
Info

This page describes the planned Guilin contribution.

...

The current configuration (here HV-VES, as the /etc/ves-hv paths show) is in fact already the external one:

Code Block
security.keys.keyStoreFile: /etc/ves-hv/ssl/cert.jks
security.keys.keyStorePasswordFile: /etc/ves-hv/ssl/jks.pass
security.keys.trustStoreFile: /etc/ves-hv/ssl/trust.jks
security.keys.trustStorePasswordFile: /etc/ves-hv/ssl/trust.pass

RestConf

(question)

Way forward

Blueprint generator

(question)

K8s plugin

To implement the goal of this feature, the K8s plugin must be enhanced to support the following new blueprint properties in a new external_cert section, plus extra properties in the K8s plugin configuration and configuration parameters stored in CBS, all listed in the table below:

Code Block
external_cert:
	use_external_tls
	external_cert_directory
	ca_name
	external_certificate_parameters:
		common_name
		sans
		country
		organization
		state
		organizational_unit
		location


The meaning of each property is described in the following table. The CertService client's own properties are described in detail on a dedicated page.

...

**** - property defined in the blueprint (whether or not it changes per deployment) and stored in DCAE's Config Binding Service (CBS)


Group | Property name | Type (input*/blueprint**/plugin***/cbs****) | Default | Description
----- | ------------- | ------------------------------------------- | ------- | -----------
external_cert | use_external_tls | input | true | A boolean that indicates whether the component uses AAF CertService to acquire an operator certificate to protect external (between xNFs and ONAP) traffic. For the time being only an operator certificate from a CMPv2 server is supported.
external_cert | external_cert_directory | blueprint | /opt/app/dcae-certificate/external_cert | Directory where the operator certificate and trusted certs should be created
external_cert | ca_name | input | RA | Name of the Certificate Authority configured on the CertService side (in cmpServers.json). Default RA_TEST corresponds to the default CMPv2 testing configuration.
external_cert: external_certificate_parameters | common_name | input | <Specific for every blueprint> | Common name which should be present in the certificate. Specific for every blueprint (e.g. dcae-ves-collector for VES)
external_cert: external_certificate_parameters | sans | input | <Specific for every blueprint> | List of Subject Alternative Names (SANs) which should be present in the certificate; delimiter ":". Must contain the common_name value and every other FQDN under which the component is reachable, e.g. if xNFs use ves-collector in the request URL it must also be present in the SANs: dcae-ves-collector:ves-collector
external_cert: external_certificate_parameters | country | input | US | Country name in ISO 3166-1 alpha-2 format, for which the certificate will be created
external_cert: external_certificate_parameters | organization | input | Linux-Foundation | Organization name, for which the certificate will be created
external_cert: external_certificate_parameters | state | input | California | State name, for which the certificate will be created
external_cert: external_certificate_parameters | organizational_unit | input | ONAP | Organizational unit name, for which the certificate will be created
external_cert: external_certificate_parameters | location | input | San-Francisco | Location name, for which the certificate will be created

Extra configuration parameters stored in CBS

Group | Property name | Type | Default | Description
----- | ------------- | ---- | ------- | -----------
properties: application_config | external_keystore_path | blueprint + cbs | /opt/app/dcae-certificate/external_cert/keystore.jks | Path to the keystore with the external certificate
properties: application_config | external_keystore_password_path | blueprint + cbs | /opt/app/dcae-certificate/external_cert/keystore.pass | Path to the password for the keystore with the external certificate
properties: application_config | external_truststore_path | blueprint + cbs | /opt/app/dcae-certificate/external_cert/truststore.jks | Path to the truststore with the external trust anchors
properties: application_config | external_truststore_password_path | blueprint + cbs | /opt/app/dcae-certificate/external_cert/truststore.pass | Path to the password for the truststore with the external trust anchors

Extra K8s plugin configuration parameters

Property name | Type | Default | Description
------------- | ---- | ------- | -----------
image_tag | plugin | nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION | Image name and version
request_url | plugin | https://aaf-cert-service:8443/v1/certificate/ | URL to the Cert Service API
timeout | plugin | 30000 | Request timeout
country | plugin | US | Country name in ISO 3166-1 alpha-2 format, for which the certificate will be created
organization | plugin | Linux-Foundation | Organization name, for which the certificate will be created
state | plugin | California | State name, for which the certificate will be created
organizational_unit | plugin | ONAP | Organizational unit name, for which the certificate will be created
location | plugin | San-Francisco | Location name, for which the certificate will be created

If the new properties are provided by the blueprint and use_external_tls is set to true, the K8s plugin must generate an init containers section, add the CertService client image to it and pass all other variables to the init container as environment variables, very similarly to the example described on a dedicated page.
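The following is an added example of the init-container generation described above and of the external_cert blueprint section from the earlier table; it is not the K8s plugin's own code. It assumes the environment variable names the CertService client reads (REQUEST_URL, REQUEST_TIMEOUT, OUTPUT_PATH, CA_NAME, COMMON_NAME, SANS, COUNTRY, ORGANIZATION, ORGANIZATION_UNIT, STATE, LOCATION) and a shared volume named tls-info mounted at external_cert_directory; neither is stated on this page. The defaults are the ones from the table, and the checks (common_name must appear in the ":"-delimited sans list, country must be ISO 3166-1 alpha-2) enforce what the table requires before a CSR is ever sent to CertService.

```python
"""Build the CertService-client init container a K8s plugin would emit.

Added example, not the ONAP K8s plugin's code. Assumed (not on the page):
the CertService client env var names and the "tls-info" volume name.
"""
import re

# Plugin-level defaults, copied from the page's table.
PLUGIN_CONFIG = {
    "image_tag": "nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION",
    "request_url": "https://aaf-cert-service:8443/v1/certificate/",
    "timeout": 30000,
    "country": "US",
    "organization": "Linux-Foundation",
    "state": "California",
    "organizational_unit": "ONAP",
    "location": "San-Francisco",
}

SANS_DELIMITER = ":"                       # page: "Delimiter - :"
DEFAULT_CERT_DIR = "/opt/app/dcae-certificate/external_cert"
DEFAULT_CA_NAME = "RA"                     # Default column of ca_name
ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")

# Subject fields a blueprint may set; each falls back to the plugin default.
SUBJECT_FIELDS = ("country", "organization", "state", "organizational_unit", "location")
ENV_NAME = {  # assumed CertService client variable names
    "country": "COUNTRY", "organization": "ORGANIZATION", "state": "STATE",
    "organizational_unit": "ORGANIZATION_UNIT", "location": "LOCATION",
}


def validate_cert_params(params, plugin_config):
    """Resolve blueprint subject parameters against plugin defaults.

    Raises ValueError when common_name is missing, when the SANs do not
    contain common_name (xNFs verify the hostname they dial against the
    SANs), or when country is not ISO 3166-1 alpha-2.
    """
    cn = params.get("common_name")
    if not cn:
        raise ValueError("common_name is required")
    sans = [s for s in params.get("sans", "").split(SANS_DELIMITER) if s]
    if cn not in sans:
        raise ValueError(f"sans must contain common_name {cn!r}; got {sans}")
    resolved = {"common_name": cn, "sans": SANS_DELIMITER.join(sans)}
    for field in SUBJECT_FIELDS:
        resolved[field] = params.get(field, plugin_config[field])
    if not ISO_ALPHA2.match(resolved["country"]):
        raise ValueError(f"country must be ISO 3166-1 alpha-2, got {resolved['country']!r}")
    return resolved


def build_cert_init_container(external_cert, plugin_config=PLUGIN_CONFIG):
    """Return an init container spec (dict), or None if use_external_tls is false."""
    if not external_cert.get("use_external_tls", False):
        return None
    cert_dir = external_cert.get("external_cert_directory", DEFAULT_CERT_DIR)
    subject = validate_cert_params(
        external_cert.get("external_certificate_parameters", {}), plugin_config)
    env = {
        "REQUEST_URL": plugin_config["request_url"],
        "REQUEST_TIMEOUT": str(plugin_config["timeout"]),
        "OUTPUT_PATH": cert_dir,
        "CA_NAME": external_cert.get("ca_name", DEFAULT_CA_NAME),
        "COMMON_NAME": subject["common_name"],
        "SANS": subject["sans"],
    }
    for field in SUBJECT_FIELDS:
        env[ENV_NAME[field]] = subject[field]
    return {
        "name": "cert-service-client",
        "image": plugin_config["image_tag"],
        "env": [{"name": k, "value": v} for k, v in env.items()],
        # The main container mounts the same volume to read keystore.jks etc.
        "volumeMounts": [{"name": "tls-info", "mountPath": cert_dir}],
    }


if __name__ == "__main__":
    import json
    # Constructed sample of a blueprint's external_cert section (VES values from the page).
    sample = {
        "use_external_tls": True,
        "ca_name": "RA",
        "external_certificate_parameters": {
            "common_name": "dcae-ves-collector",
            "sans": "dcae-ves-collector:ves-collector",
        },
    }
    print(json.dumps(build_cert_init_container(sample), indent=2))
```

Running the module prints the init container for the VES collector sample; in a real deployment the same dict would be appended to the pod's initContainers and the tls-info volume declared on the pod.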

DCAE component specs

(question)

DCAE blueprints

The Cloudify blueprints must be adjusted to take advantage of the new K8s plugin functionality and must provide the extra properties that control the CertService client call.

...