...
- uwsgi https option
The multicloud services that are based on uwsgi could use uwsgi's built-in https feature: https://uwsgi-docs.readthedocs.io/en/latest/HTTPS.html. You probably have to rebuild uwsgi with SSL support:
On a debian server with uwsgi installed by pip this would be (as root):
apt-get install libssl-dev
pip install uwsgi -I --no-cache-dir
-I forces a reinstall; --no-cache-dir makes pip rebuild from source instead of reusing a cached wheel.
- cert files
The question would be: who generates the key and cert, and how? Following the practice of the MSB project, the multicloud service will generate its own keys/certs and put them in the docker image by default, and also make sure these keys/certs can be overridden by the OOM helm chart, just like the logging settings.
It is suggested that we follow the same pattern and put the generated certs under pub/ssl/cert/ with the names cert.crt and cert.key.
- ENV variable to enable/disable https on the same port
I don't believe the http and https endpoints should co-exist, which makes no sense from a security perspective. So I recommend that http/https be toggled by an ENV variable and bound to the same port.
The ENV variable could be SSL_ENABLED: to enable the https endpoint, set SSL_ENABLED=true; otherwise leave it unset or set it to some other value (e.g. SSL_ENABLED=false).
The entry point of the docker container will check this ENV var and decide whether to start uwsgi in https or http mode.
- example patches: https://gerrit.onap.org/r/#/c/81829/ and https://gerrit.onap.org/r/#/c/81912/
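As an added example (not code from this page, the linked patches, or the multicloud project), the following POSIX sh entry point applies the two decisions above: it creates a default self-signed cert.crt/cert.key pair only when none was mounted, so files supplied by the OOM helm chart always win, and it starts uwsgi in either plain http or https mode on one port depending on SSL_ENABLED. The cert directory, port and WSGI module name are assumed placeholders, not project settings; the --http and --https option syntax is uwsgi's own.

```shell
#!/bin/sh
# Added example entry point: pick uwsgi's http or https listener from SSL_ENABLED
# and keep a mounted cert/key pair in preference to a generated default one.
# CERT_DIR, PORT and APP_MODULE below are assumed placeholders, not project values.

CERT_DIR="${CERT_DIR:-/opt/multicloud/pub/ssl/cert}"     # assumed default location
PORT="${PORT:-9001}"                                      # assumed default listen port
APP_MODULE="${APP_MODULE:-multicloud.wsgi:application}"  # assumed WSGI module name

# Generate a self-signed cert.crt/cert.key pair in $1 only if neither file exists,
# so a key/cert mounted by the helm chart is never overwritten.
ensure_default_cert() {
    dir="$1"
    if [ -e "$dir/cert.crt" ] || [ -e "$dir/cert.key" ]; then
        return 0
    fi
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=multicloud" \
        -keyout "$dir/cert.key" -out "$dir/cert.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/cert.key"
}

# Print the uwsgi listener option for the given SSL_ENABLED value, port and cert dir.
# Only the literal string "true" enables TLS; anything else means plain http on the same port.
# uwsgi's --https option takes "addr:port,cert,key"; --http takes "addr:port".
uwsgi_listener() {
    ssl_enabled="$1"
    port="$2"
    cert_dir="$3"
    if [ "$ssl_enabled" = "true" ]; then
        # Fail rather than silently falling back to plain http when the files are missing.
        if ! [ -r "$cert_dir/cert.crt" ] || ! [ -r "$cert_dir/cert.key" ]; then
            echo "SSL_ENABLED=true but $cert_dir/cert.crt or cert.key is missing" >&2
            return 1
        fi
        printf '%s\n' "--https 0.0.0.0:$port,$cert_dir/cert.crt,$cert_dir/cert.key"
    else
        printf '%s\n' "--http 0.0.0.0:$port"
    fi
}

main() {
    if [ "${SSL_ENABLED:-}" = "true" ]; then
        ensure_default_cert "$CERT_DIR" || exit 1
    fi
    listener="$(uwsgi_listener "${SSL_ENABLED:-}" "$PORT" "$CERT_DIR")" || exit 1
    # $listener is intentionally left unquoted so it splits into option and value.
    exec uwsgi --master $listener --module "$APP_MODULE"
}

# Run the entry point only when invoked as "entrypoint.sh start", so the functions
# above can also be sourced and tested without starting uwsgi.
if [ "${1:-}" = "start" ]; then
    main
fi
```

Because the listener string is the only thing that changes between the two modes, both use the same PORT, which is what the "same port" recommendation above asks for; an unset or non-"true" SSL_ENABLED never produces a TLS listener, and a "true" value with missing files aborts the container instead of quietly serving plaintext.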
6, Security Requirement: Run microservice as non-root user
...