From: jkraitbewr Date: Thu, 9 May 2024 19:36:57 +0000 (-0400) Subject: Added HTTPS support X-Git-Tag: 2.0.4~9^2 X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=commitdiff_plain;h=29fa27bb53e2b4ff89f8ef61d0885df776bc14b1;p=pti%2Fo2.git Added HTTPS support On StarlingX openstack is now by default HTTPS. Support must be added for this. Also, In the helm chart, values have been added to allowing mounting the host cert in the watcher pod. The mounted cert is then used to verify the SSL certificate of the STX and DCMANAGER clients. TEST PLAN PASS: Run compliance and quality robot tests, with mock SMO * With HTTPS enabled * Use cert mounting values * Deploy oran-o2 application on StarlingX system controller (stx9) PASS: Run compliance and quality robot tests, with mock SMO * Without HTTPS enabled * Deploy oran-o2 application on StarlingX system controller (stx9) Issue-ID: INF-461 Signed-off-by: jkraitbewr Change-Id: Icdd1bae303bfe29c27570c310b32d80a9f56709c --- diff --git a/charts/templates/deployment.yaml b/charts/templates/deployment.yaml index 72e3580..a1e4582 100644 --- a/charts/templates/deployment.yaml +++ b/charts/templates/deployment.yaml @@ -124,6 +124,12 @@ spec: value: "1" - name: REDIS_HOST value: localhost + {{- if default false .Values.o2ims.useHostCert }} + - name: REQUESTS_CA_BUNDLE + value: /etc/ssl/custom-cert.pem + {{- end }} + - name: CGTS_INSECURE_SSL + value: {{ ternary "1" "0" (default false .Values.o2ims.cgtsInsecureSSL) | quote }} volumeMounts: - name: scripts mountPath: /opt @@ -131,6 +137,11 @@ spec: mountPath: /configs/o2app.conf subPath: config.json readOnly: true + {{- if default false .Values.o2ims.useHostCert }} + - name: ca-certs + mountPath: /etc/ssl/custom-cert.pem + readOnly: true + {{- end }} - name: o2api image: "{{ .Values.o2ims.images.tags.o2service }}" ports: 
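Review bot: `REQUESTS_CA_BUNDLE` replaces, rather than extends, the default trust store for every `requests`-based connection made from the watcher container, so with `useHostCert: true` the file at `hostCertPath` must be a full PEM CA bundle — a single server certificate would leave any other outbound HTTPS call from this container (towards an SMO, for instance, if the watcher makes any) failing verification. The values default `/etc/ssl/certs/ca-certificates.crt` is a bundle, but nothing in the template says so; I'd add `# must be a PEM CA bundle, not a leaf cert: REQUESTS_CA_BUNDLE replaces the container's default trust store` above the env entry. Note also that `cgtsInsecureSSL: true` renders silently alongside a mounted cert, which makes the mount meaningless for the STX clients; a `{{ fail }}` or at least a NOTES.txt warning when both are set would stop that combination going unnoticed.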
@@ -219,4 +230,10 @@ spec: - name: db-pv persistentVolumeClaim: claimName: {{ .Chart.Name }}-db-pv + {{- if default false .Values.o2ims.useHostCert }} + - name: ca-certs + hostPath: + path: {{ .Values.o2ims.hostCertPath | quote }} + type: File + {{- end }} --- diff --git a/charts/values.yaml b/charts/values.yaml index 0ab6f73..8b6c01f 100644 --- a/charts/values.yaml +++ b/charts/values.yaml @@ -1,4 +1,5 @@ -# Copyright (C) 2021-2023 Wind River Systems, Inc. +--- +# Copyright (C) 2021-2024 Wind River Systems, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -60,6 +61,14 @@ o2ims: pullPolicy: IfNotPresent logginglevel: "WARNING" + # Mount certs from host system. + # Normally required to use CGTS client with SSL. + useHostCert: false + hostCertPath: /etc/ssl/certs/ca-certificates.crt + + # Skip SSL verification when using CGTS client. + cgtsInsecureSSL: false + o2dms: helm_cli_enable: false diff --git a/docker-compose.yml b/docker-compose.yml index a3bf256..3d5b5e8 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -20,6 +20,7 @@ services: - OS_USERNAME=${OS_USERNAME} - OS_PASSWORD=${OS_PASSWORD} - LOGGING_CONFIG_LEVEL=DEBUG + - CGTS_INSECURE_SSL=1 volumes: - ./configs:/configs - ./o2ims:/o2ims @@ -67,6 +68,7 @@ services: - OS_PASSWORD=${OS_PASSWORD} - LOGGING_CONFIG_LEVEL=DEBUG - HELM_USER_PASSWD=St8rlingX* + - CGTS_INSECURE_SSL=1 volumes: - ./configs:/configs - ./share:/share @@ -99,6 +101,7 @@ services: - OS_USERNAME=${OS_USERNAME} - OS_PASSWORD=${OS_PASSWORD} - LOGGING_CONFIG_LEVEL=DEBUG + - CGTS_INSECURE_SSL=1 volumes: - ./configs:/configs - ./o2ims:/o2ims diff --git a/o2common/config/config.py b/o2common/config/config.py index 61c8c69..06c3b56 100644 --- a/o2common/config/config.py +++ b/o2common/config/config.py 
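Review bot: The `ca-certs` volume is a `hostPath` whose path is taken verbatim from `o2ims.hostCertPath`, so whoever controls the values file can expose any readable node file inside the pod (`type: File` only checks that it exists), and hostPath volumes are rejected by the `restricted` Pod Security Standard and by most PSA/OPA admission policies, so `useHostCert: true` will likely not schedule on a hardened cluster. For the StarlingX system-controller target this is probably acceptable, but it should be documented in values.yaml, and a `secret:` volume (a Secret holding the CA bundle, projected to the same `custom-cert.pem` path) would be the non-hostPath alternative that reuses the existing volumeMount. If that alternative is added, the volumeMount condition in the earlier hunk has to become true for either source.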
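Review bot: The new comments do not say what `hostCertPath` must contain or what `cgtsInsecureSSL` actually disables, and both matter for a safe deployment: the deployment template points `REQUESTS_CA_BUNDLE` at the mounted file, and `CGTS_INSECURE_SSL=1` turns off certificate verification for the STX, FM and DC manager clients in `o2common/config/config.py`. I'd replace them with `# Path on the node to a PEM CA bundle (not a leaf certificate); it replaces the container's default trust store via REQUESTS_CA_BUNDLE.` above `hostCertPath`, and `# Disable TLS certificate verification for the StarlingX (cgts), FM and dcmanager clients. Test/dev only - never enable in production.` above `cgtsInsecureSSL`.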
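Review bot: `CGTS_INSECURE_SSL=1` is hard-coded in the three compose services rather than read from the environment like the `OS_*` credentials above it, so there is no way to run the compose stack with certificate verification on without editing the file, and verification is silently off for anyone who reuses this compose file beyond local development. Making it `- CGTS_INSECURE_SSL=${CGTS_INSECURE_SSL:-1}` in all three services keeps the current default while allowing it to be overridden.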
@@ -22,8 +22,11 @@ from o2common.helper import o2logging logger = o2logging.get_logger(__name__) -_DEFAULT_DCMANAGER_URL = "http://192.168.204.1:8119/v1.0" +CGTS_INSECURE_SSL = os.environ.get("CGTS_INSECURE_SSL", "0") == "1" + _DEFAULT_STX_URL = "http://192.168.204.1:5000/v3" +_DCMANAGER_URL_PORT = os.environ.get("DCMANAGER_API_PORT", "8119") +_DCMANAGER_URL_PATH = os.environ.get("DCMANAGER_API_PATH", "/v1.0") def get_config_path(): @@ -60,6 +63,26 @@ def get_api_url(): return f"https://{host}:{port}" +def get_stx_url(): + try: + return get_stx_client_args()["auth_url"] + except KeyError: + logger.error('Please source your RC file before execution, ' + 'e.g.: `source ~/downloads/admin-rc.sh`') + sys.exit(1) + + +def get_dc_manager_url(): + auth_url = os.environ.get("DCMANAGER_OS_AUTH_URL", None) + if auth_url is None: + temp_url = get_stx_url() + u = urlparse(temp_url) + u = u._replace(netloc=f"{u.hostname}:{_DCMANAGER_URL_PORT}") + u = u._replace(path=_DCMANAGER_URL_PATH) + auth_url = u.geturl() + return auth_url + + def get_root_api_base(): return "/" @@ -129,17 +152,7 @@ def is_ipv6(address): def get_stx_access_info(region_name="RegionOne", subcloud_hostname: str = "", sub_is_https: bool = False): - # authurl = os.environ.get("STX_AUTH_URL", "http://192.168.204.1:5000/v3") - # username = os.environ.get("STX_USERNAME", "admin") - # pswd = os.environ.get("STX_PASSWORD", "passwd1") - # stx_access_info = (authurl, username, pswd) try: - # client_args = dict( - # auth_url=os.environ.get('OS_AUTH_URL', _DEFAULT_STX_URL), - # username=os.environ.get('OS_USERNAME', "admin"), - # api_key=os.environ.get('OS_PASSWORD', "fakepasswd1"), - # project_name=os.environ.get('OS_PROJECT_NAME', "admin"), - # ) client_args = get_stx_client_args() except KeyError: logger.error('Please source your RC file before execution, ' 
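Review bot: `CGTS_INSECURE_SSL` disables certificate verification for every StarlingX client built from this module, yet nothing records that it is active, so a production deployment running insecure looks identical in the logs to a verified one. I'd add, right after the assignment, `if CGTS_INSECURE_SSL: logger.warning("CGTS_INSECURE_SSL=1: TLS certificate verification is disabled for StarlingX clients")`. Note also that `_DEFAULT_STX_URL` keeps its `http://192.168.204.1:5000/v3` value while the functions changed in this diff no longer reference it; if `get_stx_client_args` (outside the hunk) still falls back to it, the no-RC-file path remains plaintext.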
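Review bot: `get_dc_manager_url` builds the netloc as `f"{u.hostname}:{_DCMANAGER_URL_PORT}"`, but `urlparse(...).hostname` strips the brackets from an IPv6 literal, so an auth URL of `https://[fd00::1]:5000/v3` yields `https://fd00::1:8119/v1.0`, which is not a valid authority and also breaks the later `netloc.replace(hostname, ...)` in `get_dc_access_info`; the rest of this file goes to some length to bracket IPv6 hosts, so IPv6 is clearly a supported case. Reusing the module's own helper fixes it: `host = f"[{u.hostname}]" if is_ipv6(u.hostname) else u.hostname` followed by `u = u._replace(netloc=f"{host}:{_DCMANAGER_URL_PORT}", path=_DCMANAGER_URL_PATH)`. Separately, `get_stx_url` calls `sys.exit(1)` from a config helper; that matches the existing pattern in `get_stx_access_info`, but in a long-running watcher it turns a missing RC variable into a process exit rather than a raised error.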
@@ -152,7 +165,7 @@ def get_stx_access_info(region_name="RegionOne", subcloud_hostname: str = "", if "" != subcloud_hostname: if is_ipv6(subcloud_hostname): subcloud_hostname = "[" + subcloud_hostname + "]" - orig_auth_url = urlparse(_DEFAULT_STX_URL) + orig_auth_url = urlparse(get_stx_url()) new_auth_url = orig_auth_url._replace( netloc=orig_auth_url.netloc.replace( orig_auth_url.hostname, subcloud_hostname)) @@ -163,7 +176,7 @@ def get_stx_access_info(region_name="RegionOne", subcloud_hostname: str = "", new_auth_url = new_auth_url._replace( scheme=new_auth_url.scheme. replace(new_auth_url.scheme, 'https')) - os_client_args['insecure'] = True + os_client_args['insecure'] = CGTS_INSECURE_SSL os_client_args['os_auth_url'] = new_auth_url.geturl() os_client_args['os_endpoint_type'] = 'public' # os_client_args['system_url'] = os_client_args['os_auth_url'] @@ -177,12 +190,6 @@ def get_stx_access_info(region_name="RegionOne", subcloud_hostname: str = "", def get_dc_access_info(): try: - # client_args = dict( - # auth_url=os.environ.get('OS_AUTH_URL', _DEFAULT_STX_URL), - # username=os.environ.get('OS_USERNAME', "admin"), - # api_key=os.environ.get('OS_PASSWORD', "fakepasswd1"), - # project_name=os.environ.get('OS_PROJECT_NAME', "admin"), - # ) client_args = get_stx_client_args() except KeyError: logger.error('Please source your RC file before execution, ' @@ -195,7 +202,7 @@ def get_dc_access_info(): auth_url = urlparse(os_client_args.pop('os_auth_url')) hostname = f"[{auth_url.hostname}]" if is_ipv6(auth_url.hostname) \ else auth_url.hostname - dcmanager_url = urlparse(_DEFAULT_DCMANAGER_URL) + dcmanager_url = urlparse(get_dc_manager_url()) dcmanager_url = dcmanager_url._replace(netloc=dcmanager_url.netloc.replace( dcmanager_url.hostname, hostname)) 
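Review bot: With `insecure` now honouring `CGTS_INSECURE_SSL`, the subcloud client built here will verify the certificate presented at `subcloud_hostname`, but no CA file is handed to the client — the only trust-store hint in this change is the process-wide `REQUESTS_CA_BUNDLE` set by the Helm template, which cgtsclient honours only if its HTTP layer is plain `requests` (I cannot confirm that from here). If cgtsclient accepts a `ca_file`-style argument, passing the bundle explicitly, e.g. `os_client_args['ca_file'] = os.environ.get('REQUESTS_CA_BUNDLE')`, makes the trust anchor independent of how the process was launched. It is also worth a comment here that verification requires the subcloud certificate to be valid for `subcloud_hostname` (an IP SAN when an address is passed), since a mismatch will otherwise tempt operators to "fix" it by setting `CGTS_INSECURE_SSL=1` globally. `get_stx_access_info` starts and ends outside this hunk.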
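Review bot: When `DCMANAGER_OS_AUTH_URL` is set, `get_dc_manager_url()` returns it verbatim, but the two context lines that follow replace its host with the Keystone auth host (`dcmanager_url.netloc.replace(dcmanager_url.hostname, hostname)`), so the override effectively controls only scheme, port and path, and a value pointing at a different host is silently redirected — with verification on, to a certificate for a host the operator did not name. If that is intended, say so in a comment; otherwise guard the replacement with `if os.environ.get("DCMANAGER_OS_AUTH_URL") is None:`. `get_dc_access_info` continues past the end of this hunk.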
@@ -213,12 +220,6 @@ def get_dc_access_info(): def get_fm_access_info(subcloud_hostname: str = "", sub_is_https: bool = False): try: - # client_args = dict( - # auth_url=os.environ.get('OS_AUTH_URL', _DEFAULT_STX_URL), - # username=os.environ.get('OS_USERNAME', "admin"), - # api_key=os.environ.get('OS_PASSWORD', "fakepasswd1"), - # project_name=os.environ.get('OS_PROJECT_NAME', "admin"), - # ) client_args = get_stx_client_args() except KeyError: logger.error('Please source your RC file before execution, ' @@ -235,7 +236,7 @@ def get_fm_access_info(subcloud_hostname: str = "", if "" != subcloud_hostname: subcloud_hostname = f"[{subcloud_hostname}]" if \ is_ipv6(subcloud_hostname) else subcloud_hostname - orig_auth_url = urlparse(_DEFAULT_STX_URL) + orig_auth_url = urlparse(get_stx_url()) new_auth_url = orig_auth_url._replace( netloc=orig_auth_url.netloc.replace( orig_auth_url.hostname, subcloud_hostname)) @@ -246,7 +247,7 @@ def get_fm_access_info(subcloud_hostname: str = "", os_client_args['auth_url'] = new_auth_url.geturl() os_client_args['endpoint_type'] = 'publicURL' - os_client_args['insecure'] = True + os_client_args['insecure'] = CGTS_INSECURE_SSL os_client_args['username'] = os_client_args.pop('os_username') os_client_args['password'] = os_client_args.pop('os_api_key') diff --git a/o2ims/adapter/clients/ocloud_client.py b/o2ims/adapter/clients/ocloud_client.py index 4e8430f..5a7b3fb 100644 --- a/o2ims/adapter/clients/ocloud_client.py +++ b/o2ims/adapter/clients/ocloud_client.py @@ -301,7 +301,7 @@ class StxClientImp(object): subcloud_stxclient = self.getSubcloudClient( subcloud.subcloud_id) systems = subcloud_stxclient.isystem.list() - logger.debug('systems:' + str(systems[0].to_dict())) + logger.debug('subcloud system:' + str(systems[0].to_dict())) pools.append(systems[0]) except Exception as ex: logger.warning('Failed get cgstclient of subcloud %s: %s' % diff --git a/requirements-stx.txt b/requirements-stx.txt index 88effb5..d057d79 100644 
--- a/requirements-stx.txt +++ b/requirements-stx.txt @@ -2,6 +2,6 @@ # -e git+https://opendev.org/starlingx/config.git@master#egg=cgtsclient&subdirectory=sysinv/cgts-client/cgts-client # -e git+https://opendev.org/starlingx/fault.git@master#egg=fmclient&subdirectory=python-fmclient/fmclient --e git+https://opendev.org/starlingx/distcloud-client.git@eb4e7eeeb09bdf2e1b80984b378c5a8ea9930f04#egg=distributedcloud-client&subdirectory=distributedcloud-client +-e git+https://opendev.org/starlingx/distcloud-client.git@b4a8ec19dc6078952a3762d7eee8d426d520a1f0#egg=distributedcloud-client&subdirectory=distributedcloud-client -e git+https://opendev.org/starlingx/config.git@r/stx.7.0#egg=cgtsclient&subdirectory=sysinv/cgts-client/cgts-client -e git+https://opendev.org/starlingx/fault.git@r/stx.7.0#egg=fmclient&subdirectory=python-fmclient/fmclient