From cc3141d86b6b9c18948b067d59387f7a3acaa39a Mon Sep 17 00:00:00 2001 From: Sylvain Desbureaux Date: Mon, 8 Feb 2021 15:59:33 +0100 Subject: [PATCH] [VID] Automatically retrieve certificates Use certInitializer in order to retrieve the certificates instead of hardcoding them. Issue-ID: VID-959 Signed-off-by: Sylvain Desbureaux Change-Id: I72eb09cd2719995ee05141034936f8e0589c7ad1 --- kubernetes/vid/requirements.yaml | 5 ++- kubernetes/vid/resources/certs/org.onap.vid.jks | Bin 3597 -> 0 bytes .../vid/resources/certs/org.onap.vid.trust.jks | Bin 1413 -> 0 bytes kubernetes/vid/templates/deployment.yaml | 29 +++++++----- kubernetes/vid/templates/secrets.yaml | 15 +------ kubernetes/vid/values.yaml | 49 ++++++++++++++++++++- 6 files changed, 72 insertions(+), 26 deletions(-) delete mode 100644 kubernetes/vid/resources/certs/org.onap.vid.jks delete mode 100644 kubernetes/vid/resources/certs/org.onap.vid.trust.jks diff --git a/kubernetes/vid/requirements.yaml b/kubernetes/vid/requirements.yaml index c6554cada2..34ad968757 100644 --- a/kubernetes/vid/requirements.yaml +++ b/kubernetes/vid/requirements.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -19,6 +20,9 @@ dependencies: # a part of this chart's package and will not # be published independently to a repo (at this point) repository: '@local' + - name: certInitializer + version: ~7.x-0 + repository: '@local' - name: mariadb-galera version: ~7.x-0 repository: '@local' @@ -30,4 +34,3 @@ dependencies: - name: repositoryGenerator version: ~7.x-0 repository: '@local' - 
diff --git a/kubernetes/vid/resources/certs/org.onap.vid.jks b/kubernetes/vid/resources/certs/org.onap.vid.jks deleted file mode 100644 index a05f12d8577fd6faa581a66a6028a497962af859..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3597 zcmb`JcTiN>wud{?Kof0jqLPDz_B2RVi4r9?NJg8Sx|=9L9i&x|93)2xf(%I&U>$J-KzV?s&js4?X&kjXRY<^b-Z=F1p2@jFiFQu$yKjJwu#B)f!sZ`YF6A%OrphI z#P==Kdx^2}h3MYKXTd>S!tBM4z8(RlRzT^9b~yzs7&^vrg2VY~XlXZJ6jnoEKgJGx0?bm7vedQyMr z?~%VzC_-8#Sp%`m6Sjis_|MJK4ocR;7S*ilEqklJfKUxqcs%RhtdZCmu;q#hW#>?FQXNWqzpK6ZJW(_vGu16py#4w{@W-gS{dhujpLTE# z#AB$kGU^zQb6p&$C?=M@)*oT}gmz+VdQfMUbWk#q`JlkBC23wyP4ib-<>2#lNxDI= zJZx@1sersX0P=Nck}Do23Rb34^wM<7F{mqiHD<(lArApK&(V8y9BuvPnZ%a)@{g4U z%jPcIVzXCXUxyz|Tc2wZd~flswk3EbH2-b;ndI zu(OJCu=kOzkYb|AlC(a`CJ8+?Hsq0eucnIO?^YHX#`@MBx42Vwqh$iqJ~syK_cv9_ z+SJ#4HLlq)+ZH#qJ4DkyoetYL7230Z2rXT^|14#F`Re&<^4$1{53S4?n`T?L5-&CJ)6lq;aYzk2`Tbr@@Xo1T8C z>uxVwJHNr?UQ|V(N`FwKjrkf!G&!z{4uv}oCyGE)VtE<4SFy$x`TphDX&<+Qvu4R< zG$pyhwz*Y*u@Y{Hkp&b%AebB#h|&NV%Jmou0Yf0PQly24bsv5U02pcL#KU#M_ZY!o zBpd{2W03$I4b&V)gMygju#5omM9?$9j11L`u}lENi9|BMjc{seT3Aki{X|0VCAv0SeXlo)>Mi8Ndi__27vy@%TOxBv1b78A5*ja z6YENvSFZi9mH)A^pEnJV!2&;j7M1)^GME`eeNGP{gTbJ&mE3se_)7I<_kNgE%NE64 zhuQCtQZ{;e=%Ikmg5m5&vteLzrpqU<$9HyR8rXRrt!#dKZqgoIU$%Tk#Ld5dgJG`K zvSxwldiBWgUFWz@X}vd%Z>?oh7{!B2;?=nd=t!v<%+Rg)5dRtB3*8~&20gF`1)JBot?@ZpliE;?c7GcVGb${dbIMx&g(f8zj zVs#~5rB+r~zQ`Jx)3v)0N7D9MEV1Phz9ZMPmVVK&>E0)1yg1vFe7hh-OyY9TzNmr` z5A$WT5M}`A-(?Hi%dlZ- zd>J#pV`{%{=>Ayaa`{|7P=o;_|C8vE!3f~Y$*fE;G>q-Q?WNFjCiU~Cox?R3S01!y za(PJu*G}B5FeAVqjF*7-^~5+~2zVmi)!A3o+nMC;<%}Wu;qfjQM-qX2l3Qf%lP&@8 z?T+ztCs5r^&IHomO#_+s#Cg&}{G2n?QlRDx7$o5q(K-Rbg=v!`HrQ@u!lf;CCJyT% z!L^lHF~+kY)(kV7&^19%iANfQBb67PF2}RP{HLwnu>fJFbx2Qgb8u#8t8~xIdxpPI zJ%+7P0ErQdAEdl|&~;ekPj_f(<>aAU@M6%MHPN88!fxZI`@f=KhO* zg_5kX*C!G93(5M6@7+c9mk)`U1)a{)Indt#38n%h03bu`egK3TrGJp)KZ^1R9JmR6fX`;6dgm`QPKvzk@;5h|jCUy84D01Hqu*#m^=C%qPmzz&KT=4MZC~eXjWJYcF9KTdrZ?|}#d~PY;aYO44*~lOest96Q 
zR>k?!RLn|k^ChlWCIx9pY-bxHPpy#tV2HZQpj@eL-uCW@yk6>J{^i4Ld(x`1o%)0? zz2ZtAXX=31L%qQlTDtD@)|O?XjzP+$I@22EOmDK8zV&?$RciC{}GGFvJMog+Zf-*bA zu(v+0Z|MT3P6nV(ctH!$P%jWL_+Oa<4*#)+@c#>xe@!YV83G0|qkJ>@Vyj&1w*^K+ z!mGtyNS!hMJ_@nmr$><`qr+ab`LVBUKe9xh)xq}%oi0+oW9QhP*Pc;S@-pyHsn7p6 zUgn-IA?0Vtx>-Hbh6Un|sky2g@@Ta=quIn%pI`q9W5P9$+pqN8QPt$$Vm`*xkesRC zXK~hPev*sACYq;hpYu$?H={2fruTdu!gqj&^A)=q4POIQB-dykoOd?w%O&+rm(}$dVu4@&BdMWd2IQ%j?Fh{Hr5-H{$@v%d zUlVUP-!o22O4JhNN7zSsCQrUNeU^5A)Xz)4$CA`Je$O@>3Sv{}j44^+{oI-`_{tF^ZRi!h~IVU5xa z1rK#XQbaaYT6|U~WE{NoF70O}>~tG6AVju2v`inKrK>1_;KqG5rb5ogbmRebS)YwW zgq>7hFnUeCHm=)St&>kXA7NlWX)uyzgnlD^I5%AuHp)3?UN{`Z5gk!V!Eyh{E2)o>vhSAx$0_`3mk14SJ$M1&*CW`5ZMxzdv|9xhAM72Q6yY6A1z1F F{10lg-c|qr 
diff --git a/kubernetes/vid/resources/certs/org.onap.vid.trust.jks b/kubernetes/vid/resources/certs/org.onap.vid.trust.jks deleted file mode 100644 index 4caf7be6528f488678373331e4a4f5a1fe877819..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1413 zcmb7DYdF&j9NvEy9hYrM&2kBmvmEL_Yc)li6*(>;&4jQDt3>L^{TVxLvB)jAGS?1a zVKMjXQtoT=q>~5ZQBTToi7pazIM4aehx6rp_&x9QzQ6bRJ--j{E1#9mLLd<6#sL4I z(s_n=K+t(cfH$}y`Ih!pj6x7@`-q?!1cIP~Y{XHJ4KvJ#K>;XK5t3Um+g>6O@j;}5 zq7m1I`xOZQ$_NN(j7Nbg3NRX6Sq0(fVrglOM}o?mTuBA)c+%1duM8?~QUx_A%>~@0 zj>MC|10WH908ca}xvL`yB#=PB|4aYpH8ynjkM95o2#gIyLqIlE3Ce~7kan|T8`bJ+ z1~zcllT>D-R@NmOtc#wz=2_AA<*3pcew_`CDvwyEkY4hdJej$(7#O9}Aq%h?SDI6s z%bZv4iNjr7Hs;TD*z;Q(8koVVqptP?u?FrFEaJ~PE7*hL{-6RU6cYSo&+6}P59 z#omK{7pPvi{<_STTTiEblVnEJ9N%prDmI zs)#dA5h3nSAtqa$g@Tn!ntQD#{OROFq3aB0_8K%E+g!$PI5lPdni*FW+ z+1Xz;oWubN(lKb}cHZdc!JfgMOrkJ)LXG|vl_MpTM=Re)(G3{L&T^x&s-V|3wgV(j zcnhXCfgFNisFWdp6Q)zJ7g-h~^M-V{;M}qN#FkoXcXd#bR=9LXXw+k8zh&jDza%t* zNt228KbuUqq2={OTb!%D`KU;L_<}Jg_7pwujX$=ck5_4FPjvlqZw&Ax{47D-BUB5*uz8moHe{fnA3IiZO(Rq*oYHvhP8wJO}x4X~? zi*_?oXJJR!y$&2ca{j~Yub|H6S|5%DF){ybKyMn<0AL-C0AU*dqBaHerU2h42=~Vr zZnR<}h5&@D)6J|5%X6qAYxpzFTTM=NcWt>Ox2__N#|7#W_DhzshG1Et3RhNCmB^@6 z&HPxFU6;2wRfEpEoFz=-Q1^Lcw9T!^4fUFI1DP#z=NJl)hS6NribQret*D_u_gy#oeAK!UBEa866BP&MHciZ0ns&-GS(t=zM zwY0uH8#UlH_7C!IT|yW|MIIS2jl!KBMx#EB zeVK^a@s?xaJ`P6+LjxH{+g(zU&A1tD0(7yFJch-wbT$0tWB+nUvS2$dkjL@5GJlS( zAxqF%e^^qAAv{&aE#bxjrK!d10W32OVG1Epvp2Nf9H;wNVfG0%5n=z7pUj7Be!TcW zsUBTzu+^XXmYENfF85B2kZarbev{bczjn(wRluJ)IR?>wRIqTvr*0a{WNQr$AEwXq zDZ$xaPDe{8uRSht@HCLd?{2!cjK1F`m>ko}m@)k+rG^@CT<%1!zt@J*>%2LB+1dAu zKZhcjBD2=cCD6^cea1$~?F14bNB>lE5mBtwI2w5a{T{P3>K%Xn#jA^2>LJ{s523k| TonDPFT;^JDJ&?Vc8Y2B0TWn;V diff --git a/kubernetes/vid/templates/deployment.yaml b/kubernetes/vid/templates/deployment.yaml index 2e74daa730..8872863e42 100644 --- a/kubernetes/vid/templates/deployment.yaml +++ b/kubernetes/vid/templates/deployment.yaml 
@@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Copyright © 2020 Samsung Electronics +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -36,7 +37,7 @@ spec: app: {{ include "common.name" . }} release: {{ include "common.release" . }} spec: - initContainers: + initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }} - command: - /app/ready.py args: @@ -55,6 +56,15 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if .Values.global.aafEnabled }} + command: + - sh + args: + - -c + - | + export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0) + /tmp/vid/localize.sh + {{- end }} ports: - containerPort: {{ .Values.service.internalPort }} # disable liveness probe when breakpoints set in debugger @@ -100,8 +110,6 @@ spec: value: "{{ .Values.config.roleaccesscentralized }}" - name: VID_CONTACT_US_LINK value: "{{ .Values.config.vidcontactuslink }}" - - name: VID_KEYSTORE_PASSWORD - value: {{ .Values.config.vidkeystorepassword | quote }} - name: VID_UEB_URL_LIST value: message-router.{{ include "common.namespace" . }} - name: VID_MYSQL_HOST 
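Review bot: In the added `sh -c` override (hunk `@@ -55,6 +56,15`), `cat …/mycreds.prop | xargs -0` treats the file as NUL-delimited although `aaf_add_config` writes it with newline-separated `echo` lines, so xargs hands the whole file to echo as a single argument and it is only the shell's word splitting of the unquoted `$(…)` that turns it back into two `NAME=value` words; that works solely because the generated passwords are `[:alnum:]`, which nothing in this template records. Either load the file directly, `set -a; . {{ .Values.certInitializer.credsPath }}/mycreds.prop; set +a`, or keep the line and add `# mycreds.prop is newline-delimited; values are [:alnum:] only, so unquoted expansion is safe` above it. The override also hard-codes `/tmp/vid/localize.sh` as the image entrypoint, which the chart cannot check against the image; a comment naming where that path comes from would help whoever next bumps `.Values.image`. The container spec this sits in continues outside the hunk.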
@@ -116,9 +124,13 @@ spec: {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "vid-db-user-secret" "key" "password") | indent 14 }} - name: VID_MYSQL_MAXCONNECTIONS value: "{{ .Values.config.vidmysqlmaxconnections }}" - volumeMounts: - - mountPath: /opt/app/vid/etc - name: vid-certs + {{- if .Values.global.aafEnabled }} + - name: VID_KEYSTORE_FILENAME + value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks" + - name: VID_TRUSTSTORE_FILENAME + value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks" + {{- end }} + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -149,10 +161,7 @@ spec: name: vid-logs - mountPath: /usr/share/filebeat/data name: vid-data-filebeat - volumes: - - name: vid-certs - secret: - secretName: {{ include "common.fullname" . }}-certs + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: localtime hostPath: path: /etc/localtime diff --git a/kubernetes/vid/templates/secrets.yaml b/kubernetes/vid/templates/secrets.yaml index 72934fffd8..670838c6cf 100644 --- a/kubernetes/vid/templates/secrets.yaml +++ b/kubernetes/vid/templates/secrets.yaml @@ -1,6 +1,7 @@ {{/* # Copyright © 2017 Amdocs, Bell Canada # Copyright © 2020 Samsung Electronics +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
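Review bot: The new `VID_KEYSTORE_FILENAME`/`VID_TRUSTSTORE_FILENAME` env entries are gated on `.Values.global.aafEnabled`, but the old `/opt/app/vid/etc` mount of the `vid-certs` secret is dropped unconditionally here and in the `volumes:` hunk at `@@ -149`, and `VID_KEYSTORE_PASSWORD` went away in the hunk at `@@ -100`, so a deployment with `aafEnabled: false` now starts the container with no keystore path and no password at all. If the non-AAF mode is no longer supported, say so next to the `{{- if }}`, e.g. `{{- /* TLS material is only provisioned through certInitializer; aafEnabled=false leaves VID without a keystore */ -}}`; otherwise an `{{- else }}` branch has to supply the files. Whether `common.certInitializer.volumeMount` itself emits nothing when AAF is disabled is not visible from this diff. The container spec continues outside the hunk.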
@@ -16,17 +17,3 @@ */}} {{ include "common.secretFast" . }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.fullname" . }}-certs - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/vid/values.yaml b/kubernetes/vid/values.yaml index 8e8a17ae84..4510dc6908 100644 --- a/kubernetes/vid/values.yaml +++ b/kubernetes/vid/values.yaml @@ -1,5 +1,6 @@ # Copyright © 2017 Amdocs, Bell Canada # Copyright © 2020 Samsung Electronics +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -36,6 +37,53 @@ secrets: login: '{{ .Values.config.db.userName }}' password: '{{ .Values.config.db.userPassword }}' +################################################################# +# AAF part +################################################################# +certInitializer: + nameOverride: vid-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: vid + fqi: vid@vid.onap.org + public_fqdn: vid.onap.org + fqi_namespace: "org.onap.vid" + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + aaf_add_config: | + echo "*** retrieving password for keystore and trustore" + export $(/opt/app/aaf_config/bin/agent.sh local showpass \ + {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) + if [ -z "$cadi_keystore_password" ] + then + echo " /!\ certificates retrieval failed" + exit 1 + else + echo "*** changing them into shell safe ones" + export KEYSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + export TRUSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + cd {{ .Values.credsPath }} + keytool -storepasswd -new "${KEYSTORE_PASSWD}" \ + -storepass "${cadi_keystore_password_jks}" \ + -keystore {{ .Values.fqi_namespace }}.jks + keytool -storepasswd -new "${TRUSTORE_PASSWD}" \ + -storepass "${cadi_truststore_password}" \ + -keystore {{ .Values.fqi_namespace }}.trust.jks + echo "*** set key password as same password as keystore password" + keytool -keypasswd -new "${KEYSTORE_PASSWD}" \ + -keystore {{ .Values.fqi_namespace }}.jks \ + -keypass "${cadi_keystore_password_jks}" \ + -storepass "${KEYSTORE_PASSWD}" -alias {{ .Values.fqi }} + echo "*** save the generated passwords" + echo "VID_KEYSTORE_PASSWORD=${KEYSTORE_PASSWD}" > mycreds.prop + echo "VID_TRUSTSTORE_PASSWORD=${TRUSTORE_PASSWD}" >> mycreds.prop + echo "*** change ownership of certificates to targeted user" + chown -R 1000 
. + fi + subChartsOnly: enabled: true @@ -49,7 +97,6 @@ config: userName: vidadmin # userCredentialsExternalSecret: some secret # userPassword: password - vidkeystorepassword: 'F:.\,csU\&ew8\;tdVitnfo\}O\!g' asdcclientrestauth: "Basic dmlkOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU=" asdcclientrestport: "8443" vidaaiport: "8443" -- 2.16.6
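Review bot: In `aaf_add_config` the guard only tests `$cadi_keystore_password`, while the keytool calls below consume `$cadi_keystore_password_jks` and `$cadi_truststore_password`; if either of those is empty the `keytool` commands fail, but nothing stops the script, so `mycreds.prop` is still written with new passwords that never took effect and the init container exits 0 — extend the check to `if [ -z "$cadi_keystore_password_jks" ] || [ -z "$cadi_truststore_password" ]` and put `set -e` at the top of the script so a failing keytool aborts the pod instead. `mycreds.prop` holds the two plaintext store passwords and is created with the default umask, so add `chmod 600 mycreds.prop` before the `chown` so only the owning UID can read it on the shared volume. `aafDeployPass: demo123456!` is a committed default credential; the commented `aafDeployCredsExternalSecret` line is the way deployments should supply it, and that is worth stating in the comment. The `.jks` files and the `vidkeystorepassword` default removed by this commit (hunk `@@ -49`) remain recoverable from history, so that certificate should be treated as retired rather than reintroduced elsewhere.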