From: Zhang Rong(Jon) Date: Wed, 22 May 2024 14:44:02 +0000 (+0800) Subject: Support mTLS (Mutual TLS) with O2 API X-Git-Tag: 2.0.4~10^2 X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F20%2F12920%2F3;hp=33c7e7d9ee099b7d718bd74209e983f04cdc0298;p=pti%2Fo2.git Support mTLS (Mutual TLS) with O2 API Since the specification defined the API should support mTLS (Mutual TLS). This commit will enable the mTLS support in the O2 IMS API. Test Plan: 1. Request the O2 API with client key and client cert, the API works as expected. 2. The O2 API which is configured with the client CA cert can serve the client requests as expected. Issue-ID: INF-448 Change-Id: If53fb4fea1dac33968f167b0f40e83d34615faec Signed-off-by: Zhang Rong(Jon) --- diff --git a/charts/resources/scripts/init/o2api_start.sh b/charts/resources/scripts/init/o2api_start.sh index 4581db5..e790a6f 100644 --- a/charts/resources/scripts/init/o2api_start.sh +++ b/charts/resources/scripts/init/o2api_start.sh @@ -15,6 +15,10 @@ #!/bin/bash # The gunicorn start with [::] to listen on both IPv4 and IPv6 -gunicorn -b [::]:80 o2app.entrypoints.flask_application:app --certfile /configs/server.crt --keyfile /configs/server.key +gunicorn -b [::]:80 o2app.entrypoints.flask_application:app \ +--certfile /configs/server.crt \ +--keyfile /configs/server.key \ +--ca-certs /configs/smoca.crt \ +--cert-reqs 2 sleep infinity diff --git a/charts/templates/deployment.yaml b/charts/templates/deployment.yaml index 72e3580..29e387f 100644 --- a/charts/templates/deployment.yaml +++ b/charts/templates/deployment.yaml @@ -179,6 +179,9 @@ spec: mountPath: /configs/server.key subPath: config.json readOnly: true + - name: smocacrt + mountPath: /configs/smoca.crt + subPath: config.json {{- if .Values.o2dms.helm_cli_enable }} - name: helmcli image: "{{ .Values.o2ims.images.tags.o2service }}"
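Review bot: `--cert-reqs 2` in the new gunicorn command line in o2api_start.sh is a bare magic number, and the script comment above it still only explains the `[::]` bind. Add a comment stating that 2 corresponds to `ssl.CERT_REQUIRED`, so the next reader knows that clients without a certificate are rejected at the handshake rather than having the certificate treated as optional. Client verification is also enabled unconditionally: the container now depends on `/configs/smoca.crt` being present and valid, with no chart value to turn mTLS off for deployments that have no client CA. Either gate the two new options on a value or document the new requirement. The test plan in the commit message covers only the successful cases; add a negative case showing that a request with no client certificate, or one signed by a different CA, is refused. Note too that the visible options only validate the chain against `smoca.crt`, so any certificate issued by that CA is accepted. If the API is meant to be limited to specific clients, that check has to happen elsewhere.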
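Review bot: the new `smocacrt` volumeMount in charts/templates/deployment.yaml omits `readOnly: true`, which the `/configs/server.key` mount directly above it sets. A CA bundle that decides which clients are trusted should not be writable from inside the container, so add `readOnly: true` to match. The mount also uses `subPath: config.json`, the same as the key mount, so it only works if the source behind the `smocacrt` volume stores the CA certificate under a key named `config.json`. A short comment would help, since the key name does not suggest a certificate. No `volumes:` entry named `smocacrt` appears in the visible diff, so confirm that it is defined in the pod spec. Otherwise the pod will fail validation.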