From: Ravi Pendurty Date: Tue, 1 Apr 2025 11:57:54 +0000 (+0530) Subject: Include authentication for kafka-ui X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=commitdiff_plain;h=7e214bfc3b04d6c62193a4cb0a350628907697ed;p=oam.git Include authentication for kafka-ui Include self signed certs for kafka-ui Issue-ID: OAM-450 Change-Id: I7fe962f84c0aadb65369af4489192cfecb402df7 Signed-off-by: Ravi Pendurty --- diff --git a/solution/smo/common/.env b/solution/smo/common/.env index da35a0b..8118a23 100644 --- a/solution/smo/common/.env +++ b/solution/smo/common/.env @@ -49,7 +49,7 @@ ZOOKEEPER_IMAGE=quay.io/strimzi/kafka:0.35.0-kafka-3.4.0 ## Kafka KAFKA_IMAGE=quay.io/strimzi/kafka:0.35.0-kafka-3.4.0 KAFKA_BRIDGE_IMAGE=quay.io/strimzi/kafka-bridge:0.25.0 -KAFKA_UI_IMAGE=provectuslabs/kafka-ui:v0.7.2 +KAFKA_UI_IMAGE=ghcr.io/kafbat/kafka-ui:v1.2.0 ## Messages (DMaaP) DMAAP_IMAGE=nexus3.onap.org:10001/onap/dmaap/dmaap-mr:1.1.18 diff --git a/solution/smo/common/certs-selfsigned/README.md b/solution/smo/common/certs-selfsigned/README.md new file mode 100644 index 0000000..9c29754 --- /dev/null +++ b/solution/smo/common/certs-selfsigned/README.md 
@@ -0,0 +1,31 @@
+# Create RSA Private Key and CSR (Certificate Signing Request)
+
+ openssl req -new -newkey rsa:4096 -nodes -keyout smo.o-ran-sc.org.key -out smo.o-ran-sc.org.csr -subj "/CN=smo.o-ran-sc.org"
+
+# Create a config file containing the SANs
+
+ smo.o-ran-sc.org.ext - Hand coded file containing the SANs and related information to be used in later stages
+
+# Generate the Certificate using the key, csr and config file
+
+ openssl x509 -req -in smo.o-ran-sc.org.csr -signkey smo.o-ran-sc.org.key -out smo.o-ran-sc.org.crt -days 365 -extfile smo.o-ran-sc.org.ext
+
+# Verify the Certificate
+
+ openssl x509 -in smo.o-ran-sc.org.crt -noout -text
+
+# Install/Trust the Certificate (if you dont want to see the warning in the browser or when running curl)
+
+ sudo cp smo.o-ran-sc.org.crt /usr/local/share/ca-certificates/
+ sudo update-ca-certificates
+
+# Java applications require certificates in .jks format
+
+ ## Step 1 - Convert to .p12 format
+ openssl pkcs12 -export -in smo.o-ran-sc.org.crt -inkey smo.o-ran-sc.org.key -out smo.o-ran-sc.org.p12 -name traefikp12 -passout pass:changeit
+
+ ## Step 2 - Convert .p12 to .jks -
+ keytool -importkeystore -srckeystore smo.o-ran-sc.org.p12 -srcstoretype PKCS12 -destkeystore smo.o-ran-sc.org.jks -deststoretype JKS -deststorepass changeit -srcstorepass changeit -alias traefikp12
+
+
+
diff --git a/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.crt b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.crt
new file mode 100644
index 0000000..5c30a30
--- /dev/null
+++ b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.crt
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF1DCCA7ygAwIBAgIUB1CNmJ5LSjziLtOz22+neOzxIYswDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQc21vLm8tcmFuLXNjLm9yZzAeFw0yNTAzMjYxNDE5MTRa +Fw0yNjAzMjYxNDE5MTRaMBsxGTAXBgNVBAMMEHNtby5vLXJhbi1zYy5vcmcwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDbR5lB67CpkbEvHekbN2+PQn3u +FWe5QPrZHS8qTtz/OXEI0v8pAS+UwEzszMun1ILiiciCvMwVFhgCOeksf0yVlSVs +hRn+P7ljw0BJLZg9A6QCmesSGAmjaF/Y7nZQ91g4Zn9nqIt0gWXqEzD0HaS4MKX0 +dXd+AeTTdp6zj22mFmX+AEyurGLfalzOOtInd6hQp6OBo5j/EPRyi4BI+Lg1GEuX +W/8CUjGRHUv68eyhejfs15eMUjjBL8hws7BnYBH1IzuuEKuSPPJouAUAawcCmRww +ZqCCmHF6qecfZurqbxofDDCnjDKZSw3vtUbQ+AKujJdDZiU6/aQ+HQ3wu0XpYSBB +7KA9aOQqqocFWkfyYLnN51XTyt6sAfCBK4oqsrs70E97xOb0MLcW69qabI1AC5SE +QYrQz0YdWNrehBi43CruNBWS90j5unGenARqzEuK1RsNHhGBfD76YkK9b60JxeBl +nPus4WU6FPGz6J867NkSDUiSsgIDkm9+zbJ0sggczVt4R/LbdowIgeOR4r8OBkOc +Yxm/BXDR9BdPVykKBSqxrDG6nRxMbo0Bw+rv5elf+4KdEo75vBvubXQN6X/WIEn6 +v2lqM1+T8OG7Q9X3ti1JIAIv80SQy2DU9cT2PWXj5P/cPMmtxge8tVDI/1cpCTaT +z0WryyCU3HO3Wrs20QIDAQABo4IBDjCCAQowQAYDVR0jBDkwN6EfpB0wGzEZMBcG +A1UEAwwQc21vLm8tcmFuLXNjLm9yZ4IUB1CNmJ5LSjziLtOz22+neOzxIYswCQYD +VR0TBAIwADALBgNVHQ8EBAMCBaAwga0GA1UdEQSBpTCBooIQc21vLm8tcmFuLXNj +Lm9yZ4IZaWRlbnRpdHkuc21vLm8tcmFuLXNjLm9yZ4IidmVzLWNvbGxlY3Rvci5k +Y24uc21vLm8tcmFuLXNjLm9yZ4IZa2Fma2EtdWkuc21vLm8tcmFuLXNjLm9yZ4IY +Z2F0ZXdheS5zbW8uby1yYW4tc2Mub3JnghppbmZsdXhkYjIuc21vLm8tcmFuLXNj +Lm9yZzANBgkqhkiG9w0BAQsFAAOCAgEAFiPwswFGsvf8Am70mvyfucgV/WwgEva8 +X/8+4NcMOMJKVX55n7O8m4r4UE+z7Aw82/Oq0Hn6w202lEpoBTBsmzxIDMYKMHy+ ++RuCf+M/m+b8uT2sIX2QLgTES7b3RGZh6OPRBUN01HufAKnm0lOfpKacwL2/Ox6u +gESxvsqFGM2t1TRSUNifQ7T9I+csJmLbNlYCYTdAt9SNdY0Z4Obv7uRQ5gontWQV +glJYDtls84i9dwzStBWtJ7vcz21oRupRGotEBl05Ju3Jvt8oqvZxMJs+rnESRxZd +purKyEEZpPLK2sqCdWOe2ceNS3fgFtPaPJrKkdqj7iKasIWxI1Rzj0O6wHXWZ1wJ +U6b97devNljskfEeBC7pJ9lMUCbtoufk+5W07vrxrzG6gNUSG5LHeFDIZZ9ip3S0 +gl4Ip8lAb1u6PRbNERvPssLizMAKHwXU6+lrw5B0yiDX4+5UJWzly8n0K6gdzAxG +wTr3dC9LeHG1TguYPNaYHYU7VrFcOTrnDWNECpLUbWSFlhT2bYbSqWTLQFLyrHDo 
+tZ6mbVOc9BnvYHAIOuuOfsJ8ur5c16Ysrc2eVyy13Hu93NIvcgSPyGsn3xbbgVZC +nwDYIs9t6hFijxmcsxKmy4gXyJX8nVfH745XfQR6TStLY6hQjVdYEfG8aSGn2yJD +HujnfccXVK8= +-----END CERTIFICATE----- diff --git a/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.csr b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.csr new file mode 100644 index 0000000..57af49b --- /dev/null +++ b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.csr 
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIEYDCCAkgCAQAwGzEZMBcGA1UEAwwQc21vLm8tcmFuLXNjLm9yZzCCAiIwDQYJ +KoZIhvcNAQEBBQADggIPADCCAgoCggIBANtHmUHrsKmRsS8d6Rs3b49Cfe4VZ7lA ++tkdLypO3P85cQjS/ykBL5TATOzMy6fUguKJyIK8zBUWGAI56Sx/TJWVJWyFGf4/ +uWPDQEktmD0DpAKZ6xIYCaNoX9judlD3WDhmf2eoi3SBZeoTMPQdpLgwpfR1d34B +5NN2nrOPbaYWZf4ATK6sYt9qXM460id3qFCno4GjmP8Q9HKLgEj4uDUYS5db/wJS +MZEdS/rx7KF6N+zXl4xSOMEvyHCzsGdgEfUjO64Qq5I88mi4BQBrBwKZHDBmoIKY +cXqp5x9m6upvGh8MMKeMMplLDe+1RtD4Aq6Ml0NmJTr9pD4dDfC7RelhIEHsoD1o +5CqqhwVaR/Jguc3nVdPK3qwB8IEriiqyuzvQT3vE5vQwtxbr2ppsjUALlIRBitDP +Rh1Y2t6EGLjcKu40FZL3SPm6cZ6cBGrMS4rVGw0eEYF8PvpiQr1vrQnF4GWc+6zh +ZToU8bPonzrs2RINSJKyAgOSb37NsnSyCBzNW3hH8tt2jAiB45Hivw4GQ5xjGb8F +cNH0F09XKQoFKrGsMbqdHExujQHD6u/l6V/7gp0Sjvm8G+5tdA3pf9YgSfq/aWoz +X5Pw4btD1fe2LUkgAi/zRJDLYNT1xPY9ZePk/9w8ya3GB7y1UMj/VykJNpPPRavL +IJTcc7dauzbRAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAfuIUW98BSWYrDV+Y +kUX5zc+OWXfjAOm3dW2bF+E5Zih1j5Sut9OiWqxqf6qPDpxnIk3jKzezMxxbVo/1 +umVLNX7PoojbZq/C7QXDR1JI8/E/hDpg44mF/Kx2FZeWzpg5MG8wffX/ZFD93Jpy +ULt5EgAMQd+bkG0A2l6zBs/YPC/ttPGcFMkbyRFfjdPbcajXo4x6SoeUnnJ+6be4 +GJ716atyuWX3B9jp1YETUO0lXnfkEtuzhOEtBjqLrZnmMk4Q13oD4uYf2zk32Nvy +V1DSX1SNuEAiJqxTu4k58TX+F8TtWYsUiH3EBT16Vq48zVfkh028IoFEusNZW8Eg +TLIjBHXje2zG80Edfq7N+YmIcEamIHNOChMz0AaZ3ShOitTifX5DJovNdmeQ9q82 +mSdnGuHVHGxHPJ1WJskPHOhmO9NEfDPsCc9C3dDREtOxCx2aI+hWVmYWR6PjsmHs +3lUeZipmnvXd5iQtQnPsD49eQEQ4P3xlrvkKM+gLZ6T6Brmo/seiJE/EC/UYcc/d +ozJJzK0a7y62EwLBQ3HP15KTDcT7oR/wsmc6bz4ztq+4GhF69X4PvWvzab75qM3w +Amfm55WjDwMEdOFSdE2j1liA4RwDHUOktk3mjWv8a1RWzz7EwM7yLayD4dfspdKu +ZdXHgnRHjOv8YnmQ4ZezJpjTIZA= +-----END CERTIFICATE REQUEST----- diff --git a/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.ext b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.ext new file mode 100644 index 0000000..acbb7a1 --- /dev/null +++ b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.ext 
@@ -0,0 +1,13 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = smo.o-ran-sc.org
+DNS.2 = identity.smo.o-ran-sc.org
+DNS.3 = ves-collector.dcn.smo.o-ran-sc.org
+DNS.4 = kafka-ui.smo.o-ran-sc.org
+DNS.5 = gateway.smo.o-ran-sc.org
+DNS.6 = influxdb2.smo.o-ran-sc.org
+
diff --git a/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.jks b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.jks
new file mode 100644
index 0000000..ac7fafc
Binary files /dev/null and b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.jks differ
diff --git a/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.key b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.key
new file mode 100644
index 0000000..bb81759
--- /dev/null
+++ b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.key
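Review bot: The extension file sets `keyUsage` but no `extendedKeyUsage`, and some TLS clients reject server certificates that lack the server-authentication purpose. Adding `extendedKeyUsage = serverAuth` after the `keyUsage` line covers that. The certificate committed alongside would have to be regenerated for the change to take effect.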
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDbR5lB67CpkbEv +HekbN2+PQn3uFWe5QPrZHS8qTtz/OXEI0v8pAS+UwEzszMun1ILiiciCvMwVFhgC +Oeksf0yVlSVshRn+P7ljw0BJLZg9A6QCmesSGAmjaF/Y7nZQ91g4Zn9nqIt0gWXq +EzD0HaS4MKX0dXd+AeTTdp6zj22mFmX+AEyurGLfalzOOtInd6hQp6OBo5j/EPRy +i4BI+Lg1GEuXW/8CUjGRHUv68eyhejfs15eMUjjBL8hws7BnYBH1IzuuEKuSPPJo +uAUAawcCmRwwZqCCmHF6qecfZurqbxofDDCnjDKZSw3vtUbQ+AKujJdDZiU6/aQ+ +HQ3wu0XpYSBB7KA9aOQqqocFWkfyYLnN51XTyt6sAfCBK4oqsrs70E97xOb0MLcW +69qabI1AC5SEQYrQz0YdWNrehBi43CruNBWS90j5unGenARqzEuK1RsNHhGBfD76 +YkK9b60JxeBlnPus4WU6FPGz6J867NkSDUiSsgIDkm9+zbJ0sggczVt4R/LbdowI +geOR4r8OBkOcYxm/BXDR9BdPVykKBSqxrDG6nRxMbo0Bw+rv5elf+4KdEo75vBvu +bXQN6X/WIEn6v2lqM1+T8OG7Q9X3ti1JIAIv80SQy2DU9cT2PWXj5P/cPMmtxge8 +tVDI/1cpCTaTz0WryyCU3HO3Wrs20QIDAQABAoICAHxPVbnCRK+MsZbVbQ4J2kur +1TpAlkG2bb7hxZhFhxGFXegzvYVgb7nzXmisHRQy7FRC6hH7t/KISOoSLHcWX7M5 +DzM7LaYuOAovaWVS3MhSJQt4eIQUbnpdtGCFpzt1TWUD7lw0d4J/zOfrI0hw+a2V +nq88XJZpunCLAaMnv3B1qDJbtx0bCx4+7QfY3sSTGC9JKe9XcGfBE+NP5FT582ve +LxRKigGl2QW8RxOnTI+qesPg4MAi6JvUW9xQccPY+bUv2ShvuOQ5eu8Uy3kWM64s +YIer1njStRpl8Wmi7bAjdfp97aM+Xnz6yJbI/LGAt/x+JU6HPLn5ir/PttRvRkzg +KNVMP00W/sQSTCGNIw36xIxmCVue8fbMbYZnkvMbiGyRBKMhrdWmRn5g1HlaWipl +HBYMzO/+E7s3Ac1c1ZrHKxQpZfY2krIgWxzK4S8nGNfDFZmILmx9De5qJJy1vGZF +8A/kYGjIERpZJBOHK1zzWiAJUw/NBElb5nxaoLDsjsWbaYio5Sy3wcFWQlBeRIxR +Ot3ZD1KmA9qEGopjcFNC+58v4cSLRrS54RgKQvCQl+aXse3g0GDz3Jkt5XBYFQvk +LNkTOnGEV4IovUCkEthxrG/2uSomqKCWCRSO66sPsMw3cSNS7Z2AjoygtCKtzRsX +wkt50RabU/Vhd/+k6bRxAoIBAQDtxqKtTrIRfjRg58HBAwNUz9It3HV2/NIB5VgO +sNYUY1egk9ad9JGwXRvbV7yHK0epbbFr+NVnJLiSQyGfjr6ub7SPeIlvwcExXRZe +MvyJVWnFXhcAYwG7Xp9RPIDDTeZDljTs6xfKs2u/ArL+fCw0eh7uWtFz0CYdhmVS +mPfuo9yY4XR7BJYhfijge3TrWGuA68OwcZInyi5FxBqzEH0EmPy/VC5Ioa5K/7O0 +y/s3h8hTJQws+DKxGTfg557bcMp9Gx+emXiq8BGKy+P8jf0P5B1cH3zTlGljNLvg +E8n1zoeqI5XgOt2yjVrQg4/uKmgOVlJ3b4o2QehWFJIs1sr9AoIBAQDsFg0n7aUD +WZDTXD+yZsBNmMdKjb7t6ea+qHohL/5eJD1y6coOGaTnVbYG7zz25QOc5ysw458K 
+Xg/VFw593W4MsxshAWRefUz6oDpIgx7sWw+i1t89wcKSz52bWXesdBz0Lem9q9mj +YlJzdopgfNbD18qTDy3wWmDQgYxnzlmwc7DsmD/hz1QenBPYlm7jurUyCWC1YKJM +CftcpwRzEo7lHJNBUloLGeINxAP0/FUkulxJIRr/G/3h22/3i7Vqlm3BbUnUSJxC +Lj1jssnXAVW7A1bH76zckerEQFaFD3t7jYyHuIBZ1ikCdxntq9fSrFn51vqnSTua +kjoGE4IcbfVlAoIBABoL10gaxcDKzVwMJxpIhTXmKgTiEG//U9XnVJUPY/QJydCK +QUk+QDNMj7+gRcOcxxXVMUk9kcrhp+JFvkonLdYX4HSS5KM8WzhYFRouhaFZnOOE +4golzkvDGrqgYQ6D2wRuUM/fFNUcgGIFHqxn18PL2NWNV0JTe8liLnk0znvysTiC +Aetz3io/EqU8gNtC7UvLB72tQzBeomD8EVyqIre9NnqS8xr7swb+KaZVbehwVE5f +UY0fhxYFSCy30pwBJ/06WmVaNHCtKY7FtOy2dREnkNvFizv2FvFKFoZ+RHJLtGq7 +yTAt4pkriNYsgzi4pntjk1cH/eDhqVy8liKZSNUCggEBAJsJiC42c+0VPnRu2i2w +KI1MzWN6Xm4i8rM2NK3itKriJbB3M4e6834v3VAEgAarMooxjT2X3XOTfdY0RAII +DiMs453zKhSbOJhF7MB9yyrwSf5oGUaXHc4HpbrFMEACKJl6JUu3tT8EbJ0CtbDT +ir4l0hRtHX//+iAzUx9AdcnYz9Ev0pPZ8aYAXVAYyk2m6SMo4Wd7RFmnHHkl/VgM +UebHszRsflFX+AmONgMGSmvKLpyfrvjlSv6teoQYLVUH4J/rw1YzMNqNPydf3Ajk +CYa8lJrMHLrk4EVs8uSC3FaxCB6A3VkhuOCzkkVwWlUxdg0KTqTZBNlnOc+PtBwz +YbkCggEAK03jxSsqnTVjhMR0AJlx8ljvoJRofQYkcUx5h7tZioo1lek9QhWvBtzU +jcTue81YSxYnuNLGTpisz0WY7nNewXXggx+wfQoBYgVj+aLOFMZ+U+JbCYmjtDMa +wWxDmGIbt6tvU9kR1t7nJ0XJU0ZNI8d2Ktj2zhfxueZZabQmAvfjKrEDOyIwiGEt +s7hludnGgnJ11GhI4wXMHhoc0I7iIXP6u24wHrrpTMVy6h27m1WqHRolS6PK367o +Nyno63pWRt4rtTCl38UATxeJ0v9vzzs2ZBBUgQzyHt1dlCu6LTKy8IYNjPKzMLUI +HHRxwkXLiluL1Wjr1Afz+9dcL+qWfw== +-----END PRIVATE KEY----- diff --git a/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.p12 b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.p12 new file mode 100644 index 0000000..9ba54ea Binary files /dev/null and b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.p12 differ diff --git a/solution/smo/common/docker-compose.yaml b/solution/smo/common/docker-compose.yaml index 7011e32..7d68bed 100755 --- a/solution/smo/common/docker-compose.yaml +++ b/solution/smo/common/docker-compose.yaml 
@@ -57,13 +57,15 @@ services: - --providers.docker.network=${TRAEFIK_NETWORK_NAME} - --providers.docker.exposedByDefault=false - --providers.docker.watch=true - - --providers.file.filename=/middleware.yaml + - --providers.file.filename=/etc/traefik/middleware.yaml volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - - ./gateway/conf/middleware.yaml:/middleware.yaml:ro + - ./gateway/conf/middleware.yaml:/etc/traefik/middleware.yaml:ro - ./gateway/conf/.htpasswd:/.htpasswd:ro - + - ./certs-selfsigned/smo.o-ran-sc.org.crt:/certs/dev.crt + - ./certs-selfsigned/smo.o-ran-sc.org.key:/certs/dev.key + - ./letsencrypt:/letsencrypt # ACME storage labels: traefik.enable: true traefik.http.middlewares.traefik-auth.basicauth.usersfile: .htpasswd @@ -99,6 +101,11 @@ services: image: ${IDENTITY_IMAGE} container_name: identity hostname: identity + healthcheck: + test: curl "http://localhost:9000/health/ready" || exit 1 + interval: 5s + timeout: 10s + retries: 45 environment: KEYCLOAK_CREATE_ADMIN_USER: true KC_BOOTSTRAP_ADMIN_USERNAME: ${ADMIN_USERNAME} @@ -118,10 +125,12 @@ services: KEYCLOAK_TLS_TRUSTSTORE_PASSWORD: changeit KC_HOSTNAME: "https://identity.${HTTP_DOMAIN}" KC_HOSTNAME_ADMIN: "https://identity.${HTTP_DOMAIN}" - KEYCLOAK_EXTRA_ARGS: "--spi-theme-default=oam" + KC_HEALTH_ENABLED: true + KEYCLOAK_EXTRA_ARGS: "--spi-theme-default=oam --import-realm" restart: unless-stopped volumes: - /etc/localtime:/etc/localtime:ro + - ./identity/o-ran-sc-realm.json:/opt/bitnami/keycloak/data/import/o-ran-sc-realm.json - ./identity/standalone.xml:/opt/jboss/keycloak/standalone/configuration/standalone.xml - ./identity/keystore.jks:/opt/bitnami/keycloak/certs/keystore.jks - ./identity/truststoreONAPall.jks:/opt/bitnami/keycloak/certs/truststore.jks 
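Review bot: The key mounted at `/certs/dev.key` is `certs-selfsigned/smo.o-ran-sc.org.key`, which this same commit adds to the repository in clear text, so every deployment built from this compose file serves TLS with a private key that anyone with read access to the repo holds. That matters more because the new README suggests copying the matching certificate into the system trust store; a host that does so will accept any holder of this key as `smo.o-ran-sc.org` and the other SAN names. I would generate the key and certificate at deploy time (the README commands already do this) and keep `*.key`, `*.p12` and `*.jks` out of version control. The two certificate mounts should also be read-only like the neighbouring ones, e.g. `- ./certs-selfsigned/smo.o-ran-sc.org.key:/certs/dev.key:ro`. The `services:` block continues outside the hunk.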
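Review bot: The health check added to the `identity` service calls `curl` without `--fail`, so it exits 0 for any HTTP response, including the 503 a readiness endpoint typically returns while the service is still starting; the container can be reported healthy before Keycloak is ready. Since `kafka-ui` now waits on `condition: service_healthy`, the check should fail on a non-2xx status: `test: curl -fsS "http://localhost:9000/health/ready" || exit 1`. It is also worth confirming that `curl` is present in `${IDENTITY_IMAGE}`, which this hunk does not show.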
@@ -276,6 +285,11 @@ services: KAFKA_CLUSTERS_0_NAME: kafka KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: kafka:9092 DYNAMIC_CONFIG_ENABLED: 'true' + SPRING_CONFIG_ADDITIONAL-LOCATION: /config.yaml + JAVA_OPTS: "-Djavax.net.ssl.trustStore=/etc/certs/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djdk.internal.httpclient.disableHostnameVerification=true" + volumes: + - ./kafka-ui/config.yaml:/config.yaml + - ./certs-selfsigned/smo.o-ran-sc.org.jks:/etc/certs/truststore.jks labels: traefik.enable: true traefik.http.routers.kafka-ui.entrypoints: websecure @@ -285,6 +299,9 @@ services: app: "kafka-ui" deploy: "o-ran-sc-smo-common" solution: "o-ran-sc-smo" + depends_on: + identity: + condition: service_healthy networks: dmz: default: diff --git a/solution/smo/common/gateway/conf/middleware.yaml b/solution/smo/common/gateway/conf/middleware.yaml index 19119d8..106ba8b 100644 --- a/solution/smo/common/gateway/conf/middleware.yaml +++ b/solution/smo/common/gateway/conf/middleware.yaml @@ -10,8 +10,15 @@ http: stsSeconds: 315360000 stsIncludeSubdomains: true stsPreload: true + oauth_headers: + headers: + customRequestHeaders: + Authorization: "" # tls: # options: # myTLSOptions: # minVersion: VersionTLS12 - +tls: + certificates: + - certFile: "/certs/dev.crt" + keyFile: "/certs/dev.key" diff --git a/solution/smo/common/identity/o-ran-sc-realm.json b/solution/smo/common/identity/o-ran-sc-realm.json index 44ebf69..14ea1c9 100644 --- a/solution/smo/common/identity/o-ran-sc-realm.json +++ b/solution/smo/common/identity/o-ran-sc-realm.json @@ -304,6 +304,7 @@ } ], "odlux.app": [], + "kafka-ui.app": [], "security-admin-console": [], "admin-cli": [], "account-console": [], 
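Review bot: `-Djdk.internal.httpclient.disableHostnameVerification=true` in `JAVA_OPTS` turns off hostname checking for kafka-ui's outbound HTTPS calls, so any certificate that chains to the truststore is accepted for the identity provider regardless of the name it was issued for. The certificate added in this commit already lists `identity.smo.o-ran-sc.org` as a SAN, so verification should pass with the flag removed. Separately, the file mounted as `/etc/certs/truststore.jks` is the `.jks` that the new README builds from the `.p12` exported with `-inkey`, so it presumably carries the private key as well; a truststore needs only the certificate, for example one created with `keytool -importcert`, and both new mounts can be `:ro`.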
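Review bot: `oauth_headers` sets `Authorization: ""` with no comment, and a reader has to know that Traefik treats an empty header value as "remove this header". I would add a line such as `# empty value strips the client-supplied Authorization header before the request reaches the backend` and name the router meant to use it; no label in the visible hunks attaches this middleware. The new `tls.certificates` entry sits directly under the still commented-out `minVersion: VersionTLS12` options, so if a TLS version floor is intended it is not set by this change.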
@@ -750,6 +751,66 @@
 "microprofile-jwt"
 ]
 },
+ {
+ "id": "93bc9c5c-1414-4231-ab20-0e88fa8dade2",
+ "clientId": "kafka-ui.app",
+ "name": "Kafka-UI",
+ "description": "Kafka UI application for managing Kafka resources",
+ "rootUrl": "",
+ "adminUrl": "",
+ "baseUrl": "",
+ "surrogateAuthRequired": false,
+ "enabled": true,
+ "alwaysDisplayInConsole": false,
+ "clientAuthenticatorType": "client-secret",
+ "redirectUris": [
+ "https://kafka-ui.smo.o-ran-sc.org/*"
+ ],
+ "webOrigins": [
+ "/*"
+ ],
+ "notBefore": 0,
+ "bearerOnly": false,
+ "consentRequired": false,
+ "standardFlowEnabled": true,
+ "implicitFlowEnabled": false,
+ "directAccessGrantsEnabled": true,
+ "serviceAccountsEnabled": false,
+ "publicClient": true,
+ "frontchannelLogout": true,
+ "protocol": "openid-connect",
+ "attributes": {
+ "realm_client": "false",
+ "oidc.ciba.grant.enabled": "false",
+ "backchannel.logout.session.required": "true",
+ "frontchannel.logout.session.required": "true",
+ "oauth2.device.authorization.grant.enabled": "false",
+ "display.on.consent.screen": "false",
+ "backchannel.logout.revoke.offline.tokens": "false"
+ },
+ "authenticationFlowBindingOverrides": {},
+ "fullScopeAllowed": true,
+ "nodeReRegistrationTimeout": -1,
+ "defaultClientScopes": [
+ "web-origins",
+ "acr",
+ "roles",
+ "profile",
+ "basic",
+ "email"
+ ],
+ "optionalClientScopes": [
+ "address",
+ "phone",
+ "offline_access",
+ "microprofile-jwt"
+ ],
+ "access": {
+ "view": true,
+ "configure": true,
+ "manage": true
+ }
+ },
 {
 "id": "048a9bfc-077a-42a2-afe8-1ec13d3a43a3",
 "clientId": "realm-management",
diff --git a/solution/smo/common/kafka-ui/config.yaml b/solution/smo/common/kafka-ui/config.yaml
new file mode 100644
index 0000000..6db0fbc
--- /dev/null
+++ b/solution/smo/common/kafka-ui/config.yaml
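Review bot: The new `kafka-ui.app` client is public (`"publicClient": true`) and also has `"directAccessGrantsEnabled": true`, which lets a caller exchange a username and password at the token endpoint with no client secret and outside the browser login flow; the kafka-ui config added in this commit uses the redirect-based flow, so this can be `false`. The redirect URI is a wildcard, `https://kafka-ui.smo.o-ran-sc.org/*`, although the only callback configured is `https://kafka-ui.smo.o-ran-sc.org/login/oauth2/code/keycloak`; listing that exact URI (plus any post-logout target) narrows where authorization codes can be delivered. `"webOrigins": ["/*"]` does not look like an origin; if the intent is to allow the origins of the redirect URIs, Keycloak's `"+"` expresses that. The enclosing array starts and ends outside the hunk.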
@@ -0,0 +1,17 @@
+auth:
+ type: OAUTH2
+ oauth2:
+ client:
+ keycloak:
+ provider: keycloak
+ clientId: kafka-ui.app
+ #clientSecret: yyy
+ scope: openid
+ issuer-uri: https://identity.smo.o-ran-sc.org/realms/onap
+ redirect-uri: https://kafka-ui.smo.o-ran-sc.org/login/oauth2/code/keycloak
+ user-name-attribute: preferred_username
+ client-name: keycloak
+ logoutUri: https://identity.smo.o-ran-sc.org/realms/onap/protocol/openid-connect/logout
+ custom-params:
+ type: keycloak
+ logoutUrl: https://identity.smo.o-ran-sc.org/realms/onap/protocol/openid-connect/logout
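Review bot: This file turns on OAuth2 login but defines no role mapping, so as far as the visible configuration goes every account that can sign in to the realm gets the same access to the Kafka clusters; if kafka-ui's RBAC is meant to limit who can change topics or read messages, it needs to be configured alongside this. The hostnames are hard-coded (`identity.smo.o-ran-sc.org`, `kafka-ui.smo.o-ran-sc.org`) while `docker-compose.yaml` derives them from `${HTTP_DOMAIN}`, so a deployment under a different domain ends up with a mismatched `issuer-uri` and `redirect-uri`. The commented `#clientSecret: yyy` line would be clearer as a comment stating that the Keycloak client is public and no secret is expected.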