...
- Not all services will switch to the TLS interface for El-Alto
- CBS deployments must support both HTTPS and HTTP in parallel
- The SDK libraries (Python and Java) have a separate API/version to let applications choose when to migrate
- *Cannot* deploy two instances (CBS HTTP and CBS HTTPS) in the same pod under the same K8S service (to be confirmed)
Migration Plan
The following are the impacts on components, to be done in the specified order
CBS Enhancement (DCAEGEN2-1549)
...
- Cloudify deployments of service components should include the following environment variables
- CONFIG_BINDING_SERVICE=<http_cbs_k8s_service_name>
- CONFIG_BINDING_SERVICE_TLS=<https_cbs_k8s_service_name>
- CONFIG_BINDING_SERVICE_CLIENTCERT=<path>
- Enable AAF cert distribution by default on the path identified by CONFIG_BINDING_SERVICE_CLIENTCERT.
- This step is to be done regardless of the tls_info setting in the blueprint (tls_info is to be used for components supporting HTTPS as a server; in this case the certificates must also be mounted at the application-specific path specified, which can be created as a softlink to the path specified by CONFIG_BINDING_SERVICE_CLIENTCERT).
...
- Verify that the new environment settings for TLS (below), added by the K8s plugin, are visible within the pod.
- CONFIG_BINDING_SERVICE_TLS=<https_cbs_service_name>
- CONFIG_BINDING_SERVICE_CLIENTCERT=<path>
- If defined, use the secure end-point to interface with CBS (port 10443)
- If TLS envs are undefined, use R4 service name and port (10000) to interface with CBS
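The selection rule above, as an added Python example (not code from the CBS SDK or from this page). It assumes the variables hold bare service names, treats CONFIG_BINDING_SERVICE_CLIENTCERT as an opaque path, and, as this example's own choice, rejects a half-set TLS configuration instead of falling back to HTTP; the host names are constructed.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional

CBS_TLS_PORT = 10443   # secure CBS port named on this page
CBS_HTTP_PORT = 10000  # R4 (plain HTTP) CBS port named on this page


@dataclass(frozen=True)
class CbsEndpoint:
    base_url: str
    cert_path: Optional[str]  # None when the HTTP fallback is used


def resolve_cbs_endpoint(env: Mapping[str, str] = os.environ) -> CbsEndpoint:
    """Choose the CBS endpoint from the environment visible in the pod."""
    tls_host = env.get("CONFIG_BINDING_SERVICE_TLS", "").strip()
    cert_path = env.get("CONFIG_BINDING_SERVICE_CLIENTCERT", "").strip()

    if tls_host and cert_path:
        return CbsEndpoint(f"https://{tls_host}:{CBS_TLS_PORT}", cert_path)

    if tls_host or cert_path:
        # Assumption of this example: only one TLS variable being set is a
        # deployment error, so it must not silently downgrade to HTTP.
        raise RuntimeError("incomplete CBS TLS settings: need both "
                           "CONFIG_BINDING_SERVICE_TLS and "
                           "CONFIG_BINDING_SERVICE_CLIENTCERT")

    # Neither TLS variable is defined: use the R4 service name and port.
    http_host = env.get("CONFIG_BINDING_SERVICE", "").strip()
    if not http_host:
        raise RuntimeError("CONFIG_BINDING_SERVICE is not set")
    return CbsEndpoint(f"http://{http_host}:{CBS_HTTP_PORT}", None)


if __name__ == "__main__":
    # Constructed sample environments, not values from a real deployment.
    migrated = {"CONFIG_BINDING_SERVICE": "cbs-http.example",
                "CONFIG_BINDING_SERVICE_TLS": "cbs-https.example",
                "CONFIG_BINDING_SERVICE_CLIENTCERT": "/example/certs"}
    legacy = {"CONFIG_BINDING_SERVICE": "cbs-http.example"}
    for sample in (migrated, legacy):
        print(resolve_cbs_endpoint(sample))
```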
...