sos)naOXmj^e{iP-9MJ(!#3iHS%{M; zu91ALxscE}P>+n55plmUe@RCe-(Ygm*<8FuKPF@dkG~lc`<@H&hIV4}SsU=RbtBAoO&7!BUBn`#D1q4`|o zY{#tJO|Wp5O1y5w8X2?;^8mw5w9qF%G5B1ux8$8UvNdtC@63JYi0$I61R-$Ingwz_ z$Xh2~n#3YY?%FIcL4f**w9XEqoD&oVyXxRfE(8``6(Z#78;!J0bnuIV&HvmnGh3s>1T7l6Sk$DVz&0c!gNK$$vNTB{d;gwO+8n zuw%YHWNV#6=;B-qQ&jhX5e*U6jBNssmu$K2pkFoaJ9MI}aObmx_M<&AzpqbqB9{(A z*vCxzd#;YM-%ndwJ^z4537Pd}dvI1s@Pb*g{T&mtXcbn6yG;^qskY657Oumpi)GWMoxo8{-5rQ)soJX(2&@}USG4zUH^TIw{Dk?Ns(J+P9 zpmhM~Zzh2MOH7FaVjDmdU>whzq~lGJXAI@(t&Y4e$>U$3$qjIBpp4~vO8z6lCX~-# zf!2oimGwJ4eJ+}nD2R6D6!aD}*lwe+Rb^FGZ6tD--+0@hkmAGYMqjBbbILt;beuAZ zY96i`hgF}D4Rz=7g4nwYXPLPG<-kDdla~M?unhtf{%s8MeCn_ z*St-kKlibXfb}gYto?*zggzhnZrJY}9fgh{m$vS+#I=HfD&5*{$m@$~Ee45h^*kQ^ 
zPql_j?fhH$AgC^NKE=igD=SCuqG1{4Hibro3yPO7k1s-TDbV#0Go8GQqn$R$h)F<7 zsw||;lTaWOTZl3+YCo}6m6AoJI^4GBwZ71=g|2uZ%V}G1Z8i8=^^DD(UXBffQNS*= zOgS>zKoJxS0)PN+CRUeNBXI2EelVC0Af^X^(jQYCFiGB>7JdXDEEXeXNbn($XqTUx z7?waH6G&ou1X3W;ortH+{X|B`vd|%K_IL3`m?z_8(}4>Ir)6^h>kTrR0j7~#eud88 zfIRvC?s}xqu2*^o`vaZu{*50Y0pkU>FtO}n0>k0VQ1Fit1i;hXxnYigJq77a2nfJ= z5adX{$7$C(MUYl?I6tC%0MXmei{M7^_WeQTK(vV$=#Q$Uj@>%pAE(2*EScvW&2HlU@TLPCXl7~GP5@5?@J^=8DdrgPA0qr!M$S#sgA#BgcSAxVu- z)%YIWXG77)A0?CRq^f4X(!cfhQgAIR+0%-a=6mh(XIIiboE42cW!+@Fy&`2dB>TKo zvHcUSUHddK9sLoq_)$XzR0b^9eSu(%5~j`r;X}7g$=#0Ab9ROQP_Dj|>N)Cwye9te z>#I*~*2g==LT>HVKg0K7`c*RK)sX{TGsWx@(hFCENBVErZ67fxK<)>kv>$oRV;T73 z#o>tmhFsih6VgA(1?L4Qa2^`DzJ4PY)25XE9pq9(Yp7`aL9PuGu=z`JeQT%?>|C^y z>Cm1Z74t8^Vh7kZfCZ(w{YO@{q-ybh8cnx2#m=3x9+_8ad||L~RnMW(Lo+0@E+p=X zk;qbYQbW~4W(Q$imCJ^Cw$y`T32)$OpD!u;HLgU}@>8RN2lm%F4|bYM7?_yODKzmv zP@Z5JS#_midG?a2+2Nn3&kNwex4El+6ks!A`#`@Ua}*sPN~lPWU4vucT!srkQ`RrME)s(S-sI1Gy`Y>acis&T7So%#P@ zRn+nZtfFRts3{7|_wu6f(MP|cln{O4-yuwpzIgoCA4)JH5^yB^(Eu9PiFm><W+S?BKvhBtagK? zywBZz*U1kbAgjQqc=XrL@SPURX6FyMfo~MMXx`Mkg*$fdAfFOG#-KstH}X zr|<2NRlZojDZY#*c8n8Nm?k3&Y#W1jshoV~dLX9ZADng$(VQ=%5-JY{2BeG>Ju1DS z#1DIP!Q`c+y6w3daqdGd8UyFBje+%7s9q2o>Lh8BWh6)NOkP{1{WDKsiZb>#!z1d; N8`FEAT_yH${S$Z-vnv1q literal 0 HcmV?d00001 diff --git a/kubernetes/aai/charts/aai-gizmo/resources/fproxy/config/auth/tomcat_keystore b/kubernetes/aai/resources/config/fproxy/auth/tomcat_keystore similarity index 100% rename from kubernetes/aai/charts/aai-gizmo/resources/fproxy/config/auth/tomcat_keystore rename to kubernetes/aai/resources/config/fproxy/auth/tomcat_keystore diff --git a/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/client-cert.p12 b/kubernetes/aai/resources/config/rproxy/auth/client-cert.p12 similarity index 100% rename from kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/client-cert.p12 rename to kubernetes/aai/resources/config/rproxy/auth/client-cert.p12 
diff --git a/kubernetes/aai/resources/config/rproxy/auth/org.onap.aai.p12 b/kubernetes/aai/resources/config/rproxy/auth/org.onap.aai.p12 new file mode 100644 index 0000000000000000000000000000000000000000..023e2eaac62d7c00404e3a326f03edc553ef6ccd GIT binary patch literal 4158 zcmY+Gbx;%xx5jsY1s3TJ>0CfrmXKEI?vNCuRuGU*71t$2Lb_oA>F&h^C4>bLmhM(M zq(k8Io%!y4@0~Me&Y9;qbN+nh2SrfI-~sWW2uc7USTI~Y{EQ4p1k6KF{3bw9>_QO~ zn@|La$G;X~9)iU7uVjS>1pFN)|2jbET|$!oejo)BLdgk;)%p?|io1Uo;o%VjLJ=ea z4L9L|LI;dX=^pyY9i%r%o8K({2dFp1pWy>uy#-EtXl3sdYo|B{4amZ_)Ay~yUC-#3 zuy!s)ktn|lD+cP5@$5BZv%jfeXQufZW0GHN%1X0y1R%M?Js&q$l2lC8U>yS;Z(=oo z^=@9`yA0YO_O`ey*#qQw%K~`qW{z zTr>PfEi8%T=}j|Cu$$fV*f5>zUQGg55@#Zj1m)e_Lg4%gxi6PfWJN!AZs~hwl8syG zgm93zxkAj>1%0ZM823)h=oB}&*OZ3;7O z%ZiG@@Vq$SxhRoO9a79^$dhZHmnVMJCl?4W#nYCl!viU5!#3`_`*W|}0oX@!STcA& z9t7*VY0;A9w-bz8fC?|C{nC%FjYc@B@25|-3)0Wtj==9nw6AN~3CliJyB$QSIp|!9Zr#KX-6xoe6lEWe?-?&_YRHoSLLpG`4Q) z9LI)zp}BDz$+Vh7RuY4HzvwT&Zm{oUn=T5Gp};oH13V}o3&Z76Q;l{T85J8e>XIy? zPH<)$Mf@gnD3Nn}g${W}6p+x@|BaIB5RxwN5!n#S8`beGc{NU!q+4nwMZc9#3iy)Q zQr}mgF_mHRpxDFk7?K25u72(yP=dT{L5(s$Jdj{F{87Gz{4_*g8dX^@pSHsbu99js zUUMpKTI8rXAsm=C$YAqImg>Dby=bn!;Pd2TW_4Ea8GZShkpuXy!>?;U`4$a_wX9rV zw=KE60EQM5sN=uP@#r(zt{W>6gYuDl(5R7zl!No&TlOgF?-Iu%d}J5f?xyOMxP!M6 zIbp zv@s|Cw1jK{O9^8xgZ9Q1LSx?_&L4(FFhUhC?UumNgMJ@{Ht{5Iodqw1yC*l{6WB3i z1~!mU|H*!m#0TMFRcDKNK7!y2P;E#vdA)^QNXD&4lI~=9wxi9Ao#|sqycgjrJhbyS z{W4!lV2(BDI;)VUT^d@xXCoBxl*THK-Y@9~J7LG}!WJ%iRAB_cvhiVI$&=ipOVQ!{ znkw&}pW>Ax$Zrxk{LFPInaJ+bMm(hpwkIob@vktkz3n#FU#bW=>t?lq{c@_4{eI%E zjo)Of8+k_j@Q1a8H@~)CeBmc^Yq0$?UOAZ>KYd*+*>!sG{6wN8@q1T;CnUDN2RItW zjOuo1Nvw<=kVn@SLqR1fQej9rc%#JJ5V6=JF5KSYkn`#-r9mqYR`(?au>{QxY)xlY^z!~^MK7DzFodugGDLoa;ea*!r)2D0JIud^T$s&LzWR~vC=60R(kaWk;_bB~HGJ zq1$Hp=jtt;1rLuhD5y&lnv0^I0Qv0<512NfM`OCtCmxFsoCjneT+LH?W=w3H=2dVo z2~qjB^#;o{EGFf9us`HYvm#fM!YRu@>$yjW-C6Uw@LYdFq%^N;4W&aZ<^7wr#DOu4 z=x|q16Rt4qoF+%YAREvl{hl*ZqJ1pmq$Y8$5eNT`mUw#MH=jmnF zw?D(GyEYeW-5Jxkvk&>u))`Qq6a>z*ZBlrRbje{ 
z&-ME8+V0HtIl3LYieia7MHxF{3h5?#$*{~I<7olt$>I;Dp!c&qd||~dF?aUR>EHYX zB{RU#r##jRBG<237t*Q-Wzu#-do3~hx3bF?S?Ws=s)k^hw}K3Z92G$Zz}@F=QDv24 zo^h=pBg@XIlJHp%0b}BiEG9sI(_u-|@xFJNI0xi`V}6EC_%|z`Qs19)0lU)6-H*p& z@u@-_wTNT~q%u$Fx^CXXX}D)K2U--vIh53GaZr-YO1Nn-uPX6ADVMCJm)i2y=ofDf z_CU&IJZj=f4J!I%7w5EmOMVXa)wwD2wz^cm9}-TzPC3Y0f%3^uy2$k@ny#x;5s-g6NZ+b*tD znA4@WE`M3o_!ff5?0A~cKjYohHKIJX4c}GfKcVuNuu3;Gw}o~7@qA$3WoQLo7+$ee z)01Wn+_MFB=mRGOB?${!g=%!0DLvN(8Vgk=)oGVd5boOh!tv-D+~d`)L*ym;VfQmn zAuJXfwJy$v>om#iLWO$509NOw=z#M=%Dk~!7z;$VwoWjT4k^)Rm$+}V4t;>1LB z<1F!7_$Q017p-8jAq6$fRQE|^{tS(a4j1=0s@W@h?B%y-;- zAQ42gJ$^FVFPz2-3TLqsl(aB#bj;S}-}Wc)6DLk#;C@$TG$Yy}vS<7md-VKX?GACQ zpSvN*2EpLc7n8!b;y2%z11R3EYtvuI@!_5VQoD6Mb4<9c;7hNLCtOh+ihQp|H#&nk z#O1A#U+5+byho<;@%M;$2VJw1M(Xq+>mQp~qR>N7zPAtRSL>M2nrVBq(RQz(2$0wR z0n0oD$esWJdiqzk{M%-Pcm4-6Nq~5H2!cH*f?(_a(I@^t^qKo@QTSxnFYO=tBtQ`K zEm)UnTWv;Zi9-xg4hm#WX&yVT5f|B1QiysciNnNc5IY1AIiu_x+ zSbu$>-XF3OXkk;WPt%>~OkQwO6KJL7$FrFv&~YC;r{8xCcXHR?GOzVvn=Dn@I#Xr5tBA%)^Nje8E6m*(7^l(Jrbf|)iKw&}%+z`8 zM(fety8C9c@RO!mx#W7*$)AElWnVf zj-PW4!~$541Pch5zhxLBb98c+3a`y0e9!yVFuX*2HZ8AJvXL@^xdK@a+*E?ajY-YE ztxM6liM^g?C&!%}WU)nl37xvbb}wEI{p&Y$Hyrx9*vm6>{Vx>NSQt#LdgQkr+n2)+ z5<-=D+V0JFDy4~9QJw0sZ#BfecKhDEa;4>OX2y#?L1JEjlh1N5>sot?d%#lmxmZQC zQeAd~7|n<9g{gsQyH^Gn!Hv{-j`>mwBw1kjA9jJNw<~+WX&(wO9`*voBiW?8(CfF? z;31-q;jT<8R@(-{5Yjw3!8cZODUv?2@-x-#cbrSw{(xQmsFGpyG zf8`9C>O@@3XE&|CFI=d_Ny#>x*yEV$C`>lCFFGfkbx-IbdZQ@yR*_}@ZZ~YH zYk1${DQ5bNS|N!AG`4$pO5Qv_tl&!g>Q(G%LMy{JG2gX`FDq-jJ#y3aqna^|DM-%t z4ky0Vk82?ba=Zskwl*I#%MrRN6|C!Hh4YERO7y5m0dHqn`;tio7LRBZh_huiV5%u4 zDtx9cWO7M3S4=GlROv7hh%orMq`G2RuqQ8 zoFi!lBYJo`7<2lh=&nS8euw6j0lxQm>Uc25!d3ZA!(?7JGp`$bHVK6Hw5CEX@?D1u zD?r8Q`_RXM%>L@Vu@6)y_GPfaF^nTwsu)7LTPr$d_a;f^k@t%*72Qzh?O4wV>P#Ob zEb4P#4SFhQiyZGxO-ruco$SN&H7`BVEPG0eA7Bz)(|8F{i=|t%XXhq<@Sz?ukUkq&A zYifO__Ay(&8c>mck7z}?*f;=of9pBm(SPTCfCs?+@BR|-&*lYihKfQtp(23Um9FDOvBopkB9>SD1eVdHmjuKktVvT9$vJcX#Oi+l-?`Y= literal 0 HcmV?d00001 
diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/tomcat_keystore b/kubernetes/aai/resources/config/rproxy/auth/tomcat_keystore
similarity index 100%
rename from kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/tomcat_keystore
rename to kubernetes/aai/resources/config/rproxy/auth/tomcat_keystore
diff --git a/kubernetes/aai/resources/config/rproxy/security/keyfile b/kubernetes/aai/resources/config/rproxy/security/keyfile
new file mode 100644
index 0000000000..3416d4a737
--- /dev/null
+++ b/kubernetes/aai/resources/config/rproxy/security/keyfile
@@ -0,0 +1,27 @@ +2otP92kNFHdexroZxvgYY7ffslFiwCD3CiVYMIfUF2edqZK7972NwkvE_mbaBo6jh8lByLIqrWAf +jyzoiVsvQ_kCa0cS1xaRLpcxv3bx1b7o3hGPBqpd6vmSG4y2JLzNlCBZWuTJz827wr8p_fWrYuUm +4L1WoaEe8W5PRnXjl4hDqbJBAlEoRIBXugUDt_7O5wgx2Rl3HVoOczZtf0RzONZ1F0BmKf3QlAUe +moSbARitYRgIPt5sLbT7qPyoEpGDhQ1XBowR744-wsjBc-14yO62Ajp5xWKTp15uWn3_HHuw1SAf +GWSBRGlSlEVkXQqi9Hw5jDttKVzHX1ckwR0SQOirbtHPHplxPX3WKjKhSdSeMzw6LOAHIQYRMKBT +74oGnULAfPtV7TaGwOKriT3P49CoPdt9On89-LGyCZSxDWKH0K-rgB6I2_hPT2Uzr3jmXiMa-sfh +iMvyQ7ABBVx0OFsUuNb5mcU2O6dWiQreL5RerrloV_X3ZtnNjxENXKjQ5KBR1A5ISPjFFK-kf4Rb +p6FSII8LcsiqgdWuZ4GX_C6x8HX4A-vD0x3Uc9CfoXY-k23cNIy-R-W-oB-P2OgdWDNgZ7VaOLNt +3L-NwWpNblfYvs93cNmkbVAwCZ3r0OP7RFeuON84TRaynK_Fh2S3rypRyJcUmM1pvpZqJ5_-umSW +hUs1OqkdLv3xjlVzzK-3nMr0q3Zcyp4XdyLYtcX5I3Xqk9ZcsyAT7ghmHhV8KjUjue7OcfAWg0m7 +RJLGq6VC8HeK4HEMa4lF677Qh7DRufghIDEmQSIDfGA790WGSA8HqcOvAL4hURCHyCWiPa5i8ksX +xX4HyqF8PCVCLJ_ZhzcuIlc0jStAexWbJU_vcyX7XgUaHCkF-M-zv1FP6Z3DHBMD2QqSWjmyNCCk +8sIuwzs62P_j2o9jG33kssedCrUWOwZancU107-5H0Zw-UWvtCqUfmRZ7TsEbWY7lk_SKfLfAN5q +ncOQgU_VxDXUFDST4LN_WVECRafK3UtwWomxWSji25Lbf6NVni3ok-yLMDZR-wrE-54jLPES9j0i +5N0xrk9CfsvGUpUZ1_XQcgaxI6m27DtCCJXb5ywenPBiUIJCMCTq88CqNZxGpju2i4BJcUH2hUHe +GKhO8pgslwhtEVot9EDwdzSrJkWFCfb6ud4zMxrqdi7-mLWMOydg6lhpEFEX5wu2BLIujGsZlEGE +_K9jGfBypjXuJCKDZIuPfEnf_7idjKis_JcFB7x4Hx2HHDcBjlWWFZN_VIEnPkQSyZEC26RTFP3k +zkY3GwUfA36a4XW2pu3gE9wz-W6fkONfzOZ6YiyCm_dRFUVuGSdJG02Hh5iXYlMOGJltPzWH2jVf +S-QTOmXQTKSOheXoJO6O-9uQbsRf-kq-6w1pvIOp4ms35w4_0Xj0Xr2a9y-L9PdBZvrUsa-jxsZU +LyA-YY4Ej6QwDBDTD2MGjF1E5_ekYgjoNlltM9rJjofruM4ym0n7LPHC7YXXQSEFOZYeTKi6wUDw +hQ1DoWHgu4PQ2lexada8sxQdConbPe2iW16h-PrO5D12E4XbT00fqaMlBmjQwzdNRdCC2NRPIQ5W +nwaO8dZ9yjxsjT7ZVHb9-DRblb3XDocponzxVXqUGtJAie4WXQnerX0ApTWGaHEr5y56JJVS_3LP +bKrbXBXcs4jTUX4ECXRrOs8JQDQNysXhvTPCu0XUxNZpjx6KLxDs93k2OcESHjl5J6n6OKKJqqoN +JEyFO5LGXpnmUJbn0-CaHHPRI1mHwEu4brY8wDZd9A0PD1KGXDoCHMfEk1lGblQdyOcVrXZ6uSBk +Z6zHDnwSCHO1mPYqtelJQehZoFuPSv9PIgKLxs_qJOtZFnXII5YO1mGXgiIBWBjUFDR5HG4ENS6y 
+J4MCF-JLMp-PVMAkOaCIQRRDpRnMm_fT1sc_P562Diu_pcdt-r55pMFQYGoGfjRmxQBKk0-SsdnP +mlZIiis9DfQEN0q3QQdNRYBJD7tmhUwhAPZdLgXqJA8sZf8UyFQhhpsky79NT343YL9smUlF \ No newline at end of file diff --git a/kubernetes/aai/templates/configmap.yaml b/kubernetes/aai/templates/configmap.yaml index a23ed5fdc7..651bf8dbba 100644 --- a/kubernetes/aai/templates/configmap.yaml +++ b/kubernetes/aai/templates/configmap.yaml @@ -72,4 +72,32 @@ type: Opaque data: {{ tpl (.Files.Glob "resources/config/aai/*").AsSecrets . | indent 2 }} - +{{ if .Values.global.installSidecarSecurity }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: aai-fproxy-auth-certs + namespace: {{ include "common.namespace" . }} +type: Opaque +data: +{{ tpl (.Files.Glob "resources/config/fproxy/auth/*").AsSecrets . | indent 2 }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: aai-rproxy-auth-certs + namespace: {{ include "common.namespace" . }} +type: Opaque +data: +{{ tpl (.Files.Glob "resources/config/rproxy/auth/*").AsSecrets . | indent 2 }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: aai-rproxy-security-config + namespace: {{ include "common.namespace" . }} +type: Opaque +data: +{{ tpl (.Files.Glob "resources/config/rproxy/security/*").AsSecrets . | indent 2 }} +{{ end }} \ No newline at end of file -- 2.16.6
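Review bot: The three new Secrets in the `configmap.yaml` hunk are filled by globbing `resources/config/fproxy/auth/*`, `resources/config/rproxy/auth/*` and `resources/config/rproxy/security/*`, so whatever is checked into those directories (the `.p12` files, `tomcat_keystore`, `fproxy_truststore`, and the `keyfile` added in the preceding hunk) becomes the key material of every deployment that uses the chart as is. Centralising the files removes the duplication, but there is still no way to supply deployment-specific stores without editing the chart. A header comment such as `# default stores from the chart repository; replace before any non-lab deployment` would state that, and an option to reference an existing Secret would be the fuller fix. Separately, these are `kind: Secret` objects living in `configmap.yaml`, and the file now ends without a trailing newline.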