From 694394bbd53bbeca17b7f99dc3a635e422817d25 Mon Sep 17 00:00:00 2001 From: Vijay Venkatesh Kumar Date: Thu, 20 Feb 2020 21:50:14 +0000 Subject: [PATCH] dcae sec updates for dashboard and inventory - Dashboard switched to https + non-root + portal sdk 2.6.0 - InventoryAPI keystore pwd read from file and filebeat support Change-Id: I40d2f6a8414f0a8fc8ed7b60ed0118e69cdbb2fd Signed-off-by: Vijay Venkatesh Kumar Issue-ID: DCAEGEN2-1592 Issue-ID: OJSI-159 Signed-off-by: Vijay Venkatesh Kumar --- .../dcae-dashboard/templates/deployment.yaml | 2 + .../dcaegen2/components/dcae-dashboard/values.yaml | 8 +-- .../resources/config/config.json | 2 +- .../dcae-inventory-api/resources/log/filebeat.yml | 72 ++++++++++++++++++++++ .../dcae-inventory-api/templates/configmap.yaml | 8 +++ .../dcae-inventory-api/templates/deployment.yaml | 29 +++++++++ .../components/dcae-inventory-api/values.yaml | 2 +- 7 files changed, 117 insertions(+), 6 deletions(-) create mode 100644 kubernetes/dcaegen2/components/dcae-inventory-api/resources/log/filebeat.yml diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml index 116a77fd8b..a926fb396b 100644 --- a/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml +++ b/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml @@ -104,6 +104,8 @@ spec: volumeMounts: - mountPath: /usr/local/share/ca-certificates/ name: tls-info + - mountPath: /opt/logs/dcae/dashboard + name: component-log env: - name: CONSUL_HOST value: consul-server.{{ include "common.namespace" . }} diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml index 03cb99ad14..22076e5c6a 100644 --- a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml @@ -44,7 +44,7 @@ config: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/org.onap.ccsdk.dashboard.ccsdk-app-os:1.1.0 +image: onap/org.onap.ccsdk.dashboard.ccsdk-app-os:1.3.0 pullPolicy: Always # probe configuration parameters @@ -60,13 +60,13 @@ readiness: initialDelaySeconds: 30 periodSeconds: 30 path: /ccsdk-app/health - scheme: HTTP + scheme: HTTPS service: type: NodePort name: dashboard - externalPort: 8080 - internalPort: 8080 + externalPort: 8443 + internalPort: 8443 nodePort: 18 # application configuration override for postgres postgres: diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json b/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json index c8c7dd79f1..d9927314e1 100644 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json +++ b/kubernetes/dcaegen2/components/dcae-inventory-api/resources/config/config.json @@ -36,7 +36,7 @@ "type": "https", "port": 8080, "keyStorePath": "/opt/cert/cert.jks", - "keyStorePassword": "hD:!w:CxF]lGvM6Mz9l^j[7U", + "keyStorePassword": "/opt/cert/jks.pass", "keyStoreType": "JKS" }] } diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/resources/log/filebeat.yml b/kubernetes/dcaegen2/components/dcae-inventory-api/resources/log/filebeat.yml new file mode 100644 index 0000000000..0e5ee9bffa --- /dev/null +++ b/kubernetes/dcaegen2/components/dcae-inventory-api/resources/log/filebeat.yml @@ -0,0 +1,72 @@ +#============LICENSE_START======================================================== +# ================================================================================ +# Copyright (c) 2018-2019 AT&T Intellectual Property. All rights reserved. +# Modifications Copyright © 2018 Amdocs, Bell Canada +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +filebeat.prospectors: +#it is mandatory, in our case it's log +- input_type: log + #This is the canolical path as mentioned in logback.xml, *.* means it will monitor all files in the directory. + paths: + - /var/log/onap/*/*/*/*.log + - /var/log/onap/*/*/*.log + - /var/log/onap/*/*.log + #Files older than this should be ignored.In our case it will be 48 hours i.e. 2 days. It is a helping flag for clean_inactive + ignore_older: 48h + # Remove the registry entry for a file that is more than the specified time. In our case it will be 96 hours, i.e. 4 days. It will help to keep registry records with in limit + clean_inactive: 96h + + +# Name of the registry file. If a relative path is used, it is considered relative to the +# data path. Else full qualified file name. +#filebeat.registry_file: ${path.data}/registry + + +output.logstash: + #List of logstash server ip addresses with port number. + #But, in our case, this will be the loadbalancer IP address. + #For the below property to work the loadbalancer or logstash should expose 5044 port to listen the filebeat events or port in the property should be changed appropriately. + hosts: ["{{.Values.config.logstashServiceName}}.{{.Release.Namespace}}:{{.Values.config.logstashPort}}"] + #If enable will do load balancing among availabe Logstash, automatically. + loadbalance: true + + #The list of root certificates for server verifications. + #If certificate_authorities is empty or not set, the trusted + #certificate authorities of the host system are used. + #ssl.certificate_authorities: $ssl.certificate_authorities + + #The path to the certificate for SSL client authentication. If the certificate is not specified, + #client authentication is not available. + #ssl.certificate: $ssl.certificate + + #The client certificate key used for client authentication. + #ssl.key: $ssl.key + + #The passphrase used to decrypt an encrypted key stored in the configured key file + #ssl.key_passphrase: $ssl.key_passphrase + +logging: + level: debug + + # enable file rotation with default configuration + to_files: true + + # do not log to syslog + to_syslog: false + + files: + path: /usr/share/filebeat/logs + name: mybeat.log + keepfiles: 7 diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/configmap.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/configmap.yaml index 96ba64f945..5b7a244835 100644 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/configmap.yaml +++ b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/configmap.yaml @@ -24,3 +24,11 @@ metadata: heritage: {{ .Release.Service }} data: {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{include "common.fullname" . }}-filebeat-configmap + namespace: {{include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/log/*").AsConfig . | indent 2 }} diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml index 2bfb01d970..f056079fe4 100644 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml +++ b/kubernetes/dcaegen2/components/dcae-inventory-api/templates/deployment.yaml @@ -101,10 +101,38 @@ spec: subPath: config.json - mountPath: /opt/cert/ name: tls-info + - mountPath: /opt/logs/ + name: component-log env: - name: CONSUL_HOST value: consul.{{ include "common.namespace" . }} + - name: {{ include "common.name" . }}-filebeat + env: + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + image: {{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }} + imagePullPolicy: IfNotPresent + resources: {} + volumeMounts: + - mountPath: /var/log/onap/inventory + name: component-log + - mountPath: /usr/share/filebeat/data + name: filebeat-data + - mountPath: /usr/share/filebeat/filebeat.yml + name: filebeat-conf + subPath: filebeat.yml volumes: + - emptyDir: {} + name: component-log + - emptyDir: {} + name: filebeat-data + - configMap: + defaultMode: 420 + name: {{ include "common.fullname" . }}-filebeat-configmap + name: filebeat-conf - name: {{ include "common.fullname" . }}-inv-config configMap: name: {{ include "common.fullname" . }}-configmap @@ -112,3 +140,4 @@ spec: name: tls-info imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" + diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml index 8e4430c37e..a6e51256b9 100644 --- a/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml @@ -44,7 +44,7 @@ config: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/org.onap.dcaegen2.platform.inventory-api:3.4.0 +image: onap/org.onap.dcaegen2.platform.inventory-api:3.4.1 pullPolicy: Always -- 2.16.6