Add TLS server support for CM and CBS 03/90603/1
authorJack Lucas <jflucas@research.att.com>
Fri, 31 May 2019 12:35:34 +0000 (08:35 -0400)
committerJack Lucas <jflucas@research.att.com>
Thu, 27 Jun 2019 15:41:04 +0000 (15:41 +0000)
Issue-ID: DCAEGEN2-909
Issue-ID: DCAEGEN2-904
Issue-ID: DCAEGEN2-1513
Issue-ID: DCAEGEN2-1550
Issue-ID: DCAEGEN2-1550
Change-Id: Ia59284e3ed786dcecd397482ca04b6b06c7e610d
Signed-off-by: Jack Lucas <jflucas@research.att.com>
12 files changed:
kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-dashboard-inputs.yaml
kubernetes/dcaegen2/charts/dcae-bootstrap/templates/deployment.yaml
kubernetes/dcaegen2/charts/dcae-bootstrap/values.yaml
kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml
kubernetes/dcaegen2/charts/dcae-cloudify-manager/values.yaml
kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/deployment.yaml
kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/service.yaml
kubernetes/dcaegen2/charts/dcae-config-binding-service/values.yaml
kubernetes/dcaegen2/charts/dcae-deployment-handler/resources/config/config.json
kubernetes/dcaegen2/charts/dcae-deployment-handler/templates/deployment.yaml
kubernetes/dcaegen2/charts/dcae-deployment-handler/values.yaml
kubernetes/dcaegen2/charts/dcae-servicechange-handler/values.yaml

index e40a030..2718e18 100644 (file)
@@ -24,7 +24,7 @@ external_tls_port: {{ .Values.config.address.dashboard.portSecure }}
 database_cluster_name: {{ .Values.postgres.service.name2 }}.{{ include "common.namespace" . }}
 database_cluster_fqdn: {{ .Values.postgres.service.name2 }}.{{ include "common.namespace" . }}.{{ .Values.postgres.suffix }}
 database_name: "dashboard_pg"
-cloudify_ip: {{ .Values.config.address.cm }}
+cloudify_ip: {{ .Values.config.address.cm.host }}
 cloudify_user: "admin"
 cloudify_password: "admin"
 consul_url:  {{ .Values.config.address.consul_ui }}
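Review bot: `cloudify_ip` only picks up the new `host` key, while the `port` and `proto` values added next to it in values.yaml (L96-L98) are not passed to the dashboard, even though the CM service moves from 80 to 443 in this same commit (L185-L186). Unless the dashboard image already defaults to https on 443, it will keep contacting the old plaintext port; if the blueprint exposes port and protocol inputs, feed them from the same values here. The templated value is also unquoted, so an empty `host` would render as null; `cloudify_ip: {{ .Values.config.address.cm.host | quote }}` avoids that.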
index 0463655..be5a769 100644 (file)
@@ -61,6 +61,19 @@ spec:
             fieldRef:\r
               apiVersion: v1\r
               fieldPath: metadata.namespace\r
+      - name: init-tls\r
+        env:\r
+        - name: POD_IP\r
+          valueFrom:\r
+            fieldRef:\r
+              apiVersion: v1\r
+              fieldPath: status.podIP\r
+        image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}\r
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}\r
+        resources: {}\r
+        volumeMounts:\r
+        - mountPath: /opt/tls/shared\r
+          name: tls-info\r
       containers:\r
         - name: {{ include "common.name" . }}\r
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"\r
@@ -75,14 +88,21 @@ spec:
             - mountPath: /etc/localtime\r
               name: localtime\r
               readOnly: true\r
+            - mountPath: /certs\r
+              name: tls-info\r
+              readOnly: true\r
           env:\r
             - name: CMADDR\r
-              value: {{ .Values.config.address.cm }}\r
+              value: {{ .Values.config.address.cm.host }}\r
             - name: CMPASS\r
               valueFrom:\r
                 secretKeyRef:\r
                   name: {{ include "common.name" . }}-cmpass\r
                   key: password\r
+            - name: CMPROTO\r
+              value: {{ .Values.config.address.cm.proto }}\r
+            - name: CMPORT\r
+              value: !!string {{ .Values.config.address.cm.port }}\r
             - name: CONSUL\r
               value: {{ .Values.config.address.consul.host }}:{{ .Values.config.address.consul.port }}\r
             - name: DCAE_NAMESPACE\r
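Review bot: `!!string` on the `CMPORT` value is not a YAML tag — the standard string tag is `!!str` — so a PyYAML-based linter rejects the rendered manifest with an unknown-tag constructor error, and Helm's Go parser only accepts it because it passes unrecognised tags through as plain scalars. The idiomatic way to force a string env value is Helm's `quote`: `value: {{ .Values.config.address.cm.port | quote }}`. The same form also suits `CMPROTO` on L75, which currently renders unquoted.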
@@ -99,5 +119,7 @@ spec:
         - name: localtime\r
           hostPath:\r
             path: /etc/localtime\r
+        - name: tls-info\r
+          emptyDir: {}\r
       imagePullSecrets:\r
         - name: "{{ include "common.namespace" . }}-docker-registry-key"\r
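Review bot: The new `tls-info` volume is a disk-backed `emptyDir: {}`, and it is the hand-off between `init-tls` and the main container's `/certs` mount; if the init container writes a private key into it (the CBS chart reads `/opt/tls/key.pem` from the same kind of volume at L251-L252), that key sits on the node filesystem for the pod's lifetime. Writing the volume as `emptyDir:` with `medium: Memory` keeps it in tmpfs, discarded with the pod. The same applies to the CM and CBS volumes at L165-L166 and L312-L313.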
index aec082f..882cf37 100644 (file)
@@ -38,7 +38,10 @@ config:
       host: consul-server
       port: 8500
     consul_ui: consul-server-ui
-    cm: dcae-cloudify-manager
+    cm:
+      host: dcae-cloudify-manager
+      port: 443
+      proto: https
     dashboard:
       port: 30418
       portSecure: 30419
@@ -90,7 +93,7 @@ postgres:
 
 # application image
 repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:1.4.18
+image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:1.6.0-STAGING-latest
 default_k8s_location: central
 
 # DCAE component images to be deployed via Cloudify Manager
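Review bot: The bootstrap image moves from the pinned `1.4.18` to the floating `1.6.0-STAGING-latest` tag, which resolves to whatever was pushed last and cannot be reproduced or checked against a digest later; the same floating tag is used for CM (L175) and CBS (L379), while the new TLS init image is pinned at `1.0.3` (L370). Pin to a released tag (or an `@sha256:` digest) before this merges, or mark the STAGING tags as temporary in a comment so they are not forgotten.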
index d6c58cd..b3e90a2 100644 (file)
@@ -34,6 +34,12 @@ spec:
         app: {{ include "common.name" . }}
         release: {{ .Release.Name }}
     spec:
+      # host alias allows local 'cfy' command to use https and match
+      # the host name in the certificate
+      hostAliases:
+      - ip: "127.0.0.1"
+        hostnames:
+        - "dcae-cloudify-manager"
       initContainers:
       - name: {{ include "common.name" . }}-multisite-init
         image: {{ include "common.repository" . }}/{{ .Values.multisiteInitImage }}
@@ -44,10 +50,26 @@ spec:
           - --configmap
           - {{ .Values.multisiteConfigMapName }}
         restartPolicy: Never
+      - name: init-tls
+        env:
+          - name: POD_IP
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.podIP
+        image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        resources: {}
+        volumeMounts:
+            - mountPath: /opt/tls/shared
+              name: tls-info
       containers:
         - name: {{ include "common.name" . }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          env:
+            - name: REQUESTS_CA_BUNDLE
+              value: "/opt/onap/certs/cacert.pem"
           resources:
 {{ include "common.resources" . | indent 12 }}
           ports:
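Review bot: Sequence indentation in the new `init-tls` block is inconsistent: the `env:` items are indented two spaces under their key (L131) but the `volumeMounts:` items four (L140), while the rest of this file keeps list items flush with their key (L122-L123). YAML accepts all three, but yamllint's `indentation` rule will not; `- mountPath: /opt/tls/shared` should sit at the same offset as the `env:` items. `resources: {}` also leaves this init container without the limits the main container gets from `common.resources` (L150), which may be intentional — if so, a one-line comment would say why.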
@@ -86,6 +108,8 @@ spec:
             readOnly: true
           - mountPath: /cfy-persist
             name: cm-persistent
+          - mountPath: /opt/onap/certs
+            name: tls-info
           securityContext:
             privileged: True
       volumes:
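Review bot: The `/opt/onap/certs` mount of `tls-info` is read-write in the CM container, whereas the equivalent bootstrap mount at `/certs` sets `readOnly: true` (L62-L64); unless CM itself writes into that directory after `init-tls` populates it, add `readOnly: true` so the CA bundle read via `REQUESTS_CA_BUNDLE` (L147-L148) cannot be altered from inside the container. The CBS mount at `/opt/tls` (L241-L242) has the same omission.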
@@ -107,5 +131,7 @@ spec:
         - name: cm-persistent
           persistentVolumeClaim:
             claimName: {{ include "common.fullname" . }}-data
+        - emptyDir: {}
+          name: tls-info
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
index 41f0750..b015143 100644 (file)
@@ -44,7 +44,7 @@ config:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.deployments.cm-container:1.6.2
+image: onap/org.onap.dcaegen2.deployments.cm-container:2.0.0-STAGING-latest
 pullPolicy: Always
 
 # name of shared ConfigMap with kubeconfig for multiple clusters
@@ -69,8 +69,8 @@ readiness:
 service:
   type: ClusterIP
   name: dcae-cloudify-manager
-  externalPort: 80
-  internalPort: 80
+  externalPort: 443
+  internalPort: 443
 
 # Resource Limit flavor -By Default using small
 flavor: small
index a968204..19fe038 100644 (file)
@@ -50,36 +50,60 @@ spec:
               fieldRef:
                 apiVersion: v1
                 fieldPath: metadata.namespace
+        {{- if .Values.service.secure.enabled }}
+        - name: init-tls
+          env:
+          - name: POD_IP
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: status.podIP
+          image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }}
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          resources: {}
+          volumeMounts:
+            - mountPath: /opt/tls/shared
+              name: tls-info
+        {{ end  }}
       containers:
+        {{- if .Values.service.secure.enabled }}
         - name: {{ include "common.name" . }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           resources:
 {{ include "common.resources" . | indent 12 }}
           ports:
-          - containerPort: {{ .Values.service.internalPort }}
+          - containerPort: {{ .Values.service.secure.internalPort }}
           # disable liveness probe when breakpoints set in debugger
           # so K8s doesn't restart unresponsive container
           {{- if eq .Values.liveness.enabled true }}
           livenessProbe:
             tcpSocket:
-              port: {{ .Values.service.internalPort }}
+              port: {{ .Values.service.secure.internalPort }}
             initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
             periodSeconds: {{ .Values.liveness.periodSeconds }}
           {{ end -}}
           readinessProbe:
             httpGet:
+              scheme: "HTTPS"
               path: {{ .Values.readiness.path }}
-              port: {{ .Values.service.internalPort }}
+              port: {{ .Values.service.secure.internalPort }}
             initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
             periodSeconds: {{ .Values.readiness.periodSeconds }}
           volumeMounts:
           - name: {{ include "common.fullname" . }}-logs
             mountPath: /opt/logs
+          - name: tls-info
+            mountPath: /opt/tls
           env:
             - name: CONSUL_HOST
               value: consul.{{ include "common.namespace" . }}
-
+            - name: USE_HTTPS
+              value: "1"
+            - name: HTTPS_CERT_PATH
+              value: "/opt/tls/cert.pem"
+            - name: HTTPS_KEY_PATH
+              value: "/opt/tls/key.pem"
         - name: {{ include "common.name" . }}-filebeat-onap
           image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
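Review bot: `{{ end  }}` on L209 has a doubled space and no whitespace trim, unlike `{{ end -}}` on L229 and the `{{- end }}` forms in service.yaml, so it leaves a line of indentation-only whitespace between the last init container and `containers:`. YAML tolerates that, but it is fragile and inconsistent; `{{- end }}` removes the line. The new block also mixes list indentation, with `env:` items flush under their key (L198) and `volumeMounts:` items indented (L207).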
@@ -91,13 +115,67 @@ spec:
             mountPath: /usr/share/filebeat/data
           - name: {{ include "common.fullname" . }}-logs
             mountPath: /var/log/onap
+        {{ end }}
+        {{- if .Values.service.insecure.enabled }}
+        - name: {{ include "common.name" . }}-insecure
+          image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          resources:
+{{ include "common.resources" . | indent 12 }}
+          ports:
+          - containerPort: {{ .Values.service.insecure.internalPort }}
+          # disable liveness probe when breakpoints set in debugger
+          # so K8s doesn't restart unresponsive container
+          {{- if eq .Values.liveness.enabled true }}
+          livenessProbe:
+            tcpSocket:
+              port: {{ .Values.service.insecure.internalPort }}
+            initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.liveness.periodSeconds }}
+          {{ end -}}
+          readinessProbe:
+            httpGet:
+              scheme: "HTTP"
+              path: {{ .Values.readiness.path }}
+              port: {{ .Values.service.insecure.internalPort }}
+            initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+            periodSeconds: {{ .Values.readiness.periodSeconds }}
+          volumeMounts:
+          - name: {{ include "common.fullname" . }}-logs-insecure
+            mountPath: /opt/logs
+          env:
+            - name: CONSUL_HOST
+              value: consul.{{ include "common.namespace" . }}
+        - name: {{ include "common.name" . }}-filebeat-onap-insecure
+          image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}"
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          volumeMounts:
+          - name: {{ include "common.fullname" . }}-filebeat-conf
+            mountPath: /usr/share/filebeat/filebeat.yml
+            subPath: filebeat.yml
+          - name: {{ include "common.fullname" . }}-data-filebeat-insecure
+            mountPath: /usr/share/filebeat/data
+          - name: {{ include "common.fullname" . }}-logs-insecure
+            mountPath: /var/log/onap
+        {{ end }}
       volumes:
         - name: {{ include "common.fullname" . }}-filebeat-conf
           configMap:
             name: {{ .Release.Name }}-cbs-filebeat-configmap
+        {{- if .Values.service.secure.enabled }}
         - name: {{ include "common.fullname" . }}-data-filebeat
           emptyDir: {}
         - name:  {{ include "common.fullname" . }}-logs
           emptyDir: {}
+        - name: tls-info
+          emptyDir: {}
+        {{ end }}
+        {{- if .Values.service.insecure.enabled }}
+        - name: {{ include "common.fullname" . }}-data-filebeat-insecure
+          emptyDir: {}
+        - name:  {{ include "common.fullname" . }}-logs-insecure
+          emptyDir: {}
+        {{ end }}
+
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
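Review bot: With both `service.secure.enabled` and `service.insecure.enabled` false, the `containers:` key (L210) renders with no entries and the pod spec is rejected by the API server rather than by the chart. A guard near the top of the template, `{{- if not (or .Values.service.secure.enabled .Values.service.insecure.enabled) }}{{ fail "config-binding-service: enable service.secure or service.insecure" }}{{- end }}`, turns that into a clear `helm install` error. service.yaml has the same hole: its `ports:` list (L333-L359) is empty under the same settings. The secure container keeps the bare `common.name` while the plain one gets `-insecure`, so switching secure off renames the only remaining container — worth a comment if anything keys on container names.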
index 794b896..8176e77 100644 (file)
@@ -28,16 +28,29 @@ metadata:
 spec:
   type: {{ .Values.service.type }}
   ports:
-    {{if eq .Values.service.type "NodePort" -}}
-    - port: {{ .Values.service.externalPort }}
-      nodePort: {{ .Values.global.nodePortPrefixExt| default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }}
-      name: {{ .Values.service.name }}
+    {{ if eq .Values.service.type "NodePort" -}}
+    {{ if .Values.service.insecure.enabled -}}
+    - port: {{ .Values.service.insecure.externalPort }}
+      nodePort: {{ .Values.global.nodePortPrefixExt| default .Values.nodePortPrefixExt }}{{ .Values.service.insecure.nodePort }}
+      name: {{ .Values.service.name }}-insecure
+    {{- end }}
+    {{ if .Values.service.secure.enabled -}}
+    - port: {{ .Values.service.secure.externalPort }}
+      nodePort: {{ .Values.global.nodePortPrefixExt| default .Values.nodePortPrefixExt }}{{ .Values.service.secure.nodePort }}
+      name: {{ .Values.service.name }}-secure
+    {{- end }}
     {{- else -}}
-    - port: {{ .Values.service.externalPort }}
-      targetPort: {{ .Values.service.internalPort }}
-      name: {{ .Values.service.name }}
-    {{- end}}
+    {{ if .Values.service.insecure.enabled -}}
+    - port: {{ .Values.service.insecure.externalPort }}
+      targetPort: {{ .Values.service.insecure.internalPort }}
+      name: {{ .Values.service.name }}-insecure
+    {{- end }}
+    {{ if .Values.service.secure.enabled -}}
+    - port: {{ .Values.service.secure.externalPort }}
+      targetPort: {{ .Values.service.secure.internalPort }}
+      name: {{ .Values.service.name }}-secure
+    {{- end }}
+    {{- end }}
   selector:
     app: {{ include "common.name" . }}
     release: {{ .Release.Name }}
-
index 4605e88..9adbffd 100644 (file)
@@ -25,6 +25,8 @@ global:
   readinessImage: readiness-check:2.0.0
   loggingRepository: docker.elastic.co
   loggingImage: beats/filebeat:5.5.0
+  tlsRepository: nexus3.onap.org:10001
+  tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.3
   repositoryCred:
     user: docker
     password: docker
@@ -43,7 +45,7 @@ config:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.configbinding.app-app:2.3.0
+image: onap/org.onap.dcaegen2.platform.configbinding:2.5.1-STAGING-latest
 pullPolicy: Always
 
 # probe configuration parameters
@@ -63,9 +65,18 @@ readiness:
 service:
   type: NodePort
   name: config-binding-service
-  externalPort: 10000
-  internalPort: 10000
-  nodePort: 15
+  # TLS service
+  secure:
+    enabled: true
+    externalPort: 10443
+    internalPort: 10443
+    nodePort: 14
+  # Non-TLS service
+  insecure:
+    enabled: true
+    externalPort: 10000
+    internalPort: 10000
+    nodePort: 15
 
 # Resource Limit flavor -By Default using small
 flavor: small
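Review bot: Both listeners default to enabled (`secure.enabled: true` L392, `insecure.enabled: true` L398), so the plaintext NodePort (the `nodePortPrefixExt` prefix followed by `15`) stays exposed after TLS is introduced. If the non-TLS service is kept for clients that have not moved yet, the comment on L396 should say so and name the intended end state, e.g. `# Non-TLS service -- transitional; set enabled: false once all clients use the secure port`.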
index 600f07c..3b20fc4 100644 (file)
@@ -1,6 +1,6 @@
 {
     "cloudify": {
-        "protocol": "http"
+        "protocol": "https"
     },
     "inventory": {
         "protocol": "http"
index 3e4e53b..a671978 100644 (file)
@@ -72,7 +72,7 @@ spec:
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           args:
           - --service
-          - "cloudify_manager|dcae-cloudify-manager.{{ include "common.namespace" . }}|80"
+          - "cloudify_manager|dcae-cloudify-manager.{{ include "common.namespace" . }}|443"
           - --service
           - "inventory|inventory.{{ include "common.namespace" . }}|8080"
           - --key
@@ -119,6 +119,8 @@ spec:
               value: admin
             - name: CONFIG_BINDING_SERVICE
               value: config-binding-service
+            - name: NODE_EXTRA_CA_CERTS
+              value: /opt/app/dh/etc/cert/cacert.pem
             - name: POD_IP
               valueFrom:
                 fieldRef:
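Review bot: `NODE_EXTRA_CA_CERTS` points the deployment handler at `/opt/app/dh/etc/cert/cacert.pem`, but nothing in this chart's hunks mounts or generates that file — unlike the CM and bootstrap deployments, DH gets no `init-tls` container or `tls-info` volume. If the CA bundle is baked into the `4.2.0` image, a comment saying so would save the next reader the search; if it is not, Node reports only a warning when the file is absent, as far as I know, and the https calls to CM (now `|443`, L420) would fail certificate verification at runtime.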
index 0eddf7c..30893b6 100644 (file)
@@ -46,7 +46,7 @@ config:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.deployment-handler:4.0.1
+image: onap/org.onap.dcaegen2.platform.deployment-handler:4.2.0
 pullPolicy: Always
 
 # probe configuration parameters
index dd98516..6e03f52 100644 (file)
@@ -40,7 +40,7 @@ config:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.servicechange-handler:1.1.5
+image: onap/org.onap.dcaegen2.platform.servicechange-handler:1.2.0
 
 pullPolicy: Always