...
HV-VES collector protects both external and internal traffic using the same certificate and trusted certificates. Such are configured by properties:
| Code Block |
|---|
TBACurrent one is actually external one: security.keys.keyStoreFile: /etc/ves-hv/ssl/cert.jks security.keys.keyStorePasswordFile: /etc/ves-hv/ssl/jks.pass security.keys.trustStoreFile: /etc/ves-hv/ssl/trust.jks security.keys.trustStorePasswordFile: /etc/ves-hv/ssl/trust.pass |
Way forward
K8s plugin
So, to implement goal of this feature, K8s plugin must be enhanced to support following new properties in tlsnew external_info cert section:
| Code Block |
|---|
external_cert:
use_external_tls
external_cert_directory
image_tag
request_url
timeout
ca_name
common_name
sans
country
organization
state
organizational_unit
location |
Meaning of properties is described in following table. CertService's client properties are described in details on a dedicated page.
* - property available in blueprint inputs, so can be changed every deployment
...
| Group | Property name | Type (input*/blueprint**) | Default | Description | |
|---|---|---|---|---|---|
| external_ | infocert | use_external_tls | input | true | A boolean that indicates whether the component uses AAF CertService to acquire operator certificate to protect external (between xNFs and ONAP) traffic. For a time being only operator certificate from CMPv2 server is supported |
| external_cert_directory | blueprint | /opt/app/dcae-certificate/external_cert | Directory where operator certificate and trusted certs should be created | external_cert||
| image_tag | input | nexus3.onap.org:10001/onap/org.onap.aaf.cert.service.client:1.0.0  | Image name and version | ||
| request_url | blueprint | https://aaf-cert-service-service:8443/v1/certificate/ | URL to Cert Service API | ||
| timeout | blueprint | 30000 | Request timeout | ||
| ca_name | input | RA_TEST | Name of Certificate Authority configured on CertService side (in cmpServers.json). Default RA_TEST corresponds to default CMPv2 testing configuration. | ||
| common_name | input | <Specific for every blueprint> | Common name which should be present in certificate. Specific for every blueprint (e.g. dcae-ves-collector for VES) | ||
| sans | input | <Specific for every blueprint> | List of Subject Alternative Names (SANs) which should be present in certificate. Delimiter - : Should contain common_name value and other FQDNs under which given component is accessible, e.g. if xNFs uses ves-collector in request URL, such should be also present in SANs - e.g. dcae-ves-collector:ves-collector. | ||
| country | input | US | Country name in ISO 3166-1 alpha-2 format, for which certificate will be created | ||
| organization | input | Linux-Foundation | Organization name, for which certificate will be created | ||
| state | input | California | State name, for which certificate will be created | ||
| organizational_unit | input | ONAP | Organizational unit name, for which certificate will be created | ||
| location | input | San-Francisco | Location name, for which certificate will be created |
...
If new properties are provided by blueprint and use_external_tls
...
Additionally, K8s plugin should be enhanced to support all properties which are required by CertService's client and which are listed on a dedicated page.
In the end is set to true, K8s plugin must be able to create init containers section and within it add information about CertService's client image and pass all other variables as environment variables. Very similar to example described on a dedicated page.
DCAE bluerprints
Cloudify blueprints must be adjusted to take advantage of new K8s plugin functionality and must provide extra properties which controls CertService's client call.
...