Added HTTPS support 96/12896/4
authorjkraitbewr <joshua.kraitberg@windriver.com>
Thu, 9 May 2024 19:36:57 +0000 (15:36 -0400)
committerjkraitbewr <joshua.kraitberg@windriver.com>
Fri, 17 May 2024 15:27:03 +0000 (11:27 -0400)
On StarlingX, OpenStack now uses HTTPS by default, so support for it
must be added.

Also, in the Helm chart, values have been added to allow mounting
the host cert in the watcher pod.  The mounted cert is then used to
verify the SSL certificate of the STX and DCMANAGER clients.

TEST PLAN
PASS: Run compliance and quality robot tests, with mock SMO
* With HTTPS enabled
* Use cert mounting values
* Deploy oran-o2 application on StarlingX system controller (stx9)
PASS: Run compliance and quality robot tests, with mock SMO
* Without HTTPS enabled
* Deploy oran-o2 application on StarlingX system controller (stx9)

Issue-ID: INF-461
Signed-off-by: jkraitbewr <joshua.kraitberg@windriver.com>
Change-Id: Icdd1bae303bfe29c27570c310b32d80a9f56709c

charts/templates/deployment.yaml
charts/values.yaml
docker-compose.yml
o2common/config/config.py
o2ims/adapter/clients/ocloud_client.py
requirements-stx.txt

index 72e3580..a1e4582 100644 (file)
@@ -124,6 +124,12 @@ spec:
               value: "1"
             - name: REDIS_HOST
               value: localhost
+            {{- if default false .Values.o2ims.useHostCert }}
+            - name: REQUESTS_CA_BUNDLE
+              value: /etc/ssl/custom-cert.pem
+            {{- end }}
+            - name: CGTS_INSECURE_SSL
+              value: {{ ternary "1" "0" (default false .Values.o2ims.cgtsInsecureSSL) | quote }}
           volumeMounts:
             - name: scripts
               mountPath: /opt
@@ -131,6 +137,11 @@ spec:
               mountPath: /configs/o2app.conf
               subPath: config.json
               readOnly: true
+            {{- if default false .Values.o2ims.useHostCert }}
+            - name: ca-certs
+              mountPath: /etc/ssl/custom-cert.pem
+              readOnly: true
+            {{- end }}
         - name: o2api
           image: "{{ .Values.o2ims.images.tags.o2service }}"
           ports:
@@ -219,4 +230,10 @@ spec:
         - name: db-pv
           persistentVolumeClaim:
             claimName: {{ .Chart.Name }}-db-pv
+        {{- if default false .Values.o2ims.useHostCert }}
+        - name: ca-certs
+          hostPath:
+            path: {{ .Values.o2ims.hostCertPath | quote }}
+            type: File
+        {{- end }}
 ---
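Review bot: `REQUESTS_CA_BUNDLE` in the first hunk is process-wide for the `requests` library, so once `useHostCert` is enabled every HTTPS call this container makes — not only the cgts/fm/dcmanager clients — is verified against `/etc/ssl/custom-cert.pem` alone; if `hostCertPath` points at a single CA rather than a full bundle, calls to other endpoints (the SMO, for instance) will fail verification. That scope should be stated next to `useHostCert` in values.yaml, e.g. `# Exported as REQUESTS_CA_BUNDLE: replaces the default CA store for all requests-based calls, so the file must be a complete PEM bundle.` The env entries and the mount are added to the container preceding `o2api`; whether `o2api` receives the same entries cannot be seen from the hunks.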
index 0ab6f73..8b6c01f 100644 (file)
@@ -1,4 +1,5 @@
-# Copyright (C) 2021-2023 Wind River Systems, Inc.
+---
+# Copyright (C) 2021-2024 Wind River Systems, Inc.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -60,6 +61,14 @@ o2ims:
     pullPolicy: IfNotPresent
   logginglevel: "WARNING"
 
+  # Mount certs from host system.
+  # Normally required to use CGTS client with SSL.
+  useHostCert: false
+  hostCertPath: /etc/ssl/certs/ca-certificates.crt
+
+  # Skip SSL verification when using CGTS client.
+  cgtsInsecureSSL: false
+
 o2dms:
   helm_cli_enable: false
 
index a3bf256..3d5b5e8 100644 (file)
@@ -20,6 +20,7 @@ services:
       - OS_USERNAME=${OS_USERNAME}
       - OS_PASSWORD=${OS_PASSWORD}
       - LOGGING_CONFIG_LEVEL=DEBUG
+      - CGTS_INSECURE_SSL=1
     volumes:
       - ./configs:/configs
       - ./o2ims:/o2ims
@@ -67,6 +68,7 @@ services:
       - OS_PASSWORD=${OS_PASSWORD}
       - LOGGING_CONFIG_LEVEL=DEBUG
       - HELM_USER_PASSWD=St8rlingX*
+      - CGTS_INSECURE_SSL=1
     volumes:
       - ./configs:/configs
       - ./share:/share
@@ -99,6 +101,7 @@ services:
       - OS_USERNAME=${OS_USERNAME}
       - OS_PASSWORD=${OS_PASSWORD}
       - LOGGING_CONFIG_LEVEL=DEBUG
+      - CGTS_INSECURE_SSL=1
     volumes:
       - ./configs:/configs
       - ./o2ims:/o2ims
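Review bot: `CGTS_INSECURE_SSL=1` is hard-coded in all three services, while the neighbouring `OS_USERNAME`/`OS_PASSWORD` entries are taken from the environment; `- CGTS_INSECURE_SSL=${CGTS_INSECURE_SSL:-1}` would keep the development default yet let a run against a properly certificated controller verify TLS without editing the file. The same applies to the second and third hunks.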
index 61c8c69..06c3b56 100644 (file)
@@ -22,8 +22,11 @@ from o2common.helper import o2logging
 logger = o2logging.get_logger(__name__)
 
 
-_DEFAULT_DCMANAGER_URL = "http://192.168.204.1:8119/v1.0"
+CGTS_INSECURE_SSL = os.environ.get("CGTS_INSECURE_SSL", "0") == "1"
+
 _DEFAULT_STX_URL = "http://192.168.204.1:5000/v3"
+_DCMANAGER_URL_PORT = os.environ.get("DCMANAGER_API_PORT", "8119")
+_DCMANAGER_URL_PATH = os.environ.get("DCMANAGER_API_PATH", "/v1.0")
 
 
 def get_config_path():
@@ -60,6 +63,26 @@ def get_api_url():
     return f"https://{host}:{port}"
 
 
+def get_stx_url():
+    try:
+        return get_stx_client_args()["auth_url"]
+    except KeyError:
+        logger.error('Please source your RC file before execution, '
+                     'e.g.: `source ~/downloads/admin-rc.sh`')
+        sys.exit(1)
+
+
+def get_dc_manager_url():
+    auth_url = os.environ.get("DCMANAGER_OS_AUTH_URL", None)
+    if auth_url is None:
+        temp_url = get_stx_url()
+        u = urlparse(temp_url)
+        u = u._replace(netloc=f"{u.hostname}:{_DCMANAGER_URL_PORT}")
+        u = u._replace(path=_DCMANAGER_URL_PATH)
+        auth_url = u.geturl()
+    return auth_url
+
+
 def get_root_api_base():
     return "/"
 
@@ -129,17 +152,7 @@ def is_ipv6(address):
 
 def get_stx_access_info(region_name="RegionOne", subcloud_hostname: str = "",
                         sub_is_https: bool = False):
-    # authurl = os.environ.get("STX_AUTH_URL", "http://192.168.204.1:5000/v3")
-    # username = os.environ.get("STX_USERNAME", "admin")
-    # pswd = os.environ.get("STX_PASSWORD", "passwd1")
-    # stx_access_info = (authurl, username, pswd)
     try:
-        # client_args = dict(
-        #     auth_url=os.environ.get('OS_AUTH_URL', _DEFAULT_STX_URL),
-        #     username=os.environ.get('OS_USERNAME', "admin"),
-        #     api_key=os.environ.get('OS_PASSWORD', "fakepasswd1"),
-        #     project_name=os.environ.get('OS_PROJECT_NAME', "admin"),
-        # )
         client_args = get_stx_client_args()
     except KeyError:
         logger.error('Please source your RC file before execution, '
@@ -152,7 +165,7 @@ def get_stx_access_info(region_name="RegionOne", subcloud_hostname: str = "",
     if "" != subcloud_hostname:
         if is_ipv6(subcloud_hostname):
             subcloud_hostname = "[" + subcloud_hostname + "]"
-        orig_auth_url = urlparse(_DEFAULT_STX_URL)
+        orig_auth_url = urlparse(get_stx_url())
         new_auth_url = orig_auth_url._replace(
             netloc=orig_auth_url.netloc.replace(
                 orig_auth_url.hostname, subcloud_hostname))
@@ -163,7 +176,7 @@ def get_stx_access_info(region_name="RegionOne", subcloud_hostname: str = "",
             new_auth_url = new_auth_url._replace(
                 scheme=new_auth_url.scheme.
                 replace(new_auth_url.scheme, 'https'))
-            os_client_args['insecure'] = True
+            os_client_args['insecure'] = CGTS_INSECURE_SSL
         os_client_args['os_auth_url'] = new_auth_url.geturl()
         os_client_args['os_endpoint_type'] = 'public'
     # os_client_args['system_url'] = os_client_args['os_auth_url']
@@ -177,12 +190,6 @@ def get_stx_access_info(region_name="RegionOne", subcloud_hostname: str = "",
 
 def get_dc_access_info():
     try:
-        # client_args = dict(
-        #     auth_url=os.environ.get('OS_AUTH_URL', _DEFAULT_STX_URL),
-        #     username=os.environ.get('OS_USERNAME', "admin"),
-        #     api_key=os.environ.get('OS_PASSWORD', "fakepasswd1"),
-        #     project_name=os.environ.get('OS_PROJECT_NAME', "admin"),
-        # )
         client_args = get_stx_client_args()
     except KeyError:
         logger.error('Please source your RC file before execution, '
@@ -195,7 +202,7 @@ def get_dc_access_info():
     auth_url = urlparse(os_client_args.pop('os_auth_url'))
     hostname = f"[{auth_url.hostname}]" if is_ipv6(auth_url.hostname) \
         else auth_url.hostname
-    dcmanager_url = urlparse(_DEFAULT_DCMANAGER_URL)
+    dcmanager_url = urlparse(get_dc_manager_url())
     dcmanager_url = dcmanager_url._replace(netloc=dcmanager_url.netloc.replace(
         dcmanager_url.hostname, hostname))
 
@@ -213,12 +220,6 @@ def get_dc_access_info():
 def get_fm_access_info(subcloud_hostname: str = "",
                        sub_is_https: bool = False):
     try:
-        # client_args = dict(
-        #     auth_url=os.environ.get('OS_AUTH_URL', _DEFAULT_STX_URL),
-        #     username=os.environ.get('OS_USERNAME', "admin"),
-        #     api_key=os.environ.get('OS_PASSWORD', "fakepasswd1"),
-        #     project_name=os.environ.get('OS_PROJECT_NAME', "admin"),
-        # )
         client_args = get_stx_client_args()
     except KeyError:
         logger.error('Please source your RC file before execution, '
@@ -235,7 +236,7 @@ def get_fm_access_info(subcloud_hostname: str = "",
     if "" != subcloud_hostname:
         subcloud_hostname = f"[{subcloud_hostname}]" if \
             is_ipv6(subcloud_hostname) else subcloud_hostname
-        orig_auth_url = urlparse(_DEFAULT_STX_URL)
+        orig_auth_url = urlparse(get_stx_url())
         new_auth_url = orig_auth_url._replace(
             netloc=orig_auth_url.netloc.replace(
                 orig_auth_url.hostname, subcloud_hostname))
@@ -246,7 +247,7 @@ def get_fm_access_info(subcloud_hostname: str = "",
         os_client_args['auth_url'] = new_auth_url.geturl()
         os_client_args['endpoint_type'] = 'publicURL'
 
-    os_client_args['insecure'] = True
+    os_client_args['insecure'] = CGTS_INSECURE_SSL
 
     os_client_args['username'] = os_client_args.pop('os_username')
     os_client_args['password'] = os_client_args.pop('os_api_key')
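Review bot: `get_dc_manager_url` (hunk `@@ -60,6 +63,26 @@`) builds the new netloc from `u.hostname`, which returns an IPv6 literal without its brackets, so an auth URL with a bracketed IPv6 host (illustrative: `https://[fd00::1]:5000/v3`) yields the netloc `fd00::1:8119`, and the later `urlparse` in `get_dc_access_info` then misreads host and port; the file's own `is_ipv6` helper already handles this in `get_dc_access_info` and `get_fm_access_info`. Suggest `host = f"[{u.hostname}]" if is_ipv6(u.hostname) else u.hostname` followed by `u = u._replace(netloc=f"{host}:{_DCMANAGER_URL_PORT}", path=_DCMANAGER_URL_PATH)`. `get_stx_url` relies on `sys` and `urlparse` whose imports are outside the hunk, and `_DEFAULT_STX_URL` is no longer used as a fallback anywhere visible, so it may now be dead. A one-line docstring on each new function, stating that the dcmanager URL is derived from the Keystone auth URL unless `DCMANAGER_OS_AUTH_URL` is set, would help the next reader.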
index 4e8430f..5a7b3fb 100644 (file)
@@ -301,7 +301,7 @@ class StxClientImp(object):
                 subcloud_stxclient = self.getSubcloudClient(
                     subcloud.subcloud_id)
                 systems = subcloud_stxclient.isystem.list()
-                logger.debug('systems:' + str(systems[0].to_dict()))
+                logger.debug('subcloud system:' + str(systems[0].to_dict()))
                 pools.append(systems[0])
             except Exception as ex:
                 logger.warning('Failed get cgstclient of subcloud %s: %s' %
index 88effb5..d057d79 100644 (file)
@@ -2,6 +2,6 @@
 # -e git+https://opendev.org/starlingx/config.git@master#egg=cgtsclient&subdirectory=sysinv/cgts-client/cgts-client
 # -e git+https://opendev.org/starlingx/fault.git@master#egg=fmclient&subdirectory=python-fmclient/fmclient
 
--e git+https://opendev.org/starlingx/distcloud-client.git@eb4e7eeeb09bdf2e1b80984b378c5a8ea9930f04#egg=distributedcloud-client&subdirectory=distributedcloud-client
+-e git+https://opendev.org/starlingx/distcloud-client.git@b4a8ec19dc6078952a3762d7eee8d426d520a1f0#egg=distributedcloud-client&subdirectory=distributedcloud-client
 -e git+https://opendev.org/starlingx/config.git@r/stx.7.0#egg=cgtsclient&subdirectory=sysinv/cgts-client/cgts-client
 -e git+https://opendev.org/starlingx/fault.git@r/stx.7.0#egg=fmclient&subdirectory=python-fmclient/fmclient