From: khemendra kumar Date: Wed, 22 Jul 2020 10:05:29 +0000 (+0000) Subject: Merge "Modified to support Certificate and KeyPath" X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=commitdiff_plain;h=f480f7e721adb1c3a78a7986e7572bb28c5cc91d;hp=ca41a44422d165aa0abe252dca48241d8b74df3f;p=ealt-edge.git Merge "Modified to support Certificate and KeyPath" --- diff --git a/mep/mepagent/README.md b/mep/mepagent/README.md index b50520e..f3ec851 100644 --- a/mep/mepagent/README.md +++ b/mep/mepagent/README.md 
@@ -1,2 +1,57 @@ # mep_agent_lib Agent lib for mep service regsitration API + + +## Introduction + +MEP agent library and sample application is provide for quickly develop applications on MEP platform. +Code is devided in 2 part. +- SampleApp +- Service registration pkg. +- config file for setting application configuration +- docker file , build and k8s yaml files + +* SampleApp + - sample application for service regsitration to MEP + - contains main function and call service registration function from provided pkg + - It has config file for setting application configuration + +* pkg for service registration + - pkg can be used to register developer applications to MEP. + - support http and https connection to MEP + - configuration can be enabled/disbaled in config files when start mep agent + +## Configuration +mainly below configuration supported + - MEP GW details + - IP: IP of MEP Gateway + - HTTPS port: GW HTTPS proxy port + - HTTP port: GW HTTP proxy port + - App instance ID + - service registration sample data as per ETSI mp1 interface. + +## Usages +Developer who develp applications for MEP, can leverage sample application and pkg freamework to support mp1 interface for service registration. +In future this library can be extened to support all mp1 interface like discovery, service avaiibilty. +MEP support mp1 interfaces as per ETSI compliant. + +* Steps + - configure MEP GW IP and port in path meagent/SampleApp/conf/app_instance_info.yaml + - based on deplyment mode(development/production) provide HTTP/HTTPS port + - kong API GW run as K8s service, check corresponding port and config accordingly + - Kong has admin and proxy port. + - use proxy port and configure + - Build go applicaion with below cmd: + - cd mepagent/SampleApp + - CGO_ENABLED=0 go build -a -ldflags '-extldflags "-static"' src/main/main.go + - Build docker and push to docker + - sudo ./docker-build.sh + - Deploy Application + - In mep-k8s.yaml + - enable/disable ssl which is env. 
variable in k8s yaml file + - APP_SSL_MODE "1" to enable ssl. + - By default app run in normal mode. + - generate k8s secret with ca.crt file which is root CA used by MEP. + - MEP provide cert-manager and vault to automate it. Plz refer corresponding document. + + diff --git a/mep/mepagent/SampleApp/conf/app_info.yaml b/mep/mepagent/SampleApp/conf/app_info.yaml new file mode 100644 index 0000000..ad6a655 --- /dev/null +++ b/mep/mepagent/SampleApp/conf/app_info.yaml @@ -0,0 +1,18 @@ +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#ssl_cipher configuration +sslCiphers: > + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 diff --git a/mep/mepagent/SampleApp/conf/app_instance_info.yaml b/mep/mepagent/SampleApp/conf/app_instance_info.yaml index 37f764c..b284c61 100644 --- a/mep/mepagent/SampleApp/conf/app_instance_info.yaml +++ b/mep/mepagent/SampleApp/conf/app_instance_info.yaml @@ -14,8 +14,10 @@ --- appInstanceId: id12345 -mepServerIP: 192.168.0.101 -mepServerPORT: 30088 +mepGWIP: 159.138.22.15 +httpGWPORT: 30010 +httpsGWPORT: 30011 +mepGWROUTES: /mp1 serviceInfoPosts: - serName: ExampleService serInstanceId: diff --git a/mep/mepagent/SampleApp/docker-build.sh b/mep/mepagent/SampleApp/docker-build.sh new file mode 100755 index 0000000..309890f --- /dev/null +++ b/mep/mepagent/SampleApp/docker-build.sh 
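Review bot: `mepGWIP: 159.138.22.15` replaces the private-range placeholder with what appears to be a specific public gateway address in a sample configuration that is tracked in git. Keep a clearly marked placeholder such as `mepGWIP: <MEP_GW_IP>` (the README's Steps section already tells the developer to configure it), and add a comment that `mepGWROUTES` must keep its leading slash because register.go concatenates it directly after the port. The same address is hard-coded again in the new kongconfig.sh.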
@@ -0,0 +1,17 @@ +#!/bin/sh +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +MEP_VERSION=latest +docker build --no-cache -t ealtedge/mepagent:${MEP_VERSION} -f docker/Dockerfile . diff --git a/mep/mepagent/SampleApp/Dockerfile b/mep/mepagent/SampleApp/docker/Dockerfile similarity index 100% rename from mep/mepagent/SampleApp/Dockerfile rename to mep/mepagent/SampleApp/docker/Dockerfile diff --git a/mep/mepagent/SampleApp/go.mod b/mep/mepagent/SampleApp/go.mod index 62785eb..8195cb6 100644 --- a/mep/mepagent/SampleApp/go.mod +++ b/mep/mepagent/SampleApp/go.mod @@ -3,11 +3,5 @@ module mep-agent go 1.14 require ( - github.com/agiledragon/gomonkey v2.0.1+incompatible - github.com/khemendra0/mep_agent_lib v0.0.0-20200514200710-1e480711e278 // indirect - github.com/khemendra0/mep_agent_lib_2 v0.0.0-20200515044354-e1f42901419d // indirect - github.com/khemendra0/mep_agent_lib_3 v0.0.0-20200515181745-facda354cc2a // indirect - github.com/khemendra0/mep_agent_lib_5 v0.0.0-20200515190552-685e7af625aa // indirect - github.com/smartystreets/goconvey v1.6.4 - gopkg.in/yaml.v2 v2.2.8 + gopkg.in/yaml.v2 v2.2.8 // indirect ) diff --git a/mep/mepagent/SampleApp/go.sum b/mep/mepagent/SampleApp/go.sum deleted file mode 100644 index 2fa3f6f..0000000 --- a/mep/mepagent/SampleApp/go.sum +++ /dev/null 
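Review bot: `MEP_VERSION=latest` tags every build as `ealtedge/mepagent:latest`, and the pod spec pulls that tag with `imagePullPolicy: Always`, so a running deployment cannot be tied to a known build and a later push silently replaces what runs. Derive the tag from a version or commit, e.g. `MEP_VERSION=${MEP_VERSION:-$(git rev-parse --short HEAD)}`, and reference the same tag (or the image digest) in mepagent.yaml. The script also has no `set -e`, so a failed `docker build` does not fail the script.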
@@ -1,29 +0,0 @@ -github.com/agiledragon/gomonkey v2.0.1+incompatible h1:DIQT3ZshgGz9pTwBddRSZWDutIRPx2d7UzmjzgWo9q0= -github.com/agiledragon/gomonkey v2.0.1+incompatible/go.mod h1:2NGfXu1a80LLr2cmWXGBDaHEjb1idR6+FVlX5T3D9hw= -github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= -github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= -github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= -github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= -github.com/khemendra0/mep_agent_lib v0.0.0-20200514200710-1e480711e278 h1:OlJt5hf1vSwZDsL5Er+dq7gaZFWGsO9xEHPhDeUhj58= -github.com/khemendra0/mep_agent_lib v0.0.0-20200514200710-1e480711e278/go.mod h1:R3E+++9kes5yTa/FOTigCbgESB89fxkV3fSNgaIZ+aw= -github.com/khemendra0/mep_agent_lib v0.0.0-20200514203355-fdf3ccdf5332 h1:u5H6Sng3lcaFDHGkS9oCpKYj4vg0KkQem3DwLIRa+Uk= -github.com/khemendra0/mep_agent_lib_2 v0.0.0-20200515044354-e1f42901419d h1:h4OImiHv7jng9JN7NENbHzMBZiqdKCyfOHrn8HB9lUo= -github.com/khemendra0/mep_agent_lib_2 v0.0.0-20200515044354-e1f42901419d/go.mod h1:cLt2kf1jVHS7gmHMHSFzGtWlD5ac16rMfsObbkY2RlU= -github.com/khemendra0/mep_agent_lib_3 v0.0.0-20200515181745-facda354cc2a h1:wvynPYD+6o9LMSkqFv4lDOseaOL91G50XTj4vdD4Ws8= -github.com/khemendra0/mep_agent_lib_3 v0.0.0-20200515181745-facda354cc2a/go.mod h1:BFDUBKoOuzZLmkOLHUv3GODCPbgd6jhJNruFLganZJI= -github.com/khemendra0/mep_agent_lib_4 v0.0.0-20200515185547-0c783f20e651 h1:wi75k+JXOA1K5H4s+GKIox6c0RPSfQ9VP7j2vJ2044M= -github.com/khemendra0/mep_agent_lib_5 v0.0.0-20200515190552-685e7af625aa h1:aKmYnfBgLdJ+fKS3MHE0ig8UiJuTdMqohCaas8hN/r4= -github.com/khemendra0/mep_agent_lib_5 v0.0.0-20200515190552-685e7af625aa/go.mod h1:Z90GKwOZ8xQuY9eLUKrgt5TvVBVQZbNRSzsbvbYCCmQ= -github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d 
h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM= -github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc= -github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= -github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= -gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/mep/mepagent/SampleApp/mepagent.yaml b/mep/mepagent/SampleApp/mepagent.yaml old mode 100644 new mode 100755 index 79b7ef6..a8df546 --- a/mep/mepagent/SampleApp/mepagent.yaml +++ b/mep/mepagent/SampleApp/mepagent.yaml 
@@ -12,27 +12,35 @@ # See the License for the specific language governing permissions and # limitations under the License. + +# mep pod --- -apiVersion: apps/v1 -kind: Deployment +apiVersion: v1 +kind: Pod metadata: name: mepagent namespace: mep + labels: + app: mepagent spec: - replicas: 1 - selector: - matchLabels: - app: mepagent - template: - metadata: - labels: - app: mepagent - spec: - containers: - - - image: "mepagent:latest" - imagePullPolicy: IfNotPresent - name: mepagent - ports: - - - containerPort: 80 + containers: + - image: ealtedge/mepagent:latest + imagePullPolicy: Always + name: mepagent-pod + env: + - name: CA_CERT_DOMAIN_NAME + value: "www.ealtedge.org" + - name: SSL_ROOT + value: "/etc/mepagent_ssl/trust.cer" + - name: APP_SSL_MODE + value: "0" + ports: + - containerPort: 80 + #volumeMounts: + #- name: mepagentssl + #mountPath: "/etc/mepagent_ssl" + #readOnly: true + #volumes: + #- name: mepagentssl + #secret: + #secretName: mepagentssl-secret diff --git a/mep/mepagent/SampleApp/src/main/main.go b/mep/mepagent/SampleApp/src/main/main.go index 6c6fcee..9f536e5 100644 --- a/mep/mepagent/SampleApp/src/main/main.go +++ b/mep/mepagent/SampleApp/src/main/main.go @@ -18,8 +18,15 @@ package main import ( "github.com/akraino-edge-stack/ealt-edge/mep/mepagent/pkg/service" + "time" ) func main() { _, _ = service.SvcReg("./conf/app_instance_info.yaml") + Heart() } + +func Heart() { + time.Sleep(time.Hour) +} + diff --git a/mep/mepagent/pkg/model/appconf.go b/mep/mepagent/pkg/model/appconf.go new file mode 100644 index 0000000..b5fd5e2 --- /dev/null +++ b/mep/mepagent/pkg/model/appconf.go 
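Review bot: `SSL_ROOT` points at `/etc/mepagent_ssl/trust.cer`, but the `volumeMounts`/`volumes` entries that would place `mepagentssl-secret` there are commented out, so setting `APP_SSL_MODE` to "1" as the README describes makes TlsConfig fail on `ioutil.ReadFile` because no certificate is present. Either leave the mount in place (marking the secret volume `optional: true` if it may be absent) or document next to `APP_SSL_MODE` that the commented block must be enabled together with it. Replacing the Deployment with a bare `kind: Pod` also means the agent is restarted in place but never rescheduled if its node is lost. The identical manifest is added as ocd/infra/playbooks/roles/mepagent/files/deploy/mepagent.yaml, so the same applies there.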
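Review bot: `_, _ = service.SvcReg(...)` discards the registration error, and `Heart()` returns after `time.Sleep(time.Hour)`, so `main` exits once an hour and the restarted container re-registers whether or not the first attempt succeeded. Log the error, `if _, err := service.SvcReg("./conf/app_instance_info.yaml"); err != nil { log.Println(err) }`, and keep the process alive deliberately with `select {}` or a signal wait rather than a fixed sleep. `Heart` is exported with no doc comment; if it stays, `// Heart keeps the process alive so the pod is not restarted after registration.` would say what it is for.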
@@ -0,0 +1,21 @@ +/* + * Copyright 2020 Huawei Technologies Co., Ltd. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package model + +type AppConf struct { + SslCipherSuite string `yaml:"sslCiphers" json:"sslCiphers"` +} diff --git a/mep/mepagent/pkg/model/instance.go b/mep/mepagent/pkg/model/instance.go index 66f4202..d51009d 100644 --- a/mep/mepagent/pkg/model/instance.go +++ b/mep/mepagent/pkg/model/instance.go @@ -19,8 +19,10 @@ package model type AppInstanceInfo struct { AppInstanceId string `yaml:"appInstanceId" json:"appInstanceId"` - MepServerIP string `yaml:"mepServerIP" json:"mepServerIP"` - MepServerPORT string `yaml:"mepServerPORT" json:"mepServerPORT"` + MepGWIP string `yaml:"mepGWIP" json:"mepGWIP"` + HttpGWPORT string `yaml:"httpGWPORT" json:"httpGWPORT"` + HttpsGWPORT string `yaml:"httpsGWPORT" json:"httpsGWPORT"` + MepGWROUTES string `yaml:"mepGWROUTES" json:"mepGWROUTES"` ServiceInfoPosts []ServiceInfoPost `yaml:"serviceInfoPosts" json:"serviceInfoPosts"` SerAvailabilityNotificationSubscriptions []SerAvailabilityNotificationSubscription `yaml:"serAvailabilityNotificationSubscriptions" json:"serAvailabilityNotificationSubscriptions"` } diff --git a/mep/mepagent/pkg/service/register.go b/mep/mepagent/pkg/service/register.go index 9341574..5dd6dc3 100644 --- a/mep/mepagent/pkg/service/register.go +++ b/mep/mepagent/pkg/service/register.go 
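Review bot: `AppConf` and `SslCipherSuite` are exported without doc comments, and nothing says the field is a comma-separated list rather than a single suite. Add `// AppConf holds the agent's TLS settings read from conf/app_info.yaml.` above the type and `// SslCipherSuite is a comma-separated list of TLS cipher suite names; getcipher in request.go maps them to tls constants.` above the field. Go naming would be `SSLCipherSuites`; the yaml/json tags keep the file format unchanged if it is renamed.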
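Review bot: `HttpGWPORT`, `HttpsGWPORT` and `MepGWROUTES` mix initialism styles and hold the ports as strings, so a non-numeric port in the yaml is only noticed when register.go builds the URL and the request fails. Go convention would be `HTTPGWPort`/`HTTPSGWPort`/`MepGWRoutes`, and the ports could be `int` with the tags unchanged so yaml decoding rejects bad values up front. The removed `mepServerIP`/`mepServerPORT` keys are a breaking change for existing app_instance_info.yaml files; worth a line in the README's Configuration section.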
@@ -19,11 +19,15 @@ package service import ( "encoding/json" "log" + "os" "strconv" "time" ) func SvcReg(confPath string) (string, error) { + var urlProto string + var gwPORT string + conf, err := GetConf(confPath) if err != nil { log.Println(err.Error()) @@ -32,9 +36,21 @@ func SvcReg(confPath string) (string, error) { appInstanceId := conf.AppInstanceId serviceInfos := conf.ServiceInfoPosts - mepServerIP := conf.MepServerIP - mepServerPORT := conf.MepServerPORT - url := "http://" + mepServerIP + ":" + mepServerPORT + "/mep/mec_service_mgmt/v1/applications/" + appInstanceId + "/services" + gwRoutes := conf.MepGWROUTES + gwIP := conf.MepGWIP + + sslMode := os.Getenv("APP_SSL_MODE") + //if ssl mode is enabled, then config tls + if sslMode == "0" { + gwPORT = conf.HttpGWPORT + urlProto = "http://" + } else { + gwPORT = conf.HttpsGWPORT + urlProto = "https://" + } + + url := urlProto + gwIP + ":" + gwPORT + gwRoutes + "/mep/mec_service_mgmt/v1/applications/" + appInstanceId + "/services" + log.Println("Register url is" + url) for _, serviceInfo := range serviceInfos { data, e := json.Marshal(serviceInfo) diff --git a/mep/mepagent/pkg/service/request.go b/mep/mepagent/pkg/service/request.go new file mode 100644 index 0000000..1d40c40 --- /dev/null +++ b/mep/mepagent/pkg/service/request.go 
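Review bot: `if sslMode == "0"` treats an unset `APP_SSL_MODE` as HTTPS, which contradicts the README's "By default app run in normal mode", and the same decision is repeated in DoPost in request.go, so the URL scheme and the transport can disagree if one of them is changed. Centralise it in one helper, e.g. `func sslEnabled() bool { return os.Getenv("APP_SSL_MODE") != "0" }` in this package, and document the default it implements. `log.Println("Register url is" + url)` is missing a space before the URL: `log.Println("Register url is " + url)`. SvcReg continues past the end of this hunk.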
@@ -0,0 +1,158 @@
+/*
+ * Copyright 2020 Huawei Technologies Co., Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package service
+
+import (
+ "crypto/tls"
+ "crypto/x509"
+ "errors"
+ "io/ioutil"
+ "log"
+ "net/http"
+ "os"
+ "strconv"
+ "strings"
+)
+
+// const
+var cipherSuiteMap = map[string]uint16{
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+}
+
+// register to mep
+func RegisterToMep(param string, url string) (string, error) {
+ response, errPost := DoPost(param, url)
+ if errPost != nil {
+ log.Println("Failed to send request")
+ return "", errPost
+ }
+ defer response.Body.Close()
+
+ if response.StatusCode != http.StatusCreated {
+ return "", errors.New("request failed, status is " + strconv.Itoa(response.StatusCode))
+ }
+ body, err := ioutil.ReadAll(response.Body)
+ if err != nil {
+ log.Println("Failed to read response")
+ return "", err
+ }
+
+ return string(body), nil
+}
+
+func DoPost(param string, url string) (*http.Response, error) {
+ sslMode := os.Getenv("APP_SSL_MODE")
+
+ //if ssl mode is enabled, then config tls
+ if sslMode == "0" {
+ response, errPost := http.Post(url, "application/json", strings.NewReader(param))
+ if errPost != nil {
+ log.Println("Failed to create http request")
+ return nil, errPost
+ }
+ return response, nil
+ } else {
+ req, errReq := http.NewRequest("POST", url, strings.NewReader(param))
+ if errReq != nil {
+ log.Println("Failed to create https request")
+ return nil, errReq
+ }
+ response, errDo := DoRegister(req)
+ if errDo != nil {
+ log.Println("Failed to post https request %s", errDo)
+ return nil, errDo
+ }
+ return response, nil
+ }
+}
+
+func DoRegister(req *http.Request) (*http.Response, error) {
+ config, err := TlsConfig()
+ if err != nil {
+ log.Println("Failed to config HTTPS")
+ return nil, err
+ }
+
+ trans := &http.Transport{
+ TLSClientConfig: config,
+ }
+
+ client := &http.Client{Transport: trans}
+
+ return client.Do(req)
+}
+
+func TlsConfig() (*tls.Config, error) {
+ caCert, err := ioutil.ReadFile(os.Getenv("SSL_ROOT"))
+ if err != nil {
+ log.Println("Failed to read cert from file")
+ return nil, err
+ }
+
+ CACERT := x509.NewCertPool()
+ CACERT.AppendCertsFromPEM(caCert)
+
+ appconf, err1 := GetAppConf("./conf/app_info.yaml")
+ if err1 != nil {
+ log.Println("Failed to read cipher from file")
+ return nil, err1
+ }
+
+ cipherslist := appconf.SslCipherSuite
+ if cipherslist == "" {
+ log.Println("no cipher provided in conf")
+ return nil, err
+ }
+
+ ciphermap := getcipher(cipherslist)
+ if ciphermap == nil {
+ return nil, err
+ }
+
+ return &tls.Config{
+ RootCAs: CACERT,
+ ServerName: os.Getenv("CA_CERT_DOMAIN_NAME"),
+ CipherSuites: ciphermap,
+ MinVersion: tls.VersionTLS12,
+ }, nil
+}
+
+func getcipher(ciphers string) []uint16 {
+ ciphersmap := make([]uint16, 0)
+ cipherlist := strings.Split(ciphers, ",")
+ for _, ciphername := range cipherlist {
+ ciphernametrim := strings.TrimSpace(ciphername)
+ if len(ciphernametrim) == 0 {
+ continue
+ }
+
+ ciphervalue, ok := cipherSuiteMap[ciphernametrim]
+ if !ok {
+ log.Println("not recommended cipher")
+ return nil
+ }
+ ciphersmap = append(ciphersmap, ciphervalue)
+ }
+
+ if len(ciphersmap) <= 0 {
+ log.Println("no cipher in list")
+ return nil
+ }
+
+ return ciphersmap
+}
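Review bot: TlsConfig returns `nil, err` on the empty-cipher-list and `ciphermap == nil` paths while `err` is nil at that point (the `ReadFile` succeeded), so the caller receives `(nil, nil)`, DoRegister sets `TLSClientConfig: nil`, and the request goes out with Go's default TLS configuration — system roots, no `ServerName` pin, no cipher restriction — instead of failing. The boolean from `CACERT.AppendCertsFromPEM(caCert)` is also ignored, so a file with no parsable certificate yields an empty pool and every handshake fails with an unrelated-looking error. In DoPost the HTTPS branch never sets `Content-Type: application/json` although the HTTP branch does, neither `http.Post` nor the `http.Client` in DoRegister has a timeout, and `log.Println("Failed to post https request %s", errDo)` needs `Printf` for the verb (go vet flags it). The rewrite below makes TlsConfig return a real error on every failure path and checks the PEM parse.
```go
func TlsConfig() (*tls.Config, error) {
	caCert, err := ioutil.ReadFile(os.Getenv("SSL_ROOT"))
	if err != nil {
		log.Println("Failed to read cert from file")
		return nil, err
	}

	CACERT := x509.NewCertPool()
	if !CACERT.AppendCertsFromPEM(caCert) {
		return nil, errors.New("no valid CA certificate found in SSL_ROOT")
	}

	// … unchanged: GetAppConf("./conf/app_info.yaml") and its error check …

	// getcipher already returns nil for an empty list; a nil, nil return here
	// would make DoRegister fall back to the default TLS configuration.
	ciphermap := getcipher(appconf.SslCipherSuite)
	if ciphermap == nil {
		return nil, errors.New("no usable cipher suite configured in conf/app_info.yaml")
	}

	// … unchanged: tls.Config literal with RootCAs, ServerName, CipherSuites, MinVersion …
}
```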
diff --git a/mep/mepagent/pkg/service/util.go b/mep/mepagent/pkg/service/util.go index 49313f4..9cfe217 100644 --- a/mep/mepagent/pkg/service/util.go +++ b/mep/mepagent/pkg/service/util.go @@ -17,11 +17,8 @@ package service import ( - "errors" "gopkg.in/yaml.v2" "io/ioutil" - "net/http" - "strings" "github.com/akraino-edge-stack/ealt-edge/mep/mepagent/pkg/model" ) @@ -42,21 +39,18 @@ func GetConf(path string) (model.AppInstanceInfo, error) { return info, nil } -// register to mep -func RegisterToMep(param string, url string) (string, error) { - response, err := http.Post(url, "application/json", strings.NewReader(param)) +func GetAppConf(FilePath string) (model.AppConf, error) { + var AppInfo model.AppConf + yamlFile, err := ioutil.ReadFile(FilePath) if err != nil { - return "", err + return AppInfo, err } - if response.StatusCode != http.StatusCreated { - return "", errors.New("created failed") - } - defer response.Body.Close() - body, err2 := ioutil.ReadAll(response.Body) - if err2 != nil { - return "", err2 + err1 := yaml.UnmarshalStrict(yamlFile, &AppInfo) + if err1 != nil { + return AppInfo, err } - return string(body), nil + return AppInfo, nil + } diff --git a/mep/mepserver/create_mep_secret.sh b/mep/mepserver/create_mep_secret.sh index 34e0f55..d9500cb 100755 --- a/mep/mepserver/create_mep_secret.sh +++ b/mep/mepserver/create_mep_secret.sh @@ -16,3 +16,4 @@ kubectl create namespace mep kubectl create secret --namespace mep generic mepssl-secret --from-file=server.cer --from-file=server_key.pem --from-file=trust.cer kubectl create secret --namespace mep generic kongssl-secret --from-file=server.cer --from-file=server_key.pem --from-file=trust.cer +kubectl create secret --namespace mep generic mepagentssl_secret --from-file=server.cer --from-file=server_key.pem --from-file=trust.cer diff --git a/mep/mepserver/kong-k8s.yaml b/mep/mepserver/kong-k8s.yaml index 520a83f..c61475f 100644 --- a/mep/mepserver/kong-k8s.yaml +++ b/mep/mepserver/kong-k8s.yaml 
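Review bot: in GetAppConf the `UnmarshalStrict` failure branch returns `err`, the already-nil error from `ioutil.ReadFile`, instead of `err1`, so a malformed app_info.yaml yields a zero `AppConf` and no error; change it to `return AppInfo, err1`. With the current TlsConfig that empty `SslCipherSuite` is then only reported as "no cipher provided in conf", so the real yaml error never surfaces. `FilePath` and `AppInfo` are capitalised like exported names; `filePath`/`appInfo` is the Go convention for parameters and locals. util.go still imports `gopkg.in/yaml.v2` directly while go.mod now marks it `// indirect`; `go mod tidy` will correct that.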
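Review bot: `mepagentssl_secret` contains an underscore, which Kubernetes rejects for a Secret name (RFC 1123 subdomain), and both the mepagent pod spec and the ansible task refer to `mepagentssl-secret`, so this line fails and the name should be `mepagentssl-secret`. The agent only reads `trust.cer` (its `SSL_ROOT` is `/etc/mepagent_ssl/trust.cer`), so creating the secret `--from-file=trust.cer` alone is sufficient and keeps the MEP server's `server.cer` and `server_key.pem` out of the client pod. The same applies to the secret creation in ocd/infra/playbooks/roles/mepagent/tasks/install.yml.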
@@ -71,6 +71,10 @@ spec: value: /dev/stdout - name: KONG_PROXY_ERROR_LOG value: /dev/stderr + #- name: KONG_SSL_CERT + #value: /run/kongssl/server.cer + #- name: KONG_SSL_CERT_KEY + #value: /run/kongssl/server_key.pem ports: - containerPort: 8000 name: proxy @@ -84,14 +88,14 @@ spec: - containerPort: 8444 name: admin-api-ssl protocol: TCP - volumeMounts: - - name: kongssl - mountPath: "/run/kongssl" - readOnly: true - volumes: - - name: kongssl - secret: - secretName: kongssl-secret + #volumeMounts: + #- name: kongssl + #mountPath: "/run/kongssl" + #readOnly: true + #volumes: + #- name: kongssl + #secret: + #secretName: kongssl-secret # kong service @@ -108,9 +112,13 @@ spec: ports: - port: 8000 name: proxy + nodePort: 30010 - port: 8443 name: proxy-ssl + nodePort: 30011 - port: 8001 name: admin-api + nodePort: 30012 - port: 8444 name: admin-api-ssl + nodePort: 30013 diff --git a/mep/mepserver/mep-k8s.yaml b/mep/mepserver/mep-k8s.yaml index 69e8cca..b27b6bf 100755 --- a/mep/mepserver/mep-k8s.yaml +++ b/mep/mepserver/mep-k8s.yaml @@ -35,14 +35,14 @@ spec: value: "/etc/mepssl" - name: MEP_SSL_MODE value: "0" - volumeMounts: - - name: mepssl - mountPath: "/etc/mepssl" - readOnly: true - volumes: - - name: mepssl - secret: - secretName: mepssl-secret + #volumeMounts: + #- name: mepssl + #mountPath: "/etc/mepssl" + #readOnly: true + #volumes: + #- name: mepssl + #secret: + #secretName: mepssl-secret # mep service diff --git a/ocd/infra/playbooks/roles/mepagent/files/deploy/mepagent.yaml b/ocd/infra/playbooks/roles/mepagent/files/deploy/mepagent.yaml new file mode 100755 index 0000000..a8df546 --- /dev/null +++ b/ocd/infra/playbooks/roles/mepagent/files/deploy/mepagent.yaml 
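Review bot: `nodePort: 30012` and `nodePort: 30013` publish Kong's admin API on every cluster node, and the admin API carries no authentication of its own, so anyone who can reach a node port can rewrite services and routes (the new kongconfig.sh drives exactly this endpoint). Keep the `admin-api`/`admin-api-ssl` ports ClusterIP-only and run the configuration script from inside the cluster or through `kubectl port-forward`, leaving only `proxy`/`proxy-ssl` as NodePorts. With the `kongssl` volume and the `KONG_SSL_CERT*` variables commented out, the proxy-ssl port presumably serves Kong's default certificate, which the agent's `trust.cer`-pinned TlsConfig would not accept; a comment beside the commented block saying when it must be re-enabled would help. The same hunks are repeated in ocd/infra/playbooks/roles/mepserver/files/deploy/kong-k8s.yaml.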
@@ -0,0 +1,46 @@ +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +# mep pod +--- +apiVersion: v1 +kind: Pod +metadata: + name: mepagent + namespace: mep + labels: + app: mepagent +spec: + containers: + - image: ealtedge/mepagent:latest + imagePullPolicy: Always + name: mepagent-pod + env: + - name: CA_CERT_DOMAIN_NAME + value: "www.ealtedge.org" + - name: SSL_ROOT + value: "/etc/mepagent_ssl/trust.cer" + - name: APP_SSL_MODE + value: "0" + ports: + - containerPort: 80 + #volumeMounts: + #- name: mepagentssl + #mountPath: "/etc/mepagent_ssl" + #readOnly: true + #volumes: + #- name: mepagentssl + #secret: + #secretName: mepagentssl-secret diff --git a/ocd/infra/playbooks/roles/mepagent/tasks/install.yml b/ocd/infra/playbooks/roles/mepagent/tasks/install.yml new file mode 100644 index 0000000..53234a9 --- /dev/null +++ b/ocd/infra/playbooks/roles/mepagent/tasks/install.yml 
@@ -0,0 +1,28 @@ +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +- name: copy deploy folder to mep node to install mepagent + copy: + src: deploy + dest: /tmp/mepagent/ + +- name: Create mepagent-secret + shell: +# yamllint disable rule:line-length + cmd: kubectl create secret --namespace mep generic mepagentssl-secret --from-file=/tmp/mepserver/deploy/server.cer --from-file=/tmp/mepserver/deploy/server_key.pem --from-file=/tmp/mepserver/deploy/trust.cer + +- name: Apply mepagent service + shell: + cmd: kubectl apply -f /tmp/mepagent/deploy/mepagent.yaml diff --git a/ocd/infra/playbooks/roles/mepagent/tasks/main.yml b/ocd/infra/playbooks/roles/mepagent/tasks/main.yml new file mode 100644 index 0000000..fc34c0a --- /dev/null +++ b/ocd/infra/playbooks/roles/mepagent/tasks/main.yml 
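Review bot: the `Create mepagent-secret` task reads `/tmp/mepserver/deploy/server.cer`, `server_key.pem` and `trust.cer`, but this same commit deletes those three files from `ocd/infra/playbooks/roles/mepserver/files/deploy`, so unless the mepserver role now produces them some other way (not visible in this diff) the task fails on a fresh install. The agent only needs the trust anchor, so `cmd: kubectl create secret --namespace mep generic mepagentssl-secret --from-file=/tmp/mepserver/deploy/trust.cer` is sufficient and keeps the server's private key out of the client pod. The task also depends on the mepserver role having run first; a comment stating that ordering requirement would save the next reader a failed run.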
@@ -0,0 +1,17 @@ +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +- include: "install.yml" + when: operation == 'install' diff --git a/ocd/infra/playbooks/roles/mepagent/tasks/uninstall.yml b/ocd/infra/playbooks/roles/mepagent/tasks/uninstall.yml new file mode 100644 index 0000000..4a95461 --- /dev/null +++ b/ocd/infra/playbooks/roles/mepagent/tasks/uninstall.yml @@ -0,0 +1,29 @@ +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +- name: Uninstalling mepagent + shell: + cmd: echo "Reseting the mepagent" + +- name: Remove the Deployment of mepagent + shell: + cmd: kubectl delete namespace mep + ignore_errors: 'True' + + +- name: Remove the Deployment of mepserver + shell: + cmd: kubectl delete -f /tmp/mepagent/deploy + ignore_errors: 'True' 
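Review bot: `kubectl delete namespace mep` removes the whole `mep` namespace, including the mepserver and Kong pods installed by the other role, not just the agent, and the following task named `Remove the Deployment of mepserver` actually runs `kubectl delete -f /tmp/mepagent/deploy` after the namespace is already gone. Delete only what this role created, `cmd: kubectl delete -f /tmp/mepagent/deploy/mepagent.yaml`, drop the namespace deletion (or leave it to the mepserver role), and rename the task to match. `ignore_errors: 'True'` is a quoted string; Ansible's documented form is the boolean `ignore_errors: true`.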
diff --git a/ocd/infra/playbooks/roles/mepserver/files/deploy/kong-k8s.yaml b/ocd/infra/playbooks/roles/mepserver/files/deploy/kong-k8s.yaml index 520a83f..c61475f 100644 --- a/ocd/infra/playbooks/roles/mepserver/files/deploy/kong-k8s.yaml +++ b/ocd/infra/playbooks/roles/mepserver/files/deploy/kong-k8s.yaml @@ -71,6 +71,10 @@ spec: value: /dev/stdout - name: KONG_PROXY_ERROR_LOG value: /dev/stderr + #- name: KONG_SSL_CERT + #value: /run/kongssl/server.cer + #- name: KONG_SSL_CERT_KEY + #value: /run/kongssl/server_key.pem ports: - containerPort: 8000 name: proxy @@ -84,14 +88,14 @@ spec: - containerPort: 8444 name: admin-api-ssl protocol: TCP - volumeMounts: - - name: kongssl - mountPath: "/run/kongssl" - readOnly: true - volumes: - - name: kongssl - secret: - secretName: kongssl-secret + #volumeMounts: + #- name: kongssl + #mountPath: "/run/kongssl" + #readOnly: true + #volumes: + #- name: kongssl + #secret: + #secretName: kongssl-secret # kong service @@ -108,9 +112,13 @@ spec: ports: - port: 8000 name: proxy + nodePort: 30010 - port: 8443 name: proxy-ssl + nodePort: 30011 - port: 8001 name: admin-api + nodePort: 30012 - port: 8444 name: admin-api-ssl + nodePort: 30013 diff --git a/ocd/infra/playbooks/roles/mepserver/files/deploy/kongconfig.sh b/ocd/infra/playbooks/roles/mepserver/files/deploy/kongconfig.sh new file mode 100755 index 0000000..ea6f79d --- /dev/null +++ b/ocd/infra/playbooks/roles/mepserver/files/deploy/kongconfig.sh 
@@ -0,0 +1,22 @@ +#!/bin/bash +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Command to update Kong + + +curl --location --request DELETE 'http://159.138.22.15:30012/routes/mp1' +curl --location --request DELETE 'http://159.138.22.15:30012/services/http-mp1' +curl --location --request POST 'http://159.138.22.15:30012/services' --header 'Content-Type: application/json' --data '{"url": "https://mep-service:8088","name": "http-mp1"}' +curl --location --request POST 'http://159.138.22.15:30012/services/http-mp1/routes' --header 'Content-Type: application/json' --data '{"paths": ["/mp1"], "name": "mp1"}' diff --git a/ocd/infra/playbooks/roles/mepserver/files/deploy/mep-k8s.yaml b/ocd/infra/playbooks/roles/mepserver/files/deploy/mep-k8s.yaml index 69e8cca..b27b6bf 100755 --- a/ocd/infra/playbooks/roles/mepserver/files/deploy/mep-k8s.yaml +++ b/ocd/infra/playbooks/roles/mepserver/files/deploy/mep-k8s.yaml @@ -35,14 +35,14 @@ spec: value: "/etc/mepssl" - name: MEP_SSL_MODE value: "0" - volumeMounts: - - name: mepssl - mountPath: "/etc/mepssl" - readOnly: true - volumes: - - name: mepssl - secret: - secretName: mepssl-secret + #volumeMounts: + #- name: mepssl + #mountPath: "/etc/mepssl" + #readOnly: true + #volumes: + #- name: mepssl + #secret: + #secretName: mepssl-secret # mep service 
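Review bot: the four `curl` calls hard-code the admin endpoint `http://159.138.22.15:30012`, a specific public address reached over plain HTTP, into a script shipped with the playbook. Take it from a variable with a placeholder default, `KONG_ADMIN="${KONG_ADMIN:-http://<kong-admin-host>:30012}"`, and prefer the in-cluster admin service address since the script runs on the MEP node. Add `set -e` and `curl -fsS` so a failed POST stops the script instead of being ignored; the two DELETE calls legitimately fail on a first run and would then need `|| true`.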
diff --git a/ocd/infra/playbooks/roles/mepserver/files/deploy/server.cer b/ocd/infra/playbooks/roles/mepserver/files/deploy/server.cer deleted file mode 100644 index 02157e1..0000000 --- a/ocd/infra/playbooks/roles/mepserver/files/deploy/server.cer +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDBjCCAe4CCQCfViZd0MNOEDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB -VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 -cyBQdHkgTHRkMB4XDTIwMDUwOTE1MDczNFoXDTMwMDUwNzE1MDczNFowRTELMAkG -A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0 -IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -APAyHQYv9OUkzXF/jcSl24MxmzY8FGrTAv1HsY1I0IH/vzeig60CGAyvi/Za/rWq -6vh2lR4mSHRJ7aB6gNrvhj/IHrJFtt6HDhIoG6WiJ0xZRjnkvYdgye2/Jc6ydJjQ -F4nz17BbvyzkxdZtnd5aHhM5Fbkd/R5DPNyaNnCetUUehMH7I0vAew//kIu2PfQJ -stvOzgdAtBuPz/D6Cq7EljkX+6ROZggDi2NRFKzMp2moajKdvPQFs1WTKg1at/+k -zFAcAi68DxyxhdPEFpKU3uepccbh332cJ1/x1bVHlUSVwH9SNi8to9nLG/NrL2UY -wrX/ZzrYL7IUHqu7zlVpUN8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA42ECvTd3 -ZsL5a1x5HKQiIuvjKYI6pfsU67vB3e+IiXC8KqYVTWLIWILUXDXYrmO68vQ4+ewz -GKTPmL50x7y6EurX5qYJ/Znj4frBOkFIRlT17rwz+HDx/ZdaLmh4D3q0jkfsjSqi -eEh2kHfiJMLEWwPLcTfTdqtnjITvPIVydj+T+ocCvgfXsriJq4TwXl8panJiQAS2 -15gs3aRtb6PEr8jvt+a1WfnBtpFscelr7BTGpQZvGPbIFx0Xw1O106dMbi1nxG5B -xsWL8JAb5qlbxW+jQdSuz+O2vF/CGeGZLUqvJjHx+Ud6OBoBMBmf9tEprQxJeCRD -OhHC7N5cztTIdQ== ------END CERTIFICATE----- diff --git a/ocd/infra/playbooks/roles/mepserver/files/deploy/server_key.pem b/ocd/infra/playbooks/roles/mepserver/files/deploy/server_key.pem deleted file mode 100644 index 637bffa..0000000 --- a/ocd/infra/playbooks/roles/mepserver/files/deploy/server_key.pem +++ /dev/null 
@@ -1,30 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,C02B29671A16FE3F
-
-oj2/2Q763tk6b6+A0H16+G7CEjnx6uWlKbf6N2GzcvQnJBd7n39Q2aImVM8syNCO
-2wyNL5LH/FZt8qBOAFMIX8wba+VRbDAZrVK3mVNLjHf5K2Pb4kQdvzwunGC9vjR3
-C4w8sVvs2Lo+zU3f/TpWNrN8B4AVx0jn+yPmyzMgJ+TgpvBOsinSWC96UBNOeabf
-ShwFtO7wrFDWjmgtBWlWYUn4DogFiahIfw/CVMzvsSAtpB03Ajb5boEWLtkfly+s
-EfajYn42/YeG5/ibzb7aQ5Ld/U5RFX36s4O3J3FGnHhsGIWNn0NUM4NfPBiKD9r8
-Wy9muK9n1MsaUPbn2Dn8tWjSZGVeNjeVCLQaEoIYRin8zhDlpco3fE2F+cKWOTce
-VV8ejCikB+bQeFnQCAeT0RNNhXgeRwSTotLKjmGYB2PiWsBdiBy1XM3Icw5nc6MF
-jx6zCN5VeQ0k2ZOkoNUn95C/3d6JfyGTOAbzRvfJAoLS1ZguwZFL3Ki27Q/pdkdl
-HAjJbS/l4CRXftn2IHSTS7OBtbnKeD0Ui19Iq50SLQEFfobKxdquio0vxIQCovkp
-ouiUH/93yETLyIkc1enYnwqpEnoEgYV+aQRbdVUMajNWDcsemI9sdHQR9xueAokU
-ksNK4+YejmcW3+DZva+haTaeG73RKRVVuVSczeQs5mEaCl4sKJANR/flfcZFtBBD
-LSj82oa8lc72c7a3w5P8qZIui91jEIjpnZPstUGv8Pc1MqnSMu4oyehYF1tkOVfR
-LdxZhzRGyYjkU1ki6GvRQ5+hd6cPV8AP46dxYyk5/tmdnY+cAMs+VpP4eK9CR6LD
-FkjwkHRxpSIvY2useQWCszCaEgIl6KwysWTPH4mAztH028/2jw1GgAe5xlBBYHlE
-uHbBP6h8VNLGWV1TADXpERYnudGAf3RA7/PU7JzeEebCVWuV21DhaU0KU8gNx+tO
-J/LHn95BtVEsuweeUyJh2G35sas50RxBi5UXy8MfG50QteUa7RPyGCkoxyo3wyts
-O2FKsPLpUsqKD73XL1BB1hiBeylB41r9zrQAK845V2M8lhWSe0yI96LDkphaDHWs
-G8C9q9zR5+aNdJK4tgDYA1MkIArmMDKoknQkJFGn1QbVnYTIXQZNIyfalhriW/0Z
-GPqPIeX8ejUU1Ev0s+0sTp/yVMMZzCInUQCcPMcFS7QDL3K3IsMw/2ucpp5thPSE
-IehioQf8gnDqaDD8qaOjAoZ+F5hthysAv7lDQEX/d/wr28g1PBZr5p78x4x5T3uE
-uLaGFmxIC1UdcKeOkCxUGXahqjaHuFeJI1eL8KHKi/b57Co1dHlfqx3pQJi74TlF
-AwkqC5s2VBa2fCXy7gfcE5wkrD2KpGcaOa37AiSocSMcYnF4RmWiZ2CHnebMuG5s
-hVDqXofamV4E0CpJHq9TRCAdR6qq6rTfQcT73Vmu7FvMXb3cT/F8aXfli2x157zw
-K2Xi2PsbBLDl6zODzZ2/EjShNnwPOTtx0m73kppa/RoW+56AlFG6q/7fH1tDkOqW
-fvVrZlJVFeDNp7sBEuoN+OhCiuKG9VajaQWpeUeCkua0kRzsKRs/oA==
------END RSA PRIVATE KEY-----
diff --git a/ocd/infra/playbooks/roles/mepserver/files/deploy/trust.cer b/ocd/infra/playbooks/roles/mepserver/files/deploy/trust.cer
deleted file mode 100644
index 02157e1..0000000
--- a/ocd/infra/playbooks/roles/mepserver/files/deploy/trust.cer
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDBjCCAe4CCQCfViZd0MNOEDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB
-VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0
-cyBQdHkgTHRkMB4XDTIwMDUwOTE1MDczNFoXDTMwMDUwNzE1MDczNFowRTELMAkG
-A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0
-IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-APAyHQYv9OUkzXF/jcSl24MxmzY8FGrTAv1HsY1I0IH/vzeig60CGAyvi/Za/rWq
-6vh2lR4mSHRJ7aB6gNrvhj/IHrJFtt6HDhIoG6WiJ0xZRjnkvYdgye2/Jc6ydJjQ
-F4nz17BbvyzkxdZtnd5aHhM5Fbkd/R5DPNyaNnCetUUehMH7I0vAew//kIu2PfQJ
-stvOzgdAtBuPz/D6Cq7EljkX+6ROZggDi2NRFKzMp2moajKdvPQFs1WTKg1at/+k
-zFAcAi68DxyxhdPEFpKU3uepccbh332cJ1/x1bVHlUSVwH9SNi8to9nLG/NrL2UY
-wrX/ZzrYL7IUHqu7zlVpUN8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA42ECvTd3
-ZsL5a1x5HKQiIuvjKYI6pfsU67vB3e+IiXC8KqYVTWLIWILUXDXYrmO68vQ4+ewz
-GKTPmL50x7y6EurX5qYJ/Znj4frBOkFIRlT17rwz+HDx/ZdaLmh4D3q0jkfsjSqi
-eEh2kHfiJMLEWwPLcTfTdqtnjITvPIVydj+T+ocCvgfXsriJq4TwXl8panJiQAS2
-15gs3aRtb6PEr8jvt+a1WfnBtpFscelr7BTGpQZvGPbIFx0Xw1O106dMbi1nxG5B
-xsWL8JAb5qlbxW+jQdSuz+O2vF/CGeGZLUqvJjHx+Ud6OBoBMBmf9tEprQxJeCRD
-OhHC7N5cztTIdQ==
------END CERTIFICATE-----
diff --git a/ocd/infra/playbooks/roles/mepserver/tasks/install.yml b/ocd/infra/playbooks/roles/mepserver/tasks/install.yml
index da0ff9e..b739ae2 100644
--- a/ocd/infra/playbooks/roles/mepserver/tasks/install.yml
+++ b/ocd/infra/playbooks/roles/mepserver/tasks/install.yml
@@ -23,6 +23,37 @@ src: deploy dest: /tmp/mepserver/ +- name: Generate Certificates + shell: +# yamllint disable rule:line-length + cmd: openssl genrsa -out ca.key 2048 + chdir: /tmp/mepserver/deploy/ + +- name: Generate Certificate - Step 2 + shell: + cmd: openssl req -new -key ca.key -subj /C=CN/ST=Peking/L=Beijing/O=ealtedge/CN=www.ealtedge.org -out ca.csr + chdir: /tmp/mepserver/deploy/ + +- name: Generate Root Certificate + shell: + cmd: openssl x509 -req -days 365 -in ca.csr -extensions v3_req -signkey ca.key -out trust.cer + chdir: /tmp/mepserver/deploy/ + +- name: Generate TLS certificate and TLS Key + shell: + cmd: openssl genrsa -out server_key.pem 2048 + chdir: /tmp/mepserver/deploy/ + +- name: Generate TLS Certificate and TLS Key + shell: + cmd: openssl req -new -key server_key.pem -subj /C=CN/ST=Beijing/L=Beijing/O=ealtedge/CN=www.ealtedge.org -out tls.csr + chdir: /tmp/mepserver/deploy/ + +- name: Generate TLS Certificate and TLS Key + shell: + cmd: openssl x509 -req -in tls.csr -extensions v3_req -CA trust.cer -CAkey ca.key -CAcreateserial -out server.cer + chdir: /tmp/mepserver/deploy/ + - name: Create mepssl-secret shell: # yamllint disable rule:line-length
@@ -48,3 +79,12 @@
 - name: Apply postgres-k8s.yaml
 shell:
 cmd: kubectl apply -f /tmp/mepserver/deploy/postgres-k8s.yaml
+
+- name: -----Configuring Kong API Gateway-----
+ shell:
+ cmd: sleep 30
+
+- name: Configuring Kong API Gateway
+ shell:
+ cmd: chmod +x kongconfig.sh && ./kongconfig.sh
+ chdir: /tmp/mepserver/deploy/
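Review bot: Both `openssl req` tasks put only a CN (www.ealtedge.org) in the CSR and no subjectAltName, while kongconfig.sh in this same change points Kong at `https://mep-service:8088`, so any client that verifies the server name — Go clients since 1.15 ignore the CN entirely — will reject server.cer once verification is turned on; add `-addext "subjectAltName=DNS:mep-service"` (OpenSSL 1.1.1+) to the server CSR task. The `-extensions v3_req` on both `openssl x509 -req` calls is given without `-extfile`, so whether any extension (including a CA:TRUE constraint for trust.cer) actually lands in the certificates depends on the default openssl.cnf; check the result with `openssl x509 -in server.cer -noout -text` before relying on it. These are `shell` tasks with no `creates:` argument, so every playbook run mints a new CA and silently invalidates any trust.cer already distributed; `creates: /tmp/mepserver/deploy/ca.key` next to `chdir:` on the first task (and the corresponding output file on the others) makes them idempotent. ca.key and server_key.pem are written unencrypted under /tmp/mepserver/deploy/ with whatever mode the umask allows, so once the following Create mepssl-secret task has consumed them a cleanup task should remove the CA key, or better, the CA key should never be generated under /tmp at all.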
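Review bot: `sleep 30` is a fixed guess at when Kong's admin API is up, so on a slow node kongconfig.sh runs against nothing — and, because its curl calls do not `--fail`, the task still reports ok — while on a fast node the play waits longer than needed. Replace the sleep with a polled readiness check using a `uri` task with `until`/`retries`/`delay` against the admin `/status` endpoint, as below; the host and port there are placeholders to be set from inventory, matching whatever kongconfig.sh is changed to read. The task name `-----Configuring Kong API Gateway-----` also reads as a separator rather than a task; once it is a real wait task, name it for what it does.
```yaml
# … unchanged: Apply postgres-k8s.yaml task …

- name: Wait for Kong admin API
  uri:
    url: "http://{{ kong_admin_host }}:{{ kong_admin_port }}/status"   # placeholders: set from inventory
  register: kong_admin
  until: kong_admin.status == 200
  retries: 12
  delay: 5

# … unchanged: Configuring Kong API Gateway task (chmod +x kongconfig.sh && ./kongconfig.sh) …
```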