From: amatthews Date: Thu, 18 Aug 2022 14:31:12 +0000 (+0100) Subject: [OOF] Service Mesh Compliance for OOF X-Git-Tag: 11.0.0~41 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=oom.git;a=commitdiff_plain;h=379daacca80d748ea9fee3c4185c828a9559b509 [OOF] Service Mesh Compliance for OOF Updating basic requirements for Service Mesh Compliance within OOF. Removed AAF dependencies in OOF deployments. Resolved merge conflict for oof-has/resources/conflict/conductor.conf for DCAE Issue-ID: OOM-2253 Change-Id: I660085ca94db723e4880dfa67aa31b604e712d15 Signed-off-by: amatthews --- diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml index 3ed20ba8a6..4e38c830f0 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/deployment.yaml @@ -44,8 +44,10 @@ spec: args: - --container-name - oof-has-controller + {{- if (include "common.needTLS" .) }} - --container-name - aaf-service + {{- end }} env: - name: NAMESPACE valueFrom: @@ -55,6 +57,7 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if (include "common.needTLS" .) }} - name: {{ include "common.name" . }}-has-sms-readiness command: - sh @@ -73,6 +76,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.curl" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- end }} {{ include "common.certInitializer.initContainer" . | indent 6 }} containers: 
@@ -108,9 +112,11 @@ spec: - mountPath: /usr/local/bin/log.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: log.conf + {{- if (include "common.needTLS" .) }} - mountPath: /usr/local/bin/AAF_RootCA.cer name: {{ include "common.fullname" . }}-onap-certs subPath: aaf_root_ca.cer + {{- end }} resources: {{ include "common.resources" . | indent 12 }} - name: {{ include "common.name" . }}-nginx @@ -121,8 +127,10 @@ spec: args: - "-c" - | + {{- if (include "common.needTLS" .) }} grep -v '^$' /opt/bitnami/nginx/ssl/local/org.onap.oof.crt > /tmp/oof.crt cat /tmp/oof.crt /tmp/intermediate_root_ca.pem /tmp/AAF_RootCA.cer >> /opt/bitnami/nginx/org.onap.oof.crt + {{- end }} /opt/bitnami/scripts/nginx/entrypoint.sh /opt/bitnami/scripts/nginx/run.sh ports: - containerPort: {{ .Values.service.internalPort }} @@ -146,12 +154,14 @@ spec: - mountPath: /opt/bitnami/nginx/conf/nginx.conf name: {{ .Values.global.commonConfigPrefix }}-config subPath: nginx.conf + {{- if (include "common.needTLS" .) }} - mountPath: /tmp/AAF_RootCA.cer name: {{ include "common.fullname" . }}-onap-certs subPath: aaf_root_ca.cer - mountPath: /tmp/intermediate_root_ca.pem name: {{ include "common.fullname" . }}-onap-certs subPath: intermediate_root_ca.pem + {{- end }} resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -178,6 +188,8 @@ spec: path: conductor.conf - key: log.conf path: log.conf +{{- if (include "common.needTLS" .) }} {{ include "oof.certificate.volume" . | indent 8 }} +{{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml index 751545ebef..f13e7cea9b 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/templates/service.yaml 
@@ -32,11 +32,11 @@ spec: {{if eq .Values.service.type "NodePort" -}} - port: {{ .Values.service.externalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} {{- else -}} - port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }} {{- end}} selector: app: {{ include "common.name" . }} diff --git a/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml b/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml index e4e843ac3e..c850cb7752 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-api/values.yaml @@ -45,7 +45,7 @@ service: externalPort: 8091 internalPort: 8091 nodePort: 75 - portName: oof-has-api + portName: http #backend container info uwsgi: diff --git a/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml index 55bb4f620d..92be670db6 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-controller/templates/deployment.yaml @@ -43,8 +43,10 @@ spec: args: - --job-name - {{ include "common.release" . }}-{{ .Values.config.etcd.configJobNameOverride }}-job + {{- if (include "common.needTLS" .) }} - --container-name - aaf-sms + {{- end }} env: - name: NAMESPACE valueFrom: 
@@ -54,6 +56,7 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if (include "common.needTLS" .) }} - name: {{ include "common.name" . }}-cont-sms-readiness command: - sh @@ -72,6 +75,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.curl" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- end }} containers: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.image.optf_has }} @@ -113,9 +117,11 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh + {{- if (include "common.needTLS" .) }} - mountPath: /usr/local/bin/AAF_RootCA.cer name: {{ include "common.fullname" . }}-onap-certs subPath: aaf_root_ca.cer + {{- end }} resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -141,6 +147,8 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh +{{- if (include "common.needTLS" .) }} {{ include "oof.certificate.volume" . | indent 8 }} +{{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml index 4f58ec3b94..72ecd7db2d 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-data/templates/deployment.yaml @@ -52,6 +52,7 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if (include "common.needTLS" .) }} - name: {{ include "common.name" . }}-data-sms-readiness command: - sh 
@@ -70,6 +71,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.curl" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- end }} containers: - name: {{ include "common.name" . }} @@ -112,6 +114,7 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh + {{- if (include "common.needTLS" .) }} - mountPath: /usr/local/bin/aai_cert.cer name: {{ .Values.global.commonConfigPrefix }}-config subPath: aai_cert.cer @@ -121,6 +124,7 @@ spec: - mountPath: /usr/local/bin/AAF_RootCA.cer name: {{ include "common.fullname" . }}-onap-certs subPath: aaf_root_ca.cer + {{- end }} resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -146,10 +150,14 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh + {{- if (include "common.needTLS" .) }} - key: aai_cert.cer path: aai_cert.cer - key: aai_key.key path: aai_key.key + {{- end }} +{{- if (include "common.needTLS" .) }} {{ include "oof.certificate.volume" . | indent 8 }} +{{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml index f8755ea66b..b90a6f6e89 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-reservation/templates/deployment.yaml @@ -52,6 +52,7 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if (include "common.needTLS" .) }} - name: {{ include "common.name" . }}-resrv-sms-readiness command: - sh 
@@ -70,6 +71,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.curl" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- end }} containers: - name: {{ include "common.name" . }} @@ -112,9 +114,11 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh + {{- if (include "common.needTLS" .) }} - mountPath: /usr/local/bin/AAF_RootCA.cer name: {{ include "common.fullname" . }}-onap-certs subPath: aaf_root_ca.cer + {{- end }} resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -140,6 +144,8 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh +{{- if (include "common.needTLS" .) }} {{ include "oof.certificate.volume" . | indent 8 }} +{{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml b/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml index 154bc78e41..4499d9806e 100755 --- a/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml +++ b/kubernetes/oof/components/oof-has/components/oof-has-solver/templates/deployment.yaml @@ -52,6 +52,7 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if (include "common.needTLS" .) }} - name: {{ include "common.name" . }}-solvr-sms-readiness command: - sh @@ -70,6 +71,7 @@ spec: fieldPath: metadata.namespace image: {{ include "repositoryGenerator.image.curl" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- end }} containers: - name: {{ include "common.name" . }} 
@@ -112,9 +114,11 @@ spec: - mountPath: /usr/local/bin/healthy.sh name: {{ .Values.global.commonConfigPrefix }}-config subPath: healthy.sh + {{- if (include "common.needTLS" .) }} - mountPath: /usr/local/bin/AAF_RootCA.cer name: {{ include "common.fullname" . }}-onap-certs subPath: aaf_root_ca.cer + {{- end }} resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -140,6 +144,8 @@ spec: path: log.conf - key: healthy.sh path: healthy.sh +{{- if (include "common.needTLS" .) }} {{ include "oof.certificate.volume" . | indent 8 }} +{{- end }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/oof/components/oof-has/resources/config/conductor.conf b/kubernetes/oof/components/oof-has/resources/config/conductor.conf index 78553d73af..d650808036 100755 --- a/kubernetes/oof/components/oof-has/resources/config/conductor.conf +++ b/kubernetes/oof/components/oof-has/resources/config/conductor.conf @@ -159,13 +159,13 @@ appkey = "" # # is_aaf_enabled. (boolean value) -is_aaf_enabled = true +is_aaf_enabled = {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} # aaf_cache_expiry_hrs. (integer value) aaf_cache_expiry_hrs = 3 # aaf_url. (string value) -aaf_url = https://{{.Values.config.aaf.serviceName}}:{{.Values.config.aaf.port}}/authz/perms/user/ +aaf_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.aaf.serviceName}}:{{.Values.config.aaf.port}}/authz/perms/user/ # aaf_cert_file. (string value) #aaf_cert_file = @@ -175,7 +175,7 @@ aaf_url = https://{{.Values.config.aaf.serviceName}}:{{.Values.config.aaf.port}} # aaf_ca_bundle_file. (string value) #aaf_ca_bundle_file = -aaf_ca_bundle_file = /usr/local/bin/AAF_RootCA.cer +aaf_ca_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} # aaf_retries. (integer value) #aaf_retries = 3 
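Review bot: `is_aaf_enabled` in the conductor.conf hunk at -159,13 now follows `common.needTLS`, so the AAF permission lookup against `/authz/perms/user/` is switched off together with TLS, and nothing in the rendered file says so. If that lookup is what authorizes API callers (inferred from the option name and URL; the conductor code is not on this page), a service-mesh deployment depends entirely on mesh-level policy for access control. I would add a comment above the setting, for example `# AAF authorization is off when the mesh provides TLS; access control must then come from mesh authorization policy`. The hunk at -193,9 ties the SMS `is_enabled` flag to the same helper and deserves the same comment.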
@@ -193,9 +193,12 @@ aaf_ca_bundle_file = /usr/local/bin/AAF_RootCA.cer # From conductor # +# is_enabled. (boolean value) +is_enabled = {{ (eq "true" (include "common.needTLS" .)) | ternary true false }} + # Base URL for SMS, up to and not including the version, and without a trailing # slash. (string value) -aaf_sms_url = https://{{.Values.config.sms.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sms.port}} +aaf_sms_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.sms.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sms.port}} # Timeout for SMS API Call (integer value) @@ -231,7 +234,8 @@ complex_cache_refresh_interval = 60 # Base URL for A&AI, up to and not including the version, and without a # trailing slash. (string value) -server_url = https://{{.Values.config.aai.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.aai.port}}/aai +#server_url = https://{{.Values.config.aai.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.aai.port}}/aai +server_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.aai.serviceName}}.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.aai.port .Values.config.aai.plainPort }}/aai # Timeout for A&AI Rest Call (string value) #aai_rest_timeout = 30 @@ -252,7 +256,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer +certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} # Username for AAI. (string value) username = OOF 
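Review bot: The new A&AI `server_url` line in the hunk at -231,7 tests `common.needTLS` two different ways, by bare truthiness for the scheme (`{{ if (include "common.needTLS" .) }}`) and by string comparison for the port (`eq "true" (include "common.needTLS" .)`). The two agree only if the helper renders an empty string in the negative case; the helper is not shown here, and a rendered `false` would yield `https` combined with `plainPort`. Evaluating it once, e.g. `{{- $tls := eq "true" (include "common.needTLS" .) }}` at the top of the file and `$tls` thereafter, removes that dependency. The same mix appears in the hunks at -159,13, -193,9 and -676,7. The commented-out `#server_url` line kept above the new one is still template-rendered and could simply be dropped.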
@@ -676,7 +680,8 @@ concurrent = true # Base URL for SDC, up to and not including the version, and without a # trailing slash. (string value) #server_url = https://controller:8443/sdc -server_url = https://{{.Values.config.sdc.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sdc.port}}/sdc +#server_url = https://{{.Values.config.sdc.serviceName}}.{{ include "common.namespace" . }}:{{.Values.config.sdc.port}}/sdc +server_url = http{{ if (include "common.needTLS" .) }}s{{ end }}://{{.Values.config.sdc.serviceName}}.{{ include "common.namespace" . }}:{{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.sdc.port .Values.config.sdc.plainPort }}/sdc # Timeout for SDC Rest Call (string value) #sdc_rest_timeout = 30 @@ -699,7 +704,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer +certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} # Username for SDC. (string value) #username = @@ -744,7 +749,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer +certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} # Username for CPS. (string value) #username = 
@@ -788,7 +793,7 @@ certificate_key_file = # Certificate Authority Bundle file in pem format. Must contain the appropriate # trust chain for the Certificate file. (string value) #certificate_authority_bundle_file = certificate_authority_bundle.pem -certificate_authority_bundle_file = /usr/local/bin/AAF_RootCA.cer +certificate_authority_bundle_file = {{ if (include "common.needTLS" .) }}/usr/local/bin/AAF_RootCA.cer{{ end }} # Username for DCAE. (string value) #username = diff --git a/kubernetes/oof/components/oof-has/resources/config/nginx.conf b/kubernetes/oof/components/oof-has/resources/config/nginx.conf index cbb1b60a58..9272e8581c 100644 --- a/kubernetes/oof/components/oof-has/resources/config/nginx.conf +++ b/kubernetes/oof/components/oof-has/resources/config/nginx.conf @@ -11,12 +11,17 @@ http { server { +{{ if (include "common.needTLS" .) }} listen 8091 ssl; server_name oof; ssl_certificate /opt/bitnami/nginx/org.onap.oof.crt; ssl_certificate_key /opt/bitnami/nginx/ssl/local/org.onap.oof.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; +{{ else }} + listen 8091; + server_name oof; +{{ end }} location / { include /opt/bitnami/nginx/conf/uwsgi_params; diff --git a/kubernetes/oof/components/oof-has/values.yaml b/kubernetes/oof/components/oof-has/values.yaml index 733b9209b5..0c5397c5a8 100755 --- a/kubernetes/oof/components/oof-has/values.yaml +++ b/kubernetes/oof/components/oof-has/values.yaml @@ -56,6 +56,7 @@ config: aai: serviceName: aai port: 8443 + plainPort: 80 msb: serviceName: msb-iag port: 80 @@ -68,6 +69,7 @@ config: sdc: serviceName: sdc-be port: 8443 + plainPort: 8080 cps: service: cps-tbdmt port: 8080 diff --git a/kubernetes/oof/resources/config/conf/common_config.yaml b/kubernetes/oof/resources/config/conf/common_config.yaml index 57e8e27a19..d34967617b 100644 --- a/kubernetes/oof/resources/config/conf/common_config.yaml +++ b/kubernetes/oof/resources/config/conf/common_config.yaml 
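Review bot: The TLS branch of the nginx.conf server block keeps `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;`, which still offers the deprecated TLS 1.0 and 1.1 on port 8091. The line is unchanged context, but since this commit restructures the block it is a natural place to tighten it to `ssl_protocols TLSv1.2 TLSv1.3;`. In the `{{ else }}` branch the listener is plain HTTP, so a one-line comment such as `# plain HTTP: transport security is provided by the service mesh sidecar` would record the assumption the configuration now relies on. The server block continues past the end of the hunk.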
@@ -5,7 +5,7 @@ osdf_system: external: 8698 # clients use this port on DockerHost osdf_ip_default: 0.0.0.0 # # Important Note: At deployment time, we need to ensure the port mapping is done - ssl_context: ['/opt/osdf/org.onap.oof.crt', '/opt/osdf/osaaf/local/org.onap.oof.key'] + ssl_context: {{ if (include "common.needTLS" .) }}['/opt/osdf/org.onap.oof.crt', '/opt/osdf/osaaf/local/org.onap.oof.key']{{ end }} osdf_temp: # special configuration required for "workarounds" or testing local_policies: diff --git a/kubernetes/oof/resources/config/conf/osdf_config.yaml b/kubernetes/oof/resources/config/conf/osdf_config.yaml index 441a77ab5a..ff62bb6b0a 100755 --- a/kubernetes/oof/resources/config/conf/osdf_config.yaml +++ b/kubernetes/oof/resources/config/conf/osdf_config.yaml @@ -11,14 +11,14 @@ placementDefaultMinorVersion: {{ .Values.config.placementDefaultMinorVersion }} placementDefaultPatchVersion: {{ .Values.config.placementDefaultPatchVersion }} # Credentials for Conductor -conductorUrl: {{ .Values.config.conductorUrl }} +conductorUrl: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.conductorUrl.https .Values.config.conductorUrl.http }} conductorPingWaitTime: {{ .Values.config.conductorPingWaitTime }} conductorMaxRetries: {{ .Values.config.conductorMaxRetries }} # versions to be set in HTTP header conductorMinorVersion: {{ .Values.config.conductorMinorVersion }} # Policy Platform -- requires ClientAuth, Authorization, and Environment -policyPlatformUrl: {{ .Values.config.policyPlatformUrl }} +policyPlatformUrl: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.policyPlatformUrl.https .Values.config.policyPlatformUrl.http }} policyPlatformEnv: {{ .Values.config.policyPlatformEnv }} # Credentials for DMaaP 
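Review bot: When `common.needTLS` is not set, the new `ssl_context` line in common_config.yaml renders as a bare key, which YAML loads as null. Whether OSDF treats a null `ssl_context` as "serve plain HTTP" is not visible on this page, so that should be confirmed and written down. Rendering the value explicitly with `{{ else }}null{{ end }}` and adding a comment like `# null: TLS is provided by the service mesh` makes the intent clear to the next reader.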
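Review bot: `conductorUrl` and `policyPlatformUrl` in osdf_config.yaml are now read as maps (`.https` / `.http`), so an existing override file that still sets either one as a plain string will no longer render, because the template cannot evaluate a field on a string value. The same applies to `aaf_url`, `aaf_sms_url`, `aaiUrl` and `desUrl` in the hunks at -31,14, -56,7 and -65,7. The matching keys in `kubernetes/oof/values.yaml` should each carry a comment such as `# map with https/http entries, selected by common.needTLS`, and the changed value shape is worth stating in the commit message for operators who maintain overrides.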
@@ -31,14 +31,14 @@ sdcONAPInstanceID: {{ .Values.config.sdcONAPInstanceID }} is_aaf_enabled: {{ .Values.config.is_aaf_enabled }} aaf_cache_expiry_mins: {{ .Values.config.aaf_cache_expiry_mins }} -aaf_url: {{ .Values.config.aaf_url }} +aaf_url: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.aaf_url.https .Values.config.aaf_url.http }} aaf_user_roles: {{- range .Values.config.aaf_user_roles }} - {{ . }} {{- end }} # Secret Management Service from AAF -aaf_sms_url: {{ .Values.config.aaf_sms_url }}.{{ include "common.namespace" . }}:{{ .Values.config.aaf_sms_port }} +aaf_sms_url: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.aaf_sms_url.https .Values.config.aaf_sms_url.http }}.{{ include "common.namespace" . }}:{{ .Values.config.aaf_sms_port }} aaf_sms_timeout: {{ .Values.config.aaf_sms_timeout }} secret_domain: {{ .Values.config.secret_domain }} aaf_ca_certs: {{ .Values.config.aaf_ca_certs }} @@ -56,7 +56,7 @@ cpsCellListUrl: {{ .Values.config.cps.cellListUrl }} cpsNbrListUrl: {{ .Values.config.cps.nbrListUrl }} # AAI api -aaiUrl: {{ .Values.config.aaiUrl }} +aaiUrl: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.aaiUrl.https .Values.config.aaiUrl.http }} aaiGetLinksUrl: {{ .Values.config.aaiGetLinksUrl }} aaiServiceInstanceUrl : {{ .Values.config.aaiServiceInstanceUrl }} aaiGetControllersUrl: {{ .Values.config.aaiGetControllersUrl }} @@ -65,7 +65,7 @@ aaiGetInterDomainLinksUrl: {{ .Values.config.aaiGetInterDomainLinksUrl }} dslQueryPath: /aai/v23/dsl?format= #DES api -desUrl: {{ .Values.config.desUrl }} +desUrl: {{ (eq "true" (include "common.needTLS" .)) | ternary .Values.config.desUrl.https .Values.config.desUrl.http }} desApiPath: {{ .Values.config.desApiPath }} desHeaders: Accept: application/json @@ -77,4 +77,3 @@ desPassword: {{ .Values.config.desPassword }} appkey: '' activateConsulConfig: False - 
diff --git a/kubernetes/oof/templates/deployment.yaml b/kubernetes/oof/templates/deployment.yaml index 58ff39e1e5..31884c06bb 100644 --- a/kubernetes/oof/templates/deployment.yaml +++ b/kubernetes/oof/templates/deployment.yaml @@ -52,12 +52,13 @@ spec: image: {{ include "repositoryGenerator.image.readiness" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness + {{- if (include "common.needTLS" .) }} - command: - sh - -c - resp="FAILURE"; until [ $resp = "200" ]; do - resp=$(curl -s -o /dev/null -k --write-out %{http_code} https://aaf-sms.{{ include "common.namespace" . }}:10443/v1/sms/domain/osdf/secret); + resp=$(curl -s -o /dev/null -k --write-out %{http_code} http{{ if (include "common.needTLS" .) }}s{{ end }}://aaf-sms.{{ include "common.namespace" . }}:10443/v1/sms/domain/osdf/secret); echo $resp; sleep 2; done @@ -70,6 +71,7 @@ spec: image: {{ include "repositoryGenerator.image.curl" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-osdf-sms-readiness + {{- end }} {{ include "common.certInitializer.initContainer" . | indent 6 }} containers: - name: {{ include "common.name" . }} @@ -80,8 +82,10 @@ spec: args: - "-c" - | + {{- if (include "common.needTLS" .) }} grep -v '^$' /opt/osdf/osaaf/local/org.onap.oof.crt > /tmp/oof.crt cat /tmp/oof.crt /opt/app/ssl_cert/intermediate_root_ca.pem /opt/app/ssl_cert/aaf_root_ca.cer >> /opt/osdf/org.onap.oof.crt + {{ end }} python osdfapp.py ports: - containerPort: {{ .Values.service.internalPort }} 
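Review bot: The scheme conditional inside the `curl` command in the hunk at -52,12 can never produce `http`, because the whole init container is already wrapped in `{{- if (include "common.needTLS" .) }}`; writing `https://aaf-sms.{{ include "common.namespace" . }}:10443/...` directly is clearer. The changed line also keeps `-k`, so the probe accepts any certificate presented by `aaf-sms`; it only reads the status code, but if a CA bundle is available in this container (not visible in the hunk) `--cacert` would be the better choice. The container definition ends in the following hunk, at -70,6.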
@@ -108,12 +112,14 @@ spec: - mountPath: /opt/osdf/config/osdf_config.yaml name: {{ include "common.fullname" . }}-config subPath: osdf_config.yaml + {{- if (include "common.needTLS" .) }} - mountPath: /opt/app/ssl_cert/aaf_root_ca.cer name: {{ include "common.fullname" . }}-onap-certs subPath: aaf_root_ca.cer - mountPath: /opt/app/ssl_cert/intermediate_root_ca.pem name: {{ include "common.fullname" . }}-onap-certs subPath: intermediate_root_ca.pem + {{- end }} - mountPath: /opt/osdf/config/common_config.yaml name: {{ include "common.fullname" . }}-config subPath: common_config.yaml diff --git a/kubernetes/oof/templates/service.yaml b/kubernetes/oof/templates/service.yaml index 0706a8d6d4..b2da17a23f 100644 --- a/kubernetes/oof/templates/service.yaml +++ b/kubernetes/oof/templates/service.yaml @@ -33,11 +33,11 @@ spec: - port: {{ .Values.service.externalPort }} nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }} targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.name }}{{ if (include "common.needTLS" .) }}s{{ end }} {{- else -}} - port: {{ .Values.service.externalPort }} targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.portName }} + name: {{ .Values.service.name }}{{ if (include "common.needTLS" .) }}s{{ end }} {{- end}} selector: app: {{ include "common.name" . }} diff --git a/kubernetes/oof/values.yaml b/kubernetes/oof/values.yaml index 5d668289d2..f6867bd8bf 100644 --- a/kubernetes/oof/values.yaml +++ b/kubernetes/oof/values.yaml 
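Review bot: Both branches of kubernetes/oof/templates/service.yaml now build the port name from `.Values.service.name`, while the oof-has-api service template in this same commit keeps `.Values.service.portName` and sets it to `http`. None of the `kubernetes/oof/values.yaml` hunks shown here add or change `service.name`, so the rendered name depends on a value this page does not show: if it is unset the port is named just `s` under TLS, and if it holds the service's own name the port name will not start with a protocol, which mesh protocol selection usually relies on. I would keep `name: {{ .Values.service.portName }}{{ if (include "common.needTLS" .) }}s{{ end }}` with `portName: http` in values.yaml, matching oof-has-api.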
@@ -56,13 +56,17 @@ config: placementDefaultPatchVersion: "0" # Url and credentials for Conductor. - conductorUrl: https://oof-has-api:8091/v1/plans/ + conductorUrl: + https: https://oof-has-api:8091/v1/plans/ + http: http://oof-has-api:8091/v1/plans/ conductorPingWaitTime: 10 conductorMaxRetries: 30 # versions to be set in HTTP header conductorMinorVersion: 0 # Url and credentials for the Policy Platform - policyPlatformUrl: https://policy-xacml-pdp:6969/policy/pdpx/v1/decision # Policy Dev platform URL + policyPlatformUrl: + https: https://policy-xacml-pdp:6969/policy/pdpx/v1/decision # Policy Dev platform URL + http: http://policy-xacml-pdp:8080/policy/pdpx/v1/decision policyPlatformEnv: TEST # Environment for policy platform # Credentials for the message reader - A placeholder. messageReaderHosts: NA @@ -73,12 +77,16 @@ config: #AAF Authentication is_aaf_enabled: False aaf_cache_expiry_mins: 5 - aaf_url: https://aaf-service:8100 + aaf_url: + https: https://aaf-service:8100 + http: http://aaf-service:8080 aaf_user_roles: - '/placement:org.onap.oof.access|*|read ALL' - '/pci:org.onap.oof.access|*|read ALL' # Secret Management Service from AAF - aaf_sms_url: https://aaf-sms + aaf_sms_url: + https: https://aaf-sms + http: http://aaf-sms aaf_sms_port: 10443 aaf_sms_timeout: 30 secret_domain: osdf 
@@ -95,14 +103,18 @@ config: nbrListUrl: 'ran-network/getNbrList' #aai api - aaiUrl: https://aai:8443 + aaiUrl: + https: https://aai:8443 + http: http://aai:8080 aaiGetLinksUrl: /aai/v16/network/logical-links aaiServiceInstanceUrl : /aai/v20/nodes/service-instances/service-instance/ aaiGetControllersUrl: /aai/v19/external-system/esr-thirdparty-sdnc-list controllerQueryUrl: /aai/v19/query?format=resource aaiGetInterDomainLinksUrl: /aai/v19/network/logical-links?link-type=inter-domain&operational-status=up #des api - desUrl: https://des.url:9000 + desUrl: + https: https://des.url:9000 + http: http://des.url:8080 desApiPath: /datalake/v1/exposure/ desUsername: '' desPassword: ''