From 9234bdec7f994e8b11953fdbc358768defba8fc7 Mon Sep 17 00:00:00 2001 From: Ravi Geda Date: Tue, 30 Oct 2018 10:03:44 +0000 Subject: [PATCH] Add Pluggable Security to Champ Note that by default this feature is turned off. To enable it, set installSidecarSecurity in aai/values.yaml to true Change-Id: I19d4755a58041c58070e0cd36d263e4e49b3f743 Issue-ID: AAF-587 
Signed-off-by: Ravi Geda --- .../resources/fproxy/config/auth/client-cert.p12 | Bin 0 -> 2556 bytes .../resources/fproxy/config/auth/tomcat_keystore | Bin 0 -> 3659 bytes .../resources/fproxy/config/fproxy.properties | 2 + .../resources/fproxy/config/logback-spring.xml | 48 +++++++++ .../aai-champ/resources/fproxy/config/readme.txt | 1 + .../resources/rproxy/config/auth/client-cert.p12 | Bin 0 -> 2556 bytes .../resources/rproxy/config/auth/tomcat_keystore | Bin 0 -> 3594 bytes .../rproxy/config/auth/uri-authorization.json | 99 +++++++++++++++++++ .../resources/rproxy/config/cadi.properties | 25 +++++ .../rproxy/config/forward-proxy.properties | 4 + .../resources/rproxy/config/logback-spring.xml | 48 +++++++++ .../rproxy/config/primary-service.properties | 3 + .../aai-champ/resources/rproxy/config/readme.txt | 1 + .../rproxy/config/reverse-proxy.properties | 1 + .../resources/rproxy/config/security/keyfile | 27 ++++++ .../aai/charts/aai-champ/templates/configmap.yaml | 34 +++++++ .../aai/charts/aai-champ/templates/deployment.yaml | 108 +++++++++++++++++++++ .../aai/charts/aai-champ/templates/secrets.yaml | 29 ++++++ .../aai/charts/aai-champ/templates/service.yaml | 13 +++ 19 files changed, 443 insertions(+) create mode 100644 kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/client-cert.p12 create mode 100644 kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/tomcat_keystore create mode 100644 kubernetes/aai/charts/aai-champ/resources/fproxy/config/fproxy.properties create mode 100644 kubernetes/aai/charts/aai-champ/resources/fproxy/config/logback-spring.xml create mode 100644 kubernetes/aai/charts/aai-champ/resources/fproxy/config/readme.txt create mode 100644 kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/client-cert.p12 create mode 100644 kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/tomcat_keystore create mode 100644 kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json create mode 
100644 kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties create mode 100644 kubernetes/aai/charts/aai-champ/resources/rproxy/config/forward-proxy.properties create mode 100644 kubernetes/aai/charts/aai-champ/resources/rproxy/config/logback-spring.xml create mode 100644 kubernetes/aai/charts/aai-champ/resources/rproxy/config/primary-service.properties create mode 100644 kubernetes/aai/charts/aai-champ/resources/rproxy/config/readme.txt create mode 100644 kubernetes/aai/charts/aai-champ/resources/rproxy/config/reverse-proxy.properties create mode 100644 kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile 
diff --git a/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/client-cert.p12 b/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/client-cert.p12 new file mode 100644 index 0000000000000000000000000000000000000000..dbf4fcacecf190fb0244dce0d1b438e6fea4500d GIT binary patch literal 2556 zcmY+EdpHw{8^>p6vvN1q+;S^Iwz0#F1O>%q@$`lt@_`#}p!mZsr!v zrA;)F+=b00##|C}&vBmT_dDk~f4tB8JfH9PegFKR2+$26A3ur!eGP_c+_bv6F3bnv zqY$7^K?G>QJ|?3G0>A$!5^w_%1YGv9lQ! z2xbYdREtLj!#tMeXTuU~Y}^mN=>q~m01yH6;iwV9rpF(${h@HJ?@grEMCee9ri-P) zwzE2^?>3>tjiqo5*=`e>dbXiy^X|@E0$!PKLudIJtgh4W8suwce{PMLt2sx-*UI6F z!=)~#bGYY1wTtBr?TXBfjP2}S>r)?dXjlH6NdFDxJivFEjLiGlmGFMS9SiW?*?m-# z6vbW7ozLnRpnP1x;1qCc*giY4axyE6+VS)Ztd?rL6ea=|uIDxv(Z78GS8#VoK1cJ8 z!FSDn*aO*Dx^Bf(*PeI%;F-7^_85~7(P(TNt(ZEztJE{opI(0q0k#DB4{pJ@<7p|) zpZtoQpC34>S1l`7lj$C)&u8Bd-;@;d-QOjbY?tfoBF&HJ^-Eb@v9|e~4pp?YJgza+-^?9hj4GbOZGiTk*` zAbxe_30a7E8x*F}ckf`o3;K=T_4}P|dc-SD@KbApw{&dRXeRFAiP&yTX{gAZtFhiU;|2D-kJHZr4^2}y z-yy;3?Oqd%Tw_%HZhrrHwr3!+%>6}3Z#<07>lT!6<@ucUdq}KG>~?qu!KmL5y8*bE zLav3Fm)&ApK@K!c7u`27&VN1E-;l89F>JcyJToKFXt1jFa!+dZZf`;1)h>Zi`b+$| zOatMJv&P|yQuXMBaP1FqCUN`b9IyHbW9vytIu}WAz32`X(@&jJe|%8_c9qTdYIHw z3fZtxHhk>d{+J@y6QH!L5;&97BmG4fersW56HO~_aff2xrb14q;B$h>Dl>!u-0^#3 zNM)Lp-+>qA%2{haKilb6wE~VGeF98WyTD%5*2t#3y@legMFULBxF@-nUq$W=S2R<) zI48ac)-CNcs?~L2;SJ0qALf6G&Rw5L^MCbG^vC>37XW*fZee2c>60$!G%;(z%l36t zVR3dNTR{B=kNDllFa+A>A}pnZyHmD?-})}8SjYUd6ghk(<8u1b8VN5Z(jz!uX<@xQ z?gc*Y;wbUR8lJ2rgmFlsgovS9poe; z%0J?oiYmm1E;^?_bV$$TeAa6(KcIHD^=++kgqXG4qb+YU#nLPjzn3`@-VW&ZQ;i&q zQ+=P9?vT$%MXeFKXZMQjXR(BZ77X~0DuFSsn@PzYuW*6-_qZ0DEnz99sZ)ti;* z%*hSuCsbrr8!5ub?T^D8^E{C%|5*w!^qc(G$nIGG>bz3GL;o&GkPg9Z*648Z&9>g4 zxgSFPB5mlK@GzB8nxxlmWRilyg#ccoTDp=D`f8@fW=Uharxj&N8gb2qChAMuxN-e` z@z=#64FA;6o|9IL_x#8ZI(1z(LlCrbIV;B|yf?ti?AILK$%L3pqW_gUAxcv+G_s$C z>&IhLG?_i%%Moj~pI!leKDom7$j?gD`J@t-uW%TSMtJ1I5Y>bsno58xjYj38Ok z#dww61flet6${l96L3ai^70CVZGPYGD<*B_QpKhmaPi`3gUVa&Rkow~faF)WiAIf{ 
zw!VVbLBOewjxYw*#ZPy-u+{ImT1YqQ$$b;6$<*anGHM4j&i57=^Z96?+pCw6>}QGd-<8Iza65dzA2s5Elcr`LwveyTFFUwuyNMqbe>8zPTb$EBtzuSv%NFNd5cYEh{uDhjr)({@X`vvX!;d%ccy~WAQpexeVZ|F3K zh+iEDrjnV#qVX%yh#DKUexv+rS0|4)+YYs{K9=l0;8pDe`nY>J&-|1qBOe zitqzv1OOly$@=nb#PO1w+DFZwsfNPY!%h`*Aebw;+{L0$LiiNyc&sYG#@NT=%=+JI F_zSHP#{>WX literal 0 HcmV?d00001 
diff --git a/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/tomcat_keystore b/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/tomcat_keystore new file mode 100644 index 0000000000000000000000000000000000000000..f3ac0701a2286029795567d25498d3d2eb1e35ab GIT binary patch literal 3659 zcmb`JcU)7+7RPhbAe7KUhtR8VLlXrNq+@6TQdJNFvKmV09fATv1QA#Ziy%$Fg7hXu zKt(_Vq=-uurS~GJloxd0?!JBP^FE*V$J{$-=6vp)JLh-4Gkc4Bix3C|N^QXR#_d9M za`GaQG>Ig+?_D`h4<|1? z97{(WB<3G&K1Xsn-LrR^?bcV060;|USAS!CosumuhRp7Xrj@?ms1pr zuk6Zq&0E@roFu+d2)D3Sl?J3;R*U7vyYV>dk ze`=<*H(^^kNQHYLI`8RSUS#!IF~227R5kgfvfdxs8vdw{bwJf57Ta!)YysS5Oj24fXHn8?SC1{dD znH1<s=1gs;qH6y_4GYFh0fg&~&(Eve=U zwuaNYESYwWPrV|C&CEm&Bi5Yv0<-OiK2HIou;Kj|&NaS8knWoLXwgpkGx)Q28_Xgy zMAH22Z*Pnjm#2f#mu1FsGh7fdLpnwRqOXOu^YBfx*xF9~=x9;I)Ctr3skY>c?3mcN zMC9cpS@uY1y=2PU7!F&}ZK3%dxs;ib*SBv^daId+af@{}u|NVFP;nNuF`Mpo0d^&mg8GsM$t^r=%Qq8OGEJF~f+tq&sD6bVn!^5XOND!oLL z+PXA3-*zHiq2GOtS|TE2xrHJXTf%x|AxG5>5d#g^>Lis8c_IqxZz14TxuQ{({+6Q! z2y0pOk*ejs_SDR*i(^5@gPgDz6lk93)7pkh_STN5koYuN0h9f#Z7rSV8+|*MNC*k8 z;GqX*f^U?-qq!THYugrDg0Z|b46^30Ql|2)19K^-9wvbi#VlqLTE&Mm9jb-hAQ3d^ zqtXr5wjDr4g&tR*!#VwrWMS?B!KOvQ+dvuFguM)MdpJrxpeQj_HejIAJ7nnRhUZIh znK!37>d2OuIh|YW`eM^(V?(S1roFHV>A1bHTe}@zyLp|o=_wqAbi)Px7W}-QY>XzP z5*Zr~JM~|zfBmkkKBU4mbRv)mQQ4?hNo>?#`0EGf{AR`hb9b*u)#RvfO z2neW;qX$t)m=zq!2DP%lF@p351|0+3)I`e+hXxrAOnL@{sfCu79*!I2Jg{L5%2(AGMK0|hu4ajKvSsEkuqratYc<`Ga?5%-%3I{(LoghA|&h5kL~|0x(2 zkm*M-wBHYeLqrlt2893ogH-y%$N&?BI!*^A0{~=6>G~~LUD$BR_?cI)1u`i-xbsXr zL>@gMD|rs(U6sSLkuzL|g4RJrHmU|+hjuoU-j!>f$tbLSzGoO(9U>j<%6bWE=gO;g zrwF(2JggzsQv~t;Nh#ro=R&+&zT?HCF&mkP`Ovs%-PqAqLHY5VmsZ@CPb4htmK?%$ zIsI!w#~Awx93YO}gV)^m@+Ygb>IR{2Q`6h^C@zhxZsV`ir%u{>cW^@422?o}nk!D7 zav&DYNYQl5H_P8pxOsDN8|IV(+Yd6<%+0vaZ-owD1|=j)f=VtD@_Azl*z^o~LO4{& znL|VNWp)_L8{_J@iY{rU)A{#z13RnNtjgarLSX;|$RPuc)E#m7o_BsWI243{EJ&1N zi~$g{eF6aBa2OQX1SOo-%0DZX3_z&|KJ}|i0I+`$Ib!@r5Mpo)$d06?-UJW` z8W`|<4+=UTxU;|=Ksz#;NbvD-aw8lfdHPZHOy;59E}XpF<$TK8nZZ!vmYs)q?yPxrkeE@R=-o?juRJY)m3XFdIV 
zoJF;jen#zFz;3hrVnIoA!B3PhNs_hrk?CsZcUqlO(S9$I{cRjalZn8oqBlT-td~U!E-kp5wYjFl6H! z+62R<%1-(ZI;?Kk7Ti{<{yFX9oIU!!@bj;|)7_SS{n(%<$8@i9epu~I#`m7p8CWY~ z5R=@x6F58m*j8v(FCTpZjM8{=S7i2vkuu@z*Ip1ww@+|PqGf7;?^4y{! z$a>(wc2Lr^Ad>om0+4?!b0Fp~nt_q2KB-JS_??;r({mD(M+T_K02zD}p2gi%*S}3~ zq2kzsQ4@3rWqJ5&{kd=HD7IW25-V7xqt2FXF)9>4C4B}|858mFmf{Yr}nLWaf$`Is!`QeIjMUTExMiGd zS8ik+t&Fm-X%TZtJKgGQdVWS_o9@Og+p}4OCR0@+DsFfQqd8?@y8bETy0BDqRpI)P z+$(EopC$cOu-J~~6vk6KK80Sp%;F=Zw@O71CG!-^0W2{$3z;=pqm`CfA1=)sur(=< zgv-%Akb3ffKXw^|;?{tFQLq%=HrA8v+e^5=?uw}o8ta&s{PfYVuK$Z6mjjFInZi(` zA$^|E+_K>=e+A*x93Rx2lIV%-YQp_j6Tu?U^ug$1Kp!pSc=vfZGP0yt4SS>NDgF&%qq%IO_KfO sXQg0u{z})d^!K(al^fhw^Kuf+W$H9H4YW@B|03)e$NKDe-fKAiZ$`cB*#H0l literal 0 HcmV?d00001 diff --git a/kubernetes/aai/charts/aai-champ/resources/fproxy/config/fproxy.properties b/kubernetes/aai/charts/aai-champ/resources/fproxy/config/fproxy.properties new file mode 100644 index 0000000000..f512fb71a6 --- /dev/null +++ b/kubernetes/aai/charts/aai-champ/resources/fproxy/config/fproxy.properties @@ -0,0 +1,2 @@ +credential.cache.timeout.ms=180000 +transactionid.header.name=X-TransactionId \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-champ/resources/fproxy/config/logback-spring.xml b/kubernetes/aai/charts/aai-champ/resources/fproxy/config/logback-spring.xml new file mode 100644 index 0000000000..4fae434edd --- /dev/null +++ b/kubernetes/aai/charts/aai-champ/resources/fproxy/config/logback-spring.xml @@ -0,0 +1,48 @@ + + + + + + + + + + %d{ISO8601} %-5level [%t] %C{1.}: %msg%n%throwable + + + + + + ${LOGS}/${FILEPREFIX}.log + + %d %p %C{1.} [%t] %m%n + + + + + ${LOGS}/archived/${FILEPREFIX}-%d{yyyy-MM-dd}.%i.log + + + 10MB + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-champ/resources/fproxy/config/readme.txt b/kubernetes/aai/charts/aai-champ/resources/fproxy/config/readme.txt new file mode 100644 index 0000000000..79cf29e73c --- /dev/null 
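Review bot: `credential.cache.timeout.ms=180000` in fproxy.properties is an undocumented magic number, and its value presumably bounds how long a credential that has since been revoked is still honoured from the cache. A one-line comment would make that trade-off visible, e.g. `# 3 minutes: cached credentials are reused without re-checking AAF until they expire - TODO confirm against fproxy`. The file also ends without a trailing newline.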
+++ b/kubernetes/aai/charts/aai-champ/resources/fproxy/config/readme.txt
@@ -0,0 +1 @@
+Relevant configuration files need to be copied here to successfully run this service locally.
\ No newline at end of file
diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/client-cert.p12 b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/client-cert.p12 new file mode 100644 index 0000000000000000000000000000000000000000..dbf4fcacecf190fb0244dce0d1b438e6fea4500d GIT binary patch literal 2556 zcmY+EdpHw{8^>p6vvN1q+;S^Iwz0#F1O>%q@$`lt@_`#}p!mZsr!v zrA;)F+=b00##|C}&vBmT_dDk~f4tB8JfH9PegFKR2+$26A3ur!eGP_c+_bv6F3bnv zqY$7^K?G>QJ|?3G0>A$!5^w_%1YGv9lQ! z2xbYdREtLj!#tMeXTuU~Y}^mN=>q~m01yH6;iwV9rpF(${h@HJ?@grEMCee9ri-P) zwzE2^?>3>tjiqo5*=`e>dbXiy^X|@E0$!PKLudIJtgh4W8suwce{PMLt2sx-*UI6F z!=)~#bGYY1wTtBr?TXBfjP2}S>r)?dXjlH6NdFDxJivFEjLiGlmGFMS9SiW?*?m-# z6vbW7ozLnRpnP1x;1qCc*giY4axyE6+VS)Ztd?rL6ea=|uIDxv(Z78GS8#VoK1cJ8 z!FSDn*aO*Dx^Bf(*PeI%;F-7^_85~7(P(TNt(ZEztJE{opI(0q0k#DB4{pJ@<7p|) zpZtoQpC34>S1l`7lj$C)&u8Bd-;@;d-QOjbY?tfoBF&HJ^-Eb@v9|e~4pp?YJgza+-^?9hj4GbOZGiTk*` zAbxe_30a7E8x*F}ckf`o3;K=T_4}P|dc-SD@KbApw{&dRXeRFAiP&yTX{gAZtFhiU;|2D-kJHZr4^2}y z-yy;3?Oqd%Tw_%HZhrrHwr3!+%>6}3Z#<07>lT!6<@ucUdq}KG>~?qu!KmL5y8*bE zLav3Fm)&ApK@K!c7u`27&VN1E-;l89F>JcyJToKFXt1jFa!+dZZf`;1)h>Zi`b+$| zOatMJv&P|yQuXMBaP1FqCUN`b9IyHbW9vytIu}WAz32`X(@&jJe|%8_c9qTdYIHw z3fZtxHhk>d{+J@y6QH!L5;&97BmG4fersW56HO~_aff2xrb14q;B$h>Dl>!u-0^#3 zNM)Lp-+>qA%2{haKilb6wE~VGeF98WyTD%5*2t#3y@legMFULBxF@-nUq$W=S2R<) zI48ac)-CNcs?~L2;SJ0qALf6G&Rw5L^MCbG^vC>37XW*fZee2c>60$!G%;(z%l36t zVR3dNTR{B=kNDllFa+A>A}pnZyHmD?-})}8SjYUd6ghk(<8u1b8VN5Z(jz!uX<@xQ z?gc*Y;wbUR8lJ2rgmFlsgovS9poe; z%0J?oiYmm1E;^?_bV$$TeAa6(KcIHD^=++kgqXG4qb+YU#nLPjzn3`@-VW&ZQ;i&q zQ+=P9?vT$%MXeFKXZMQjXR(BZ77X~0DuFSsn@PzYuW*6-_qZ0DEnz99sZ)ti;* z%*hSuCsbrr8!5ub?T^D8^E{C%|5*w!^qc(G$nIGG>bz3GL;o&GkPg9Z*648Z&9>g4 zxgSFPB5mlK@GzB8nxxlmWRilyg#ccoTDp=D`f8@fW=Uharxj&N8gb2qChAMuxN-e` z@z=#64FA;6o|9IL_x#8ZI(1z(LlCrbIV;B|yf?ti?AILK$%L3pqW_gUAxcv+G_s$C z>&IhLG?_i%%Moj~pI!leKDom7$j?gD`J@t-uW%TSMtJ1I5Y>bsno58xjYj38Ok z#dww61flet6${l96L3ai^70CVZGPYGD<*B_QpKhmaPi`3gUVa&Rkow~faF)WiAIf{ 
zw!VVbLBOewjxYw*#ZPy-u+{ImT1YqQ$$b;6$<*anGHM4j&i57=^Z96?+pCw6>}QGd-<8Iza65dzA2s5Elcr`LwveyTFFUwuyNMqbe>8zPTb$EBtzuSv%NFNd5cYEh{uDhjr)({@X`vvX!;d%ccy~WAQpexeVZ|F3K zh+iEDrjnV#qVX%yh#DKUexv+rS0|4)+YYs{K9=l0;8pDe`nY>J&-|1qBOe zitqzv1OOly$@=nb#PO1w+DFZwsfNPY!%h`*Aebw;+{L0$LiiNyc&sYG#@NT=%=+JI F_zSHP#{>WX literal 0 HcmV?d00001 
diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/tomcat_keystore b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/tomcat_keystore new file mode 100644 index 0000000000000000000000000000000000000000..99129c145f6069a2038983022d440917e1b61fd5 GIT binary patch literal 3594 zcmcJRc{mhY-^XXhSjUpazJ!#eGG+|f8A7s0ma=55qb%7a!eozZ*}~YeQ-&e?zGWFC zM8=XOB^22;9^Lo-+}Hg)@B7dD$NR^*&iS7GI@kC2J0J2oc^v=%fc`GDXtaZuy{DHg z8UO&=fA~hz1)wy8Nx@|S07_LjmQo3hr4Y)Y00BWDS^)0VdRq~(CJW9$MSCe+GklK$ z2!v1q;8zfgaC#~VV=#oCQr}2LMFYVAhy2!b^k98G6$1nWPWxL@K|#hw@N?`82pPB} zTnZtHkdlzO!_I(|fg_QKzvTaMH!SGOaM3*LK+jVuV%5^l*4uhB`dQ$Ki3n*i!ELLq zNB-zZdNyh)0`W*Kff2eh&+RIpA!;|N8`{-xHuf;0c%#PH|en8Gm;$ z{q6vt21xinZFm|Lr#1uvl==EFul=%hE0wt%(F!eMhJC%%_sANRQnQh+f=F@VcG?(4 znlF{hAv2vaVNRW2#-Ht>q)9CwY_@ppZn0ZR;#vxfqppoAd)4ZXaY4BipOk&I9 z=j*QA^?@wy4u{m8SMd1shl8v#^5(q9K`yu3h1#-yrMxQ!=eT>$a(ep3WMo#Tqw|ln z`Ufl9EYwSKapusZfs19qUr-%g5_8q=55fqIbu#?jPv_z;ge@7wGAsM#WEXA`$Ne6y z-tUX!D4Q&g&hoA4Jm()JWUTeNzFGVFpql{jM_;YRSSsV3Z`7_-0~eT}^D;Z)9_6Kg zNAg1w0V0+YOpHHCyYs=U%VA=7X2FzrUstqJn^8i%Y!a&SMdhGhHZi6OXLmRP$lB#Ze3+nNe7;l%Ps7Y3AEqyCoB^M+ zHs4J;@vwV`pXOO0fXd6w#TM;#+BC<5cf?LJD+rDSlTZCacbN(Z23`U&15fi77z_T2 zAkWW{G|#fB#6kOgzTTIfqLqS|Lyq|P7GB~iEZ69=%Zr9YbeLx*K9hUU+GBpB*~z%!~52GYEGn6&UV(ewMvF{DMP75-~$5MKNdl0~xGRmC}FV%wW|^ zs*JA1&*#Jm%$?_Z995=;-ij`@gP@nsmAO1O~~n*DCF zyPx$bEmOPG*84fmdyMjxB=NDtT)xh#gmtgSsNF5($yQQZd}yQ+#sWfW?JGQ>X3uM` zO9@?}8PWc{8VYg1JZSVwmraXyzVc}F5zpvugX=(cYwXZB4U2X98r1S!E6J%LDAv*7 zy_{!wz%rxJmjUo3$Pt)|X6Pp+x19$If{Thsdj=v61y7m3M++YSt^U{4NyT zUpPO~aL>$gUspwb!S~KgcLQy!ec+q`$I&iVtnWO-FgjI01WzUcOh{|2x zesVZJzVQ+C0#6st;Q@X9VmB=``=`mi44J)dm`-nP$?pZ@Rn|7jA1R!lu1mlEz}4~I z#uHDMP8e(i4aR+LvKqDjYVNW^zB#+Mm4dhdVD4NUkngj9tX`n}4CgJO*1Q0JK6|$B zI@sxi%d?sVFF(n{l8;oFa@;l%^^Lg<@NaBO_#tS)%br_5f8g;5yIoj+ZnyBU~+#`!&iX#L30bl$pe|(jTdSVc2Q6OiSs3RX+ zF^OV7N)w(an-PoL*F}a^O5EWr%l4;lz48RtzF$%G>aN}=NSk9~ zsdlyZD`)vGI-+8w8%l%UQb-!ZKr)Xi`Ld$cEs;b*Ss{)$GZV@-`r(F?fSC7)N?N4$KC*7a=NKf8e 
zq({9-7;n;E~hWWA2n1xDDTF^Xx{kN=jy9RaGs%Wfo&5y*c%;&b z#8>hNB>ku>JMZ_&Bf+}E=_InK;oL#1ToxIURyve{jj2RBChN67X???E(wMP!J7fzY z%e~99&1?mkDgJSPe8yUbQ?zHwg42D0q90gzFDY$4kDy-^a+A!$>Ml*1=0R=m%kYfl zZxNrIblXUB$uG+doRp-d(kVsH`@0_Bio2>Sr*x?q`L(nC8tm;$7u!*j*eBxgZDkq< zw+(~2swxR!=L7?)Ro*FCCzm$I>#W!Fb+m3mJib3?E1!NqkpiQhyX$k%!pVq%2;l-& zx+sjl4vA@%cCNn7f0C4Gom_Xzu&hJsPmU9S^ZkS4K785_lOLrKt$lpnHM+I@Q!I!{ z?7v(?@%!y8R&2B%F0%~c=o_xuW~1KCG;Zp67(sC~zNWAAeJzJ}_QFTKpwxk*F)Ogu zoq_&iMZY7r6JXhA@tndH;n>VA-bsO9VkMI;Az}FOz#$;|`>-x3cJt;)p$s*zYD@F4 zSOsNf(Ty8`euW2)+1*t@ajmf)bW4rlWgIU_Z=J!sVn^NWepjZCm`}s|w%hrUDQl2? zpZ7bsio*~5-)KiDBP6A#L5PM{I3VmfAo#ED|f?w@Kyf7HbYn>c( zqR_o}V5!$RE+HXZ1m!#b_^!XbAa3Uo%`~l#ju5U%NLh7Btr0s#J-#BZDg5B^JbR`h bHA4n}c7Wg6kSx#03G;5$(TcY1CK35B0yZ&e literal 0 HcmV?d00001 diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json new file mode 100644 index 0000000000..2865e01cd6 --- /dev/null +++ b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json 
@@ -0,0 +1,99 @@ + [ + { + "uri": "\/not\/allowed\/at\/all$", + "permissions": [ + "test.auth.access.ifYouLikedItYouShouldHavePutAPermissionOnIt" + ] + }, + { + "uri": "\/one\/auth\/required$", + "permissions": [ + "test.auth.access.aSimpleSingleAuth" + ] + }, + { + "uri": "\/multi\/auth\/required$", + "permissions": [ + "test.auth.access.aMultipleAuth1", + "test.auth.access.aMultipleAuth2", + "test.auth.access.aMultipleAuth3" + ] + }, + { + "uri": "\/one\/[^\/]+\/required$", + "permissions": [ + "test.auth.access.aSimpleSingleAuth" + ] + }, + { + "uri": "\/services\/getAAFRequest$", + "permissions": [ + "test.auth.access|services|GET,PUT" + ] + }, + { + "uri": "\/admin\/getAAFRequest$", + "permissions": [ + "test.auth.access|admin|GET,PUT,POST" + ] + }, + { + "uri": "\/service\/aai\/webapp\/index.html$", + "permissions": [ + "test.auth.access|services|GET,PUT" + ] + }, + { + "uri": "\/services\/aai\/webapp\/index.html$", + "permissions": [ + "test.auth.access|services|GET,PUT" + ] + }, + { + "uri": "\/$", + "permissions": [ + "\\|services\\|GET", + "test\\.auth\\.access\\|services\\|GET,PUT" + ] + }, + { + "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions$", + "permissions": [ + "test\\.auth\\.access\\|rest\\|read" + ] + }, + { + "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+$*", + "permissions": [ + "test.auth.access|clouds|read", + "test.auth.access|tenants|read" + ] + }, + { + "uri": "\/aai\/v10\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+\/tenants/tenant/[^\/]+/vservers/vserver/[^\/]+$", + "permissions": [ + "test.auth.access|clouds|read", + "test.auth.access|tenants|read", + "test.auth.access|vservers|read" + ] + }, + { + "uri": "\/backend$", + "permissions": [ + "test\\.auth\\.access\\|services\\|GET,PUT", + "\\|services\\|GET" + ] + }, + { + "uri": "\/services\/inventory\/.*", + "permissions": [ + "org\\.access\\|\\*\\|\\*" + ] + }, + { + "uri": "\/services\/champ-service\/.*", + 
"permissions": [ + "org\\.access\\|\\*\\|\\*" + ] + } + ] diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties new file mode 100644 index 0000000000..33daa73b67 --- /dev/null +++ b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties @@ -0,0 +1,25 @@ +# This is a normal Java Properties File +# Comments are with Pound Signs at beginning of lines, +# and multi-line expression of properties can be obtained by backslash at end of line + +#hostname is used for local testing where you may have to set your hostname to **.att.com or **.sbc.com. The example given below +#will allow for an ATT cross domain cookie to be used for GLO. If you are running on Windows corp machine, your machine name +#may be used automatically by cadi. However, if it is not, you will need to use hostname=mywebserver.att.com and add mywebserver.att.com +#to your hosts file on your machine. +#hostname=test.aic.cip.att.com + +cadi_loglevel=DEBUG +cadi_keyfile=/opt/app/rproxy/config/security/keyfile + +cadi_truststore=/opt/app/rproxy/config/auth/tomcat_keystore +cadi_truststore_password=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10 + +# Configure AAF +aaf_url=https://{{.Values.global.aaf.serverHostname}}:{{.Values.global.aaf.serverPort}} +aaf_env=DEV + +aaf_id=demo@people.osaaf.org +aaf_password=enc:92w4px0y_rrm265LXLpw58QnNPgDXykyA1YTrflbAKz + +# This is a colon separated list of client cert issuers +cadi_x509_issuers=CN=ONAP, OU=ONAP, O=ONAP, L=Ottawa, ST=Ontario, C=CA \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/forward-proxy.properties b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/forward-proxy.properties new file mode 100644 index 0000000000..1b58d4235c --- /dev/null +++ b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/forward-proxy.properties 
@@ -0,0 +1,4 @@ +forward-proxy.protocol = https +forward-proxy.host = localhost +forward-proxy.port = 10680 +forward-proxy.cacheurl = /credential-cache \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/logback-spring.xml b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/logback-spring.xml new file mode 100644 index 0000000000..fc04a978bb --- /dev/null +++ b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/logback-spring.xml @@ -0,0 +1,48 @@ + + + + + + + + + + %d{ISO8601} %-5level [%t] %C{1.}: %msg%n%throwable + + + + + + ${LOGS}/${FILEPREFIX}.log + + %d %p %C{1.} [%t] %m%n + + + + + ${LOGS}/archived/${FILEPREFIX}-%d{yyyy-MM-dd}.%i.log + + + 10MB + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/primary-service.properties b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/primary-service.properties new file mode 100644 index 0000000000..8d64529da9 --- /dev/null +++ b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/primary-service.properties @@ -0,0 +1,3 @@ +primary-service.protocol = https +primary-service.host = localhost +primary-service.port = 9522 \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/readme.txt b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/readme.txt new file mode 100644 index 0000000000..79cf29e73c --- /dev/null +++ b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/readme.txt @@ -0,0 +1 @@ +Relevant configuration files need to be copied here to successfully run this service locally. \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/reverse-proxy.properties b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/reverse-proxy.properties new file mode 100644 index 0000000000..8d46e1f429 --- /dev/null 
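Review bot: `forward-proxy.port = 10680` and `primary-service.port = 9522` are hard-coded while deployment.yaml exposes the sidecars on `.Values.global.fproxy.port` and `.Values.global.rproxy.port`, so the properties and the container ports can silently drift apart. Because configmap.yaml renders these files through `tpl`, they can reference the values directly, as cadi.properties already does for `aaf_url`: `forward-proxy.port = {{ .Values.global.fproxy.port }}`. The same applies to primary-service.properties, whose port presumably has to match the champ container's own listening port (`.Values.service.internalPort` — confirm).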
+++ b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/reverse-proxy.properties
@@ -0,0 +1 @@
+transactionid.header.name=X-TransactionId
\ No newline at end of file
diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile
new file mode 100644
index 0000000000..6cd12fcfb4
--- /dev/null
+++ b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile
@@ -0,0 +1,27 @@ +bZNOXiGDJ2_eiKBKWYLIFx27URvb-SWfmOl2d-QKetcVKIupOrsG-ScS_VXOtKN3Yxfb2cR6t7oM +1RNpDnhsKAxDLM6A62IkS_h_Rp3Q9c2JeyomVmyiuHR7a2ARbelaMrX8WDrxXI_t9ce4pIHDVE29 +xiQm3Bdp7d7IiKkgg-ipvOU7Y6NEzeQbvHlHvRTJ3ZZMSwHxBOA5M8DhKN-AF1sqwozEVaNAuJxK +BVdh72A6KTW7ieb_GvVQQp8h32BuOz8oJhZV7KaGXsWTEvXg9ImboY0h7Sl9hufgn1ZtDK1jxzGm +6O6LBg1qezzZaFGTXRmHvaeYmEeYSu0bGsU4x-JCU0RyhNTzFhkhjNoccaqPXBdcJymLf096mD99 +QLS8nyji_KtLQJL1fqr500c8p6SOURLPgG6Gzkn4ghgFYlfgve92xs1R3ggHKhNTLV4HJ4O6iSDm +zCoHeRbsZR1JER9yxT-v8NtcHOMAZe1oDQeY6jVyxb-bhaonN6eZPI4nyF6MHJQtWKhGARC_kOs6 +x9E0ZdAEp5TrX7F7J5PwkXzbCOuSiTVftOBum43iUB4q9He8tn2tJ0X4LtLHT3bPl16wWnZm9RPf +8wBtTJh4QP_cTStPq1ftSaLIAuqVFpbiC2DxGemXZn3QvykuYqa-rKeYPoIJ5dtWd5rNb_hhcSIz +FakKTELb0HWYGji98TBF6PaStea2f2m-wGX_uQGD7_Dijl6AgnV9koKVs1bN1XljLtNMPbLdD8sz +UCvc5lwvCFyyeunljI7os1fgwBmaMyckflq5VfZv9kFxom6jFLbcozylQ_uBg4j7oCP79IXVUI-r +banZltOSmm8zHGc2R9UlUyxJWBi01yxwi1hUtn9g1H4RtncQpu3BY0Qvu5YLAmS5imivUnGVZWbv +6wcqnJt5HwaVatE9NHONSLNTViQPsUOutWZBZxhJtAncdZuWOYZSh4TPzUJWvt6zT0E3YMBc_UuG +yPmdLyqo7qGHR8YWRqq_vq6ISJqENMnVD6X9-BeI6KM4GPEAlDWyhgENXxQFjG45ufg3UpP8LBTB +xDntlfkphRumsd13-8IlvwVtlpgnbuCMbwP_-lNVeNJcdA1InPt79oY-SEVZ-RVM1881ZASCnFeB +lh3BTc_bGQ8YoC9s6iHtcCK_1SdbwzBfQBJUqqcYsa8hJLe-j8di7KCaFzI3a-UXWKuuWljpbKbq +ibd48UFJt_34_GxkD6bmLxycuNH-og2Sd2VcYU0o5UarcrY4-2sgFPE7Mzxovrl98uayfgNF9DqE +fJ4MwFGqLRtEHlm4zfuMxQ5Rh_giMUHDJApc1DYRkxdGbNUd4bC4aRBln2IhN-rNKbSVtiW_uT6v +1KTMGmElvktjPWybJd2SvhT5qOLUM81-cmZzAsNa04jxZLBlQn_1fel3IroVos4Ohbdhar2NG6T5 +liten9RZ9P4Cg9RWhgeQonAD5kqLWXAHnCfffb5CVcAU5PHqkCgCbdThvD0-zIGETLO9AE0jKISc +0o67CUZn3MzJ9pP_3gh-ALr2w-KAwqasqCf0igf1wmEDijv9wEDcgDm39ERIElTpGKgfyuVl4F8u +PrpK5ZfpUYySUB6CZFQVVz0MvH6E7orQk4dCKFIimV_XwEtGijBttrTvyV6xYNScAEw_olt-0mdm +8UEKSsuqSyDMxUWLjKJT19rNedahYJNtI87WR9Fhhjsrai9Or3a-srOYa56wcvSj2ZHbkevbO9Xv +dQ2wzWCGEAMQSpSr83n0XEpR2pZT19Z19Svbhr08mnt2JNykCk60FLCeDTUOylJtYw6YOjqBizQZ +-85B51BCbSEaAKJkgT9-8n_-LGW5aPBrBB_9FT7UIYczNEt3B1Lqr2s4ipPI_36JecEfqaS2cNLn 
+c0ObAtNGAONkhO5LYLneMR3fZPMFuOX1-rMObPgE0i9dYqWDZ_30w9rpRsmiWyxYi5lvWDxU5L1J +uJxwREz3oa_VgpSC3Y2oxCufdQwzBk57iVLDOb1qs_Hwj1SWd1nukWyAo2-g5sR1folAEcao \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-champ/templates/configmap.yaml b/kubernetes/aai/charts/aai-champ/templates/configmap.yaml index b2f16d9034..db77ae2c27 100644 --- a/kubernetes/aai/charts/aai-champ/templates/configmap.yaml +++ b/kubernetes/aai/charts/aai-champ/templates/configmap.yaml @@ -51,3 +51,37 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/log/*").AsConfig . | indent 2 }} +{{ if .Values.global.installSidecarSecurity }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-fproxy-config + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/fproxy/config/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-fproxy-log-config + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/fproxy/config/logback-spring.xml").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-rproxy-config + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/rproxy/config/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-rproxy-log-config + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/rproxy/config/logback-spring.xml").AsConfig . | indent 2 }} +{{ end }} \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-champ/templates/deployment.yaml b/kubernetes/aai/charts/aai-champ/templates/deployment.yaml index 4e1866c8b9..aa9157fe47 100644 --- a/kubernetes/aai/charts/aai-champ/templates/deployment.yaml +++ b/kubernetes/aai/charts/aai-champ/templates/deployment.yaml 
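Review bot: The `-rproxy-config` ConfigMap is built from `resources/rproxy/config/*`, which includes cadi.properties and with it `cadi_truststore_password` and `aaf_password`; a ConfigMap is readable by anyone with `get configmaps` in the namespace and is not covered by Secret-specific controls such as etcd encryption, so that file belongs in the `-rproxy-security-config` Secret next to the keyfile it pairs with. The same glob also pulls in logback-spring.xml and readme.txt, so logback-spring.xml is shipped twice (here and in `-rproxy-log-config`) and readme.txt is shipped needlessly; listing the property files explicitly, e.g. `{{ tpl (.Files.Glob "resources/rproxy/config/*.properties").AsConfig . | indent 2 }}`, avoids both. The fproxy pair of ConfigMaps has the same overlap.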
@@ -31,6 +31,12 @@ spec: app: {{ include "common.name" . }} release: {{ .Release.Name }} spec: + {{ if .Values.global.installSidecarSecurity }} + hostAliases: + - ip: {{ .Values.global.aaf.serverIp }} + hostnames: + - {{ .Values.global.aaf.serverHostname }} + {{ end }} initContainers: - command: - /root/ready.py @@ -46,6 +52,13 @@ spec: image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + {{ if .Values.global.installSidecarSecurity }} + - name: {{ .Values.global.tproxyConfig.name }} + image: "{{ include "common.repository" . }}/{{ .Values.global.tproxyConfig.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + securityContext: + privileged: true + {{ end }} containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" 
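Review bot: The `tproxyConfig` init container in the second hunk runs with `privileged: true` and nothing records why; a privileged container has full access to the node, so the reason and the minimum needed should be written next to it, e.g. `# privileged: installs the iptables redirect that forces pod traffic through rproxy/fproxy - TODO confirm`. If the container only manipulates iptables, `securityContext.capabilities.add: ["NET_ADMIN"]` (plus `NET_RAW` if the image needs it) is the narrower setting. In the first hunk, `hostAliases` pins `.Values.global.aaf.serverHostname` to `.Values.global.aaf.serverIp`, which bypasses DNS for the AAF endpoint; fine for a lab, but it deserves a comment saying so. None of the `.Values.global.*` keys these hunks read are defined in this commit, so presumably they live in the parent aai chart's values.yaml.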
@@ -123,6 +136,78 @@ spec: name: {{ include "common.fullname" . }}-logs - mountPath: /usr/share/filebeat/data name: aai-filebeat + {{ if .Values.global.installSidecarSecurity }} + - name: {{ .Values.global.rproxy.name }} + image: "{{ include "common.repository" . }}/{{ .Values.global.rproxy.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + env: + - name: CONFIG_HOME + value: "/opt/app/rproxy/config" + - name: KEY_STORE_PASSWORD + value: {{ .Values.config.keyStorePassword }} + - name: spring_profiles_active + value: {{ .Values.global.rproxy.activeSpringProfiles }} + volumeMounts: + - name: {{ include "common.fullname" . }}-rproxy-config + mountPath: /opt/app/rproxy/config/forward-proxy.properties + subPath: forward-proxy.properties + - name: {{ include "common.fullname" . }}-rproxy-config + mountPath: /opt/app/rproxy/config/primary-service.properties + subPath: primary-service.properties + - name: {{ include "common.fullname" . }}-rproxy-config + mountPath: /opt/app/rproxy/config/reverse-proxy.properties + subPath: reverse-proxy.properties + - name: {{ include "common.fullname" . }}-rproxy-config + mountPath: /opt/app/rproxy/config/cadi.properties + subPath: cadi.properties + - name: {{ include "common.fullname" . }}-rproxy-log-config + mountPath: /opt/app/rproxy/config/logback-spring.xml + subPath: logback-spring.xml + - name: {{ include "common.fullname" . }}-rproxy-auth-config + mountPath: /opt/app/rproxy/config/auth/tomcat_keystore + subPath: tomcat_keystore + - name: {{ include "common.fullname" . }}-rproxy-auth-config + mountPath: /opt/app/rproxy/config/auth/client-cert.p12 + subPath: client-cert.p12 + - name: {{ include "common.fullname" . }}-rproxy-auth-config + mountPath: /opt/app/rproxy/config/auth/uri-authorization.json + subPath: uri-authorization.json + #- name: {{ include "common.fullname" . 
}}-rproxy-auth-config + # mountPath: /opt/app/rproxy/config/auth/aaf_truststore.jks + # subPath: aaf_truststore.jks + - name: {{ include "common.fullname" . }}-rproxy-security-config + mountPath: /opt/app/rproxy/config/security/keyfile + subPath: keyfile + + ports: + - containerPort: {{ .Values.global.rproxy.port }} + + - name: {{ .Values.global.fproxy.name }} + image: "{{ include "common.repository" . }}/{{ .Values.global.fproxy.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + env: + - name: CONFIG_HOME + value: "/opt/app/fproxy/config" + - name: KEY_STORE_PASSWORD + value: {{ .Values.config.keyStorePassword }} + - name: spring_profiles_active + value: {{ .Values.global.fproxy.activeSpringProfiles }} + volumeMounts: + - name: {{ include "common.fullname" . }}-fproxy-config + mountPath: /opt/app/fproxy/config/fproxy.properties + subPath: fproxy.properties + - name: {{ include "common.fullname" . }}-fproxy-log-config + mountPath: /opt/app/fproxy/config/logback-spring.xml + subPath: logback-spring.xml + - name: {{ include "common.fullname" . }}-fproxy-auth-config + mountPath: /opt/app/fproxy/config/auth/tomcat_keystore + subPath: tomcat_keystore + - name: {{ include "common.fullname" . }}-fproxy-auth-config + mountPath: /opt/app/fproxy/config/auth/client-cert.p12 + subPath: client-cert.p12 + ports: + - containerPort: {{ .Values.global.fproxy.port }} + {{ end }} volumes: - name: localtime 
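Review bot: Both sidecars receive `KEY_STORE_PASSWORD` as a plain `value: {{ .Values.config.keyStorePassword }}`, which puts the password into the Pod spec (visible to anyone who can `get pods`) even though secrets.yaml already stores the same value under the key `KEY_STORE_PASSWORD`. Reading it through `valueFrom.secretKeyRef` from that existing Secret keeps it out of the spec; the fence shows the rproxy env block and the fproxy block needs the same change. As written the value is also unquoted, so a purely numeric password would render as a YAML number and fail validation for an env `value`; `| quote` fixes that if the plain form is kept. The commented-out `aaf_truststore.jks` mount should be removed or explained rather than left as dead config.
```yaml
        env:
          - name: CONFIG_HOME
            value: "/opt/app/rproxy/config"
          - name: KEY_STORE_PASSWORD
            valueFrom:
              secretKeyRef:
                name: <EXISTING_CHAMP_SECRET_NAME>   # placeholder: the Secret secrets.yaml already populates with KEY_STORE_PASSWORD
                key: KEY_STORE_PASSWORD
          - name: spring_profiles_active
            value: {{ .Values.global.rproxy.activeSpringProfiles }}
# … unchanged: volumeMounts, ports …
```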
@@ -156,5 +241,28 @@ spec: name: aai-filebeat - name: aai-filebeat emptyDir: {} + {{ if .Values.global.installSidecarSecurity }} + - name: {{ include "common.fullname" . }}-rproxy-config + configMap: + name: {{ include "common.fullname" . }}-rproxy-config + - name: {{ include "common.fullname" . }}-rproxy-log-config + configMap: + name: {{ include "common.fullname" . }}-rproxy-log-config + - name: {{ include "common.fullname" . }}-rproxy-auth-config + secret: + secretName: {{ include "common.fullname" . }}-rproxy-auth-config + - name: {{ include "common.fullname" . }}-rproxy-security-config + secret: + secretName: {{ include "common.fullname" . }}-rproxy-security-config + - name: {{ include "common.fullname" . }}-fproxy-config + configMap: + name: {{ include "common.fullname" . }}-fproxy-config + - name: {{ include "common.fullname" . }}-fproxy-log-config + configMap: + name: {{ include "common.fullname" . }}-fproxy-log-config + - name: {{ include "common.fullname" . }}-fproxy-auth-config + secret: + secretName: {{ include "common.fullname" . }}-fproxy-auth-config + {{ end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aai/charts/aai-champ/templates/secrets.yaml b/kubernetes/aai/charts/aai-champ/templates/secrets.yaml index dddf15609b..a0a1519c26 100644 --- a/kubernetes/aai/charts/aai-champ/templates/secrets.yaml +++ b/kubernetes/aai/charts/aai-champ/templates/secrets.yaml 
@@ -37,3 +37,32 @@ data: KEY_STORE_PASSWORD: {{ .Values.config.keyStorePassword | b64enc | quote }} KEY_MANAGER_PASSWORD: {{ .Values.config.keyManagerPassword | b64enc | quote }} +{{ if .Values.global.installSidecarSecurity }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-fproxy-auth-config + namespace: {{ include "common.namespace" . }} +type: Opaque +data: +{{ tpl (.Files.Glob "resources/fproxy/config/auth/*").AsSecrets . | indent 2 }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-rproxy-auth-config + namespace: {{ include "common.namespace" . }} +type: Opaque +data: +{{ tpl (.Files.Glob "resources/rproxy/config/auth/*").AsSecrets . | indent 2 }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-rproxy-security-config + namespace: {{ include "common.namespace" . }} +type: Opaque +data: +{{ tpl (.Files.Glob "resources/rproxy/config/security/*").AsSecrets . | indent 2 }} +{{ end }} \ No newline at end of file diff --git a/kubernetes/aai/charts/aai-champ/templates/service.yaml b/kubernetes/aai/charts/aai-champ/templates/service.yaml index eeb27edffb..e67d42a5ff 100644 --- a/kubernetes/aai/charts/aai-champ/templates/service.yaml +++ b/kubernetes/aai/charts/aai-champ/templates/service.yaml 
@@ -26,6 +26,18 @@ metadata: spec: type: {{ .Values.service.type }} ports: + {{ if .Values.global.installSidecarSecurity }} + {{if eq .Values.service.type "NodePort" -}} + - port: {{ .Values.service.internalPort }} + nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} + targetPort: {{ .Values.global.rproxy.port }} + name: {{ .Values.service.portName }} + {{- else -}} + - port: {{ .Values.service.externalPort }} + targetPort: {{ .Values.global.rproxy.port }} + name: {{ .Values.service.portName }} + {{- end}} + {{ else }} {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.internalPort}} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort}} @@ -35,6 +47,7 @@ spec: targetPort: {{ .Values.service.internalPort }} name: {{ .Values.service.portName }} {{- end}} + {{ end }} selector: app: {{ include "common.name" . }} release: {{ .Release.Name }} -- 2.16.6
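Review bot: With sidecar security enabled the Service's `targetPort` moves to `.Values.global.rproxy.port`, but that only reroutes traffic that arrives through the Service; the champ container still listens on its own port inside the pod, so a client on the pod network can reach it by pod IP and skip the reverse proxy. If the privileged `tproxyConfig` init container in deployment.yaml installs a redirect that closes this path, say so here, e.g. `# traffic via the Service terminates at rproxy; direct pod-IP access is covered by the tproxy redirect rules - TODO confirm`; otherwise a NetworkPolicy restricting ingress to the rproxy port is needed. The second hunk only closes the `{{ if }}` opened here.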