Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

JIRA Associated

CBS HTTPS support (DCAEGEN2-1515)

  1. CBS expose both secure/insecure + AAF cert (DCAEGEN2-1549)
  2. Deployment update (DCAEGEN2-1550)
  3. SDK impact (java- DCAEGEN2-1552 / python - DCAEGEN2-1551)

Problem Statement :

CBS Api’s are used by all Service components to retrieve the configuration from consul during startup (and for periodic polling after). To support ONAP S3P security needs, Configbinding Service apis should be switched to HTTPS. As this has impact across all DCAE services, this has to be introduced in phased manner. El-Alto focus will on getting CBS HTTPS deployed and corresponding libraries updated.

Assumptions

  • Not all service will switch to TLS interface for El-Alto
  • CBS deployments must support both HTTPS and HTTP in-parallel
  • SDK library (python and java) have separate api/version to let application choose migration
  • *Cannot* deploy two instances in the same pod (CBS http and CBS HTTPS) under the same K8S service (To to be confirmed)

Migration Plan

Following are impacts to components to be done in specified order


CBS Enhancement  (DCAEGEN2-1549)

  1. Support HTTPS enablement via environment variable
    • USE_HTTPS: set to “1” to use HTTPS, anything else is HTTP
    • HTTPS_KEY_PATH: path to the TLS private key
    • HTTPS_CERT_PATH: path to the TLS certificate
  2. Use port 10443 if USE_HTTPS is set to “1”, otherwise  port 10000


Deployment Enhancement (Helm chart updates) DCAEGEN2-1550

  1. Modify existing dcae-config-binding-service charts to support the new environment and new CBS container version.
    1. USE_HTTPS=0
    2. Nodeport 30415 to be used as Dublin
    3. K8S Service name: config-binding-service will remain same as R4
  2. Setup additional dcae-config-binding-service-tls to support new CBS instantiation with TLS enabled; the primary difference will be on env/nodeport
    1. USE_HTTPS=1
    2. Nodeport 30471
    3. K8S Service name: config-binding-service-tls
  3. Expose the ONAP dcae cert using TLS init container.
    1. Set HTTPS_KEY_PATH and HTTPS_CERT_PATH to proper values based on where the certs directory is mounted.

K8s plugin updates (DCAEGEN2-1550)

  1. Cloudify deployments of service components should include following environments
    • CONFIG_BINDING_SERVICE=<http_cbs_k8s_service_name>
    • CONFIG_BINDING_SERVICE_TLS=<https_cbs_k8s_service_name>
    • CONFIG_BINDING_SERVICE_CLIENTCERT=<path>
  2. Enable AAF cert distribution by default on path identified by CONFIG_BINDING_SERVICE_CLIENTCERT.
    1. This step to be done regardless of tls_info setting in blueprint (tls_info to be used for components supporting HTTPS as server; in this case certificate are required to be mounted also application specific path specified – this can be created as softlink to path specified by CONFIG_BINDING_SERVICE_CLIENTCERT).

Bootstrap pod (DCAEGEN2-1550)

  1. Add new k8s plugin version including R4 version (1.4.13) in CM deployments
  2. To keep existing components from breaking, continue to register “config-binding-service” and “config_binding_service” as services in Consul, with port 10000 as the service port.

Note: Service registration on Consul will not be done for CBS TLS service.  As components change to use TLS, they should just use the Kubernetes DNS name for the service along with port 10443.

Library Enhancement (CBS java sdk - DCAEGEN2-1552, CBS python util - DCAEGEN2-1551)

  1. Verify if the new environment setting for TLS (below) added by K8s plugin is visible within POD.
    • CONFIG_BINDING_SERVICE_TLS=<https_cbs_service_name>
    • CONFIG_BINDING_SERVICE_CLIENTCERT=<path>
  2. If defined, use the secure end-point to interface with CBS (port 10443)
  3. If TLS envs are undefined, use R4 service name and port (10000) to interface with CBS

Note: Libraries should stop using Consul service discovery to find CBS.

ServiceComponents (Optional for E release)

  1. Switch to newer version of libraries (CBS SDK for java and python CBS utils)
  2. Update blueprint to use newer version of k8s plugin in blueprints


  • No labels