Enabling TLS involves a new application port, so the service should be redeployed (by modifying the parameters in the blueprint), especially when changing from noAuth to basicAuth/certOnly/certBasicAuth. The latter three types use port 8443, while noAuth uses 8080. Any change within basicAuth/certOnly/certBasicAuth can be made through a Consul update, because the k8s deployment descriptor (which contains the service definition and healthcheck spec) is still valid.
Currently VES supports the certBasicAuth authentication method. The noAuth method can be run as an option; however, HTTP is not supported by default.
High level test cases for auth.method = "certBasicAuth":
When the application is set up for TLS and auth.method = "basicAuth", the healthcheck endpoint must use port 8443 (the change submitted to override this and support 8080 for the healthcheck is neither required nor valid).
To change the VES Collector flag to basic.auth and adapt the healthchecks to use HTTPS, the VES blueprints need to be changed. Steps:
- Copy the attached k8s-ves-0529-secure.yaml file to the ONAP Bootstrap node
- From the Rancher node, find the bootstrap pod: kubectl -n onap get pod | grep -i bootstrap
- Log in to the pod found in the previous step: kubectl exec -it <bootstrap_pod_name> -n onap bash
- Uninstall VES: cfy uninstall ves
- Delete the VES blueprint: cfy blueprints delete ves
- Overwrite the default VES blueprint with the copied k8s-ves-0529-secure.yaml: copy the new blueprint k8s-ves-0529-secure.yaml to /blueprints/k8s-ves.yaml
- Apply the new blueprint: cfy install -b ves -d ves -i /inputs/k8s-ves-inputs.yaml /blueprints/k8s-ves.yaml
TC ID | Test Case Name | Test Case Execution | Expected Result | Test Status
---|---|---|---|---
T01 | Client with correct basic auth and correct certificate | curl -vk --cert cert.pem --key key.pem -u sample1:sample1 -X POST https://{xdcae-ves-collector_ip}:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json" | PASS. HTTP/1.1 202 |
T02 | Client with incorrect basic auth and correct certificate | curl -vk --cert cert.pem --key key.pem -u sample1:sample2 -X POST https://{xdcae-ves-collector_ip}:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json" | PASS. HTTP/1.1 202 |
T03 | Client without basic auth and with correct certificate | curl -vk --cert cert.pem --key key.pem -X POST https://{xdcae-ves-collector_ip}:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json" | PASS. HTTP/1.1 202 |
T04 | Client with correct basic auth and incorrect certificate | curl -vk --cert incorrect.crt --key rootCA.key --pass collector -u sample1:sample1 -X POST https://{xdcae-ves-collector_ip}:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json" | FAIL, connection closed because of bad certificate |
T05 | Client with correct basic auth and without certificate | curl -vk -u sample1:sample1 -X POST https://{xdcae-ves-collector_ip}:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json" | PASS. HTTP/1.1 202 |
T06 | Client with incorrect certificate and incorrect basic auth | curl -vk --cert incorrect.crt --key rootCA.key --pass collector -u dummy:sample1 -X POST https://{xdcae-ves-collector_ip}:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json" | FAIL, connection closed because of bad authentication |
T07 | Client without certificate and without basic auth | curl -vk -X POST https://{xdcae-ves-collector_ip}:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json" | FAIL, HTTP/1.1 401 |
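
The T01-T07 matrix above can be replayed as a repeatable check after each blueprint redeploy. The script below is an added example, not part of the original page or of the ONAP project; VES_HOST is an assumed environment variable, and the "connection closed" rows are assumed to show up as curl status 000.

```shell
#!/bin/sh
# Added example: replay the T01-T07 matrix and compare HTTP status codes.
# VES_HOST is a hypothetical variable naming the collector address; the cert,
# key and event.json file names are the ones used in the table above.
# Rows: id|expected status|curl credential arguments. 000 is what curl's
# %{http_code} reports when no HTTP response arrives ("connection closed").
MATRIX='T01|202|--cert cert.pem --key key.pem -u sample1:sample1
T02|202|--cert cert.pem --key key.pem -u sample1:sample2
T03|202|--cert cert.pem --key key.pem
T04|000|--cert incorrect.crt --key rootCA.key --pass collector -u sample1:sample1
T05|202|-u sample1:sample1
T06|000|--cert incorrect.crt --key rootCA.key --pass collector -u dummy:sample1
T07|401|'

# verdict EXPECTED ACTUAL -> prints OK or MISMATCH
verdict() {
  if [ "$1" = "$2" ]; then echo OK; else echo MISMATCH; fi
}

# expected_for ID -> prints the expected status for a test case id
expected_for() {
  printf '%s\n' "$MATRIX" | awk -F'|' -v id="$1" '$1 == id { print $2 }'
}

# probe CURL_ARGS... -> prints the HTTP status (000 on TLS/connection failure)
probe() {
  curl -sk -o /dev/null -w '%{http_code}' "$@" -X POST \
    "https://${VES_HOST}:30417/eventListener/v7" \
    -d @event.json --header 'Content-Type: application/json' || true
}

# run_matrix -> prints one line per case, returns non-zero on any mismatch
run_matrix() {
  rc=0
  while IFS='|' read -r id expected args; do
    # $args is left unquoted on purpose so it splits into curl arguments
    actual=$(probe $args)
    result=$(verdict "$expected" "$actual")
    echo "$id expected=$expected actual=$actual $result"
    [ "$result" = OK ] || rc=1
  done <<EOF
$MATRIX
EOF
  return $rc
}

# Only contact a collector when one is named; otherwise just load the functions.
if [ -n "${VES_HOST:-}" ]; then run_matrix; fi
```

Run it from the directory holding the certificate, key and event.json files, for example `VES_HOST=<collector_ip> sh ves-auth-matrix.sh` (the script name is a placeholder).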