Secure FE communications to the workflow backend 35/98535/9
authorIlanaP <ilanap@amdocs.com>
Mon, 18 Nov 2019 19:10:08 +0000 (21:10 +0200)
committerIlanaP <ilanap@amdocs.com>
Tue, 17 Dec 2019 12:27:45 +0000 (14:27 +0200)
Update of the workflow fe and be charts to secure the communications and to start the backend server in https mode with a secured connection to SDC

Issue-ID: OOM-1954

Signed-off-by: IlanaP <ilanap@amdocs.com>
Change-Id: Ia3c4c714e317b8f8b6b4ee9245daa50eea50275f
Signed-off-by: IlanaP <ilanap@amdocs.com>
kubernetes/sdc/charts/sdc-fe/values.yaml
kubernetes/sdc/charts/sdc-wfd-be/templates/_helper.tpl
kubernetes/sdc/charts/sdc-wfd-be/templates/deployment.yaml
kubernetes/sdc/charts/sdc-wfd-be/templates/service.yaml
kubernetes/sdc/charts/sdc-wfd-be/values.yaml
kubernetes/sdc/charts/sdc-wfd-fe/templates/_helper.tpl [new file with mode: 0644]
kubernetes/sdc/charts/sdc-wfd-fe/templates/deployment.yaml
kubernetes/sdc/charts/sdc-wfd-fe/templates/service.yaml
kubernetes/sdc/charts/sdc-wfd-fe/values.yaml
kubernetes/sdc/templates/secrets.yaml
kubernetes/sdc/values.yaml

index a435b59..c6f39f9 100644 (file)
@@ -38,8 +38,8 @@ config:
     dcae_source_url: "https://sdc.dcae.plugin.simpledemo.onap.org:30264/dcaed/#/home"
     dcae_dt_discovery_url: "https://sdc-dcae-dt:9446/dcae/#/dcae/home"
     dcae_dt_source_url: "https://sdc.dcae.plugin.simpledemo.onap.org:30266/dcae/#/dcae/home"
-    workflow_discovery_url: "http://sdc-wfd-fe:8080/workflows"
-    workflow_source_url: "https://sdc.workflow.plugin.simpledemo.onap.org:30431/workflows/"
+    workflow_discovery_url: "https://sdc-wfd-fe:8443/workflows"
+    workflow_source_url: "https://sdc.workflow.plugin.simpledemo.onap.org:30256/workflows/"
 
 # default number of instances
 replicaCount: 1
index c69fb7c..298a2cd 100644 (file)
@@ -1,29 +1 @@
-{{- define "sdc-wfd-be.volumes" }}
-    {{ if .Values.config.cassandraSSLEnabled }}
-    - name: {{ include "common.fullname" . }}-cassandra-client-truststore
-      hostPath:
-        path: /etc/cassandra-client-truststore/truststore
-        type: File
-    {{- end }}
-    {{ if .Values.config.serverSSLEnabled }}
-    - name: {{ include "common.fullname" . }}-server-https-keystore
-      hostPath:
-        path: /config/server-https-keystore/keystore
-        type: File
-    {{- end }}
-{{- end }}
-
-{{- define "sdc-wfd-be.volumeMounts" }}
-    {{ if .Values.config.cassandraSSLEnabled }}
-    - name: {{ include "common.fullname" . }}-cassandra-client-truststore
-      mountPath: /etc/cassandra-client-truststore/truststore
-      subPath: truststore
-      readOnly: true
-    {{- end }}
-    {{ if .Values.config.serverSSLEnabled }}
-    - name: {{ include "common.fullname" . }}-server-https-keystore
-      mountPath: /etc/server-https-keystore/keystore
-      subPath: keystore
-      readOnly: true
-    {{- end }}
-{{- end }}
\ No newline at end of file
+{{- define "wfd-be.internalPort" }}{{ if .Values.config.serverSSLEnabled }}{{ .Values.service.internalPort2 }}{{ else }}{{ .Values.service.internalPort }}{{ end }}{{- end }}
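Review bot: The new `wfd-be.internalPort` template is undocumented and drops the chart prefix that the removed `sdc-wfd-be.*` templates carried; Helm named templates share one namespace across the parent chart and every subchart, so the chart-prefixed form is the safer convention (the new `wfd-fe.internalPort` helper in the sdc-wfd-fe hunk has the same shape). A one-line template comment before the define would tell the next reader why two ports exist: `{{/* Port the backend listens on: service.internalPort2 when config.serverSSLEnabled is true, else service.internalPort */}}`. This hunk also deletes the keystore/truststore hostPath volumes and mounts; the sdc-wfd-be deployment hunk that removed their callers is where the replacement source of those files needs to be confirmed.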
index 31ab7d5..00a986f 100644 (file)
@@ -53,20 +53,19 @@ spec:
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           ports:
-          - containerPort: {{ .Values.service.internalPort }}
-          - containerPort: {{ .Values.service.internalPort2 }}
+          - containerPort: {{ template "wfd-be.internalPort" . }}
           # disable liveness probe when breakpoints set in debugger
           # so K8s doesn't restart unresponsive container
           {{ if .Values.liveness.enabled }}
           livenessProbe:
             tcpSocket:
-              port: {{ .Values.service.internalPort2 }}
+              port: {{ template "wfd-be.internalPort" . }}
             initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
             periodSeconds: {{ .Values.liveness.periodSeconds }}
           {{ end }}
           readinessProbe:
             tcpSocket:
-              port: {{ .Values.service.internalPort2 }}
+              port: {{ template "wfd-be.internalPort" . }}
             initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
             periodSeconds: {{ .Values.readiness.periodSeconds }}
           env:
@@ -89,7 +88,8 @@ spec:
           - name: CS_TRUST_STORE_PATH
             value: "{{ .Values.config.cassandraTrustStorePath }}"
           - name: CS_TRUST_STORE_PASSWORD
-            value: "{{ .Values.config.cassandraTrustStorePassword }}"
+            valueFrom:
+              secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: cs_truststore_password}
           - name: SDC_PROTOCOL
             value: "{{ .Values.config.sdcProtocol }}"
           - name: SDC_ENDPOINT
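Review bot: The new `secretKeyRef` is written as a flow mapping inside an otherwise block-style manifest; block style reads and diffs better here: `secretKeyRef:` / `  name: {{ .Release.Name }}-sdc-cs-secrets` / `  key: cs_truststore_password`. The same flow form recurs in the next two hunks of this file and in the sdc-wfd-fe deployment hunk. The referenced Secret name `{{ .Release.Name }}-sdc-cs-secrets` has to match the `metadata.name` emitted by kubernetes/sdc/templates/secrets.yaml, which is outside this diff, so I cannot confirm it here; a mismatch would leave the pod stuck in CreateContainerConfigError rather than failing at template time. The container spec continues outside the hunk.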
@@ -97,7 +97,8 @@ spec:
           - name: SDC_USER
             value: "{{ .Values.config.sdcExternalUser }}"
           - name: SDC_PASSWORD
-            value: "{{ .Values.config.sdcExternalUserPassword }}"
+            valueFrom:
+              secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: wf_external_user_password}
           - name: SERVER_SSL_ENABLED
             value: "{{ .Values.config.serverSSLEnabled }}"
           - name: SERVER_SSL_KEYSTORE_TYPE
@@ -105,10 +106,14 @@ spec:
           - name: SERVER_SSL_KEYSTORE_PATH
             value: "{{ .Values.config.serverSSLKeyStorePath }}"
           - name: SERVER_SSL_KEY_PASSWORD
-            value: "{{ .Values.config.serverSSLKeyPassword }}"
-          volumeMounts:
-            {{- template "sdc-wfd-be.volumeMounts" . }}
-      volumes:
-        {{- template "sdc-wfd-be.volumes" . }}
+            valueFrom:
+              secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: keystore_password}
+          - name: SERVER_SSL_TRUSTSTORE_TYPE
+            value: "{{ .Values.config.serverSSLTrustStoreType }}"
+          - name: SERVER_SSL_TRUSTSTORE_PATH
+            value: "{{ .Values.config.serverSSLTrustStorePath }}"
+          - name: SERVER_SSL_TRUST_PASSWORD
+            valueFrom:
+              secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: truststore_password}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
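Review bot: With the `volumeMounts` and `volumes` sections removed, nothing in this template places a file at `/etc/keystore` or `/etc/truststore`, the paths the new SERVER_SSL_KEYSTORE_PATH and SERVER_SSL_TRUSTSTORE_PATH values point to in sdc-wfd-be/values.yaml. Since `serverSSLEnabled` now defaults to true, the backend would fail to bring up its TLS listener and both tcpSocket probes on that port would fail unless the 1.6.0 image ships those stores, which I cannot confirm from the diff. Whichever it is, a values comment such as `# keystore/truststore are expected at these paths inside the image; no volume is mounted` next to `serverSSLKeyStorePath` would record the assumption. Dropping the hostPath mounts is itself a good change. The pod spec continues outside the hunk.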
index 14a937f..fee95ba 100644 (file)
@@ -28,13 +28,13 @@ spec:
   type: {{ .Values.service.type }}
   ports:
     {{if eq .Values.service.type "NodePort" -}}
-    - port: {{ .Values.service.internalPort }}
+    - port: {{ template "wfd-be.internalPort" . }}
       nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
-      name: {{ .Values.service.portName | default "http" }}
+      name: {{ .Values.service.portName }}
     {{- else -}}
-    - port: {{ .Values.service.externalPort }}
-      targetPort: {{ .Values.service.internalPort }}
-      name: {{ .Values.service.portName | default "http" }}
+    - port: {{ if .Values.config.serverSslEnabled }}{{ .Values.service.externalPort2 }}{{ else }}{{ .Values.service.externalPort }}{{ end }}
+      targetPort: {{ template "wfd-be.internalPort" . }}
+      name: {{ .Values.service.portName }}
     {{- end}}
   selector:
     app: {{ include "common.name" . }}
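Review bot: The non-NodePort branch tests `.Values.config.serverSslEnabled`, but the values file and the `wfd-be.internalPort` helper spell the key `serverSSLEnabled`; Helm values are case-sensitive and a missing key is simply nil, so this branch always selects `externalPort` (8080) while `targetPort` resolves to 8443 when TLS is on, and a client using the new fe default `https://sdc-wfd-be:8443` finds no service port. Fix the key: `- port: {{ if .Values.config.serverSSLEnabled }}{{ .Values.service.externalPort2 }}{{ else }}{{ .Values.service.externalPort }}{{ end }}`. The default `service.type` is NodePort, so the defect is masked in the default deployment and only surfaces on a ClusterIP override.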
index 92903ba..68f4876 100644 (file)
@@ -28,13 +28,10 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/workflow-backend:1.5.2
-configInitImage: onap/workflow-init:1.5.2
+image: onap/workflow-backend:1.6.0
+configInitImage: onap/workflow-init:1.6.0
 pullPolicy: Always
 
-# flag to enable debugging - application support required
-debugEnabled: false
-
 initJob:
   enabled: true
 
@@ -43,17 +40,21 @@ config:
   cassandraAuthenticationEnabled: true
   cassandraThriftClientPort: 9160
   cassandraClientPort: 9042
+
   sdcProtocol: HTTPS
   sdcEndpoint: sdc-be:8443
   sdcExternalUser: workflow
-  sdcExternalUserPassword: Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
-  serverSSLEnabled: false
+
+  serverSSLEnabled: true
+
   serverSSLKeyStoreType: jks
-  serverSSLKeyStorePath: etc/org.onap.sdc.p12
-  serverSSLKeyPassword: "!ppJ.JvWn0hGh)oVF]([Kv)^"
+  serverSSLKeyStorePath: /etc/keystore
+
+  serverSSLTrustStoreType: jks
+  serverSSLTrustStorePath: /etc/truststore
+
   cassandraSSLEnabled: false
-  cassandraTrustStorePath: /etc/cassandra-client-truststore/truststore
-  cassandraTrustStorePassword: password
+  cassandraTrustStorePath: /etc/truststore
 
 # default number of instances
 replicaCount: 1
@@ -76,12 +77,13 @@ readiness:
 
 service:
   type: NodePort
+  portName: sdc-wfd-be
   internalPort: 8080
   externalPort: 8080
   internalPort2: 8443
   externalPort2: 8443
-  portName: sdc-wfd-be
-  nodePort: "57"
+  nodePort: "57" # only one node port. set to http or https port depending on isHttpsEnabled property
+
 
 ingress:
   enabled: false
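Review bot: The new comment on `nodePort` says the exposed port follows the `isHttpsEnabled` property, but that is the sdc-wfd-fe flag; this chart's helper and deployment key off `config.serverSSLEnabled`, so the comment sends readers to a key this chart never reads. Suggest `nodePort: "57"  # single node port; exposes internalPort2 (https) when serverSSLEnabled is true, else internalPort`. The added empty line before the existing blank one also leaves two consecutive blank lines ahead of `ingress:`.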
diff --git a/kubernetes/sdc/charts/sdc-wfd-fe/templates/_helper.tpl b/kubernetes/sdc/charts/sdc-wfd-fe/templates/_helper.tpl
new file mode 100644 (file)
index 0000000..546bab7
--- /dev/null
@@ -0,0 +1 @@
+{{- define "wfd-fe.internalPort" }}{{ if .Values.config.isHttpsEnabled }}{{ .Values.service.internalPort2 }}{{ else }}{{ .Values.service.internalPort }}{{ end }}{{- end }}
index 1daee71..08ecaa6 100644 (file)
@@ -50,18 +50,17 @@ spec:
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           ports:
-          - containerPort: {{ .Values.service.internalPort }}
-          - containerPort: {{ .Values.service.internalPort2 }}
+          - containerPort: {{ template "wfd-fe.internalPort" . }}
           {{ if .Values.liveness.enabled }}
           livenessProbe:
             tcpSocket:
-              port: {{ .Values.service.internalPort }}
+              port: {{ template "wfd-fe.internalPort" . }}
             initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
             periodSeconds: {{ .Values.liveness.periodSeconds }}
           {{ end }}
           readinessProbe:
             tcpSocket:
-              port: {{ .Values.service.internalPort }}
+              port: {{ template "wfd-fe.internalPort" . }}
             initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
             periodSeconds: {{ .Values.readiness.periodSeconds }}
           env:
@@ -75,13 +74,17 @@ spec:
             value: "{{ .Values.config.isHttpsEnabled}}"
             {{ if and .Values.config.isHttpsEnabled (eq .Values.security.isDefaultStore false) }}
           - name: KEYSTORE_PASS
-            value: "{{ .Values.security.keystorePass}}"
+            valueFrom:
+              secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: keystore_password}
           - name: TRUSTSTORE_PASS
-            value: "{{ .Values.security.truststorePass}}"
+            valueFrom:
+              secretKeyRef: {name: {{ .Release.Name }}-sdc-cs-secrets, key: truststore_password}
           - name: TRUSTSTORE_PATH
             value: "{{ .Values.security.storePath }}/{{ .Values.security.truststoreFilename }}"
           - name: KEYSTORE_PATH
             value: "{{ .Values.security.storePath }}/{{ .Values.security.keystoreFilename }}"
+          - name: TRUST_ALL
+            value: "{{ .Values.config.isTrustAll}}"
             {{ end }}
           volumeMounts:
           - name: {{ include "common.fullname" . }}-localtime
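Review bot: TRUST_ALL is fed from `config.isTrustAll`, which this commit defaults to `true` in sdc-wfd-fe/values.yaml, and by that file's own comment the frontend's outgoing proxy request then does not check the backend certificate; the hop to `https://sdc-wfd-be:8443` is encrypted but the peer is not authenticated, which undercuts the commit's stated goal. Now that a truststore path and password are wired in, the safer default is `isTrustAll: false`, provided the default truststore holds the backend certificate. The variable is also only emitted inside the `{{ if and .Values.config.isHttpsEnabled (eq .Values.security.isDefaultStore false) }}` block, so with `isDefaultStore: true` the behaviour is silently left to the image default; moving the two `TRUST_ALL` lines above that `{{ if and ... }}` makes the setting explicit in both cases. The same point applies to the sdc-wfd-fe values hunk that introduces `isTrustAll`; the container spec continues outside the hunk.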
index 87ca360..d8a1055 100644 (file)
@@ -29,7 +29,7 @@ metadata:
           "version": "v1",
           "url": "/",
           "protocol": "UI",
-          "port": "{{ .Values.service.internalPort }}",
+          "port": "{{ .Values.service.internalPort2 }}",
           "visualRange":"0|1"
       }
       ]'
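Review bot: The MSB registration annotation now advertises `internalPort2` unconditionally, while the service port in the following hunk follows `config.isHttpsEnabled` through the `wfd-fe.internalPort` helper; with `isHttpsEnabled: false` the annotation would publish 8443, a port the service no longer exposes. Use the same helper here: `"port": "{{ template "wfd-fe.internalPort" . }}",`. The annotation block starts outside the hunk.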
@@ -37,19 +37,13 @@ spec:
   type: {{ .Values.service.type }}
   ports:
     {{if eq .Values.service.type "NodePort" -}}
-    - port: {{ .Values.service.internalPort }}
+    - port: {{ template "wfd-fe.internalPort" . }}
       nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
-      name: {{ .Values.service.portName | default "http" }}
-    - port: {{ .Values.service.internalPort2 }}
-      nodePort: {{ .Values.global.nodePortPrefixExt | default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort2 }}
-      name: {{ .Values.service.portName2 | default "https" }}
+      name: {{ .Values.service.portName  }}
     {{- else -}}
-    - port: {{ .Values.service.externalPort }}
-      targetPort: {{ .Values.service.internalPort }}
-      name: {{ .Values.service.portName | default "http" }}
-    - port: {{ .Values.service.externalPort2 }}
-      targetPort: {{ .Values.service.internalPort2 }}
-      name: {{ .Values.service.portName2 | default "https" }}
+    - port:  {{ if .Values.config.isHttpsEnabled }}{{ .Values.service.externalPort2 }}{{ else }}{{ .Values.service.externalPort }}{{ end }}
+      targetPort: {{ template "wfd-fe.internalPort" . }}
+      name: {{ .Values.service.portName }}
     {{- end}}
   selector:
     app: {{ include "common.name" . }}
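Review bot: Two stray double spaces slipped into the new lines, `port:  {{ if` and `{{ .Values.service.portName  }}`; they render fine but stand out in an otherwise tidy template. The inline `{{ if .Values.config.isHttpsEnabled }}…{{ end }}` port selection is the same expression the sdc-wfd-be service repeats for its own flag; a `wfd-fe.externalPort` helper next to `wfd-fe.internalPort` would keep both port choices in one place: `- port: {{ template "wfd-fe.externalPort" . }}`.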
index 21c7c17..6b7e026 100644 (file)
@@ -28,7 +28,7 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/workflow-frontend:1.5.2
+image: onap/workflow-frontend:1.6.0
 pullPolicy: Always
 
 # flag to enable debugging - application support required
@@ -36,16 +36,15 @@ debugEnabled: false
 
 config:
   javaOptions: "-Xmx256m -Xms256m"
-  backendServerURL: "http://sdc-wfd-be:8080"
+  backendServerURL: "https://sdc-wfd-be:8443"
   isHttpsEnabled: true
-
+  # following flag decides whether to check the certificate on the outgoing proxy request or whether to trust all parties
+  isTrustAll: true
 # https relevant settings. Change in case you have other trust files then default ones.
 security:
   isDefaultStore: false
   truststoreFilename: "org.onap.sdc.trust.jks"
   keystoreFilename: "org.onap.sdc.p12"
-  keystorePass: "!ppJ.JvWn0hGh)oVF]([Kv)^"
-  truststorePass: "].][xgtze]hBhz*wy]}m#lf*"
   storePath: "etc"
 
 # default number of instances
@@ -71,12 +70,10 @@ service:
   type: NodePort
   internalPort: 8080
   externalPort: 8080
-  portName: sdc-wfd-fe
-  nodePort: "56"
-  portName2: sdc-wfd-fe2
   internalPort2: 8443
   externalPort2: 8443
-  nodePort2: "31"
+  portName: sdc-wfd-fe
+  nodePort: "56" # only one node port. set to http or https port depending on isHttpsEnabled property
 
 ingress:
   enabled: false
index b3470e2..1f59ab2 100644 (file)
@@ -30,3 +30,9 @@ data:
   sdc_password: "{{ .Values.global.secrets.sdc_password }}"
   #default user:
   cs_password: "{{ .Values.global.secrets.cs_password }}"
+  cs_truststore_password: "{{ .Values.global.secrets.cs_truststore_password }}"
+  # ssl - stores
+  truststore_password: "{{ .Values.global.secrets.truststore_password }}"
+  keystore_password: "{{ .Values.global.secrets.keystore_password }}"
+  # workflow
+  wf_external_user_password: "{{ .Values.global.secrets.wf_external_user_password }}"
\ No newline at end of file
index cafa59a..a7006bc 100644 (file)
@@ -22,6 +22,10 @@ global:
     sdc_password: QWExMjM0JV4h
     #Should be the password of shared cassandra instance/chart
     cs_password: Y2Fzc2FuZHJh
+    cs_truststore_password: XS5dW3hndHplXWhCaHoqd3ldfW0jbGYq
+    truststore_password: XS5dW3hndHplXWhCaHoqd3ldfW0jbGYq
+    keystore_password: IXBwSi5KdlduMGhHaClvVkZdKFtLdile
+    wf_external_user_password: S3A4Yko0U1hzek0wV1hsaGFrM2VIbGNzZTJnQXc4NHZhb0dHbUp2VXkyVQ==
   ubuntuInitRepository: oomk8s
   ubuntuInitImage: ubuntu-init:1.0.0
   cassandra:
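Review bot: The four added values appear to be the base64 form of the plaintext passwords this commit removes from the sdc-wfd-be and sdc-wfd-fe values files, so the credentials remain in the repository; base64 is an encoding, not protection, and anyone with read access to the chart has them. Moving them behind a Secret is still an improvement for the running pods, but nothing marks them as placeholders that must be overridden. A comment in the file's existing style above `cs_truststore_password`, `#Default store and workflow-user passwords for development only; override per deployment`, would do that. Sharing one value between `cs_truststore_password` and `truststore_password` is consistent with both paths resolving to `/etc/truststore` in the sdc-wfd-be values of this commit.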