From c5f685fd58b54f2a6fb21d33cc427f487db6be2b Mon Sep 17 00:00:00 2001
From: Jack Lucas
Date: Fri, 31 May 2019 08:35:34 -0400
Subject: [PATCH] Add TLS server support for CM and CBS
Issue-ID: DCAEGEN2-909
Issue-ID: DCAEGEN2-904
Issue-ID: DCAEGEN2-1513
Issue-ID: DCAEGEN2-1550
Issue-ID: DCAEGEN2-1550
Change-Id: Ia59284e3ed786dcecd397482ca04b6b06c7e610d
Signed-off-by: Jack Lucas
---
 .../resources/inputs/k8s-dashboard-inputs.yaml | 2 +-
 .../dcae-bootstrap/templates/deployment.yaml | 24 +++++-
 .../dcaegen2/charts/dcae-bootstrap/values.yaml | 7 +-
 .../templates/deployment.yaml | 26 +++++++
 .../charts/dcae-cloudify-manager/values.yaml | 6 +-
 .../templates/deployment.yaml | 86 +++++++++++++++++++++-
 .../templates/service.yaml | 31 +++++---
 .../charts/dcae-config-binding-service/values.yaml | 19 ++++-
 .../resources/config/config.json | 2 +-
 .../templates/deployment.yaml | 4 +-
 .../charts/dcae-deployment-handler/values.yaml | 2 +-
 .../charts/dcae-servicechange-handler/values.yaml | 2 +-
 12 files changed, 183 insertions(+), 28 deletions(-)
diff --git a/kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-dashboard-inputs.yaml b/kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-dashboard-inputs.yaml
index e40a03068c..2718e1882f 100644
--- a/kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-dashboard-inputs.yaml
+++ b/kubernetes/dcaegen2/charts/dcae-bootstrap/resources/inputs/k8s-dashboard-inputs.yaml
@@ -24,7 +24,7 @@ external_tls_port: {{ .Values.config.address.dashboard.portSecure }}
 database_cluster_name: {{ .Values.postgres.service.name2 }}.{{ include "common.namespace" . }}
 database_cluster_fqdn: {{ .Values.postgres.service.name2 }}.{{ include "common.namespace" . }}.{{ .Values.postgres.suffix }}
 database_name: "dashboard_pg"
-cloudify_ip: {{ .Values.config.address.cm }}
+cloudify_ip: {{ .Values.config.address.cm.host }}
 cloudify_user: "admin"
 cloudify_password: "admin"
 consul_url: {{ .Values.config.address.consul_ui }}
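Review bot: The dashboard inputs now receive only `cm.host`, while this same patch moves the CM Service from plain HTTP on 80 to 443 only (dcae-cloudify-manager values.yaml) with no port-80 fallback; nothing here passes `cm.port` or `cm.proto`, so unless the dashboard blueprint already assumes https on 443 it will be pointed at a port that no longer exists. If the blueprint accepts a port/protocol input, pass `cm.port` and `cm.proto` alongside `cloudify_ip`; otherwise a comment on `cloudify_ip` stating that the consumer assumes https:443 would save the next reader the cross-check. The unchanged `cloudify_user`/`cloudify_password: "admin"` context lines are pre-existing, but a `# TODO: take the CM password from the bootstrap cmpass secret instead of a literal` comment would flag them for follow-up now that this file is being touched.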
diff --git a/kubernetes/dcaegen2/charts/dcae-bootstrap/templates/deployment.yaml b/kubernetes/dcaegen2/charts/dcae-bootstrap/templates/deployment.yaml index 0463655c79..be5a769a37 100644 --- a/kubernetes/dcaegen2/charts/dcae-bootstrap/templates/deployment.yaml +++ b/kubernetes/dcaegen2/charts/dcae-bootstrap/templates/deployment.yaml @@ -61,6 +61,19 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + - name: init-tls + env: + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: {} + volumeMounts: + - mountPath: /opt/tls/shared + name: tls-info containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -75,14 +88,21 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true + - mountPath: /certs + name: tls-info + readOnly: true env: - name: CMADDR - value: {{ .Values.config.address.cm }} + value: {{ .Values.config.address.cm.host }} - name: CMPASS valueFrom: secretKeyRef: name: {{ include "common.name" . }}-cmpass key: password + - name: CMPROTO + value: {{ .Values.config.address.cm.proto }} + - name: CMPORT + value: !!string {{ .Values.config.address.cm.port }} - name: CONSUL value: {{ .Values.config.address.consul.host }}:{{ .Values.config.address.consul.port }} - name: DCAE_NAMESPACE @@ -99,5 +119,7 @@ spec: - name: localtime hostPath: path: /etc/localtime + - name: tls-info + emptyDir: {} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaegen2/charts/dcae-bootstrap/values.yaml b/kubernetes/dcaegen2/charts/dcae-bootstrap/values.yaml index aec082fe15..882cf371e7 100644 --- a/kubernetes/dcaegen2/charts/dcae-bootstrap/values.yaml +++ b/kubernetes/dcaegen2/charts/dcae-bootstrap/values.yaml 
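Review bot: `!!string` on the `CMPORT` value is not a standard YAML tag (the core-schema tag is `!!str`); Helm's go-yaml appears to pass unknown tags through as plain strings, but strict loaders and linters such as yamllint or PyYAML's safe loader reject them. Quote the templated value instead, which is what an env `value` needs anyway: `value: "{{ .Values.config.address.cm.port }}"`. For consistency the new `CMPROTO` and the existing `CMADDR` values could be quoted the same way, since an empty or boolean-looking override would otherwise change their type. Mounting `tls-info` at `/certs` with `readOnly: true` is the right choice for a volume that carries key material.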
@@ -38,7 +38,10 @@ config: host: consul-server port: 8500 consul_ui: consul-server-ui - cm: dcae-cloudify-manager + cm: + host: dcae-cloudify-manager + port: 443 + proto: https dashboard: port: 30418 portSecure: 30419 @@ -90,7 +93,7 @@ postgres: # application image repository: nexus3.onap.org:10001 -image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:1.4.18 +image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:1.6.0-STAGING-latest default_k8s_location: central # DCAE component images to be deployed via Cloudify Manager diff --git a/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml b/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml index d6c58cd75f..b3e90a2efb 100644 --- a/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml +++ b/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml @@ -34,6 +34,12 @@ spec: app: {{ include "common.name" . }} release: {{ .Release.Name }} spec: + # host alias allows local 'cfy' command to use https and match + # the host name in the certificate + hostAliases: + - ip: "127.0.0.1" + hostnames: + - "dcae-cloudify-manager" initContainers: - name: {{ include "common.name" . }}-multisite-init image: {{ include "common.repository" . }}/{{ .Values.multisiteInitImage }} 
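Review bot: The bootstrap image moves from the pinned `1.4.18` to the floating `1.6.0-STAGING-latest` tag (the CM and CBS charts in this patch do the same), so with `pullPolicy: Always` the bytes this chart deploys can change under an unchanged chart revision, which defeats reproducible rollbacks and any audit of what actually ran. If a staging build is needed while the TLS work lands, say so above `image:` — e.g. `# TEMP: staging tag until 1.6.0 is released; pin a release tag or digest before shipping` — so it cannot ship unnoticed. The `hostAliases` entry in the CM deployment is explained by its comment; it only rewrites this pod's /etc/hosts, so other pods still resolve `dcae-cloudify-manager` through the Service.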
@@ -44,10 +50,26 @@ spec: - --configmap - {{ .Values.multisiteConfigMapName }} restartPolicy: Never + - name: init-tls + env: + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: {} + volumeMounts: + - mountPath: /opt/tls/shared + name: tls-info containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + env: + - name: REQUESTS_CA_BUNDLE + value: "/opt/onap/certs/cacert.pem" resources: {{ include "common.resources" . | indent 12 }} ports: @@ -86,6 +108,8 @@ spec: readOnly: true - mountPath: /cfy-persist name: cm-persistent + - mountPath: /opt/onap/certs + name: tls-info securityContext: privileged: True volumes: @@ -107,5 +131,7 @@ spec: - name: cm-persistent persistentVolumeClaim: claimName: {{ include "common.fullname" . }}-data + - emptyDir: {} + name: tls-info imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaegen2/charts/dcae-cloudify-manager/values.yaml b/kubernetes/dcaegen2/charts/dcae-cloudify-manager/values.yaml index 41f0750c78..b015143a1a 100644 --- a/kubernetes/dcaegen2/charts/dcae-cloudify-manager/values.yaml +++ b/kubernetes/dcaegen2/charts/dcae-cloudify-manager/values.yaml @@ -44,7 +44,7 @@ config: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/org.onap.dcaegen2.deployments.cm-container:1.6.2 +image: onap/org.onap.dcaegen2.deployments.cm-container:2.0.0-STAGING-latest pullPolicy: Always # name of shared ConfigMap with kubeconfig for multiple clusters 
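Review bot: The CM container mounts `tls-info` at `/opt/onap/certs` writable, unlike the bootstrap chart's `/certs` mount in this same patch, and this container already runs with `privileged: True`; the volume holds whatever init-tls writes (the CBS chart reads `key.pem` from the same kind of volume), so add `readOnly: true` to that mount unless the CM image is known to write there. The `emptyDir: {}` backing it also lands that material on node disk; `emptyDir: {medium: Memory}` keeps it in tmpfs with no other change to the pod. `REQUESTS_CA_BUNDLE` only steers Python `requests`, so if anything else in the image (curl, Java, Node) talks to CM over TLS it needs its own trust configuration — worth confirming.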
@@ -69,8 +69,8 @@ readiness: service: type: ClusterIP name: dcae-cloudify-manager - externalPort: 80 - internalPort: 80 + externalPort: 443 + internalPort: 443 # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/deployment.yaml b/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/deployment.yaml index a968204575..19fe038d44 100644 --- a/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/deployment.yaml +++ b/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/deployment.yaml 
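Review bot: The CM Service now exposes only 443 and drops 80 entirely, but nothing in the hunk records that the container is speaking TLS on that port; a one-line comment above `externalPort` such as `# CM now serves HTTPS on 443; plain HTTP on 80 is no longer exposed` would tell readers why the dashboard inputs, deployment-handler config and bootstrap all change together. The `readiness:` section this hunk sits under is outside the view: if it defines an httpGet probe on the internal port it now needs `scheme: HTTPS`, as the CBS probe in this patch does, or the kubelet will send plain HTTP to a TLS listener.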
@@ -50,36 +50,60 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + {{- if .Values.service.secure.enabled }} + - name: init-tls + env: + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + image: {{ .Values.global.tlsRepository }}/{{ .Values.global.tlsImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: {} + volumeMounts: + - mountPath: /opt/tls/shared + name: tls-info + {{ end }} containers: + {{- if .Values.service.secure.enabled }} - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: {{ include "common.resources" . | indent 12 }} ports: - - containerPort: {{ .Values.service.internalPort }} + - containerPort: {{ .Values.service.secure.internalPort }} # disable liveness probe when breakpoints set in debugger # so K8s doesn't restart unresponsive container {{- if eq .Values.liveness.enabled true }} livenessProbe: tcpSocket: - port: {{ .Values.service.internalPort }} + port: {{ .Values.service.secure.internalPort }} initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} periodSeconds: {{ .Values.liveness.periodSeconds }} {{ end -}} readinessProbe: httpGet: + scheme: "HTTPS" path: {{ .Values.readiness.path }} - port: {{ .Values.service.internalPort }} + port: {{ .Values.service.secure.internalPort }} initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: - name: {{ include "common.fullname" . }}-logs mountPath: /opt/logs + - name: tls-info + mountPath: /opt/tls env: - name: CONSUL_HOST value: consul.{{ include "common.namespace" . }} - + - name: USE_HTTPS + value: "1" + - name: HTTPS_CERT_PATH + value: "/opt/tls/cert.pem" + - name: HTTPS_KEY_PATH + value: "/opt/tls/key.pem" - name: {{ include "common.name" . 
}}-filebeat-onap image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} 
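Review bot: The secure CBS container mounts `tls-info` at `/opt/tls` without `readOnly: true`, although the only use visible here is reading `/opt/tls/cert.pem` and `/opt/tls/key.pem` via `HTTPS_CERT_PATH`/`HTTPS_KEY_PATH`; a read-only mount keeps a compromised application from replacing its own key material. Add `readOnly: true` under the `mountPath: /opt/tls` entry. Both the init-tls container and this container are fenced by `service.secure.enabled`, and the `tls-info` volume in the volumes hunk depends on the same flag, so a short comment on the `{{- if .Values.service.secure.enabled }}` line noting that the three must stay in sync would help. This hunk continues past this line and the container list closes in the next hunk.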
@@ -91,13 +115,67 @@ spec: mountPath: /usr/share/filebeat/data - name: {{ include "common.fullname" . }}-logs mountPath: /var/log/onap + {{ end }} + {{- if .Values.service.insecure.enabled }} + - name: {{ include "common.name" . }}-insecure + image: "{{ include "common.repository" . }}/{{ .Values.image }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: +{{ include "common.resources" . | indent 12 }} + ports: + - containerPort: {{ .Values.service.insecure.internalPort }} + # disable liveness probe when breakpoints set in debugger + # so K8s doesn't restart unresponsive container + {{- if eq .Values.liveness.enabled true }} + livenessProbe: + tcpSocket: + port: {{ .Values.service.insecure.internalPort }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + {{ end -}} + readinessProbe: + httpGet: + scheme: "HTTP" + path: {{ .Values.readiness.path }} + port: {{ .Values.service.insecure.internalPort }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - name: {{ include "common.fullname" . }}-logs-insecure + mountPath: /opt/logs + env: + - name: CONSUL_HOST + value: consul.{{ include "common.namespace" . }} + - name: {{ include "common.name" . }}-filebeat-onap-insecure + image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + volumeMounts: + - name: {{ include "common.fullname" . }}-filebeat-conf + mountPath: /usr/share/filebeat/filebeat.yml + subPath: filebeat.yml + - name: {{ include "common.fullname" . }}-data-filebeat-insecure + mountPath: /usr/share/filebeat/data + - name: {{ include "common.fullname" . }}-logs-insecure + mountPath: /var/log/onap + {{ end }} volumes: - name: {{ include "common.fullname" . 
}}-filebeat-conf configMap: name: {{ .Release.Name }}-cbs-filebeat-configmap + {{- if .Values.service.secure.enabled }} - name: {{ include "common.fullname" . }}-data-filebeat emptyDir: {} - name: {{ include "common.fullname" . }}-logs emptyDir: {} + - name: tls-info + emptyDir: {} + {{ end }} + {{- if .Values.service.insecure.enabled }} + - name: {{ include "common.fullname" . }}-data-filebeat-insecure + emptyDir: {} + - name: {{ include "common.fullname" . }}-logs-insecure + emptyDir: {} + {{ end }} + imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/service.yaml b/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/service.yaml index 794b896eef..8176e77c1e 100644 --- a/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/service.yaml +++ b/kubernetes/dcaegen2/charts/dcae-config-binding-service/templates/service.yaml 
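Review bot: With `service.insecure.enabled` defaulting to true in this patch's values.yaml, this hunk runs a second, plain-HTTP copy of CBS (plus a second filebeat) in every pod alongside the TLS one, and nothing in the template records that it is a transition aid. A comment on the `{{- if .Values.service.insecure.enabled }}` line — e.g. `# Plain-HTTP instance kept for clients not yet moved to the 10443 TLS port; disable once they migrate` — would make the intent explicit and signal that the default should eventually flip. Giving the `-insecure` container its own `-logs-insecure` and `-data-filebeat-insecure` volumes avoids the two filebeat sidecars sharing a data directory, which looks deliberate and is worth keeping.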
@@ -28,16 +28,29 @@ metadata: spec: type: {{ .Values.service.type }} ports: - {{if eq .Values.service.type "NodePort" -}} - - port: {{ .Values.service.externalPort }} - nodePort: {{ .Values.global.nodePortPrefixExt| default .Values.nodePortPrefixExt }}{{ .Values.service.nodePort }} - name: {{ .Values.service.name }} + {{ if eq .Values.service.type "NodePort" -}} + {{ if .Values.service.insecure.enabled -}} + - port: {{ .Values.service.insecure.externalPort }} + nodePort: {{ .Values.global.nodePortPrefixExt| default .Values.nodePortPrefixExt }}{{ .Values.service.insecure.nodePort }} + name: {{ .Values.service.name }}-insecure + {{- end }} + {{ if .Values.service.secure.enabled -}} + - port: {{ .Values.service.secure.externalPort }} + nodePort: {{ .Values.global.nodePortPrefixExt| default .Values.nodePortPrefixExt }}{{ .Values.service.secure.nodePort }} + name: {{ .Values.service.name }}-secure + {{- end }} {{- else -}} - - port: {{ .Values.service.externalPort }} - targetPort: {{ .Values.service.internalPort }} - name: {{ .Values.service.name }} - {{- end}} + {{ if .Values.service.insecure.enabled -}} + - port: {{ .Values.service.insecure.externalPort }} + targetPort: {{ .Values.service.insecure.internalPort }} + name: {{ .Values.service.name }}-insecure + {{- end }} + {{ if .Values.service.secure.enabled -}} + - port: {{ .Values.service.secure.externalPort }} + targetPort: {{ .Values.service.secure.internalPort }} + name: {{ .Values.service.name }}-secure + {{- end }} + {{- end }} selector: app: {{ include "common.name" . }} release: {{ .Release.Name }} - diff --git a/kubernetes/dcaegen2/charts/dcae-config-binding-service/values.yaml b/kubernetes/dcaegen2/charts/dcae-config-binding-service/values.yaml index 4605e88c09..9adbffda20 100644 --- a/kubernetes/dcaegen2/charts/dcae-config-binding-service/values.yaml +++ b/kubernetes/dcaegen2/charts/dcae-config-binding-service/values.yaml 
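Review bot: In the NodePort branch neither new port entry sets `targetPort`, so the Service forwards to the same number as `port` and silently relies on `externalPort` equalling `internalPort` in values.yaml for both the secure and insecure entries, while the ClusterIP branch below does set `targetPort`. Add `targetPort: {{ .Values.service.secure.internalPort }}` and `targetPort: {{ .Values.service.insecure.internalPort }}` to the NodePort entries so the two branches behave alike. The secure NodePort also exposes the TLS listener outside the cluster with whatever certificate init-tls produced, so external clients will need to trust that issuer — a comment next to `name: {{ .Values.service.name }}-secure` saying so would help.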
@@ -25,6 +25,8 @@ global: readinessImage: readiness-check:2.0.0 loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + tlsRepository: nexus3.onap.org:10001 + tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:1.0.3 repositoryCred: user: docker password: docker @@ -43,7 +45,7 @@ config: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/org.onap.dcaegen2.platform.configbinding.app-app:2.3.0 +image: onap/org.onap.dcaegen2.platform.configbinding:2.5.1-STAGING-latest pullPolicy: Always # probe configuration parameters @@ -63,9 +65,18 @@ readiness: service: type: NodePort name: config-binding-service - externalPort: 10000 - internalPort: 10000 - nodePort: 15 + # TLS service + secure: + enabled: true + externalPort: 10443 + internalPort: 10443 + nodePort: 14 + # Non-TLS service + insecure: + enabled: true + externalPort: 10000 + internalPort: 10000 + nodePort: 15 # Resource Limit flavor -By Default using small flavor: small diff --git a/kubernetes/dcaegen2/charts/dcae-deployment-handler/resources/config/config.json b/kubernetes/dcaegen2/charts/dcae-deployment-handler/resources/config/config.json index 600f07c457..3b20fc4e98 100644 --- a/kubernetes/dcaegen2/charts/dcae-deployment-handler/resources/config/config.json +++ b/kubernetes/dcaegen2/charts/dcae-deployment-handler/resources/config/config.json @@ -1,6 +1,6 @@ { "cloudify": { - "protocol": "http" + "protocol": "https" }, "inventory": { "protocol": "http" diff --git a/kubernetes/dcaegen2/charts/dcae-deployment-handler/templates/deployment.yaml b/kubernetes/dcaegen2/charts/dcae-deployment-handler/templates/deployment.yaml index 3e4e53b679..a67197849f 100644 --- a/kubernetes/dcaegen2/charts/dcae-deployment-handler/templates/deployment.yaml +++ b/kubernetes/dcaegen2/charts/dcae-deployment-handler/templates/deployment.yaml 
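Review bot: `service.insecure.enabled: true` together with `type: NodePort` and `nodePort: 15` leaves the plaintext, unauthenticated CBS endpoint reachable from outside the cluster by default even though a TLS port is now available, so the secure posture this patch enables is not the one it ships. If the plain port must stay for unmigrated clients, document the trade-off and the plan above `insecure:` — e.g. `# Plain HTTP kept for clients not yet on 10443; set enabled: false once they migrate` — otherwise default `insecure.enabled` to `false`. The new `global.tlsImage` pins `tls-init-container:1.0.3`, which is good, while `image:` moves to the floating `2.5.1-STAGING-latest` tag, so the same pinning concern raised for the CM and bootstrap images applies here.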
@@ -72,7 +72,7 @@ spec: imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} args: - --service - - "cloudify_manager|dcae-cloudify-manager.{{ include "common.namespace" . }}|80" + - "cloudify_manager|dcae-cloudify-manager.{{ include "common.namespace" . }}|443" - --service - "inventory|inventory.{{ include "common.namespace" . }}|8080" - --key @@ -119,6 +119,8 @@ spec: value: admin - name: CONFIG_BINDING_SERVICE value: config-binding-service + - name: NODE_EXTRA_CA_CERTS + value: /opt/app/dh/etc/cert/cacert.pem - name: POD_IP valueFrom: fieldRef: diff --git a/kubernetes/dcaegen2/charts/dcae-deployment-handler/values.yaml b/kubernetes/dcaegen2/charts/dcae-deployment-handler/values.yaml index 0eddf7c1a0..30893b6d7c 100644 --- a/kubernetes/dcaegen2/charts/dcae-deployment-handler/values.yaml +++ b/kubernetes/dcaegen2/charts/dcae-deployment-handler/values.yaml @@ -46,7 +46,7 @@ config: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/org.onap.dcaegen2.platform.deployment-handler:4.0.1 +image: onap/org.onap.dcaegen2.platform.deployment-handler:4.2.0 pullPolicy: Always # probe configuration parameters diff --git a/kubernetes/dcaegen2/charts/dcae-servicechange-handler/values.yaml b/kubernetes/dcaegen2/charts/dcae-servicechange-handler/values.yaml index dd985163c1..6e03f52713 100644 --- a/kubernetes/dcaegen2/charts/dcae-servicechange-handler/values.yaml +++ b/kubernetes/dcaegen2/charts/dcae-servicechange-handler/values.yaml @@ -40,7 +40,7 @@ config: ################################################################# # application image repository: nexus3.onap.org:10001 -image: onap/org.onap.dcaegen2.platform.servicechange-handler:1.1.5 +image: onap/org.onap.dcaegen2.platform.servicechange-handler:1.2.0 pullPolicy: Always -- 2.16.6
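Review bot: `NODE_EXTRA_CA_CERTS` is pointed at `/opt/app/dh/etc/cert/cacert.pem`, but unlike the CM, bootstrap and CBS changes in this patch no init-tls container or volume is added here to place a CA bundle at that path, so it must already be inside the `deployment-handler:4.2.0` image — worth confirming. Node typically only warns when that file cannot be read and continues, after which the HTTPS call to CM that config.json now requests fails certificate verification with a less obvious error, so a comment stating where the file comes from would save the next reader the check: `# CA bundle is baked into the image; it must match the issuer used by tls-init-container`. The readiness argument moving to `|443` matches the new CM Service port.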