Page History

Helm charts to be held locally and these are the only repos you can pull HELM charts from.

Connection authentication services (option 1 and 4) and (option 2 and 3) configurability of destination supported, like a white list. Those 2 layers of security are a better option than single one of them.

Use of HTTPS = authenticated repo that HELM chart would be pulled (consumed). Once authenticated restrictions apply while K8s pulling from repo. Client needs to authenticate the repo that is pulling from. 

Service mesh can handle secure communication and authentication and authorization policies.

Begin with HTTPs connection. From the subject field from the repo would have a subject name that would be validated against white list. So first autheticate (HTTPs) and then authorize (white list). 

It is also crucial to ensure that to push HELM chart to the repo is under control (authentication and authorization. 2 way TLS: client doing a POST would be authenticated by the repo and authorization at the repo level would have to be done based on the subject field of the cert that was passed by the client. 

Mutual TLS enablement to standard client side.

Log4j Target version 2.17.1 was released. It provides a fix for a vulnerability: https://cvelogging.mitreapache.org/cgi-binlog4j/cvename.cgi?name=CVE-2021-44832.2.x/changes-report.html#a2.17.1

Following tickets opened:

• AAI-3431 - AAI status (4 components with log4j) COMPLETE
  • aai-graph-admin, aai-resources, aai-traversal, aai-common : log4j <2.17.1 Direct dependencies updated
• DMAAP-1704 - DMAAP status (1 component with log4j) COMPLETE
  • dmaap-messagerouter-messageservice: log4j <2.17.1 Direct dependencies updated
• SDNC-1655 - SDNC status (1 component with log4j)
  • sdnc-oam: log4j 1.2.17 Direct dependency -> Dan created a ticket for an upgrade in Istanbul with low priority (https://jira.onap.org/browse/SDNC-1591) – “data-migrator needs to be migrated from log4j to log4j2 - which mostly entails just updating properties file and command line arguments in run script. Note: data-migrator is not currently used”. I have increased priority to high and added fixed version: Istanbul Maintenance release + comment under the ticket on the need to migrate to log4j-core 2.17.1.
• VNFSDK-827
• With Istanbul maintenance release branches and CLM Jenkins jobs configured in jjb file, next round of log4j focussed scans and analysis.
• - VNFSDK status (1 component with log4j)
  • vnfsdk-ves-agent: no scans for Istanbul branch -> as per Kanagaraj’s email sent on 24th of August, he mention that vnfsdk-ves-agent is not an active VNFSDK repo, so I have sent him an e-mail today to configure his jjb file accordingly.
• Restricted Wiki for Istanbul Maintenance release created
• CVE creation: no need to do it, simply we will document in the Release Notes repos that were impacted and fixed (direct) and document transitive dependencies. CVE is raised for vulnerability discovered in the code.
• ONAP CVEs opened so far: https://docs.onap.org/projects/onap-osa/en/latest/osalist.htmlDemo of CLM scans for Istanbul Maintenance was done.