...
So, to implement the goal of this feature, both the blueprint generator and the K8s plugin must be enhanced to support the new blueprint properties in the new external_cert section, together with the configuration parameters stored in CBS, as listed in the following table. Additionally, only the K8s plugin must be enhanced to support the extra properties in the K8s plugin configuration listed in the second table further below:
```yaml
external_cert:
  use_external_tls
  external_cert_directory
  ca_name
  external_certificate_parameters:
    common_name
    sans
```
...
** - property available in the blueprint; does not need to be changed every deployment
*** - property not available in the blueprint, but available in the K8s plugin configuration; the same for all blueprints
**** - property available in the blueprint (changeable every deployment or not) and stored in DCAE's Config Binding Service (CBS)
Group | Property name | Type (input*/blueprint**/plugin***/cbs****) | Default | Description
---|---|---|---|---
external_cert | use_external_tls | input | true | A boolean that indicates whether the component uses AAF CertService to acquire an operator certificate to protect external (between xNFs and ONAP) traffic. For the time being only an operator certificate from a CMPv2 server is supported
external_cert | external_cert_directory | blueprint | /opt/app/dcae-certificate/external_cert | Directory where the operator certificate and trusted certs should be created
external_cert | ca_name | input | RA | Name of the Certificate Authority configured on the CertService side (in cmpServers.json). Default RA_TEST corresponds to the default CMPv2 testing configuration.
external_cert: external_certificate_parameters | common_name | input | <Specific for every blueprint> | Common name which should be present in the certificate. Specific for every blueprint (e.g. dcae-ves-collector for VES)
external_cert: external_certificate_parameters | sans | input | <Specific for every blueprint> | List of Subject Alternative Names (SANs) which should be present in the certificate. Delimiter: `:`. Should contain the common_name value and the other FQDNs under which the given component is accessible, e.g. if xNFs use ves-collector in the request URL, it should also be present in the SANs, e.g. dcae-ves-collector:ves-collector.
Extra configuration parameters stored in CBS | | | |
properties: application_config | external_keystore_path | blueprint + cbs | /opt/app/dcae-certificate/external_cert/keystore.jks | Path to the keystore with the external certificate
properties: application_config | external_keystore_password_path | blueprint + cbs | /opt/app/dcae-certificate/external_cert/keystore.pass | Path to the password for the keystore with the external certificate
properties: application_config | external_truststore_path | blueprint + cbs | /opt/app/dcae-certificate/external_cert/truststore.jks | Path to the truststore with the external trust anchors
properties: application_config | external_truststore_password_path | blueprint + cbs | /opt/app/dcae-certificate/external_cert/truststore.pass | Path to the password for the truststore with the external trust anchors
Extra K8s plugin configuration parameters
If the new properties are provided by the blueprint and use_external_tls is set to true, the K8s plugin must be able to create an init containers section, add the CertService client image to it, and pass all other variables to that container as environment variables. The section is very similar to the example described on a dedicated page.
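The following is an added example (not code from the DCAE K8s plugin itself) of what the plugin logic described above would do: take the blueprint-side external_cert properties and the plugin-side configuration, check that the sans value contains the common_name as the table requires, and render the init container entry with the CertService client image and the remaining values as environment variables. The environment variable names, the container name and the volume name are assumptions of this example; the sample property values are constructed from the defaults in the tables.

```python
from typing import Any, Dict, List, Optional

# Delimiter for the sans property, as given in the blueprint property table.
SANS_DELIMITER = ":"

# Environment variable names are an assumption of this example; the page does
# not list them and the real CertService client image defines its own contract.
ENV_NAMES = {
    "request_url": "REQUEST_URL",
    "timeout": "REQUEST_TIMEOUT",
    "country": "COUNTRY",
    "organization": "ORGANIZATION",
    "state": "STATE",
    "organizational_unit": "ORGANIZATION_UNIT",
    "location": "LOCATION",
}

# Constructed sample inputs mirroring the two tables above (illustrative values).
BLUEPRINT_EXTERNAL_CERT: Dict[str, Any] = {
    "use_external_tls": True,
    "external_cert_directory": "/opt/app/dcae-certificate/external_cert",
    "ca_name": "RA",
    "external_certificate_parameters": {
        "common_name": "dcae-ves-collector",
        "sans": "dcae-ves-collector:ves-collector",
    },
}

PLUGIN_EXTERNAL_CERT: Dict[str, Any] = {
    "image_tag": "nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION",
    "request_url": "https://aaf-cert-service:8443/v1/certificate/",
    "timeout": 30000,
    "country": "US",
    "organization": "Linux-Foundation",
    "state": "California",
    "organizational_unit": "ONAP",
    "location": "San-Francisco",
}


def parse_sans(sans: str) -> List[str]:
    """Split the delimited sans string into individual names, dropping blanks."""
    return [name.strip() for name in sans.split(SANS_DELIMITER) if name.strip()]


def validate_certificate_parameters(common_name: str, sans: str) -> List[str]:
    """Return a list of problems; an empty list means the parameters are usable.

    The table requires sans to contain the common_name value: a blueprint that
    omits it would request a certificate that does not cover the name the
    component is reached under."""
    problems: List[str] = []
    names = parse_sans(sans)
    if not common_name:
        problems.append("common_name is empty")
    if not names:
        problems.append("sans is empty")
    elif common_name not in names:
        problems.append(f"sans does not contain common_name '{common_name}'")
    return problems


def build_init_container(blueprint_props: Dict[str, Any],
                         plugin_cfg: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Render the init container entry the plugin would add to the pod spec.

    Returns None when use_external_tls is false, i.e. no CertService call."""
    if not blueprint_props.get("use_external_tls", False):
        return None
    params = blueprint_props["external_certificate_parameters"]
    problems = validate_certificate_parameters(params["common_name"], params["sans"])
    if problems:
        raise ValueError("invalid external_certificate_parameters: " + "; ".join(problems))
    cert_dir = blueprint_props["external_cert_directory"]
    env = {
        "OUTPUT_PATH": cert_dir,            # where the client writes keystore/truststore
        "CA_NAME": blueprint_props["ca_name"],
        "COMMON_NAME": params["common_name"],
        "SANS": SANS_DELIMITER.join(parse_sans(params["sans"])),
    }
    for key, env_name in ENV_NAMES.items():
        env[env_name] = str(plugin_cfg[key])    # plugin-wide values from helm
    return {
        "name": "cert-service-client",          # assumed container name
        "image": plugin_cfg["image_tag"],
        "env": [{"name": k, "value": v} for k, v in sorted(env.items())],
        "volumeMounts": [{"name": "external-cert-volume", "mountPath": cert_dir}],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_init_container(BLUEPRINT_EXTERNAL_CERT, PLUGIN_EXTERNAL_CERT), indent=2))
```

The sans check runs before anything is rendered, so a blueprint error surfaces at deployment time rather than as a certificate that the xNF later rejects; the volume mounted at external_cert_directory is the same path the CBS application_config entries (keystore and truststore paths) point at.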
Configuration specific only for K8s plugin
Additionally, only the K8s plugin must be enhanced to support the extra properties in the K8s plugin configuration listed in the following table. All such parameters must be configured using the appropriate global helm CMPv2 properties and stored in the K8s plugin configuration file.
Group | Property name | Origin | Default | Description
---|---|---|---|---
external_cert | image_tag | plugin | nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION | Image name and version
external_cert | request_url | plugin | https://aaf-cert-service:8443/v1/certificate/ | URL to the Cert Service API
external_cert | timeout | plugin | 30000 | Request timeout. Needs to be taken from the global CMPv2 helm variable
external_cert | country | plugin | US | Country name in ISO 3166-1 alpha-2 format for which the certificate will be created. Needs to be taken from the global CMPv2 helm variable
external_cert | organization | plugin | Linux-Foundation | Organization name for which the certificate will be created. Needs to be taken from the global CMPv2 helm variable
external_cert | state | plugin | California | State name for which the certificate will be created. Needs to be taken from the global CMPv2 helm variable
external_cert | organizational_unit | plugin | ONAP | Organizational unit name for which the certificate will be created. Needs to be taken from the global CMPv2 helm variable
external_cert | location | plugin | San-Francisco | Location name for which the certificate will be created. Needs to be taken from the global CMPv2 helm variable
...
DCAE component specs
Each component described above has its own component spec. Each has to be updated with all the properties described above in the blueprint generator section.
DCAE blueprints
Cloudify blueprints must be adjusted to take advantage of the new K8s plugin functionality and must provide the extra properties which control the CertService client call.
Take into account X.509 certificates from CMPv2 server
Option 1
Keep the application intact, implement a truststore merger and invoke it as a new init container, so that the application is provided with one truststore holding multiple trust anchors and one keystore holding the certificate from the CMPv2 server.
Option 2
Adjust applications to support different certificates and trusted certificates for external and internal traffic separately.
DCAE extra init container (aka trust merger)
Because DCAE wants to keep the same application implementation (one keystore and one truststore), a new container needs to be implemented which
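The core of the trust merger from Option 1 and this section, as an added example that is not the DCAE component's own code: read several trust anchor bundles (e.g. the internal AAF one and the external CMPv2 one), de-duplicate anchors by SHA-256 fingerprint of their DER encoding so that an anchor present in both inputs appears once, and emit a single bundle. The example works on PEM bundles rather than the JKS files named in the CBS table, which is an assumption for the sake of using only the standard library; the two "certificates" are constructed placeholder DER byte strings, not real X.509 certificates, since the merger treats each anchor as an opaque DER blob.

```python
import base64
import hashlib
import re
from typing import Dict, List

# One CERTIFICATE block of a PEM bundle; the body is left loose on purpose so
# that malformed base64 reaches the decoder and is reported, not silently skipped.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_pem_bundle(text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle.

    Raises ValueError for a block whose body is not valid base64, because a
    truststore built from a damaged input should fail loudly, not load fewer
    anchors than the operator expects."""
    ders: List[bytes] = []
    for index, match in enumerate(PEM_CERT_RE.finditer(text)):
        body = re.sub(r"\s+", "", match.group("body"))
        try:
            ders.append(base64.b64decode(body, validate=True))
        except ValueError as exc:          # binascii.Error is a ValueError
            raise ValueError(f"certificate block {index} is not valid base64: {exc}") from exc
    return ders


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding; the usual identity for a trust anchor."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der: bytes) -> str:
    """Encode DER bytes as one PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def merge_trust_anchors(bundles: List[str]) -> str:
    """Merge PEM bundles into one, keeping the first copy of each anchor.

    Order of first appearance is preserved, so the internal anchors stay
    ahead of the external ones when the internal bundle is listed first."""
    seen: Dict[str, bytes] = {}
    for bundle in bundles:
        for der in parse_pem_bundle(bundle):
            seen.setdefault(fingerprint(der), der)
    return "".join(to_pem(der) for der in seen.values())


# Constructed placeholders standing in for DER-encoded anchors (not real certificates).
INTERNAL_ANCHOR = b"constructed-placeholder-der-internal-aaf-root"
EXTERNAL_ANCHOR = b"constructed-placeholder-der-cmpv2-operator-root"
INTERNAL_BUNDLE = to_pem(INTERNAL_ANCHOR)
# The external bundle also carries the internal anchor, so the merge must not duplicate it.
EXTERNAL_BUNDLE = to_pem(EXTERNAL_ANCHOR) + to_pem(INTERNAL_ANCHOR)


if __name__ == "__main__":
    merged = merge_trust_anchors([INTERNAL_BUNDLE, EXTERNAL_BUNDLE])
    print(f"{len(parse_pem_bundle(merged))} unique anchors in merged bundle")
    print(merged)
```

Writing the merged bundle to the external_truststore_path location from the CBS table (after converting to the store format the application expects) is what the init container would do before the main container starts; for the JKS files in that table the same fingerprint-based de-duplication applies, only the container format differs.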
DCAE components
Components which don't distinguish between external and internal traffic must be refactored to support different certificates and trusted certificates for both kinds of traffic separately.