...
- Cloudify deployments of service components should include the following environment variables:
- CONFIG_BINDING_SERVICE=<cbs_k8s_service_name>
- DCAE_CA_CERTPATH=/opt/dcae/cacert/cacert.pem (this page also refers to this variable as CONFIG_BINDING_SERVICE_CLIENTCERT=<path>; this is the default unless overridden by the component via blueprint)
- Enable AAF cacert distribution by default on the path identified by DCAE_CA_CERTPATH (CONFIG_BINDING_SERVICE_CLIENTCERT). This cacert distribution step is to be done regardless of the tls_info setting in the blueprint.
Note: tls_info to be used for components supporting HTTPS as server
...
When specified, the plugin will mount the AAF certificate on the application-specific path given. More details here - https://docs.onap.org/en/latest/submodules/dcaegen2.git/docs/sections/tls_enablement.html. In this case, DCAE_CA_CERTPATH will be overridden to use the path provided, so that the cacert is exposed under that path.
The configuration below is explicitly required in the blueprint only when the component needs to support TLS as a server.
tls_info:
  cert_directory: '<application path>'
  use_tls: true
Bootstrap pod (DCAEGEN2-1550)
- Add the new k8s plugin version, alongside the R4 version (1.4.13), in CM deployments
- To keep existing components from breaking, continue to register “config-binding-service” and “config_binding_service” as services in Consul, with port 10000 as the service port.
...
- Service registration on Consul will not be done for CBS TLS service. As components change to use TLS, they should
...
- use the Kubernetes DNS name (exposed via env CONFIG_BINDING_SERVICE) for the service along with port 10443.
Library Enhancement (CBS java sdk - DCAEGEN2-1552, CBS python util - DCAEGEN2-1551)
(Below to be confirmed based on K8s Plugin updates)
- Verify that the new environment settings for TLS (below), added by the K8s plugin, are visible within the pod.
- CONFIG_BINDING_SERVICE=<cbs_k8s_service_name> (this page also refers to this as CONFIG_BINDING_SERVICE_TLS)
- DCAE_CA_CERTPATH=<path> (this page also refers to this as CONFIG_BINDING_SERVICE_CLIENTCERT)
- If DCAE_CA_CERTPATH is defined, use that cacert to establish a secure (HTTPS) connection to CBS on port 10443.
- If the TLS env is undefined, use the R4 service name and port 10000 to interface with CBS over HTTP.
Note: Libraries should stop using Consul service discovery to find CBS; instead they should rely on the Kubernetes DNS name (exposed via env CONFIG_BINDING_SERVICE) and port 10000 for HTTP or 10443 for HTTPS. Service registration on Consul will not be done for the CBS TLS service.
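The endpoint selection the library enhancement describes, written out as an added example (not the CBS SDK's or CBS utils' own code): host from CONFIG_BINDING_SERVICE, HTTPS on 10443 only when DCAE_CA_CERTPATH is set, HTTP on 10000 otherwise, and no Consul lookup. The `path_exists` parameter, the `CbsEndpoint` type and the sample environment are this example's own constructions; the `/service_component/<name>` path is CBS's existing lookup route.

```python
import os
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

# Names and ports from the design note above.
R4_CBS_SERVICE = "config-binding-service"   # Consul-registered R4 service name
CBS_HTTP_PORT = 10000
CBS_HTTPS_PORT = 10443


@dataclass(frozen=True)
class CbsEndpoint:
    base_url: str
    ca_cert: Optional[str]   # CA bundle used to verify the CBS server cert; None for plain HTTP

    @property
    def uses_tls(self) -> bool:
        return self.ca_cert is not None


def resolve_cbs_endpoint(env: Mapping[str, str],
                         path_exists: Callable[[str], bool] = os.path.isfile) -> CbsEndpoint:
    """Choose the CBS endpoint from the pod environment; no Consul lookup is involved.

    - DCAE_CA_CERTPATH set   -> HTTPS on 10443, server cert verified against that CA
    - DCAE_CA_CERTPATH unset -> HTTP on 10000 (R4 behaviour)
    The host is the k8s DNS name in CONFIG_BINDING_SERVICE; if that is also unset,
    the R4 service name is used so older deployments keep working.
    `path_exists` is injectable (constructed for this example) so the fail-closed
    branch can be exercised without a real certificate file.
    """
    host = env.get("CONFIG_BINDING_SERVICE") or R4_CBS_SERVICE
    ca_path = env.get("DCAE_CA_CERTPATH")
    if ca_path:
        if not path_exists(ca_path):
            # Fail closed: a TLS env that points nowhere must not silently degrade to HTTP.
            raise FileNotFoundError(f"DCAE_CA_CERTPATH={ca_path!r} is set but not readable")
        return CbsEndpoint(f"https://{host}:{CBS_HTTPS_PORT}", ca_path)
    return CbsEndpoint(f"http://{host}:{CBS_HTTP_PORT}", None)


def service_component_url(env: Mapping[str, str], component_name: str) -> str:
    """URL for the CBS per-component config lookup (GET /service_component/<name>)."""
    return f"{resolve_cbs_endpoint(env).base_url}/service_component/{component_name}"


if __name__ == "__main__":
    # Constructed sample environment, as the k8s plugin would inject it into a pod.
    sample_env = {"CONFIG_BINDING_SERVICE": "config-binding-service.onap",
                  "DCAE_CA_CERTPATH": "/opt/dcae/cacert/cacert.pem"}
    ep = resolve_cbs_endpoint(sample_env, path_exists=lambda _p: True)
    print(ep.base_url, "verify=" + str(ep.ca_cert))
```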
Service Components (Optional for E release)
- Switch to the newer version of the libraries (CBS SDK for Java and CBS utils for Python)
- If not using a library, the component must use DCAE_CA_CERTPATH and port 10443 for the CBS HTTPS connection, and remove its Consul service discovery logic for the CBS service.
- Update blueprints to use the newer version of the k8s plugin
...