...
- Not all services will switch to the TLS interface in El-Alto
- CBS deployments must support both HTTPS and HTTP in parallel
- The SDK libraries (Python and Java) have a separate API/version so that each application can choose when to migrate
...
- *Cannot* deploy two instances in the same pod (CBS HTTP and CBS HTTPS) under the same K8S service (to be confirmed)
Migration Plan
The following are the impacts on each component; the work is to be done in the order listed.
CBS
...
Enhancement (DCAEGEN2-1549)
- Support HTTPS enablement via environment variables. The variables listed in the plan were:
  - TLS_FLAG - Boolean
  - CBS_PORT
  ...
  - AAF_CERT_LOC
- Tommy's implementation has 3 environment variables:
  - USE_HTTPS: set to "1" to use HTTPS, anything else is HTTP
  - HTTPS_KEY_PATH: path to the TLS private key
  - HTTPS_CERT_PATH: path to the TLS certificate
  ...
- Use port 10443 if USE_HTTPS is set to "1", otherwise port 10000
...
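The listener selection described above, written out as an added example (this is not the CBS container's own code): only the exact string "1" in USE_HTTPS turns TLS on, the port follows from that choice, and a request for HTTPS with a missing key or certificate is treated as a startup error rather than a silent fallback to plain HTTP. The permission check on the mounted private key is an extra check added here, not something the plan specifies.

```python
import os
import ssl

HTTP_PORT = 10000
HTTPS_PORT = 10443


def listener_config(env):
    """Decide how the service should listen, from USE_HTTPS, HTTPS_KEY_PATH
    and HTTPS_CERT_PATH.

    Only the exact string "1" enables HTTPS; anything else (including "true"
    or an unset variable) means plain HTTP on port 10000.  When HTTPS is
    requested but the key or certificate is missing, fail closed by raising
    instead of starting an unencrypted listener on the HTTPS port.
    """
    if env.get("USE_HTTPS") != "1":
        return {"port": HTTP_PORT, "tls": False}

    key_path = env.get("HTTPS_KEY_PATH")
    cert_path = env.get("HTTPS_CERT_PATH")
    missing = [name for name, value in (("HTTPS_KEY_PATH", key_path),
                                        ("HTTPS_CERT_PATH", cert_path)) if not value]
    if missing:
        raise ValueError("USE_HTTPS=1 but %s not set" % ", ".join(missing))
    for path in (key_path, cert_path):
        if not os.path.isfile(path):
            raise FileNotFoundError("TLS material not found: %s" % path)
    return {"port": HTTPS_PORT, "tls": True, "key": key_path, "cert": cert_path}


def startup_error(env):
    """Return the configuration error as a string, or None if the service
    can start with this environment."""
    try:
        listener_config(env)
    except (ValueError, FileNotFoundError) as exc:
        return str(exc)
    return None


def key_permissions_ok(key_path):
    """The private key mounted by the init container should not be readable
    by group or others (added check, not part of the plan)."""
    return (os.stat(key_path).st_mode & 0o077) == 0


def make_ssl_context(key_path, cert_path):
    """Server-side context: TLS 1.2 or newer, chain and key from the mounted paths."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


if __name__ == "__main__":
    cfg = listener_config(os.environ)
    print("listening on port %d, tls=%s" % (cfg["port"], cfg["tls"]))
```

Running the module with USE_HTTPS=1 and the two paths pointing at the files the init container mounts prints the 10443/TLS selection; with USE_HTTPS unset it prints 10000. Wiring `make_ssl_context` into the web server is left to the container's own startup code.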
Deployment Enhancement (Helm chart updates) DCAEGEN2-1550
- Modify the existing dcae-config-binding-service chart to support the new environment variables and the new CBS container version: TLS_FLAG=False and CBS_PORT=10000 (externalPort) in the plan; with Tommy's variables, USE_HTTPS=0
...
- Current Dublin service (kubectl get svc output): config-binding-service NodePort 10.43.61.181 <none> 10000:30415/TCP
- NodePort 30415 to be used, as in Dublin
- K8S Service name config-binding-service will remain the same as in R4
...
- Set up an additional dcae-config-binding-service-tls chart to support a new CBS instantiation with TLS enabled; the primary difference is the env setting: TLS_FLAG=True and CBS_PORT=10002 in the plan; with Tommy's variables, USE_HTTPS=1 (the container then listens on port 10443)
...
- NodePort 30471 can be assigned
- K8S Service name: config-binding-service-tls
- Expose the ONAP DCAE cert using the TLS init container. The volume mapped into the CBS pod should be set under the AAF_CERT_LOC environment variable; with Tommy's variables, set HTTPS_KEY_PATH and HTTPS_CERT_PATH to the proper values based on where the certs directory is mounted.
K8s plugin updates (DCAEGEN2-1550)
- Cloudify deployments of service components should include the following environment variables:
  - CONFIG_BINDING_SERVICE=<http_cbs_k8s_service_name>
  - CONFIG_BINDING_SERVICE_TLS=<https_cbs_k8s_service_name>
  - CONFIG_BINDING_SERVICE_TLS_PORT=<https_cbs_service_externalport>
  - CONFIG_BINDING_SERVICE_CLIENTCERT=<path>
...
...
- Enable AAF cert distribution by default on the path identified by CONFIG_BINDING_SERVICE_CLIENTCERT. This step is to be done regardless of the tls_info setting in the blueprint (tls_info is used for components that act as an HTTPS server; in that case the certificates must also be mounted at the application-specific path specified, which can be created as a softlink to the path specified by CONFIG_BINDING_SERVICE_CLIENTCERT).
...
...
Bootstrap pod (DCAEGEN2-1550)
- Add the new k8s plugin version to the Cloudify Manager (CM) deployments alongside the R4 version (1.4.13). The new version will probably be 1.4.14 or higher.
...
- To keep existing components from breaking, continue to register “config-binding-service” and “config_binding_service” as services in Consul, with port 10000 as the service port.
...
Note: Service registration in Consul will not be done for the CBS TLS service. As components change to use TLS, they should just use the Kubernetes DNS name of the service along with port 10443.
Library Enhancement (CBS java sdk - DCAEGEN2-1552, CBS python util - DCAEGEN2-1551)
...
- Verify that the new TLS environment settings (below) added by the K8s plugin are visible within the pod:
  - CONFIG_BINDING_SERVICE_TLS=<https_cbs_service_name>
  - CONFIG_BINDING_SERVICE_TLS_PORT=<https_cbs_service_externalport>
  - CONFIG_BINDING_SERVICE_CLIENTCERT=<path>
- If defined, use the secure endpoint to interface with CBS (port 10443)
- If the TLS envs are undefined, use the R4 service name and port (10000) to interface with CBS
We know that CBS will be deployed with TLS in R5, so the library should just use it, unless the caller of the library asks to use HTTP.
...
Note: Libraries should stop using Consul service discovery to find CBS.
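The client-side resolution described in the Library Enhancement section, plus the softlink step from the K8s plugin updates section, as one added example. This is not the CBS Java SDK or Python utils code; it is written against the environment variables the plugin is to inject. TLS is the default whenever CONFIG_BINDING_SERVICE_TLS is present, the caller can opt out with use_http=True, the R4 name and port 10000 are the fallback, and Consul is never consulted. Two things here are assumptions, not taken from the page: the name of the CA bundle file inside the CONFIG_BINDING_SERVICE_CLIENTCERT directory (cacert.pem) and the /service_component/<name> request path.

```python
import json
import os
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote

HTTP_SERVICE = "config-binding-service"   # R4 service name, also registered in Consul
HTTP_PORT = 10000
HTTPS_PORT = 10443
CA_FILE = "cacert.pem"  # ASSUMED name of the AAF CA bundle inside the clientcert directory


@dataclass(frozen=True)
class CbsEndpoint:
    base_url: str
    ca_bundle: Optional[str]   # CA file used to verify the CBS server cert; None for plain HTTP


def resolve_cbs(env, use_http=False):
    """Pick the CBS endpoint from the environment injected by the k8s plugin.

    TLS is the default whenever CONFIG_BINDING_SERVICE_TLS is defined; the
    caller opts out with use_http=True.  If the TLS variables are absent,
    fall back to the R4 HTTP service name and port 10000.  Consul is not queried.
    """
    tls_host = env.get("CONFIG_BINDING_SERVICE_TLS")
    if tls_host and not use_http:
        port = int(env.get("CONFIG_BINDING_SERVICE_TLS_PORT", HTTPS_PORT))
        cert_dir = env.get("CONFIG_BINDING_SERVICE_CLIENTCERT")
        if not cert_dir:
            # Fail closed: a TLS endpoint with no trust anchor must not be
            # "fixed" by disabling certificate verification.
            raise RuntimeError("CONFIG_BINDING_SERVICE_TLS is set but "
                               "CONFIG_BINDING_SERVICE_CLIENTCERT is not")
        return CbsEndpoint("https://%s:%d" % (tls_host, port),
                           os.path.join(cert_dir, CA_FILE))
    host = env.get("CONFIG_BINDING_SERVICE", HTTP_SERVICE)
    return CbsEndpoint("http://%s:%d" % (host, HTTP_PORT), None)


def config_url(endpoint, service_component_name):
    """URL of a component's configuration.  The /service_component/<name>
    route is an assumption of this example."""
    return "%s/service_component/%s" % (endpoint.base_url,
                                        quote(service_component_name, safe=""))


def fetch_config(endpoint, service_component_name, timeout=5):
    """GET the configuration, verifying the server certificate against the
    AAF CA bundle when the endpoint is HTTPS."""
    ctx = None
    if endpoint.ca_bundle:
        ctx = ssl.create_default_context(cafile=endpoint.ca_bundle)
    with urllib.request.urlopen(config_url(endpoint, service_component_name),
                                timeout=timeout, context=ctx) as resp:
        return json.load(resp)


def ensure_app_cert_link(app_cert_path, clientcert_dir):
    """For components that also serve HTTPS (tls_info in the blueprint): make
    the application-specific cert path a symlink to the directory the plugin
    populates.  Returns True if the link is in place afterwards."""
    if os.path.islink(app_cert_path):
        return os.readlink(app_cert_path) == clientcert_dir
    if os.path.exists(app_cert_path):
        raise FileExistsError("%s exists and is not a symlink" % app_cert_path)
    parent = os.path.dirname(app_cert_path)
    if parent:
        os.makedirs(parent, exist_ok=True)
    os.symlink(clientcert_dir, app_cert_path)
    return True


if __name__ == "__main__":
    ep = resolve_cbs(os.environ)
    print("CBS endpoint:", ep.base_url, "verify:", ep.ca_bundle)
```

Inside a pod deployed by the updated plugin, `resolve_cbs(os.environ)` yields the https URL on 10443 with the AAF CA bundle for verification; in an R4-style pod without the TLS variables it yields http://config-binding-service:10000, which is the compatibility path the plan keeps alive for components that have not migrated.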
Service Components
- Switch to the newer versions of the libraries (CBS SDK for Java and Python CBS utils)
- Update blueprints to use the newer version of the k8s plugin