Support mTLS (Mutual TLS) with O2 API 20/12920/3
author Zhang Rong(Jon) <rong.zhang@windriver.com>
Wed, 22 May 2024 14:44:02 +0000 (22:44 +0800)
committer Jon Zhang <rong.zhang@windriver.com>
Thu, 23 May 2024 10:24:28 +0000 (10:24 +0000)
Since the specification defined that the API should support
mTLS (Mutual TLS), this commit will enable the mTLS support in the O2
IMS API.

Test Plan:
1. Request the O2 API with client key and client cert; the
API works as expected.
2. The O2 API which is configured with the client CA cert can serve
the client requests as expected.

Issue-ID: INF-448

Change-Id: If53fb4fea1dac33968f167b0f40e83d34615faec
Signed-off-by: Zhang Rong(Jon) <rong.zhang@windriver.com>
charts/resources/scripts/init/o2api_start.sh
charts/templates/deployment.yaml

index 4581db5..e790a6f 100644 (file)
 #!/bin/bash
 
 # The gunicorn start with [::] to listen on both IPv4 and IPv6
-gunicorn -b [::]:80 o2app.entrypoints.flask_application:app --certfile /configs/server.crt  --keyfile /configs/server.key
+gunicorn -b [::]:80 o2app.entrypoints.flask_application:app \
+--certfile /configs/server.crt \
+--keyfile /configs/server.key \
+--ca-certs /configs/smoca.crt \
+--cert-reqs 2
 
 sleep infinity
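Review bot: `--cert-reqs 2` on the last added line is a bare numeric constant, and the only comment above the command covers the bind address. Please add a comment stating that 2 is the value of Python's `ssl.CERT_REQUIRED`, so the next editor does not lower it to 1 (optional) or 0 (none) without realising that this disables client authentication. With this setting, any certificate that chains to `/configs/smoca.crt` is accepted; nothing in this hunk restricts which client identities issued by that CA may call the API, so that check, if wanted, has to live in the application. Also note that the script continues to `sleep infinity` after gunicorn: if gunicorn exits because the CA file is missing or unreadable, the container stays up without serving, so consider failing the script when gunicorn returns non-zero.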
index 72e3580..29e387f 100644 (file)
@@ -179,6 +179,9 @@ spec:
               mountPath: /configs/server.key
               subPath: config.json
               readOnly: true
+            - name: smocacrt
+              mountPath: /configs/smoca.crt
+              subPath: config.json
         {{- if .Values.o2dms.helm_cli_enable }}
         - name: helmcli
           image: "{{ .Values.o2ims.images.tags.o2service }}"
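Review bot: the new `smocacrt` mount omits `readOnly: true`, which the `/configs/server.key` mount directly above it sets; the CA bundle that decides which clients are trusted should be mounted read-only as well. Two further points on the same three lines: no `volumes:` entry named `smocacrt` is visible in this diff, so please confirm it is defined elsewhere in the template, otherwise the pod spec is invalid; and because the mount uses `subPath: config.json`, Kubernetes will not propagate updates to the underlying ConfigMap or Secret into the running container, so rotating the client CA requires a pod restart, which is worth documenting.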