Code Review / oom.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 213f6d8)
[AAI] Fix truststore password to avoid exceptions 06/120406/4
authorKrzysztof Opasiak <k.opasiak@samsung.com>
Fri, 2 Apr 2021 06:56:15 +0000 (08:56 +0200)
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>
Wed, 14 Apr 2021 13:12:34 +0000 (13:12 +0000)
Deployment of aai-resources sometimes fails with exception:

org.springframework.expression.ParseException:
Expression [BH#{XS@*#xoUULIO)eQkxaBA] @2: No ending suffix
'}' for expression starting at character 2: #{XS@*#xoUULIO)eQkxaBA

which basically means that aai-resources (and probably aai-traversal)
are unable to handle special characters that AAF is putting into cert
passwords. To avoid random AAI failures let's use a know method
proposed by Sylvain Desbureaux and just set passwords that contains
only alphanumeric characters.

Issue-ID: OOM-1
Change-Id: I248c2de6e59e4fc073b5a06f6409802634b254cf
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
kubernetes/aai/components/aai-resources/values.yaml patch | blob | history
kubernetes/aai/components/aai-traversal/values.yaml patch | blob | history

diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml
index b1d8a0a..7509cb3 100644 (file)
--- a/kubernetes/aai/components/aai-resources/values.yaml
+++ b/kubernetes/aai/components/aai-resources/values.yaml
@@ -137,9 +137,24 @@ certInitializer:
   credsPath: /opt/app/osaaf/local
   fqi_namespace: org.onap.aai-resources
   aaf_add_config: |
-    echo "*** writing passwords into prop file"
-    echo "KEYSTORE_PASSWORD=${cadi_keystore_password_p12}" > {{ .Values.credsPath }}/mycreds.prop
-    echo "TRUSTSTORE_PASSWORD=${cadi_truststore_password}" >> {{ .Values.credsPath }}/mycreds.prop
+    echo "*** changing them into shell safe ones"
+    export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    cd {{ .Values.credsPath }}
+    keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
+      -storepass "${cadi_keystore_password_p12}" \
+      -keystore {{ .Values.fqi_namespace }}.p12
+    keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
+      -storepass "${cadi_truststore_password}" \
+      -keystore {{ .Values.fqi_namespace }}.trust.jks
+    echo "*** set key password as same password as keystore password"
+    keytool -keypasswd -new "${KEYSTORE_PASSWORD}" \
+      -keystore {{ .Values.fqi_namespace }}.p12 \
+      -keypass "${cadi_keystore_password_p12}" \
+      -storepass "${KEYSTORE_PASSWORD}" -alias {{ .Values.fqi }}
+    echo "*** save the generated passwords"
+    echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
+    echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop
     echo "*** change ownership of certificates to targeted user"
     chown -R 1000 {{ .Values.credsPath }}
 
diff --git a/kubernetes/aai/components/aai-traversal/values.yaml b/kubernetes/aai/components/aai-traversal/values.yaml
index 8a063c2..253f9b9 100644 (file)
--- a/kubernetes/aai/components/aai-traversal/values.yaml
+++ b/kubernetes/aai/components/aai-traversal/values.yaml
@@ -123,9 +123,24 @@ certInitializer:
   credsPath: /opt/app/osaaf/local
   fqi_namespace: org.onap.aai-traversal
   aaf_add_config: |
-    echo "*** writing passwords into prop file"
-    echo "KEYSTORE_PASSWORD=${cadi_keystore_password_p12}" > {{ .Values.credsPath }}/mycreds.prop
-    echo "TRUSTSTORE_PASSWORD=${cadi_truststore_password}" >> {{ .Values.credsPath }}/mycreds.prop
+    echo "*** changing them into shell safe ones"
+    export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    cd {{ .Values.credsPath }}
+    keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
+      -storepass "${cadi_keystore_password_p12}" \
+      -keystore {{ .Values.fqi_namespace }}.p12
+    keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
+      -storepass "${cadi_truststore_password}" \
+      -keystore {{ .Values.fqi_namespace }}.trust.jks
+    echo "*** set key password as same password as keystore password"
+    keytool -keypasswd -new "${KEYSTORE_PASSWORD}" \
+      -keystore {{ .Values.fqi_namespace }}.p12 \
+      -keypass "${cadi_keystore_password_p12}" \
+      -storepass "${KEYSTORE_PASSWORD}" -alias {{ .Values.fqi }}
+    echo "*** save the generated passwords"
+    echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
+    echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> mycreds.prop
     echo "*** change ownership of certificates to targeted user"
     chown -R 1000 {{ .Values.credsPath }}
 
Introduces the ONAP Platform OOM (ONAP Operations Manager) to efficiently Deploy, Manage, Operate the ONAP platform and its components (e.g. MSO, DCAE, SDC, etc.) and infrastructure (VMs, Containers).