From: Keren Joseph
Date: Tue, 12 Sep 2017 07:13:15 +0000 (+0300)
Subject: moving certs and keys to k8s secrets
X-Git-Tag: 2.0.0-ONAP~662^2
X-Git-Url: https://gerrit.onap.org/r/gitweb?p=oom.git;a=commitdiff_plain;h=59ffd500ea34c201fbb3edc39e64655fa8381be0
moving certs and keys to k8s secrets
changed location of used certs and keys files, updated deploy yamls and create/delete all
Issue-ID: OOM-293
Change-Id: I53766b7028d6b725bf381875105b196246ff2ee1
Signed-off-by: Keren Joseph
---
diff --git a/kubernetes/aai/templates/data-router-deployment.yaml b/kubernetes/aai/templates/data-router-deployment.yaml
index f823061c33..0033208642 100644
--- a/kubernetes/aai/templates/data-router-deployment.yaml
+++ b/kubernetes/aai/templates/data-router-deployment.yaml
@@ -35,6 +35,10 @@ spec:
 volumeMounts:
 - mountPath: /opt/app/data-router/config/
 name: data-router-config
+ - mountPath: /opt/app/data-router/config/auth/tomcat_keystore
+ name: data-router-tomcat-key
+ - mountPath: /opt/app/data-router/config/auth/client-cert-onap.p12
+ name: data-router-client-cert
 - mountPath: /opt/app/data-router/dynamic/
 name: data-router-dynamic
 - mountPath: /logs/
@@ -56,6 +60,12 @@ spec:
 - name: data-router-logs
 hostPath:
 path: "/dockerdata-nfs/{{ .Values.nsPrefix }}/aai/data-router/logs/"
+ - name: data-router-tomcat-key
+ secret:
+ secretName: secret-{{ .Values.nsPrefix }}-aai
+ - name: data-router-client-cert
+ secret:
+ secretName: secret-{{ .Values.nsPrefix }}-aai
 restartPolicy: Always
 imagePullSecrets:
 - name: "{{ .Values.nsPrefix }}-docker-registry-key"
diff --git a/kubernetes/aai/templates/modelloader-deployment.yaml b/kubernetes/aai/templates/modelloader-deployment.yaml
index 5391273d9d..ec6a9178a7 100644
--- a/kubernetes/aai/templates/modelloader-deployment.yaml
+++ b/kubernetes/aai/templates/modelloader-deployment.yaml
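Review bot: The two new mounts at `/opt/app/data-router/config/auth/tomcat_keystore` and `/opt/app/data-router/config/auth/client-cert-onap.p12` point a whole Secret volume at a file path, so the container finds a directory holding every key of `secret-{{ .Values.nsPrefix }}-aai` where the application expects a single keystore file; each mount needs a `subPath: tomcat_keystore` (resp. `subPath: client-cert-onap.p12`) line, which matches the key kubectl derives from the file basename in `--from-file`. Mounting only the needed key also keeps the other A&AI material (the inventory-ui keystore, the OS certificate) out of a container that has no use for it; restricting the volume with `items:` achieves the same. The same pattern recurs in modelloader-deployment.yaml, search-data-service-deployment.yaml, sparky-be-deployment.yaml, mso-deployment.yaml and dep-drools.yaml, and presumably in the mykey mount that the message-router-dmaap.yaml hunk does not show. Since these volumes carry private key material, consider `defaultMode: 0400` on each secret volume so the files are not world-readable inside the pod.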
@@ -20,6 +20,8 @@ spec:
 volumeMounts:
 - mountPath: /opt/app/model-loader/config/
 name: aai-model-loader-config
+ - mountPath: /opt/app/model-loader/config/auth/aai-os-cert.p12
+ name: aai-os-cert
 - mountPath: /logs/
 name: aai-model-loader-logs
 image: "{{ .Values.image.modelLoaderImage }}:{{ .Values.image.modelLoaderVersion }}"
@@ -35,6 +37,9 @@ spec:
 - name: aai-model-loader-logs
 hostPath:
 path: "/dockerdata-nfs/{{ .Values.nsPrefix }}/aai/model-loader/logs/"
+ - name: aai-os-cert
+ secret:
+ secretName: secret-{{ .Values.nsPrefix }}-aai
 restartPolicy: Always
 imagePullSecrets:
 - name: "{{ .Values.nsPrefix }}-docker-registry-key"
diff --git a/kubernetes/aai/templates/search-data-service-deployment.yaml b/kubernetes/aai/templates/search-data-service-deployment.yaml
index f2db9370fd..8f4acef7cb 100644
--- a/kubernetes/aai/templates/search-data-service-deployment.yaml
+++ b/kubernetes/aai/templates/search-data-service-deployment.yaml
@@ -27,6 +27,8 @@ spec:
 volumeMounts:
 - mountPath: /opt/app/search-data-service/config/
 name: aai-search-data-service-config
+ - mountPath: /opt/app/search-data-service/config/auth/tomcat_keystore
+ name: aai-tomcat-key
 - mountPath: /logs/
 name: aai-search-data-service-logs
 ports:
@@ -40,6 +42,9 @@ spec:
 - name: aai-search-data-service-config
 hostPath:
 path: "/dockerdata-nfs/{{ .Values.nsPrefix }}/aai/search-data-service/appconfig/"
+ - name: aai-tomcat-key
+ secret:
+ secretName: secret-{{ .Values.nsPrefix }}-aai
 - name: aai-search-data-service-logs
 hostPath:
 path: "/dockerdata-nfs/{{ .Values.nsPrefix }}/aai/search-data-service/logs/"
diff --git a/kubernetes/aai/templates/sparky-be-deployment.yaml b/kubernetes/aai/templates/sparky-be-deployment.yaml
index 6a8ff9308d..f4c44e28ed 100644
--- a/kubernetes/aai/templates/sparky-be-deployment.yaml
+++ b/kubernetes/aai/templates/sparky-be-deployment.yaml
@@ -27,6 +27,12 @@ spec:
 volumeMounts:
 - mountPath: /opt/app/sparky/config/
 name: aai-sparky-be-config
+ - mountPath: /opt/app/sparky/config/auth/client-cert-onap.p12
+ name: aai-sparky-be-client-cert
+ - mountPath: /opt/app/sparky/config/auth/aai-os-cert.p12
+ name: aai-sparky-be-aai-os-cert
+ - mountPath: /opt/app/sparky/config/auth/inventory-ui-keystore
+ name: aai-sparky-be-inventory-key
 - mountPath: /logs/
 name: aai-sparky-be-logs
 ports:
@@ -43,6 +49,15 @@ spec:
 - name: aai-sparky-be-logs
 hostPath:
 path: "/dockerdata-nfs/{{ .Values.nsPrefix }}/aai/sparky-be/logs/"
+ - name: aai-sparky-be-client-cert
+ secret:
+ secretName: secret-{{ .Values.nsPrefix }}-aai
+ - name: aai-sparky-be-aai-os-cert
+ secret:
+ secretName: secret-{{ .Values.nsPrefix }}-aai
+ - name: aai-sparky-be-inventory-key
+ secret:
+ secretName: secret-{{ .Values.nsPrefix }}-aai
 restartPolicy: Always
 imagePullSecrets:
 - name: "{{ .Values.nsPrefix }}-docker-registry-key"
diff --git a/kubernetes/config/.helmignore b/kubernetes/config/.helmignore
index 4c38baed31..bc7bb96055 100644
--- a/kubernetes/config/.helmignore
+++ b/kubernetes/config/.helmignore
@@ -22,4 +22,5 @@
 #ignore config docker image files
 docker
-createConfig.sh
\ No newline at end of file
+createConfig.sh
+certs
diff --git a/kubernetes/config/docker/init/src/config/aai/model-loader/appconfig/auth/aai-os-cert.p12 b/kubernetes/config/certs/aai/aai-os-cert.p12
similarity index 100%
rename from kubernetes/config/docker/init/src/config/aai/model-loader/appconfig/auth/aai-os-cert.p12
rename to kubernetes/config/certs/aai/aai-os-cert.p12
diff --git a/kubernetes/config/docker/init/src/config/aai/data-router/appconfig/auth/client-cert-onap.p12 b/kubernetes/config/certs/aai/client-cert-onap.p12
similarity index 100%
rename from kubernetes/config/docker/init/src/config/aai/data-router/appconfig/auth/client-cert-onap.p12
rename to kubernetes/config/certs/aai/client-cert-onap.p12
diff --git a/kubernetes/config/docker/init/src/config/aai/sparky-be/appconfig/auth/inventory-ui-keystore b/kubernetes/config/certs/aai/inventory-ui-keystore
similarity index 100%
rename from kubernetes/config/docker/init/src/config/aai/sparky-be/appconfig/auth/inventory-ui-keystore
rename to kubernetes/config/certs/aai/inventory-ui-keystore
diff --git a/kubernetes/config/docker/init/src/config/aai/data-router/appconfig/auth/tomcat_keystore b/kubernetes/config/certs/aai/tomcat_keystore
similarity index 100%
rename from kubernetes/config/docker/init/src/config/aai/data-router/appconfig/auth/tomcat_keystore
rename to kubernetes/config/certs/aai/tomcat_keystore
diff --git a/kubernetes/config/docker/init/src/config/message-router/dmaap/mykey b/kubernetes/config/certs/message-router/mykey
similarity index 100%
rename from kubernetes/config/docker/init/src/config/message-router/dmaap/mykey
rename to kubernetes/config/certs/message-router/mykey
diff --git a/kubernetes/config/docker/init/src/config/mso/mso/aai.crt b/kubernetes/config/certs/mso/aai.crt
similarity index 100%
rename from kubernetes/config/docker/init/src/config/mso/mso/aai.crt
rename to kubernetes/config/certs/mso/aai.crt
diff --git a/kubernetes/config/docker/init/src/config/mso/mso/encryption.key b/kubernetes/config/certs/mso/encryption.key
similarity index 100%
rename from kubernetes/config/docker/init/src/config/mso/mso/encryption.key
rename to kubernetes/config/certs/mso/encryption.key
diff --git a/kubernetes/config/docker/init/src/config/policy/opt/policy/config/drools/policy-keystore b/kubernetes/config/certs/policy/policy-keystore
similarity index 100%
rename from kubernetes/config/docker/init/src/config/policy/opt/policy/config/drools/policy-keystore
rename to kubernetes/config/certs/policy/policy-keystore
diff --git a/kubernetes/message-router/templates/message-router-dmaap.yaml b/kubernetes/message-router/templates/message-router-dmaap.yaml
index 59c57f85f6..0579541cb1 100644
--- a/kubernetes/message-router/templates/message-router-dmaap.yaml
+++ b/kubernetes/message-router/templates/message-router-dmaap.yaml
@@ -69,7 +69,7 @@ spec:
 hostPath:
 path: /dockerdata-nfs/{{ .Values.nsPrefix }}/message-router/dmaap/cadi.properties
 - name: mykey
- hostPath:
- path: /dockerdata-nfs/{{ .Values.nsPrefix }}/message-router/dmaap/mykey
+ secret:
+ secretName: secret-{{ .Values.nsPrefix }}-message-router
 imagePullSecrets:
 - name: "{{ .Values.nsPrefix }}-docker-registry-key"
diff --git a/kubernetes/mso/templates/mso-deployment.yaml b/kubernetes/mso/templates/mso-deployment.yaml
index 0f3034f4cc..9414990201 100644
--- a/kubernetes/mso/templates/mso-deployment.yaml
+++ b/kubernetes/mso/templates/mso-deployment.yaml
@@ -49,6 +49,10 @@ spec:
 volumeMounts:
 - mountPath: /shared
 name: mso
+ - mountPath: /shared/aai.crt
+ name: mso-aai-crt
+ - mountPath: /shared/encryption.key
+ name: mso-key
 - mountPath: /docker-files
 name: mso-docker-files
 env:
@@ -72,5 +76,11 @@ spec:
 - name: mso-docker-files
 hostPath:
 path: /dockerdata-nfs/{{ .Values.nsPrefix }}/mso/docker-files
+ - name: mso-aai-crt
+ secret:
+ secretName: secret-{{ .Values.nsPrefix }}-mso
+ - name: mso-key
+ secret:
+ secretName: secret-{{ .Values.nsPrefix }}-mso
 imagePullSecrets:
 - name: "{{ .Values.nsPrefix }}-docker-registry-key"
diff --git a/kubernetes/oneclick/createAll.bash b/kubernetes/oneclick/createAll.bash
index 7b8e2f8886..0ecee0392a 100755
--- a/kubernetes/oneclick/createAll.bash
+++ b/kubernetes/oneclick/createAll.bash
@@ -26,6 +26,14 @@ create_registry_key() {
 kubectl --namespace $1-$2 create secret docker-registry $3 --docker-server=$4 --docker-username=$5 --docker-password=$6 --docker-email=$7
 }
+create_certs_secret() {
+ if [ -d $LOCATION/config/certs/$i/ ]; then
+ printf "\nCreating certs and keys secret **********\n"
+ _CERTS_FILES=$(find $LOCATION/config/certs/$2/ -type f | awk '$0="--from-file="$0' ORS=' ')
+ kubectl create secret generic secret-$1-$2 $_CERTS_FILES -n $1-$2
+ fi
+}
+
 create_onap_helm() {
 HELM_VALUES_ADDITION=""
 if [[ ! -z $HELM_VALUES_FILEPATH ]]; then
@@ -118,6 +126,8 @@ for i in ${HELM_APPS[@]}; do
 printf "\nCreating registry secret **********\n"
 create_registry_key $NS $i ${NS}-docker-registry-key $ONAP_DOCKER_REGISTRY $DU $DP $ONAP_DOCKER_MAIL
+ create_certs_secret $NS $i
+
 printf "\nCreating deployments and services **********\n"
 create_onap_helm $NS $i $start
diff --git a/kubernetes/oneclick/deleteAll.bash b/kubernetes/oneclick/deleteAll.bash
index 40d070124a..f7c48fd18d 100755
--- a/kubernetes/oneclick/deleteAll.bash
+++ b/kubernetes/oneclick/deleteAll.bash
@@ -16,6 +16,13 @@ delete_registry_key() {
 kubectl --namespace $1-$2 delete secret ${1}-docker-registry-key
 }
+delete_certs_secret() {
+ if [ -d $LOCATION/config/certs/$i/ ]; then
+ kubectl delete secret secret-$1-$2 -n $1-$2
+ fi
+}
+
+
 delete_app_helm() {
 helm delete $1-$2 --purge
 }
@@ -36,8 +43,9 @@ EOF
 NS=
 INCL_SVC=false
 APP=
+LOCATION="../"
-while getopts ":n:u:s:a:" PARAM; do
+while getopts ":n:u:s:a:l:" PARAM; do
 case $PARAM in
 u)
 usage
@@ -53,6 +61,9 @@ while getopts ":n:u:s:a:" PARAM; do
 exit 1
 fi
 ;;
+ l)
+ LOCATION=${OPTARG}
+ ;;
 ?)
 usage
 exit
@@ -74,6 +85,7 @@ printf "\n********** Cleaning up ONAP: ${ONAP_APPS[*]}\n"
 for i in ${HELM_APPS[@]}; do
+ delete_certs_secret $NS $i
 delete_app_helm $NS $i
 delete_namespace $NS $i
diff --git a/kubernetes/policy/templates/dep-drools.yaml b/kubernetes/policy/templates/dep-drools.yaml
index 75055c10d8..7da046e156 100644
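Review bot: `create_certs_secret` guards on `-d $LOCATION/config/certs/$i/` but builds the file list from `$2`, so the test reads the caller's global loop variable rather than the function's own argument and the function only behaves when invoked from that loop; it should be `if [ -d "$LOCATION/config/certs/$2/" ]; then`, and `delete_certs_secret` in deleteAll.bash has the same `$i`. The `find | awk` pipeline then relies on word-splitting `$_CERTS_FILES` back into arguments, which breaks on any path containing whitespace; since `--from-file` accepts a directory and keys each regular file by its basename (the same keys the current form produces, and the new certs/<app> directories are flat), `kubectl create secret generic secret-$1-$2 --from-file="$LOCATION/config/certs/$2/" -n $1-$2` needs no intermediate list. `kubectl create secret` also fails when the secret already exists, so a re-run against a namespace that was not fully torn down stops at this step unless the script's error handling, which is outside the hunk, tolerates it. Note that the material loaded here is still sourced from files kept in version control (the renames in this change move them under kubernetes/config/certs/); the new `certs` entry in .helmignore keeps them out of the chart only, not out of the repository.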
--- a/kubernetes/policy/templates/dep-drools.yaml
+++ b/kubernetes/policy/templates/dep-drools.yaml
@@ -66,6 +66,8 @@ spec:
 volumeMounts:
 - mountPath: /tmp/policy-install/config
 name: drools
+ - mountPath: /tmp/policy-install/config/policy-keystore
+ name: drools-keystore
 - mountPath: /usr/share/maven/conf/settings.xml
 name: drools-settingsxml
 volumes:
@@ -75,5 +77,8 @@ spec:
 - name: drools
 hostPath:
 path: /dockerdata-nfs/{{ .Values.nsPrefix }}/policy/opt/policy/config/drools/
+ - name: drools-keystore
+ secret:
+ secretName: secret-{{ .Values.nsPrefix }}-policy
 imagePullSecrets:
 - name: "{{ .Values.nsPrefix }}-docker-registry-key"