Update Gizmo and Champ security config

- Update rProxy to use AAF geo-locate endpoint rather than hard coded IP
address
- Update fProxy to use separate truststore
- Restructure charts to reduce certificate duplication

Change-Id: I1e63ceb0ebabd8bb3dfacc71dac841858279b6f1
Issue-ID: AAF-718
Signed-off-by: Lee, Tian (tl5884) <TianL@amdocs.com>

diff --git a/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/tomcat_keystore b/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/tomcat_keystore
deleted file mode 100644 (file)
index f3ac070..0000000
Binary files a/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/tomcat_keystore and /dev/null differ

diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/client-cert.p12 b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/client-cert.p12
deleted file mode 100644 (file)
index dbf4fca..0000000
Binary files a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/client-cert.p12 and /dev/null differ

diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json
index 2865e01..ca34049 100644 (file)
--- a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json
+++ b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/uri-authorization.json
@@ -82,18 +82,18 @@
       "permissions": [
         "test\\.auth\\.access\\|services\\|GET,PUT",
         "\\|services\\|GET"
-       ]
+      ]
     },
     {
       "uri": "\/services\/inventory\/.*",
       "permissions": [
-        "org\\.access\\|\\*\\|\\*"
-       ]
+        "org\\.onap\\.aai\\.resources\\|\\*\\|.*"
+      ]
     },
     {
-    "uri": "\/services\/champ-service\/.*",
-    "permissions": [
-      "org\\.access\\|\\*\\|\\*"
-     ]
-  }
+      "uri": "\/services\/champ-service\/.*",
+      "permissions": [
+        "org\\.onap\\.aai\\.resources\\|\\*\\|.*"
+      ]
+    }
  ]

diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties
index 33daa73..1878a4d 100644 (file)
--- a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties
+++ b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/cadi.properties
@@ -9,13 +9,27 @@
 #hostname=test.aic.cip.att.com
 
 cadi_loglevel=DEBUG
-cadi_keyfile=/opt/app/rproxy/config/security/keyfile
 
+# OAuth2
+aaf_oauth2_token_url=https://AAF_LOCATE_URL/AAF_NS.token:2.0/token
+aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/AAF_NS.introspect:2.0/introspect
+
+cadi_latitude=37.78187
+cadi_longitude=-122.26147
+
+# Locate URL (which AAF Env)
+aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095
+
+# AAF URL
+aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:2.0
+
+cadi_keyfile=/opt/app/rproxy/config/security/keyfile
+cadi_keystore=/opt/app/rproxy/config/auth/org.onap.aai.p12
+cadi_keystore_password=enc:383RDJRFA6yQz9AOxUxC1iIg3xTJXityw05MswnpnEtelRQy2D4r5INQjrea7GTV
+cadi_alias=aai@aai.onap.org
 cadi_truststore=/opt/app/rproxy/config/auth/tomcat_keystore
 cadi_truststore_password=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
 
-# Configure AAF
-aaf_url=https://{{.Values.global.aaf.serverHostname}}:{{.Values.global.aaf.serverPort}}
 aaf_env=DEV
 
 aaf_id=demo@people.osaaf.org

diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile b/kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile
deleted file mode 100644 (file)
index 6cd12fc..0000000
--- a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/security/keyfile
+++ /dev/null
@@ -1,27 +0,0 @@
-bZNOXiGDJ2_eiKBKWYLIFx27URvb-SWfmOl2d-QKetcVKIupOrsG-ScS_VXOtKN3Yxfb2cR6t7oM
-1RNpDnhsKAxDLM6A62IkS_h_Rp3Q9c2JeyomVmyiuHR7a2ARbelaMrX8WDrxXI_t9ce4pIHDVE29
-xiQm3Bdp7d7IiKkgg-ipvOU7Y6NEzeQbvHlHvRTJ3ZZMSwHxBOA5M8DhKN-AF1sqwozEVaNAuJxK
-BVdh72A6KTW7ieb_GvVQQp8h32BuOz8oJhZV7KaGXsWTEvXg9ImboY0h7Sl9hufgn1ZtDK1jxzGm
-6O6LBg1qezzZaFGTXRmHvaeYmEeYSu0bGsU4x-JCU0RyhNTzFhkhjNoccaqPXBdcJymLf096mD99
-QLS8nyji_KtLQJL1fqr500c8p6SOURLPgG6Gzkn4ghgFYlfgve92xs1R3ggHKhNTLV4HJ4O6iSDm
-zCoHeRbsZR1JER9yxT-v8NtcHOMAZe1oDQeY6jVyxb-bhaonN6eZPI4nyF6MHJQtWKhGARC_kOs6
-x9E0ZdAEp5TrX7F7J5PwkXzbCOuSiTVftOBum43iUB4q9He8tn2tJ0X4LtLHT3bPl16wWnZm9RPf
-8wBtTJh4QP_cTStPq1ftSaLIAuqVFpbiC2DxGemXZn3QvykuYqa-rKeYPoIJ5dtWd5rNb_hhcSIz
-FakKTELb0HWYGji98TBF6PaStea2f2m-wGX_uQGD7_Dijl6AgnV9koKVs1bN1XljLtNMPbLdD8sz
-UCvc5lwvCFyyeunljI7os1fgwBmaMyckflq5VfZv9kFxom6jFLbcozylQ_uBg4j7oCP79IXVUI-r
-banZltOSmm8zHGc2R9UlUyxJWBi01yxwi1hUtn9g1H4RtncQpu3BY0Qvu5YLAmS5imivUnGVZWbv
-6wcqnJt5HwaVatE9NHONSLNTViQPsUOutWZBZxhJtAncdZuWOYZSh4TPzUJWvt6zT0E3YMBc_UuG
-yPmdLyqo7qGHR8YWRqq_vq6ISJqENMnVD6X9-BeI6KM4GPEAlDWyhgENXxQFjG45ufg3UpP8LBTB
-xDntlfkphRumsd13-8IlvwVtlpgnbuCMbwP_-lNVeNJcdA1InPt79oY-SEVZ-RVM1881ZASCnFeB
-lh3BTc_bGQ8YoC9s6iHtcCK_1SdbwzBfQBJUqqcYsa8hJLe-j8di7KCaFzI3a-UXWKuuWljpbKbq
-ibd48UFJt_34_GxkD6bmLxycuNH-og2Sd2VcYU0o5UarcrY4-2sgFPE7Mzxovrl98uayfgNF9DqE
-fJ4MwFGqLRtEHlm4zfuMxQ5Rh_giMUHDJApc1DYRkxdGbNUd4bC4aRBln2IhN-rNKbSVtiW_uT6v
-1KTMGmElvktjPWybJd2SvhT5qOLUM81-cmZzAsNa04jxZLBlQn_1fel3IroVos4Ohbdhar2NG6T5
-liten9RZ9P4Cg9RWhgeQonAD5kqLWXAHnCfffb5CVcAU5PHqkCgCbdThvD0-zIGETLO9AE0jKISc
-0o67CUZn3MzJ9pP_3gh-ALr2w-KAwqasqCf0igf1wmEDijv9wEDcgDm39ERIElTpGKgfyuVl4F8u
-PrpK5ZfpUYySUB6CZFQVVz0MvH6E7orQk4dCKFIimV_XwEtGijBttrTvyV6xYNScAEw_olt-0mdm
-8UEKSsuqSyDMxUWLjKJT19rNedahYJNtI87WR9Fhhjsrai9Or3a-srOYa56wcvSj2ZHbkevbO9Xv
-dQ2wzWCGEAMQSpSr83n0XEpR2pZT19Z19Svbhr08mnt2JNykCk60FLCeDTUOylJtYw6YOjqBizQZ
--85B51BCbSEaAKJkgT9-8n_-LGW5aPBrBB_9FT7UIYczNEt3B1Lqr2s4ipPI_36JecEfqaS2cNLn
-c0ObAtNGAONkhO5LYLneMR3fZPMFuOX1-rMObPgE0i9dYqWDZ_30w9rpRsmiWyxYi5lvWDxU5L1J
-uJxwREz3oa_VgpSC3Y2oxCufdQwzBk57iVLDOb1qs_Hwj1SWd1nukWyAo2-g5sR1folAEcao
\ No newline at end of file

diff --git a/kubernetes/aai/charts/aai-champ/templates/deployment.yaml b/kubernetes/aai/charts/aai-champ/templates/deployment.yaml
index aa9157f..537763a 100644 (file)
--- a/kubernetes/aai/charts/aai-champ/templates/deployment.yaml
+++ b/kubernetes/aai/charts/aai-champ/templates/deployment.yaml
@@ -31,12 +31,6 @@ spec:
         app: {{ include "common.name" . }}
         release: {{ .Release.Name }}
     spec:
-    {{ if .Values.global.installSidecarSecurity }}
-      hostAliases:
-      - ip: {{ .Values.global.aaf.serverIp }}
-        hostnames:
-        - {{ .Values.global.aaf.serverHostname }}
-    {{ end }}
       initContainers:
         - command:
           - /root/ready.py
@@ -163,18 +157,18 @@ spec:
           - name: {{ include "common.fullname" . }}-rproxy-log-config
             mountPath: /opt/app/rproxy/config/logback-spring.xml
             subPath: logback-spring.xml
-          - name: {{ include "common.fullname" . }}-rproxy-auth-config
+          - name: {{ include "common.fullname" . }}-rproxy-auth-certs
             mountPath: /opt/app/rproxy/config/auth/tomcat_keystore
             subPath: tomcat_keystore
-          - name: {{ include "common.fullname" . }}-rproxy-auth-config
+          - name: {{ include "common.fullname" . }}-rproxy-auth-certs
             mountPath: /opt/app/rproxy/config/auth/client-cert.p12
             subPath: client-cert.p12
+          - name: {{ include "common.fullname" . }}-rproxy-auth-certs
+            mountPath: /opt/app/rproxy/config/auth/org.onap.aai.p12
+            subPath: org.onap.aai.p12
           - name: {{ include "common.fullname" . }}-rproxy-auth-config
             mountPath: /opt/app/rproxy/config/auth/uri-authorization.json
             subPath: uri-authorization.json
-          #- name: {{ include "common.fullname" . }}-rproxy-auth-config
-          #  mountPath: /opt/app/rproxy/config/auth/aaf_truststore.jks
-          #  subPath: aaf_truststore.jks
           - name: {{ include "common.fullname" . }}-rproxy-security-config
             mountPath: /opt/app/rproxy/config/security/keyfile
             subPath: keyfile
@@ -189,7 +183,9 @@ spec:
           - name: CONFIG_HOME
             value: "/opt/app/fproxy/config"
           - name: KEY_STORE_PASSWORD
-            value: {{ .Values.config.keyStorePassword }} 
+            value: {{ .Values.config.keyStorePassword }}
+          - name: TRUST_STORE_PASSWORD
+            value: {{ .Values.config.trustStorePassword }}
           - name: spring_profiles_active
             value: {{ .Values.global.fproxy.activeSpringProfiles }}
           volumeMounts:
@@ -199,10 +195,13 @@ spec:
           - name: {{ include "common.fullname" . }}-fproxy-log-config
             mountPath: /opt/app/fproxy/config/logback-spring.xml
             subPath: logback-spring.xml
-          - name: {{ include "common.fullname" . }}-fproxy-auth-config
+          - name: {{ include "common.fullname" . }}-fproxy-auth-certs
             mountPath: /opt/app/fproxy/config/auth/tomcat_keystore
             subPath: tomcat_keystore
-          - name: {{ include "common.fullname" . }}-fproxy-auth-config
+          - name: {{ include "common.fullname" . }}-fproxy-auth-certs
+            mountPath: /opt/app/fproxy/config/auth/fproxy_truststore
+            subPath: fproxy_truststore
+          - name: {{ include "common.fullname" . }}-fproxy-auth-certs
             mountPath: /opt/app/fproxy/config/auth/client-cert.p12
             subPath: client-cert.p12
           ports:
@@ -251,18 +250,21 @@ spec:
         - name: {{ include "common.fullname" . }}-rproxy-auth-config
           secret:
             secretName: {{ include "common.fullname" . }}-rproxy-auth-config
+        - name: {{ include "common.fullname" . }}-rproxy-auth-certs
+          secret:
+            secretName: aai-rproxy-auth-certs
         - name: {{ include "common.fullname" . }}-rproxy-security-config
           secret:
-            secretName: {{ include "common.fullname" . }}-rproxy-security-config
+            secretName: aai-rproxy-security-config
         - name: {{ include "common.fullname" . }}-fproxy-config
           configMap:
             name: {{ include "common.fullname" . }}-fproxy-config
         - name: {{ include "common.fullname" . }}-fproxy-log-config
           configMap:
             name: {{ include "common.fullname" . }}-fproxy-log-config
-        - name: {{ include "common.fullname" . }}-fproxy-auth-config
+        - name: {{ include "common.fullname" . }}-fproxy-auth-certs
           secret:
-            secretName: {{ include "common.fullname" . }}-fproxy-auth-config
+            secretName: aai-fproxy-auth-certs
     {{ end }}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"

diff --git a/kubernetes/aai/charts/aai-champ/templates/secrets.yaml b/kubernetes/aai/charts/aai-champ/templates/secrets.yaml
index a0a1519..b0a62f6 100644 (file)
--- a/kubernetes/aai/charts/aai-champ/templates/secrets.yaml
+++ b/kubernetes/aai/charts/aai-champ/templates/secrets.yaml
@@ -41,28 +41,10 @@ data:
 ---
 apiVersion: v1
 kind: Secret
-metadata:
-  name: {{ include "common.fullname" . }}-fproxy-auth-config
-  namespace: {{ include "common.namespace" . }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/fproxy/config/auth/*").AsSecrets . | indent 2 }}
----
-apiVersion: v1
-kind: Secret
 metadata:
   name: {{ include "common.fullname" . }}-rproxy-auth-config
   namespace: {{ include "common.namespace" . }}
 type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/rproxy/config/auth/*").AsSecrets . | indent 2 }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "common.fullname" . }}-rproxy-security-config
-  namespace: {{ include "common.namespace" . }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/rproxy/config/security/*").AsSecrets . | indent 2 }}
 {{ end }}
\ No newline at end of file

diff --git a/kubernetes/aai/charts/aai-champ/values.yaml b/kubernetes/aai/charts/aai-champ/values.yaml
index b865b00..b1ce34d 100644 (file)
--- a/kubernetes/aai/charts/aai-champ/values.yaml
+++ b/kubernetes/aai/charts/aai-champ/values.yaml
@@ -33,6 +33,7 @@ flavor: small
 config:
   keyStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
   keyManagerPassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
+  trustStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
 
 # default number of instances
 replicaCount: 1

diff --git a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/client-cert.p12 b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/client-cert.p12
deleted file mode 100644 (file)
index dbf4fca..0000000
Binary files a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/client-cert.p12 and /dev/null differ

diff --git a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/tomcat_keystore b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/tomcat_keystore
deleted file mode 100644 (file)
index 99129c1..0000000
Binary files a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/tomcat_keystore and /dev/null differ

diff --git a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/uri-authorization.json b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/uri-authorization.json
index e468b3d..54d5de2 100644 (file)
--- a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/uri-authorization.json
+++ b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/auth/uri-authorization.json
@@ -82,18 +82,18 @@
     "permissions": [
       "test\\.auth\\.access\\|services\\|GET,PUT",
       "\\|services\\|GET"
-     ]
+    ]
   },
   {
     "uri": "\/services\/inventory\/.*",
     "permissions": [
-      "org\\.access\\|\\*\\|\\*"
-     ]
+      "org\\.onap\\.aai\\.resources\\|\\*\\|.*"
+    ]
   },
   {
     "uri": "\/services\/gizmo\/.*",
     "permissions": [
-      "org\\.access\\|\\*\\|\\*"
-     ]
+      "org\\.onap\\.aai\\.resources\\|\\*\\|.*"
+    ]
   }
 ]

diff --git a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/cadi.properties b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/cadi.properties
index a82e38c..51ac56a 100644 (file)
--- a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/cadi.properties
+++ b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/cadi.properties
@@ -9,17 +9,31 @@
 #hostname=test.aic.cip.att.com
 
 cadi_loglevel=DEBUG
-cadi_keyfile=/opt/app/rproxy/config/security/keyfile
 
+# OAuth2
+aaf_oauth2_token_url=https://AAF_LOCATE_URL/AAF_NS.token:2.0/token
+aaf_oauth2_introspect_url=https://AAF_LOCATE_URL/AAF_NS.introspect:2.0/introspect
+
+cadi_latitude=37.78187
+cadi_longitude=-122.26147
+
+# Locate URL (which AAF Env)
+aaf_locate_url=https://aaf-locate.{{.Release.Namespace}}:8095
+
+# AAF URL
+aaf_url=https://AAF_LOCATE_URL/AAF_NS.service:2.0
+
+cadi_keyfile=/opt/app/rproxy/config/security/keyfile
+cadi_keystore=/opt/app/rproxy/config/auth/org.onap.aai.p12
+cadi_keystore_password=enc:383RDJRFA6yQz9AOxUxC1iIg3xTJXityw05MswnpnEtelRQy2D4r5INQjrea7GTV
+cadi_alias=aai@aai.onap.org
 cadi_truststore=/opt/app/rproxy/config/auth/tomcat_keystore
 cadi_truststore_password=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
 
-# Configure AAF
-aaf_url=https://{{.Values.global.aaf.serverHostname}}:{{.Values.global.aaf.serverPort}}
 aaf_env=DEV
 
 aaf_id=demo@people.osaaf.org
 aaf_password=enc:92w4px0y_rrm265LXLpw58QnNPgDXykyA1YTrflbAKz
 
 # This is a colon separated list of client cert issuers
-cadi_x509_issuers=CN=ONAP, OU=ONAP, O=ONAP, L=Ottawa, ST=Ontario, C=CA
+cadi_x509_issuers=CN=ONAP, OU=ONAP, O=ONAP, L=Ottawa, ST=Ontario, C=CA
\ No newline at end of file

diff --git a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/security/keyfile b/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/security/keyfile
deleted file mode 100644 (file)
index 6cd12fc..0000000
--- a/kubernetes/aai/charts/aai-gizmo/resources/rproxy/config/security/keyfile
+++ /dev/null
@@ -1,27 +0,0 @@
-bZNOXiGDJ2_eiKBKWYLIFx27URvb-SWfmOl2d-QKetcVKIupOrsG-ScS_VXOtKN3Yxfb2cR6t7oM
-1RNpDnhsKAxDLM6A62IkS_h_Rp3Q9c2JeyomVmyiuHR7a2ARbelaMrX8WDrxXI_t9ce4pIHDVE29
-xiQm3Bdp7d7IiKkgg-ipvOU7Y6NEzeQbvHlHvRTJ3ZZMSwHxBOA5M8DhKN-AF1sqwozEVaNAuJxK
-BVdh72A6KTW7ieb_GvVQQp8h32BuOz8oJhZV7KaGXsWTEvXg9ImboY0h7Sl9hufgn1ZtDK1jxzGm
-6O6LBg1qezzZaFGTXRmHvaeYmEeYSu0bGsU4x-JCU0RyhNTzFhkhjNoccaqPXBdcJymLf096mD99
-QLS8nyji_KtLQJL1fqr500c8p6SOURLPgG6Gzkn4ghgFYlfgve92xs1R3ggHKhNTLV4HJ4O6iSDm
-zCoHeRbsZR1JER9yxT-v8NtcHOMAZe1oDQeY6jVyxb-bhaonN6eZPI4nyF6MHJQtWKhGARC_kOs6
-x9E0ZdAEp5TrX7F7J5PwkXzbCOuSiTVftOBum43iUB4q9He8tn2tJ0X4LtLHT3bPl16wWnZm9RPf
-8wBtTJh4QP_cTStPq1ftSaLIAuqVFpbiC2DxGemXZn3QvykuYqa-rKeYPoIJ5dtWd5rNb_hhcSIz
-FakKTELb0HWYGji98TBF6PaStea2f2m-wGX_uQGD7_Dijl6AgnV9koKVs1bN1XljLtNMPbLdD8sz
-UCvc5lwvCFyyeunljI7os1fgwBmaMyckflq5VfZv9kFxom6jFLbcozylQ_uBg4j7oCP79IXVUI-r
-banZltOSmm8zHGc2R9UlUyxJWBi01yxwi1hUtn9g1H4RtncQpu3BY0Qvu5YLAmS5imivUnGVZWbv
-6wcqnJt5HwaVatE9NHONSLNTViQPsUOutWZBZxhJtAncdZuWOYZSh4TPzUJWvt6zT0E3YMBc_UuG
-yPmdLyqo7qGHR8YWRqq_vq6ISJqENMnVD6X9-BeI6KM4GPEAlDWyhgENXxQFjG45ufg3UpP8LBTB
-xDntlfkphRumsd13-8IlvwVtlpgnbuCMbwP_-lNVeNJcdA1InPt79oY-SEVZ-RVM1881ZASCnFeB
-lh3BTc_bGQ8YoC9s6iHtcCK_1SdbwzBfQBJUqqcYsa8hJLe-j8di7KCaFzI3a-UXWKuuWljpbKbq
-ibd48UFJt_34_GxkD6bmLxycuNH-og2Sd2VcYU0o5UarcrY4-2sgFPE7Mzxovrl98uayfgNF9DqE
-fJ4MwFGqLRtEHlm4zfuMxQ5Rh_giMUHDJApc1DYRkxdGbNUd4bC4aRBln2IhN-rNKbSVtiW_uT6v
-1KTMGmElvktjPWybJd2SvhT5qOLUM81-cmZzAsNa04jxZLBlQn_1fel3IroVos4Ohbdhar2NG6T5
-liten9RZ9P4Cg9RWhgeQonAD5kqLWXAHnCfffb5CVcAU5PHqkCgCbdThvD0-zIGETLO9AE0jKISc
-0o67CUZn3MzJ9pP_3gh-ALr2w-KAwqasqCf0igf1wmEDijv9wEDcgDm39ERIElTpGKgfyuVl4F8u
-PrpK5ZfpUYySUB6CZFQVVz0MvH6E7orQk4dCKFIimV_XwEtGijBttrTvyV6xYNScAEw_olt-0mdm
-8UEKSsuqSyDMxUWLjKJT19rNedahYJNtI87WR9Fhhjsrai9Or3a-srOYa56wcvSj2ZHbkevbO9Xv
-dQ2wzWCGEAMQSpSr83n0XEpR2pZT19Z19Svbhr08mnt2JNykCk60FLCeDTUOylJtYw6YOjqBizQZ
--85B51BCbSEaAKJkgT9-8n_-LGW5aPBrBB_9FT7UIYczNEt3B1Lqr2s4ipPI_36JecEfqaS2cNLn
-c0ObAtNGAONkhO5LYLneMR3fZPMFuOX1-rMObPgE0i9dYqWDZ_30w9rpRsmiWyxYi5lvWDxU5L1J
-uJxwREz3oa_VgpSC3Y2oxCufdQwzBk57iVLDOb1qs_Hwj1SWd1nukWyAo2-g5sR1folAEcao
\ No newline at end of file

diff --git a/kubernetes/aai/charts/aai-gizmo/templates/deployment.yaml b/kubernetes/aai/charts/aai-gizmo/templates/deployment.yaml
index 0a30388..ba90fdc 100644 (file)
--- a/kubernetes/aai/charts/aai-gizmo/templates/deployment.yaml
+++ b/kubernetes/aai/charts/aai-gizmo/templates/deployment.yaml
@@ -32,11 +32,6 @@ spec:
         release: {{ .Release.Name }}
     spec:
     {{ if .Values.global.installSidecarSecurity }}
-      hostAliases:
-      - ip: {{ .Values.global.aaf.serverIp }}
-        hostnames:
-        - {{ .Values.global.aaf.serverHostname }}
-
       initContainers:
         - name: {{ .Values.global.tproxyConfig.name }}
           image: "{{ include "common.repository" . }}/{{ .Values.global.tproxyConfig.image }}"
@@ -154,18 +149,18 @@ spec:
           - name: {{ include "common.fullname" . }}-rproxy-log-config
             mountPath: /opt/app/rproxy/config/logback-spring.xml
             subPath: logback-spring.xml
-          - name: {{ include "common.fullname" . }}-rproxy-auth-config
+          - name: {{ include "common.fullname" . }}-rproxy-auth-certs
             mountPath: /opt/app/rproxy/config/auth/tomcat_keystore
             subPath: tomcat_keystore
-          - name: {{ include "common.fullname" . }}-rproxy-auth-config
+          - name: {{ include "common.fullname" . }}-rproxy-auth-certs
             mountPath: /opt/app/rproxy/config/auth/client-cert.p12
             subPath: client-cert.p12
+          - name: {{ include "common.fullname" . }}-rproxy-auth-certs
+            mountPath: /opt/app/rproxy/config/auth/org.onap.aai.p12
+            subPath: org.onap.aai.p12
           - name: {{ include "common.fullname" . }}-rproxy-auth-config
             mountPath: /opt/app/rproxy/config/auth/uri-authorization.json
             subPath: uri-authorization.json
-          - name: {{ include "common.fullname" . }}-rproxy-auth-config
-            mountPath: /opt/app/rproxy/config/auth/aaf_truststore.jks
-            subPath: aaf_truststore.jks
           - name: {{ include "common.fullname" . }}-rproxy-security-config
             mountPath: /opt/app/rproxy/config/security/keyfile
             subPath: keyfile
@@ -181,6 +176,8 @@ spec:
             value: "/opt/app/fproxy/config"
           - name: KEY_STORE_PASSWORD
             value: {{ .Values.config.keyStorePassword }}
+          - name: TRUST_STORE_PASSWORD
+            value: {{ .Values.config.trustStorePassword }}
           - name: spring_profiles_active
             value: {{ .Values.global.fproxy.activeSpringProfiles }}
           volumeMounts:
@@ -190,10 +187,13 @@ spec:
           - name: {{ include "common.fullname" . }}-fproxy-log-config
             mountPath: /opt/app/fproxy/config/logback-spring.xml
             subPath: logback-spring.xml
-          - name: {{ include "common.fullname" . }}-fproxy-auth-config
+          - name: {{ include "common.fullname" . }}-fproxy-auth-certs
             mountPath: /opt/app/fproxy/config/auth/tomcat_keystore
             subPath: tomcat_keystore
-          - name: {{ include "common.fullname" . }}-fproxy-auth-config
+          - name: {{ include "common.fullname" . }}-fproxy-auth-certs
+            mountPath: /opt/app/fproxy/config/auth/fproxy_truststore
+            subPath: fproxy_truststore
+          - name: {{ include "common.fullname" . }}-fproxy-auth-certs
             mountPath: /opt/app/fproxy/config/auth/client-cert.p12
             subPath: client-cert.p12
           ports:
@@ -245,18 +245,21 @@ spec:
         - name: {{ include "common.fullname" . }}-rproxy-auth-config
           secret:
             secretName: {{ include "common.fullname" . }}-rproxy-auth-config
+        - name: {{ include "common.fullname" . }}-rproxy-auth-certs
+          secret:
+            secretName: aai-rproxy-auth-certs
         - name: {{ include "common.fullname" . }}-rproxy-security-config
           secret:
-            secretName: {{ include "common.fullname" . }}-rproxy-security-config
+            secretName: aai-rproxy-security-config
         - name: {{ include "common.fullname" . }}-fproxy-config
           configMap:
             name: {{ include "common.fullname" . }}-fproxy-config
         - name: {{ include "common.fullname" . }}-fproxy-log-config
           configMap:
             name: {{ include "common.fullname" . }}-fproxy-log-config
-        - name: {{ include "common.fullname" . }}-fproxy-auth-config
+        - name: {{ include "common.fullname" . }}-fproxy-auth-certs
           secret:
-            secretName: {{ include "common.fullname" . }}-fproxy-auth-config
+            secretName: aai-fproxy-auth-certs
     {{ end }}
 
       imagePullSecrets:

diff --git a/kubernetes/aai/charts/aai-gizmo/templates/secrets.yaml b/kubernetes/aai/charts/aai-gizmo/templates/secrets.yaml
index 7db7605..96c3424 100644 (file)
--- a/kubernetes/aai/charts/aai-gizmo/templates/secrets.yaml
+++ b/kubernetes/aai/charts/aai-gizmo/templates/secrets.yaml
@@ -45,28 +45,10 @@ data:
 ---
 apiVersion: v1
 kind: Secret
-metadata:
-  name: {{ include "common.fullname" . }}-fproxy-auth-config
-  namespace: {{ include "common.namespace" . }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/fproxy/config/auth/*").AsSecrets . | indent 2 }}
----
-apiVersion: v1
-kind: Secret
 metadata:
   name: {{ include "common.fullname" . }}-rproxy-auth-config
   namespace: {{ include "common.namespace" . }}
 type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/rproxy/config/auth/*").AsSecrets . | indent 2 }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "common.fullname" . }}-rproxy-security-config
-  namespace: {{ include "common.namespace" . }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/rproxy/config/security/*").AsSecrets . | indent 2 }}
 {{ end }}

diff --git a/kubernetes/aai/charts/aai-gizmo/values.yaml b/kubernetes/aai/charts/aai-gizmo/values.yaml
index 9d93663..72da329 100644 (file)
--- a/kubernetes/aai/charts/aai-gizmo/values.yaml
+++ b/kubernetes/aai/charts/aai-gizmo/values.yaml
@@ -29,6 +29,7 @@ flavor: small
 config:
   keyStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
   keyManagerPassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
+  trustStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
 
 # default number of instances
 replicaCount: 1

diff --git a/kubernetes/aai/charts/aai-gizmo/resources/fproxy/config/auth/client-cert.p12 b/kubernetes/aai/resources/config/fproxy/auth/client-cert.p12
similarity index 100%
rename from kubernetes/aai/charts/aai-gizmo/resources/fproxy/config/auth/client-cert.p12
rename to kubernetes/aai/resources/config/fproxy/auth/client-cert.p12

diff --git a/kubernetes/aai/resources/config/fproxy/auth/fproxy_truststore b/kubernetes/aai/resources/config/fproxy/auth/fproxy_truststore
new file mode 100644 (file)
index 0000000..f6ebc75
Binary files /dev/null and b/kubernetes/aai/resources/config/fproxy/auth/fproxy_truststore differ

diff --git a/kubernetes/aai/charts/aai-gizmo/resources/fproxy/config/auth/tomcat_keystore b/kubernetes/aai/resources/config/fproxy/auth/tomcat_keystore
similarity index 100%
rename from kubernetes/aai/charts/aai-gizmo/resources/fproxy/config/auth/tomcat_keystore
rename to kubernetes/aai/resources/config/fproxy/auth/tomcat_keystore

diff --git a/kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/client-cert.p12 b/kubernetes/aai/resources/config/rproxy/auth/client-cert.p12
similarity index 100%
rename from kubernetes/aai/charts/aai-champ/resources/fproxy/config/auth/client-cert.p12
rename to kubernetes/aai/resources/config/rproxy/auth/client-cert.p12

diff --git a/kubernetes/aai/resources/config/rproxy/auth/org.onap.aai.p12 b/kubernetes/aai/resources/config/rproxy/auth/org.onap.aai.p12
new file mode 100644 (file)
index 0000000..023e2ea
Binary files /dev/null and b/kubernetes/aai/resources/config/rproxy/auth/org.onap.aai.p12 differ

diff --git a/kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/tomcat_keystore b/kubernetes/aai/resources/config/rproxy/auth/tomcat_keystore
similarity index 100%
rename from kubernetes/aai/charts/aai-champ/resources/rproxy/config/auth/tomcat_keystore
rename to kubernetes/aai/resources/config/rproxy/auth/tomcat_keystore

diff --git a/kubernetes/aai/resources/config/rproxy/security/keyfile b/kubernetes/aai/resources/config/rproxy/security/keyfile
new file mode 100644 (file)
index 0000000..3416d4a
--- /dev/null
+++ b/kubernetes/aai/resources/config/rproxy/security/keyfile
@@ -0,0 +1,27 @@
+2otP92kNFHdexroZxvgYY7ffslFiwCD3CiVYMIfUF2edqZK7972NwkvE_mbaBo6jh8lByLIqrWAf
+jyzoiVsvQ_kCa0cS1xaRLpcxv3bx1b7o3hGPBqpd6vmSG4y2JLzNlCBZWuTJz827wr8p_fWrYuUm
+4L1WoaEe8W5PRnXjl4hDqbJBAlEoRIBXugUDt_7O5wgx2Rl3HVoOczZtf0RzONZ1F0BmKf3QlAUe
+moSbARitYRgIPt5sLbT7qPyoEpGDhQ1XBowR744-wsjBc-14yO62Ajp5xWKTp15uWn3_HHuw1SAf
+GWSBRGlSlEVkXQqi9Hw5jDttKVzHX1ckwR0SQOirbtHPHplxPX3WKjKhSdSeMzw6LOAHIQYRMKBT
+74oGnULAfPtV7TaGwOKriT3P49CoPdt9On89-LGyCZSxDWKH0K-rgB6I2_hPT2Uzr3jmXiMa-sfh
+iMvyQ7ABBVx0OFsUuNb5mcU2O6dWiQreL5RerrloV_X3ZtnNjxENXKjQ5KBR1A5ISPjFFK-kf4Rb
+p6FSII8LcsiqgdWuZ4GX_C6x8HX4A-vD0x3Uc9CfoXY-k23cNIy-R-W-oB-P2OgdWDNgZ7VaOLNt
+3L-NwWpNblfYvs93cNmkbVAwCZ3r0OP7RFeuON84TRaynK_Fh2S3rypRyJcUmM1pvpZqJ5_-umSW
+hUs1OqkdLv3xjlVzzK-3nMr0q3Zcyp4XdyLYtcX5I3Xqk9ZcsyAT7ghmHhV8KjUjue7OcfAWg0m7
+RJLGq6VC8HeK4HEMa4lF677Qh7DRufghIDEmQSIDfGA790WGSA8HqcOvAL4hURCHyCWiPa5i8ksX
+xX4HyqF8PCVCLJ_ZhzcuIlc0jStAexWbJU_vcyX7XgUaHCkF-M-zv1FP6Z3DHBMD2QqSWjmyNCCk
+8sIuwzs62P_j2o9jG33kssedCrUWOwZancU107-5H0Zw-UWvtCqUfmRZ7TsEbWY7lk_SKfLfAN5q
+ncOQgU_VxDXUFDST4LN_WVECRafK3UtwWomxWSji25Lbf6NVni3ok-yLMDZR-wrE-54jLPES9j0i
+5N0xrk9CfsvGUpUZ1_XQcgaxI6m27DtCCJXb5ywenPBiUIJCMCTq88CqNZxGpju2i4BJcUH2hUHe
+GKhO8pgslwhtEVot9EDwdzSrJkWFCfb6ud4zMxrqdi7-mLWMOydg6lhpEFEX5wu2BLIujGsZlEGE
+_K9jGfBypjXuJCKDZIuPfEnf_7idjKis_JcFB7x4Hx2HHDcBjlWWFZN_VIEnPkQSyZEC26RTFP3k
+zkY3GwUfA36a4XW2pu3gE9wz-W6fkONfzOZ6YiyCm_dRFUVuGSdJG02Hh5iXYlMOGJltPzWH2jVf
+S-QTOmXQTKSOheXoJO6O-9uQbsRf-kq-6w1pvIOp4ms35w4_0Xj0Xr2a9y-L9PdBZvrUsa-jxsZU
+LyA-YY4Ej6QwDBDTD2MGjF1E5_ekYgjoNlltM9rJjofruM4ym0n7LPHC7YXXQSEFOZYeTKi6wUDw
+hQ1DoWHgu4PQ2lexada8sxQdConbPe2iW16h-PrO5D12E4XbT00fqaMlBmjQwzdNRdCC2NRPIQ5W
+nwaO8dZ9yjxsjT7ZVHb9-DRblb3XDocponzxVXqUGtJAie4WXQnerX0ApTWGaHEr5y56JJVS_3LP
+bKrbXBXcs4jTUX4ECXRrOs8JQDQNysXhvTPCu0XUxNZpjx6KLxDs93k2OcESHjl5J6n6OKKJqqoN
+JEyFO5LGXpnmUJbn0-CaHHPRI1mHwEu4brY8wDZd9A0PD1KGXDoCHMfEk1lGblQdyOcVrXZ6uSBk
+Z6zHDnwSCHO1mPYqtelJQehZoFuPSv9PIgKLxs_qJOtZFnXII5YO1mGXgiIBWBjUFDR5HG4ENS6y
+J4MCF-JLMp-PVMAkOaCIQRRDpRnMm_fT1sc_P562Diu_pcdt-r55pMFQYGoGfjRmxQBKk0-SsdnP
+mlZIiis9DfQEN0q3QQdNRYBJD7tmhUwhAPZdLgXqJA8sZf8UyFQhhpsky79NT343YL9smUlF
\ No newline at end of file

diff --git a/kubernetes/aai/templates/configmap.yaml b/kubernetes/aai/templates/configmap.yaml
index a23ed5f..651bf8d 100644 (file)
--- a/kubernetes/aai/templates/configmap.yaml
+++ b/kubernetes/aai/templates/configmap.yaml
@@ -72,4 +72,32 @@ type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/config/aai/*").AsSecrets . | indent 2 }}
 
-
+{{ if .Values.global.installSidecarSecurity }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: aai-fproxy-auth-certs
+  namespace: {{ include "common.namespace" . }}
+type: Opaque
+data:
+{{ tpl (.Files.Glob "resources/config/fproxy/auth/*").AsSecrets . | indent 2 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: aai-rproxy-auth-certs
+  namespace: {{ include "common.namespace" . }}
+type: Opaque
+data:
+{{ tpl (.Files.Glob "resources/config/rproxy/auth/*").AsSecrets . | indent 2 }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: aai-rproxy-security-config
+  namespace: {{ include "common.namespace" . }}
+type: Opaque
+data:
+{{ tpl (.Files.Glob "resources/config/rproxy/security/*").AsSecrets . | indent 2 }}
+{{ end }}
\ No newline at end of file