From b747fd2db81a059a8fa8e3acb23ca2c5980fc93b Mon Sep 17 00:00:00 2001 From: abhijit_onap Date: Wed, 22 Jul 2020 02:02:33 +0530 Subject: [PATCH] Ansible-playbook files for SSL Support To support complete automation of SSL support in MEP Node Added scripts to generate Certificates. Added new yaml files for MEP Server, MEP Agent and Kong Signed-off-by: abhijit_onap Change-Id: I79900523e3594a03148e953b2008be70e8aef709 --- .../roles/mepagent/files/deploy/mepagent.yaml | 46 ++++++++++++++++++++++ .../playbooks/roles/mepagent/tasks/install.yml | 28 +++++++++++++ ocd/infra/playbooks/roles/mepagent/tasks/main.yml | 17 ++++++++ .../playbooks/roles/mepagent/tasks/uninstall.yml | 29 ++++++++++++++ .../roles/mepserver/files/deploy/kong-k8s.yaml | 24 +++++++---- .../roles/mepserver/files/deploy/kongconfig.sh | 22 +++++++++++ .../roles/mepserver/files/deploy/mep-k8s.yaml | 16 ++++---- .../roles/mepserver/files/deploy/server.cer | 19 --------- .../roles/mepserver/files/deploy/server_key.pem | 30 -------------- .../roles/mepserver/files/deploy/trust.cer | 19 --------- .../playbooks/roles/mepserver/tasks/install.yml | 40 +++++++++++++++++++ 11 files changed, 206 insertions(+), 84 deletions(-) create mode 100755 ocd/infra/playbooks/roles/mepagent/files/deploy/mepagent.yaml create mode 100644 ocd/infra/playbooks/roles/mepagent/tasks/install.yml create mode 100644 ocd/infra/playbooks/roles/mepagent/tasks/main.yml create mode 100644 ocd/infra/playbooks/roles/mepagent/tasks/uninstall.yml create mode 100755 ocd/infra/playbooks/roles/mepserver/files/deploy/kongconfig.sh delete mode 100644 ocd/infra/playbooks/roles/mepserver/files/deploy/server.cer delete mode 100644 ocd/infra/playbooks/roles/mepserver/files/deploy/server_key.pem delete mode 100644 ocd/infra/playbooks/roles/mepserver/files/deploy/trust.cer diff --git a/ocd/infra/playbooks/roles/mepagent/files/deploy/mepagent.yaml b/ocd/infra/playbooks/roles/mepagent/files/deploy/mepagent.yaml new file mode 100755 index 0000000..a8df546 --- /dev/null +++ b/ocd/infra/playbooks/roles/mepagent/files/deploy/mepagent.yaml @@ -0,0 +1,46 @@ +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +# mep pod +--- +apiVersion: v1 +kind: Pod +metadata: + name: mepagent + namespace: mep + labels: + app: mepagent +spec: + containers: + - image: ealtedge/mepagent:latest + imagePullPolicy: Always + name: mepagent-pod + env: + - name: CA_CERT_DOMAIN_NAME + value: "www.ealtedge.org" + - name: SSL_ROOT + value: "/etc/mepagent_ssl/trust.cer" + - name: APP_SSL_MODE + value: "0" + ports: + - containerPort: 80 + #volumeMounts: + #- name: mepagentssl + #mountPath: "/etc/mepagent_ssl" + #readOnly: true + #volumes: + #- name: mepagentssl + #secret: + #secretName: mepagentssl-secret diff --git a/ocd/infra/playbooks/roles/mepagent/tasks/install.yml b/ocd/infra/playbooks/roles/mepagent/tasks/install.yml new file mode 100644 index 0000000..53234a9 --- /dev/null +++ b/ocd/infra/playbooks/roles/mepagent/tasks/install.yml @@ -0,0 +1,28 @@ +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +- name: copy deploy folder to mep node to install mepagent + copy: + src: deploy + dest: /tmp/mepagent/ + +- name: Create mepagent-secret + shell: +# yamllint disable rule:line-length + cmd: kubectl create secret --namespace mep generic mepagentssl-secret --from-file=/tmp/mepserver/deploy/server.cer --from-file=/tmp/mepserver/deploy/server_key.pem --from-file=/tmp/mepserver/deploy/trust.cer + +- name: Apply mepagent service + shell: + cmd: kubectl apply -f /tmp/mepagent/deploy/mepagent.yaml diff --git a/ocd/infra/playbooks/roles/mepagent/tasks/main.yml b/ocd/infra/playbooks/roles/mepagent/tasks/main.yml new file mode 100644 index 0000000..fc34c0a --- /dev/null +++ b/ocd/infra/playbooks/roles/mepagent/tasks/main.yml @@ -0,0 +1,17 @@ +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +- include: "install.yml" + when: operation == 'install' diff --git a/ocd/infra/playbooks/roles/mepagent/tasks/uninstall.yml b/ocd/infra/playbooks/roles/mepagent/tasks/uninstall.yml new file mode 100644 index 0000000..4a95461 --- /dev/null +++ b/ocd/infra/playbooks/roles/mepagent/tasks/uninstall.yml @@ -0,0 +1,29 @@ +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +--- +- name: Uninstalling mepagent + shell: + cmd: echo "Reseting the mepagent" + +- name: Remove the Deployment of mepagent + shell: + cmd: kubectl delete namespace mep + ignore_errors: 'True' + + +- name: Remove the Deployment of mepserver + shell: + cmd: kubectl delete -f /tmp/mepagent/deploy + ignore_errors: 'True' diff --git a/ocd/infra/playbooks/roles/mepserver/files/deploy/kong-k8s.yaml b/ocd/infra/playbooks/roles/mepserver/files/deploy/kong-k8s.yaml index 520a83f..c61475f 100644 --- a/ocd/infra/playbooks/roles/mepserver/files/deploy/kong-k8s.yaml +++ b/ocd/infra/playbooks/roles/mepserver/files/deploy/kong-k8s.yaml @@ -71,6 +71,10 @@ spec: value: /dev/stdout - name: KONG_PROXY_ERROR_LOG value: /dev/stderr + #- name: KONG_SSL_CERT + #value: /run/kongssl/server.cer + #- name: KONG_SSL_CERT_KEY + #value: /run/kongssl/server_key.pem ports: - containerPort: 8000 name: proxy @@ -84,14 +88,14 @@ spec: - containerPort: 8444 name: admin-api-ssl protocol: TCP - volumeMounts: - - name: kongssl - mountPath: "/run/kongssl" - readOnly: true - volumes: - - name: kongssl - secret: - secretName: kongssl-secret + #volumeMounts: + #- name: kongssl + #mountPath: "/run/kongssl" + #readOnly: true + #volumes: + #- name: kongssl + #secret: + #secretName: kongssl-secret # kong service @@ -108,9 +112,13 @@ spec: ports: - port: 8000 name: proxy + nodePort: 30010 - port: 8443 name: proxy-ssl + nodePort: 30011 - port: 8001 name: admin-api + nodePort: 30012 - port: 8444 name: admin-api-ssl + nodePort: 30013 diff --git a/ocd/infra/playbooks/roles/mepserver/files/deploy/kongconfig.sh b/ocd/infra/playbooks/roles/mepserver/files/deploy/kongconfig.sh new file mode 100755 index 0000000..ea6f79d --- /dev/null +++ b/ocd/infra/playbooks/roles/mepserver/files/deploy/kongconfig.sh @@ -0,0 +1,22 @@ +#!/bin/bash +# Copyright 2020 Huawei Technologies Co., Ltd. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Command to update Kong + + +curl --location --request DELETE 'http://159.138.22.15:30012/routes/mp1' +curl --location --request DELETE 'http://159.138.22.15:30012/services/http-mp1' +curl --location --request POST 'http://159.138.22.15:30012/services' --header 'Content-Type: application/json' --data '{"url": "https://mep-service:8088","name": "http-mp1"}' +curl --location --request POST 'http://159.138.22.15:30012/services/http-mp1/routes' --header 'Content-Type: application/json' --data '{"paths": ["/mp1"], "name": "mp1"}' diff --git a/ocd/infra/playbooks/roles/mepserver/files/deploy/mep-k8s.yaml b/ocd/infra/playbooks/roles/mepserver/files/deploy/mep-k8s.yaml index 69e8cca..b27b6bf 100755 --- a/ocd/infra/playbooks/roles/mepserver/files/deploy/mep-k8s.yaml +++ b/ocd/infra/playbooks/roles/mepserver/files/deploy/mep-k8s.yaml @@ -35,14 +35,14 @@ spec: value: "/etc/mepssl" - name: MEP_SSL_MODE value: "0" - volumeMounts: - - name: mepssl - mountPath: "/etc/mepssl" - readOnly: true - volumes: - - name: mepssl - secret: - secretName: mepssl-secret + #volumeMounts: + #- name: mepssl + #mountPath: "/etc/mepssl" + #readOnly: true + #volumes: + #- name: mepssl + #secret: + #secretName: mepssl-secret # mep service diff --git a/ocd/infra/playbooks/roles/mepserver/files/deploy/server.cer b/ocd/infra/playbooks/roles/mepserver/files/deploy/server.cer deleted file mode 100644 index 02157e1..0000000 --- a/ocd/infra/playbooks/roles/mepserver/files/deploy/server.cer +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDBjCCAe4CCQCfViZd0MNOEDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB -VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 -cyBQdHkgTHRkMB4XDTIwMDUwOTE1MDczNFoXDTMwMDUwNzE1MDczNFowRTELMAkG -A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0 -IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -APAyHQYv9OUkzXF/jcSl24MxmzY8FGrTAv1HsY1I0IH/vzeig60CGAyvi/Za/rWq -6vh2lR4mSHRJ7aB6gNrvhj/IHrJFtt6HDhIoG6WiJ0xZRjnkvYdgye2/Jc6ydJjQ -F4nz17BbvyzkxdZtnd5aHhM5Fbkd/R5DPNyaNnCetUUehMH7I0vAew//kIu2PfQJ -stvOzgdAtBuPz/D6Cq7EljkX+6ROZggDi2NRFKzMp2moajKdvPQFs1WTKg1at/+k -zFAcAi68DxyxhdPEFpKU3uepccbh332cJ1/x1bVHlUSVwH9SNi8to9nLG/NrL2UY -wrX/ZzrYL7IUHqu7zlVpUN8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA42ECvTd3 -ZsL5a1x5HKQiIuvjKYI6pfsU67vB3e+IiXC8KqYVTWLIWILUXDXYrmO68vQ4+ewz -GKTPmL50x7y6EurX5qYJ/Znj4frBOkFIRlT17rwz+HDx/ZdaLmh4D3q0jkfsjSqi -eEh2kHfiJMLEWwPLcTfTdqtnjITvPIVydj+T+ocCvgfXsriJq4TwXl8panJiQAS2 -15gs3aRtb6PEr8jvt+a1WfnBtpFscelr7BTGpQZvGPbIFx0Xw1O106dMbi1nxG5B -xsWL8JAb5qlbxW+jQdSuz+O2vF/CGeGZLUqvJjHx+Ud6OBoBMBmf9tEprQxJeCRD -OhHC7N5cztTIdQ== ------END CERTIFICATE----- diff --git a/ocd/infra/playbooks/roles/mepserver/files/deploy/server_key.pem b/ocd/infra/playbooks/roles/mepserver/files/deploy/server_key.pem deleted file mode 100644 index 637bffa..0000000 --- a/ocd/infra/playbooks/roles/mepserver/files/deploy/server_key.pem +++ /dev/null @@ -1,30 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -Proc-Type: 4,ENCRYPTED -DEK-Info: DES-EDE3-CBC,C02B29671A16FE3F - -oj2/2Q763tk6b6+A0H16+G7CEjnx6uWlKbf6N2GzcvQnJBd7n39Q2aImVM8syNCO -2wyNL5LH/FZt8qBOAFMIX8wba+VRbDAZrVK3mVNLjHf5K2Pb4kQdvzwunGC9vjR3 -C4w8sVvs2Lo+zU3f/TpWNrN8B4AVx0jn+yPmyzMgJ+TgpvBOsinSWC96UBNOeabf -ShwFtO7wrFDWjmgtBWlWYUn4DogFiahIfw/CVMzvsSAtpB03Ajb5boEWLtkfly+s -EfajYn42/YeG5/ibzb7aQ5Ld/U5RFX36s4O3J3FGnHhsGIWNn0NUM4NfPBiKD9r8 -Wy9muK9n1MsaUPbn2Dn8tWjSZGVeNjeVCLQaEoIYRin8zhDlpco3fE2F+cKWOTce -VV8ejCikB+bQeFnQCAeT0RNNhXgeRwSTotLKjmGYB2PiWsBdiBy1XM3Icw5nc6MF -jx6zCN5VeQ0k2ZOkoNUn95C/3d6JfyGTOAbzRvfJAoLS1ZguwZFL3Ki27Q/pdkdl -HAjJbS/l4CRXftn2IHSTS7OBtbnKeD0Ui19Iq50SLQEFfobKxdquio0vxIQCovkp -ouiUH/93yETLyIkc1enYnwqpEnoEgYV+aQRbdVUMajNWDcsemI9sdHQR9xueAokU -ksNK4+YejmcW3+DZva+haTaeG73RKRVVuVSczeQs5mEaCl4sKJANR/flfcZFtBBD -LSj82oa8lc72c7a3w5P8qZIui91jEIjpnZPstUGv8Pc1MqnSMu4oyehYF1tkOVfR -LdxZhzRGyYjkU1ki6GvRQ5+hd6cPV8AP46dxYyk5/tmdnY+cAMs+VpP4eK9CR6LD -FkjwkHRxpSIvY2useQWCszCaEgIl6KwysWTPH4mAztH028/2jw1GgAe5xlBBYHlE -uHbBP6h8VNLGWV1TADXpERYnudGAf3RA7/PU7JzeEebCVWuV21DhaU0KU8gNx+tO -J/LHn95BtVEsuweeUyJh2G35sas50RxBi5UXy8MfG50QteUa7RPyGCkoxyo3wyts -O2FKsPLpUsqKD73XL1BB1hiBeylB41r9zrQAK845V2M8lhWSe0yI96LDkphaDHWs -G8C9q9zR5+aNdJK4tgDYA1MkIArmMDKoknQkJFGn1QbVnYTIXQZNIyfalhriW/0Z -GPqPIeX8ejUU1Ev0s+0sTp/yVMMZzCInUQCcPMcFS7QDL3K3IsMw/2ucpp5thPSE -IehioQf8gnDqaDD8qaOjAoZ+F5hthysAv7lDQEX/d/wr28g1PBZr5p78x4x5T3uE -uLaGFmxIC1UdcKeOkCxUGXahqjaHuFeJI1eL8KHKi/b57Co1dHlfqx3pQJi74TlF -AwkqC5s2VBa2fCXy7gfcE5wkrD2KpGcaOa37AiSocSMcYnF4RmWiZ2CHnebMuG5s -hVDqXofamV4E0CpJHq9TRCAdR6qq6rTfQcT73Vmu7FvMXb3cT/F8aXfli2x157zw -K2Xi2PsbBLDl6zODzZ2/EjShNnwPOTtx0m73kppa/RoW+56AlFG6q/7fH1tDkOqW -fvVrZlJVFeDNp7sBEuoN+OhCiuKG9VajaQWpeUeCkua0kRzsKRs/oA== ------END RSA PRIVATE KEY----- diff --git a/ocd/infra/playbooks/roles/mepserver/files/deploy/trust.cer b/ocd/infra/playbooks/roles/mepserver/files/deploy/trust.cer deleted file mode 100644 index 02157e1..0000000 --- a/ocd/infra/playbooks/roles/mepserver/files/deploy/trust.cer +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDBjCCAe4CCQCfViZd0MNOEDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB -VTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 -cyBQdHkgTHRkMB4XDTIwMDUwOTE1MDczNFoXDTMwMDUwNzE1MDczNFowRTELMAkG -A1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0 -IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -APAyHQYv9OUkzXF/jcSl24MxmzY8FGrTAv1HsY1I0IH/vzeig60CGAyvi/Za/rWq -6vh2lR4mSHRJ7aB6gNrvhj/IHrJFtt6HDhIoG6WiJ0xZRjnkvYdgye2/Jc6ydJjQ -F4nz17BbvyzkxdZtnd5aHhM5Fbkd/R5DPNyaNnCetUUehMH7I0vAew//kIu2PfQJ -stvOzgdAtBuPz/D6Cq7EljkX+6ROZggDi2NRFKzMp2moajKdvPQFs1WTKg1at/+k -zFAcAi68DxyxhdPEFpKU3uepccbh332cJ1/x1bVHlUSVwH9SNi8to9nLG/NrL2UY -wrX/ZzrYL7IUHqu7zlVpUN8CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA42ECvTd3 -ZsL5a1x5HKQiIuvjKYI6pfsU67vB3e+IiXC8KqYVTWLIWILUXDXYrmO68vQ4+ewz -GKTPmL50x7y6EurX5qYJ/Znj4frBOkFIRlT17rwz+HDx/ZdaLmh4D3q0jkfsjSqi -eEh2kHfiJMLEWwPLcTfTdqtnjITvPIVydj+T+ocCvgfXsriJq4TwXl8panJiQAS2 -15gs3aRtb6PEr8jvt+a1WfnBtpFscelr7BTGpQZvGPbIFx0Xw1O106dMbi1nxG5B -xsWL8JAb5qlbxW+jQdSuz+O2vF/CGeGZLUqvJjHx+Ud6OBoBMBmf9tEprQxJeCRD -OhHC7N5cztTIdQ== ------END CERTIFICATE----- diff --git a/ocd/infra/playbooks/roles/mepserver/tasks/install.yml b/ocd/infra/playbooks/roles/mepserver/tasks/install.yml index da0ff9e..b739ae2 100644 --- a/ocd/infra/playbooks/roles/mepserver/tasks/install.yml +++ b/ocd/infra/playbooks/roles/mepserver/tasks/install.yml @@ -23,6 +23,37 @@ src: deploy dest: /tmp/mepserver/ +- name: Generate Certificates + shell: +# yamllint disable rule:line-length + cmd: openssl genrsa -out ca.key 2048 + chdir: /tmp/mepserver/deploy/ + +- name: Generate Certificate - Step 2 + shell: + cmd: openssl req -new -key ca.key -subj /C=CN/ST=Peking/L=Beijing/O=ealtedge/CN=www.ealtedge.org -out ca.csr + chdir: /tmp/mepserver/deploy/ + +- name: Generate Root Certificate + shell: + cmd: openssl x509 -req -days 365 -in ca.csr -extensions v3_req -signkey ca.key -out trust.cer + chdir: /tmp/mepserver/deploy/ + +- name: Generate TLS certificate and TLS Key + shell: + cmd: openssl genrsa -out server_key.pem 2048 + chdir: /tmp/mepserver/deploy/ + +- name: Generate TLS Certificate and TLS Key + shell: + cmd: openssl req -new -key server_key.pem -subj /C=CN/ST=Beijing/L=Beijing/O=ealtedge/CN=www.ealtedge.org -out tls.csr + chdir: /tmp/mepserver/deploy/ + +- name: Generate TLS Certificate and TLS Key + shell: + cmd: openssl x509 -req -in tls.csr -extensions v3_req -CA trust.cer -CAkey ca.key -CAcreateserial -out server.cer + chdir: /tmp/mepserver/deploy/ + - name: Create mepssl-secret shell: # yamllint disable rule:line-length @@ -48,3 +79,12 @@ - name: Apply postgres-k8s.yaml shell: cmd: kubectl apply -f /tmp/mepserver/deploy/postgres-k8s.yaml + +- name: -----Configuring Kong API Gateway----- + shell: + cmd: sleep 30 + +- name: Configuring Kong API Gateway + shell: + cmd: chmod +x kongconfig.sh && ./kongconfig.sh + chdir: /tmp/mepserver/deploy/ -- 2.16.6