From 7e214bfc3b04d6c62193a4cb0a350628907697ed Mon Sep 17 00:00:00 2001 From: Ravi Pendurty Date: Tue, 1 Apr 2025 17:27:54 +0530 Subject: [PATCH] Include authentication for kafka-ui Include self signed certs for kafka-ui Issue-ID: OAM-450 Change-Id: I7fe962f84c0aadb65369af4489192cfecb402df7 Signed-off-by: Ravi Pendurty --- solution/smo/common/.env | 2 +- solution/smo/common/certs-selfsigned/README.md | 31 +++++++++++ .../common/certs-selfsigned/smo.o-ran-sc.org.crt | 34 ++++++++++++ .../common/certs-selfsigned/smo.o-ran-sc.org.csr | 26 +++++++++ .../common/certs-selfsigned/smo.o-ran-sc.org.ext | 13 +++++ .../common/certs-selfsigned/smo.o-ran-sc.org.jks | Bin 0 -> 4007 bytes .../common/certs-selfsigned/smo.o-ran-sc.org.key | 52 ++++++++++++++++++ .../common/certs-selfsigned/smo.o-ran-sc.org.p12 | Bin 0 -> 4322 bytes solution/smo/common/docker-compose.yaml | 25 +++++++-- solution/smo/common/gateway/conf/middleware.yaml | 9 ++- solution/smo/common/identity/o-ran-sc-realm.json | 61 +++++++++++++++++++++ solution/smo/common/kafka-ui/config.yaml | 17 ++++++ 12 files changed, 264 insertions(+), 6 deletions(-) create mode 100644 solution/smo/common/certs-selfsigned/README.md create mode 100644 solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.crt create mode 100644 solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.csr create mode 100644 solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.ext create mode 100644 solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.jks create mode 100644 solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.key create mode 100644 solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.p12 create mode 100644 solution/smo/common/kafka-ui/config.yaml diff --git a/solution/smo/common/.env b/solution/smo/common/.env index da35a0b..8118a23 100644 --- a/solution/smo/common/.env +++ b/solution/smo/common/.env 
@@ -49,7 +49,7 @@ ZOOKEEPER_IMAGE=quay.io/strimzi/kafka:0.35.0-kafka-3.4.0 ## Kafka KAFKA_IMAGE=quay.io/strimzi/kafka:0.35.0-kafka-3.4.0 KAFKA_BRIDGE_IMAGE=quay.io/strimzi/kafka-bridge:0.25.0 -KAFKA_UI_IMAGE=provectuslabs/kafka-ui:v0.7.2 +KAFKA_UI_IMAGE=ghcr.io/kafbat/kafka-ui:v1.2.0 ## Messages (DMaaP) DMAAP_IMAGE=nexus3.onap.org:10001/onap/dmaap/dmaap-mr:1.1.18 diff --git a/solution/smo/common/certs-selfsigned/README.md b/solution/smo/common/certs-selfsigned/README.md new file mode 100644 index 0000000..9c29754 --- /dev/null +++ b/solution/smo/common/certs-selfsigned/README.md @@ -0,0 +1,31 @@ +# Create RSA Private Key and CSR (Certificate Signing Request) + + openssl req -new -newkey rsa:4096 -nodes -keyout smo.o-ran-sc.org.key -out smo.o-ran-sc.org.csr -subj "/CN=smo.o-ran-sc.org" + +# Create a config file containing the SANs + + smo.o-ran-sc.org.ext - Hand coded file containing the SANs and related information to be used in later stages + +# Generate the Certificate using the key, csr and config file + + openssl x509 -req -in smo.o-ran-sc.org.csr -signkey smo.o-ran-sc.org.key -out smo.o-ran-sc.org.crt -days 365 -extfile smo.o-ran-sc.org.ext + +# Verify the Certificate + + openssl x509 -in smo.o-ran-sc.org.crt -noout -text + +# Install/Trust the Certificate (if you dont want to see the warning in the browser or when running curl) + + sudo cp smo.o-ran-sc.org.crt /usr/local/share/ca-certificates/ + sudo update-ca-certificates + +# Java applications require certificates in .jks format + + ## Step 1 - Convert to .p12 format + openssl pkcs12 -export -in smo.o-ran-sc.org.crt -inkey smo.o-ran-sc.org.key -out smo.o-ran-sc.org.p12 -name traefikp12 -passout pass:changeit + + ## Step 2 - Convert .p12 to .jks - + keytool -importkeystore -srckeystore smo.o-ran-sc.org.p12 -srcstoretype PKCS12 -destkeystore smo.o-ran-sc.org.jks -deststoretype JKS -deststorepass changeit -srcstorepass changeit -alias traefikp12 + + + 
diff --git a/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.crt b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.crt new file mode 100644 index 0000000..5c30a30 --- /dev/null +++ b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.crt 
@@ -0,0 +1,34 @@ +-----BEGIN CERTIFICATE----- +MIIF1DCCA7ygAwIBAgIUB1CNmJ5LSjziLtOz22+neOzxIYswDQYJKoZIhvcNAQEL +BQAwGzEZMBcGA1UEAwwQc21vLm8tcmFuLXNjLm9yZzAeFw0yNTAzMjYxNDE5MTRa +Fw0yNjAzMjYxNDE5MTRaMBsxGTAXBgNVBAMMEHNtby5vLXJhbi1zYy5vcmcwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDbR5lB67CpkbEvHekbN2+PQn3u +FWe5QPrZHS8qTtz/OXEI0v8pAS+UwEzszMun1ILiiciCvMwVFhgCOeksf0yVlSVs +hRn+P7ljw0BJLZg9A6QCmesSGAmjaF/Y7nZQ91g4Zn9nqIt0gWXqEzD0HaS4MKX0 +dXd+AeTTdp6zj22mFmX+AEyurGLfalzOOtInd6hQp6OBo5j/EPRyi4BI+Lg1GEuX +W/8CUjGRHUv68eyhejfs15eMUjjBL8hws7BnYBH1IzuuEKuSPPJouAUAawcCmRww +ZqCCmHF6qecfZurqbxofDDCnjDKZSw3vtUbQ+AKujJdDZiU6/aQ+HQ3wu0XpYSBB +7KA9aOQqqocFWkfyYLnN51XTyt6sAfCBK4oqsrs70E97xOb0MLcW69qabI1AC5SE +QYrQz0YdWNrehBi43CruNBWS90j5unGenARqzEuK1RsNHhGBfD76YkK9b60JxeBl +nPus4WU6FPGz6J867NkSDUiSsgIDkm9+zbJ0sggczVt4R/LbdowIgeOR4r8OBkOc +Yxm/BXDR9BdPVykKBSqxrDG6nRxMbo0Bw+rv5elf+4KdEo75vBvubXQN6X/WIEn6 +v2lqM1+T8OG7Q9X3ti1JIAIv80SQy2DU9cT2PWXj5P/cPMmtxge8tVDI/1cpCTaT +z0WryyCU3HO3Wrs20QIDAQABo4IBDjCCAQowQAYDVR0jBDkwN6EfpB0wGzEZMBcG +A1UEAwwQc21vLm8tcmFuLXNjLm9yZ4IUB1CNmJ5LSjziLtOz22+neOzxIYswCQYD +VR0TBAIwADALBgNVHQ8EBAMCBaAwga0GA1UdEQSBpTCBooIQc21vLm8tcmFuLXNj +Lm9yZ4IZaWRlbnRpdHkuc21vLm8tcmFuLXNjLm9yZ4IidmVzLWNvbGxlY3Rvci5k +Y24uc21vLm8tcmFuLXNjLm9yZ4IZa2Fma2EtdWkuc21vLm8tcmFuLXNjLm9yZ4IY +Z2F0ZXdheS5zbW8uby1yYW4tc2Mub3JnghppbmZsdXhkYjIuc21vLm8tcmFuLXNj +Lm9yZzANBgkqhkiG9w0BAQsFAAOCAgEAFiPwswFGsvf8Am70mvyfucgV/WwgEva8 +X/8+4NcMOMJKVX55n7O8m4r4UE+z7Aw82/Oq0Hn6w202lEpoBTBsmzxIDMYKMHy+ ++RuCf+M/m+b8uT2sIX2QLgTES7b3RGZh6OPRBUN01HufAKnm0lOfpKacwL2/Ox6u +gESxvsqFGM2t1TRSUNifQ7T9I+csJmLbNlYCYTdAt9SNdY0Z4Obv7uRQ5gontWQV +glJYDtls84i9dwzStBWtJ7vcz21oRupRGotEBl05Ju3Jvt8oqvZxMJs+rnESRxZd +purKyEEZpPLK2sqCdWOe2ceNS3fgFtPaPJrKkdqj7iKasIWxI1Rzj0O6wHXWZ1wJ +U6b97devNljskfEeBC7pJ9lMUCbtoufk+5W07vrxrzG6gNUSG5LHeFDIZZ9ip3S0 +gl4Ip8lAb1u6PRbNERvPssLizMAKHwXU6+lrw5B0yiDX4+5UJWzly8n0K6gdzAxG +wTr3dC9LeHG1TguYPNaYHYU7VrFcOTrnDWNECpLUbWSFlhT2bYbSqWTLQFLyrHDo 
+tZ6mbVOc9BnvYHAIOuuOfsJ8ur5c16Ysrc2eVyy13Hu93NIvcgSPyGsn3xbbgVZC +nwDYIs9t6hFijxmcsxKmy4gXyJX8nVfH745XfQR6TStLY6hQjVdYEfG8aSGn2yJD +HujnfccXVK8= +-----END CERTIFICATE----- diff --git a/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.csr b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.csr new file mode 100644 index 0000000..57af49b --- /dev/null +++ b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.csr 
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIEYDCCAkgCAQAwGzEZMBcGA1UEAwwQc21vLm8tcmFuLXNjLm9yZzCCAiIwDQYJ +KoZIhvcNAQEBBQADggIPADCCAgoCggIBANtHmUHrsKmRsS8d6Rs3b49Cfe4VZ7lA ++tkdLypO3P85cQjS/ykBL5TATOzMy6fUguKJyIK8zBUWGAI56Sx/TJWVJWyFGf4/ +uWPDQEktmD0DpAKZ6xIYCaNoX9judlD3WDhmf2eoi3SBZeoTMPQdpLgwpfR1d34B +5NN2nrOPbaYWZf4ATK6sYt9qXM460id3qFCno4GjmP8Q9HKLgEj4uDUYS5db/wJS +MZEdS/rx7KF6N+zXl4xSOMEvyHCzsGdgEfUjO64Qq5I88mi4BQBrBwKZHDBmoIKY +cXqp5x9m6upvGh8MMKeMMplLDe+1RtD4Aq6Ml0NmJTr9pD4dDfC7RelhIEHsoD1o +5CqqhwVaR/Jguc3nVdPK3qwB8IEriiqyuzvQT3vE5vQwtxbr2ppsjUALlIRBitDP +Rh1Y2t6EGLjcKu40FZL3SPm6cZ6cBGrMS4rVGw0eEYF8PvpiQr1vrQnF4GWc+6zh +ZToU8bPonzrs2RINSJKyAgOSb37NsnSyCBzNW3hH8tt2jAiB45Hivw4GQ5xjGb8F +cNH0F09XKQoFKrGsMbqdHExujQHD6u/l6V/7gp0Sjvm8G+5tdA3pf9YgSfq/aWoz +X5Pw4btD1fe2LUkgAi/zRJDLYNT1xPY9ZePk/9w8ya3GB7y1UMj/VykJNpPPRavL +IJTcc7dauzbRAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAgEAfuIUW98BSWYrDV+Y +kUX5zc+OWXfjAOm3dW2bF+E5Zih1j5Sut9OiWqxqf6qPDpxnIk3jKzezMxxbVo/1 +umVLNX7PoojbZq/C7QXDR1JI8/E/hDpg44mF/Kx2FZeWzpg5MG8wffX/ZFD93Jpy +ULt5EgAMQd+bkG0A2l6zBs/YPC/ttPGcFMkbyRFfjdPbcajXo4x6SoeUnnJ+6be4 +GJ716atyuWX3B9jp1YETUO0lXnfkEtuzhOEtBjqLrZnmMk4Q13oD4uYf2zk32Nvy +V1DSX1SNuEAiJqxTu4k58TX+F8TtWYsUiH3EBT16Vq48zVfkh028IoFEusNZW8Eg +TLIjBHXje2zG80Edfq7N+YmIcEamIHNOChMz0AaZ3ShOitTifX5DJovNdmeQ9q82 +mSdnGuHVHGxHPJ1WJskPHOhmO9NEfDPsCc9C3dDREtOxCx2aI+hWVmYWR6PjsmHs +3lUeZipmnvXd5iQtQnPsD49eQEQ4P3xlrvkKM+gLZ6T6Brmo/seiJE/EC/UYcc/d +ozJJzK0a7y62EwLBQ3HP15KTDcT7oR/wsmc6bz4ztq+4GhF69X4PvWvzab75qM3w +Amfm55WjDwMEdOFSdE2j1liA4RwDHUOktk3mjWv8a1RWzz7EwM7yLayD4dfspdKu +ZdXHgnRHjOv8YnmQ4ZezJpjTIZA= +-----END CERTIFICATE REQUEST----- diff --git a/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.ext b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.ext new file mode 100644 index 0000000..acbb7a1 --- /dev/null +++ b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.ext 
@@ -0,0 +1,13 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = smo.o-ran-sc.org
+DNS.2 = identity.smo.o-ran-sc.org
+DNS.3 = ves-collector.dcn.smo.o-ran-sc.org
+DNS.4 = kafka-ui.smo.o-ran-sc.org
+DNS.5 = gateway.smo.o-ran-sc.org
+DNS.6 = influxdb2.smo.o-ran-sc.org
+
diff --git a/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.jks b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.jks new file mode 100644 index 0000000000000000000000000000000000000000..ac7fafc78cb919475d816787db8f4887a29833b0 GIT binary patch literal 4007 zcmaKuXH*l~(uR{jlmt)$(tA-lgx+fqfq>GaNH?@d@9jv56hXRFsRGiZW26O8kRnA| zq$>zWGl104`8@a6S>L(q{+PA)JF{oz&-1RmFSjnY0002!PXPZDP+xC52S>DvreYK9!JO>tk(CuD9)Qa?xXvpy6o zypFGAU7HkPz}BgCG}9kd{;=b{y~Y3YoY8!N)QlrcOP@KUwgzdPri^`{BLdlCkD4X|eFkq?BLfLHg`$K)cABpBzH3$HxS!v7?1k zT|3JARS{O`oDs8E&yefwrj>IRi!Q>I;${h*1%h1+Vy^PKt@&GM1&`+j9P*EhaN^^2G>=HL5=ajDHWPkE>tS$}6i>TkhTcNmJ zzlSSck-;HV)@63>O(~Qfba!&7LV<lI!9%K!bf=}?8_SF zhnhh1Z4(V z=zboh(`b0TUQeT!46Z3>4au1}w7Lfmp%P2)TT~gR`n0n~42|W9twqy(RAc;{hO0TQ z32qw&utWV57*Ji?S>PeT9G{E@F;`%6T@dbFOJ7M3rgekUtI?dUZ|2|JZQdlEi5sL%>fL(JKTdcf11@Z ztBZTT63*jvY|*slpfstRRNLAb{rf5B;#YNYYt3Q~ww{j>F|PU>tonD8(PD&`3u1$( zR;{{ab%dvHcbUDb@7)Y(6ZQNNqo9PE7N~p-kR#6!qPplN-Jz1Wb1Ujr-gn1C!1pux zv}{c@>B~cvFdor~NfY;-H(VA;j4r8&4xMeM2FanJ^ zvOP(qq8Qy0(vk3$u$_v2;WItK&gLw;zW$MC>Zi%_?3(MQNKfBM@37PGX*dh>u0zKi z5Avu>s^Q&W<;sD|&1Z3_5Mp#c-{IlBWW-Oq2!W{Xj4^Bx8;j(kxq}(@cg0;8f?#3Z zqP^=S<9Z>Oew*s-)|R0Wu_XD9nI?R1mBkV%eZLy)A31vebv0lH|E)qIf7wBnoO$^y zEOcKChgYB>?zM*EKHcXnFFPnj#*RMGpu+M76|m-wXB{A14EzgX)mEV;3$qlS0b0(j zyx+9XpU=8)cF^byHZKZ9fA}UmK={(Fl*xbsEUG^&Pv!~lJ|XNoo1W2(xX0@c8&MVu zywxF!w)2f;4{=9Xyl#dK&;%j&GOt|zB1G5#pKTR>#Vautq}iCA1ArWpy)6qA`7ow_ z+DhkKc(^NZ1tEd9HZzSB;T$UOFHPHrx4&9fGGkW_5SCa-A+b77QsA}7NQNJU!XSiS zzxLyOc<14Pb>iVMCdHK|pJWL|WFJ#?177PqzggR4F4W`Ny>qyfWx0?ib2dCa&&8fC zZb5k)Nw#UX%H;Sk5bg4FgC&SEWA-`M>07tx>?PAdjM6G{8x~PM5Ct&^*FN&p>LFSO zS7ZCvfqp@6v%aZX#){I>EJ%BvpQEpYh## zX#k^@EV6arijiLnF%Nj@-?q;1os3mjmi;9+aZXazQW&JCqrUxeuh-P>sA`+B({F@$ zy>dundbn>)=pcWDq_RbQe32MD~~7s9l_2c?;*JC7-4Mw}7uY zzEIe_aNYOd*_6|pUvEE9kE&V(I3 zexz4nsJkdruafO3f?j0wgZL6noX-eZctVQsWwflC^}ddD$>w&xKRZnJolNd!t0*ay zvp#5|Uo6r*Nr$<@MMHTE)`J)ev;oRo+^F!uV;fB~4y$-oF1e+KM}pkl>7Mv(9X&tO zKP$NtCaLAe`zqCTz0(IaseTgF(-3=1{PGScAHIELc+=7-n0~wsM}ME+fPZ96DKlp- 
z_Z#7RWb7hWu;gok;67eJ`B$)$M;HZ9B^6neaiZGA7dZD<=ynjkxXBsmjZ}4Q;F@P| zN1MsDNnbbhFiH^~i@KL=Q+RSWiAO;e5@B#?lXCSzZuWwvu6OCfjg|M8c#d{N)Bt~G zR`1qZTi6g&>dsf1FcOCM;M>i6npeq{5~lIP7tG27?QQrHmA>wRnTqI-#?M+%ZBlZ0 zY0BP2g?#VE4Xw7iPxS-O4CZW%1F>HqLMvrns2%Kaf#=kbz1La3fz|BCSjR#7^cA$f zERXc*AQbDv6kEt&loMZuFgY1zgse#Ue2gC8)+vf(S~g)x?DOIHa@lp;{YFzi58nSj z|1+?eh!k87002+JFk@N zp3bm}3f!N+lJg=Pzv2gqrhU*Q3=NjyF-x)i7~Bvo9Ro;iLnur)J^i+86yv2z3#waH zTR2OJqy&`xi<$va>})f=?XOQXlXVPpDu3Y{;jl>qKVU6shQB%R3kU_SO!((FCb^Z; zIa~sCYpNbEJhA*DKh7Iau3uIhQJi%}b>RIXT-jZo9i-$Du|jRB~PssEh$Wy0>TBGQ9S1V&Hof@OOk@ zoIpdH!svsLPpb#;Cc0m{m8;Stq;D;R0S8+b$!=3kIw7}53)?!IW>Ad&yiKZeWS z!ABV7;p*yu^7Zf*u}8W8`wpXvouiALupj#0B?c!uUxxs@|1y{f?e6I67ij-j{9j%F z^voZF{_zYDK*#;N5vbWfJO{ZSygDyv>8HJL<)A*o*<2|vPEp8q={yV#Drm&z#2xED zXe3Z5&h1x@2Ay`hNvG*JgW;|@idq!CQ21XRC(M|zWtE)O^A@El&Zo&Dq@R%Qi5iY} z>&s(cgfBj%08p_yZd6cGn){)>Q-Q4}T%*2YAc|qQ`m3a&{&WH2-39lW(4EI~(k37~ z8Pz6yf?opT;_A-!ivB8;7i&+8F*Lg|Ldq^1smKQJjIREjt)jJ+v-Ee{r@OUct>Is(nN#}$ z_4^$P9+&yP!&sA*eOC3bXjP&chB1#cbS({ifU<+}zcyUDlYIv`rk1yjZ@c~+{Cpr- z&N@V)`B9$eD~b&C!rmv(Qk=|UjZ!eFx0I7#qeN*yQ}J&0Q5m<6+@i-T><3j1_o_VC zvH7KLM!5%!JGP!=^1l*8yZ&nJu$(Ftsvgca6~fMkw9k)=dXpygyYMd1%|)1~7XYTY zM%*@GkCPa48>veNpVRlJpXZtO?IfB$B@NaSM54;|6HLuuyErsw*&G*wZGG)&AH8wy YZE@w*FzABy6)n_G8duM|6fzt8f8Ka$X#fBK literal 0 HcmV?d00001 diff --git a/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.key b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.key new file mode 100644 index 0000000..bb81759 --- /dev/null +++ b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.key 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDbR5lB67CpkbEv +HekbN2+PQn3uFWe5QPrZHS8qTtz/OXEI0v8pAS+UwEzszMun1ILiiciCvMwVFhgC +Oeksf0yVlSVshRn+P7ljw0BJLZg9A6QCmesSGAmjaF/Y7nZQ91g4Zn9nqIt0gWXq +EzD0HaS4MKX0dXd+AeTTdp6zj22mFmX+AEyurGLfalzOOtInd6hQp6OBo5j/EPRy +i4BI+Lg1GEuXW/8CUjGRHUv68eyhejfs15eMUjjBL8hws7BnYBH1IzuuEKuSPPJo +uAUAawcCmRwwZqCCmHF6qecfZurqbxofDDCnjDKZSw3vtUbQ+AKujJdDZiU6/aQ+ +HQ3wu0XpYSBB7KA9aOQqqocFWkfyYLnN51XTyt6sAfCBK4oqsrs70E97xOb0MLcW +69qabI1AC5SEQYrQz0YdWNrehBi43CruNBWS90j5unGenARqzEuK1RsNHhGBfD76 +YkK9b60JxeBlnPus4WU6FPGz6J867NkSDUiSsgIDkm9+zbJ0sggczVt4R/LbdowI +geOR4r8OBkOcYxm/BXDR9BdPVykKBSqxrDG6nRxMbo0Bw+rv5elf+4KdEo75vBvu +bXQN6X/WIEn6v2lqM1+T8OG7Q9X3ti1JIAIv80SQy2DU9cT2PWXj5P/cPMmtxge8 +tVDI/1cpCTaTz0WryyCU3HO3Wrs20QIDAQABAoICAHxPVbnCRK+MsZbVbQ4J2kur +1TpAlkG2bb7hxZhFhxGFXegzvYVgb7nzXmisHRQy7FRC6hH7t/KISOoSLHcWX7M5 +DzM7LaYuOAovaWVS3MhSJQt4eIQUbnpdtGCFpzt1TWUD7lw0d4J/zOfrI0hw+a2V +nq88XJZpunCLAaMnv3B1qDJbtx0bCx4+7QfY3sSTGC9JKe9XcGfBE+NP5FT582ve +LxRKigGl2QW8RxOnTI+qesPg4MAi6JvUW9xQccPY+bUv2ShvuOQ5eu8Uy3kWM64s +YIer1njStRpl8Wmi7bAjdfp97aM+Xnz6yJbI/LGAt/x+JU6HPLn5ir/PttRvRkzg +KNVMP00W/sQSTCGNIw36xIxmCVue8fbMbYZnkvMbiGyRBKMhrdWmRn5g1HlaWipl +HBYMzO/+E7s3Ac1c1ZrHKxQpZfY2krIgWxzK4S8nGNfDFZmILmx9De5qJJy1vGZF +8A/kYGjIERpZJBOHK1zzWiAJUw/NBElb5nxaoLDsjsWbaYio5Sy3wcFWQlBeRIxR +Ot3ZD1KmA9qEGopjcFNC+58v4cSLRrS54RgKQvCQl+aXse3g0GDz3Jkt5XBYFQvk +LNkTOnGEV4IovUCkEthxrG/2uSomqKCWCRSO66sPsMw3cSNS7Z2AjoygtCKtzRsX +wkt50RabU/Vhd/+k6bRxAoIBAQDtxqKtTrIRfjRg58HBAwNUz9It3HV2/NIB5VgO +sNYUY1egk9ad9JGwXRvbV7yHK0epbbFr+NVnJLiSQyGfjr6ub7SPeIlvwcExXRZe +MvyJVWnFXhcAYwG7Xp9RPIDDTeZDljTs6xfKs2u/ArL+fCw0eh7uWtFz0CYdhmVS +mPfuo9yY4XR7BJYhfijge3TrWGuA68OwcZInyi5FxBqzEH0EmPy/VC5Ioa5K/7O0 +y/s3h8hTJQws+DKxGTfg557bcMp9Gx+emXiq8BGKy+P8jf0P5B1cH3zTlGljNLvg +E8n1zoeqI5XgOt2yjVrQg4/uKmgOVlJ3b4o2QehWFJIs1sr9AoIBAQDsFg0n7aUD +WZDTXD+yZsBNmMdKjb7t6ea+qHohL/5eJD1y6coOGaTnVbYG7zz25QOc5ysw458K 
+Xg/VFw593W4MsxshAWRefUz6oDpIgx7sWw+i1t89wcKSz52bWXesdBz0Lem9q9mj +YlJzdopgfNbD18qTDy3wWmDQgYxnzlmwc7DsmD/hz1QenBPYlm7jurUyCWC1YKJM +CftcpwRzEo7lHJNBUloLGeINxAP0/FUkulxJIRr/G/3h22/3i7Vqlm3BbUnUSJxC +Lj1jssnXAVW7A1bH76zckerEQFaFD3t7jYyHuIBZ1ikCdxntq9fSrFn51vqnSTua +kjoGE4IcbfVlAoIBABoL10gaxcDKzVwMJxpIhTXmKgTiEG//U9XnVJUPY/QJydCK +QUk+QDNMj7+gRcOcxxXVMUk9kcrhp+JFvkonLdYX4HSS5KM8WzhYFRouhaFZnOOE +4golzkvDGrqgYQ6D2wRuUM/fFNUcgGIFHqxn18PL2NWNV0JTe8liLnk0znvysTiC +Aetz3io/EqU8gNtC7UvLB72tQzBeomD8EVyqIre9NnqS8xr7swb+KaZVbehwVE5f +UY0fhxYFSCy30pwBJ/06WmVaNHCtKY7FtOy2dREnkNvFizv2FvFKFoZ+RHJLtGq7 +yTAt4pkriNYsgzi4pntjk1cH/eDhqVy8liKZSNUCggEBAJsJiC42c+0VPnRu2i2w +KI1MzWN6Xm4i8rM2NK3itKriJbB3M4e6834v3VAEgAarMooxjT2X3XOTfdY0RAII +DiMs453zKhSbOJhF7MB9yyrwSf5oGUaXHc4HpbrFMEACKJl6JUu3tT8EbJ0CtbDT +ir4l0hRtHX//+iAzUx9AdcnYz9Ev0pPZ8aYAXVAYyk2m6SMo4Wd7RFmnHHkl/VgM +UebHszRsflFX+AmONgMGSmvKLpyfrvjlSv6teoQYLVUH4J/rw1YzMNqNPydf3Ajk +CYa8lJrMHLrk4EVs8uSC3FaxCB6A3VkhuOCzkkVwWlUxdg0KTqTZBNlnOc+PtBwz +YbkCggEAK03jxSsqnTVjhMR0AJlx8ljvoJRofQYkcUx5h7tZioo1lek9QhWvBtzU +jcTue81YSxYnuNLGTpisz0WY7nNewXXggx+wfQoBYgVj+aLOFMZ+U+JbCYmjtDMa +wWxDmGIbt6tvU9kR1t7nJ0XJU0ZNI8d2Ktj2zhfxueZZabQmAvfjKrEDOyIwiGEt +s7hludnGgnJ11GhI4wXMHhoc0I7iIXP6u24wHrrpTMVy6h27m1WqHRolS6PK367o +Nyno63pWRt4rtTCl38UATxeJ0v9vzzs2ZBBUgQzyHt1dlCu6LTKy8IYNjPKzMLUI +HHRxwkXLiluL1Wjr1Afz+9dcL+qWfw== +-----END PRIVATE KEY----- 
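Review bot: The unencrypted private key for the certificate that the gateway serves is committed in this file, and the `.p12` and `.jks` files added next to it wrap the same key under the password `changeit` shown in the README. Everyone with read access to the repository therefore holds the key for all six SAN names in `smo.o-ran-sc.org.ext`, and the README step that copies the certificate into `/usr/local/share/ca-certificates/` makes hosts trust it. Generating the key and certificate at deploy time with the README commands, and ignoring `*.key`, `*.p12` and `*.jks` in this directory, would keep the development workflow without shipping a shared key. Once pushed, this key should be treated as public and never reused outside a throwaway lab.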
diff --git a/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.p12 b/solution/smo/common/certs-selfsigned/smo.o-ran-sc.org.p12 new file mode 100644 index 0000000000000000000000000000000000000000..9ba54ea48f5f118ea5ed4b3f245121f32204c739 GIT binary patch literal 4322 zcmY+GWmFUl(}tI3=~!}?TpAXZTsozs8>B%}&;@CvTe`cXyF*GrX^{>QM7jl+l74;8 z`Mx)P%$akpduIM#0}mznfsTd&4<#wZ269EJL|zf1;h+_TlB8pXk|h7d@$gXW!v93r zMWNV9e^DGd8sKk>_)mfchhXFV-vt6RY&a1n?ueijG3jYV5jr|9AUG7;Sl1OQxYfg< zXQ?bn$jMnO^<%|;b{o<@@21`qX6EXITN(rFqBwg(qZ+?$F{<#hf6wPlwruZ*tPm3_ zVI@FR(A-Tbo0%I`@$5$1y1a2!jcB|TUZ2Rb<+NB6*%p5gC>Pv6c|ih$vA^c{x>mw! zamg?dSsjw`aWH7$Jd7``KV=0_d;Hur91!a`+JmHCh?pE0-{x>2JTQ_H7|^q;O5?Vjx#TyVOK)>#gFmVz{Bh#I`kP|c+8Y$us|(J!_q9#3&OPff1c&EsXWYuOTA!ropRixhTWrO+yE zuix-04CCMnL@NZR^~rzuX-+|`gjV#Ci0ZuIc3fWXrF?S%h50HECdsr3BEbG_Wz55@ zs$EjLmGkmah1Hx%>0l?UlYzcP^q9^*+^6~~Xw#CA1J4OCoNgQL{A1sAWVrn8%F>Cd z#lmT!A}P*pB4%WNA$Z18>6)5=pVjkXG~q>(g>hVF%s}5~`~rWP+$rNVp+Dcuv@B({ zGP3|k4f=A_4kTQxt@5?ElD?$Q++KU~%S}x&*QlrH9-kG{=j63KUtr%3OZdkT@$P&w zNuwJWD>kW!ydUk*N}FcOoRr2{i4kD}6rv?)+>b^x1q-3mClzOSgVb0%isNPom~UR26W4C z;TRieL54V^xo#qJ2ghUqMN;MDw?=02>Sm^2l4gk53fD79>G|fTxA)`?i^mR}3S`8q zB5(?3507~KQT3VLXcB$ zN1K|HkV|2}qhnsXBwMS4VMS^%O<4o_Nq+yM$aX0s71?g?u#WZW1N#R%^%Uv4aA(>; z4}+HGj3l;I%0JRCEHujY?vq+e8}+9B`$5s+)q4Ko+I_NyE1a@~d+rWVh$yMvHzs zFTuCmHIYN*x0TUo>i4Aha7cS04OvMh?+f=Up>8yegSZ6H?>Hzb;rhL039b(y(i3o0 zy2rly;YSSef^4-@YF!B}hoFMp!(VO$)^*gXMRhO_gV-y?Wj}Qlk31gwv~J(2N~q9N z>Vdfn=-N!YMz|*G*_1lq?AgJ^;09_6zs>oueDx08HmsxxbHiZ04G4TdThU`4v%EO^ z!u&0Tg@Q~_vxKi0Ohf@X7v=A8{lc{5P;HxG@y6@Yd)<_@NkR!j-obWb(4}-}t#8d5 z>Nex(`>n(N6f%%0!L2NpjaGo&zWa&;P%D8@+2S1*8hzIYl*1=~p?XKu51zcwfsFOu zrsW+$!nZw}yAk*vHi5SbiBQ{-`yl*jO6}i=YC00NqObzqZ%=-_U0PxjRql`R zG~Z&V&eBtaRspTI)7?+YfdpojGa?C#JLOk)Xq;!PT5|_8?UPRwrjk}aWs?c?TFV<5 zj%(jYbjcA%4MQVHcRanKVBLi@IkitjyEQcD`FQ zFn=t5w`mS%ec1-gACySU4)F=Bw5p#_ls%+zHJb+0ywcp9%H!!%A$wJ8?;V6g{Lroc zipNeX$G`Na8AoLf1cW`^fF96)T`I~>sv-Kyb`aSCWlA{;(LrgXTl{GugMEb7DSX9{ 
zRJHeM5gW=%oDW*^w0EhSqnRhY7N0q9Jr~4iho@WL6vjd1nc`rU?}xxc61NK=U+rk} z7M+1|ft|e7^*s01bJPQag>!H;;YiSP+fbd@sgxt*K4LY>Y$(pg{q8w8p4zGF^;5l3 z1!UT%32iy|1YIwMV*ykD8|eL}HK5v%@TmNy3dj70vy(};t8{X}rZ)F9Z!*3my}Irg z8#@|26u9$WA}R_6E@FlPXaC~Kzcr4H|NmOTLqq=?zWfWF|HoDs|JW+QK-~t4fu;VB zt^Tg7^pmrm7`h?bYTNeFQ@id=5Oq0C$0qO`oc`=V5*t+Q-t8fHda;|*>9$#c7(vHt z>|DPkD3q&V?T~y%6SiEyY*gvKh@xnAI+k)&d%bpf)$p4dkxCcMzXMs+_UZ7tv~>0q zcEQiYm%aF!2fmD!z?g3cBB#|1PRShDLXu19qG$z%mNaU4Z?njyF`_p0p0*;(!sPZH zYxO2q3Mh&JR(q}qc|UKKY^d*uBG;rOugME_d$W*8PuGLVxFH%)K+CG@H`{Tp1(k0z z+N2c+j?Tio3}&dC{cuKAI9V;XC-O6*xuK_IgZ(#^0OQCBP+xgKh$ZWBrdWB}koPOw z;qEsox}O9$py)oct{jw|H=P4_fR|5Wf$ltB+SFuv*c)h5TwL96#FNU6qm66GrX5nPIx%PZTq!wWo-R63&5Vd)bfb`#xlRbbSHfcuYNb$ZWo0zS({8C2M-d! z92G9R+jDS7DA(y34Su>-d(WJaPPA1%&G)SZf5x#4R|Q%+KFV1O_}+D$dlBWL4rsuo zF8%ss6gHdY$x2}|S~f00CoFwmWKOKz(m^Q;Fmt0#-!8=dNjjepQ$q=2wr`0!iCh7w z-b{$#h|odm;uX*Vf~NGQp$RqLM0S6^X-&hd`|UHa^cMfnrXoR#xg~XUKuSlu^dY_| zTU+L&fHB)g^jXr6)86^2{Rdp?23K}7nKruJ-uFY>$6#K~I!T^&4?tGeSsEQ)^~jvw zxZ!P68@hg~nduSMgo`!{pOyKu#o}s5muJ$TLoKsMoJt{?+qmnu~-Tj7X}T z>p0DViWl?mhYYyfflgoz6*dt8h*IIF@|9>YhpKL0|5ArrW@Eo3x4gMNN+%V$mRZC?HDg3ObESu8Mm)GxCzl2Z)fI;g^`~7}#TopQ5_h_?r$J$l%+<5-8 z9u?b(yRz}}F-F-j8|6KnF5~PIk>kX$G=mzV#3)?%!{EO zCbyqNM(1%r=i}IDO>Xu&)chM}n+_EgyGYM)u0_qaj2^L=V<;+E;imD0?TB=XR;V?@eD>)BWiA9ghJ*NYLC)9e;h= z9nr&`77xv30I%r8IMXZ(gHo{Dw9U;j~Ss=** zhl|wx8h+lpXm-oVO9PBkw8p}zxzD%6OPtQfmc15ibP!h0((&Ax0Dy#kRW0PB5`)r4 z;uA+N_psnOqGevA&IsmsvieKnac*B^*}?$h7f!YnzLZ}P88rbWBzta?EV%$jdxrC_ zzOchTTZwCBXQ@gT)K>dcWv#5_8`lc#_jhkt&G_jy49CNJDb1oga+`^VsYo~6)tSRF za&-_~k4Pzj=FbgAE^kKYHk%!)OyE?@6Dqlpg0*XpB%}b1>Y(#SI}w8i$edEh6Xn{J zLYL)-tFB4lH=xJ(n-q%9e9j|egTraOy3l>D*mi5nX=6J}u-~tp&7#*+zZ8NGhnj3haOHDrF`j|H<#X-CLyImTfyseL0Vm4G@a7Nq`M^94( z_q+)aXNIHPH}0QAUv`P3zzRJ@ge|`00AO}c+i0arJT*f{b8$^~fVuRz-n+g)$U5gX zsN&kx>FS3z+J+?L_I=HO*b$%FX{_pJfZ%{S_4^37RA2>1N$z83K6G9FOfpyWfW6uS z*VV_JvaEO|k*N?oPJ1Xn3J%MYX~a;Ix2lNRpYq)SV?bTha0(p#b{W@puCB4K%9y=G zDk*)4kERx?z$)}IlG-s_8bk$j!4#TJuzs4fWE=$@sQL`29O$6HONr@DB}cLo7Nhlh 
z`HUXhqK5ais`hYheyz|9|%@6#m&!@DJN029trdeV%g%N?oqw|qb-I2 z8$67R=lc2@=+bq2u@J=SnR`f@`z}Q|A8dz+r|gcrt0e@US~&XdT3;$$%5uncwDejG zX{vEaRJ~Kx7vv0}A*tu)5VyS+Y+EZ|>61J7qZ?GGp*LX!9fc!yA z0-Y*2XYA~p)q&PGO(g%Zk2MrmJT+JqAaIupAR}J3zggsGB4j{|i&>NL<&?b8Z{}%p znF4Pc3T2MihbitDRbrpACE`R;We5_pQF@;Usc#D89?tr(XHps)kSU_$9>j<9o>P*u zY`$Yzb5tDn3AFi;o_5?OkE8MB16p=$f(0$J*f3V`y>|SaAeZQ#79WLl_zF5ik|%@q z((Jc`V^d`U<{(yL(P57g#z8FjtBso8)oJ4)(81Iv7*n#x@SH!O$X=KL?&_0=nN_I-fJordh2^n9>7jbHE9gySydItr7zZPn3Ng9 z92_7vdT}JLP^vD4y7omQe5!9N#egS~NWbti>1L3|Z?6T93QH`T$J>EWZP|cX4P5nW%W=z~DD?25F6iWYpUb%k(Ii&(U literal 0 HcmV?d00001 diff --git a/solution/smo/common/docker-compose.yaml b/solution/smo/common/docker-compose.yaml index 7011e32..7d68bed 100755 --- a/solution/smo/common/docker-compose.yaml +++ b/solution/smo/common/docker-compose.yaml @@ -57,13 +57,15 @@ services: - --providers.docker.network=${TRAEFIK_NETWORK_NAME} - --providers.docker.exposedByDefault=false - --providers.docker.watch=true - - --providers.file.filename=/middleware.yaml + - --providers.file.filename=/etc/traefik/middleware.yaml volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - - ./gateway/conf/middleware.yaml:/middleware.yaml:ro + - ./gateway/conf/middleware.yaml:/etc/traefik/middleware.yaml:ro - ./gateway/conf/.htpasswd:/.htpasswd:ro - + - ./certs-selfsigned/smo.o-ran-sc.org.crt:/certs/dev.crt + - ./certs-selfsigned/smo.o-ran-sc.org.key:/certs/dev.key + - ./letsencrypt:/letsencrypt # ACME storage labels: traefik.enable: true traefik.http.middlewares.traefik-auth.basicauth.usersfile: .htpasswd @@ -99,6 +101,11 @@ services: image: ${IDENTITY_IMAGE} container_name: identity hostname: identity + healthcheck: + test: curl "http://localhost:9000/health/ready" || exit 1 + interval: 5s + timeout: 10s + retries: 45 environment: KEYCLOAK_CREATE_ADMIN_USER: true KC_BOOTSTRAP_ADMIN_USERNAME: ${ADMIN_USERNAME} 
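Review bot: In the gateway `volumes` list the certificate and key are bind-mounted read-write, while the neighbouring `middleware.yaml`, `.htpasswd` and `docker.sock` mounts all carry `:ro`. The gateway only reads these files, so `- ./certs-selfsigned/smo.o-ran-sc.org.crt:/certs/dev.crt:ro` and `- ./certs-selfsigned/smo.o-ran-sc.org.key:/certs/dev.key:ro` would stop a compromised gateway container from replacing key material on the host. The `./letsencrypt` mount has to stay writable for ACME storage, and a short comment saying so would explain the difference. The service definition starts and ends outside this hunk.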
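Review bot: The `curl` call in the new `healthcheck` has no `--fail`, so it exits 0 for any HTTP response, including the 503 a readiness endpoint normally returns while the server is still starting. The `depends_on` / `condition: service_healthy` gate added for kafka-ui later in this file would then open too early. `test: curl --fail --silent --output /dev/null http://localhost:9000/health/ready || exit 1` makes the status code count. The diff does not show whether `${IDENTITY_IMAGE}` ships `curl`; if it does not, the check never passes and kafka-ui never starts, so that is worth confirming.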
@@ -118,10 +125,12 @@ services: KEYCLOAK_TLS_TRUSTSTORE_PASSWORD: changeit KC_HOSTNAME: "https://identity.${HTTP_DOMAIN}" KC_HOSTNAME_ADMIN: "https://identity.${HTTP_DOMAIN}" - KEYCLOAK_EXTRA_ARGS: "--spi-theme-default=oam" + KC_HEALTH_ENABLED: true + KEYCLOAK_EXTRA_ARGS: "--spi-theme-default=oam --import-realm" restart: unless-stopped volumes: - /etc/localtime:/etc/localtime:ro + - ./identity/o-ran-sc-realm.json:/opt/bitnami/keycloak/data/import/o-ran-sc-realm.json - ./identity/standalone.xml:/opt/jboss/keycloak/standalone/configuration/standalone.xml - ./identity/keystore.jks:/opt/bitnami/keycloak/certs/keystore.jks - ./identity/truststoreONAPall.jks:/opt/bitnami/keycloak/certs/truststore.jks @@ -276,6 +285,11 @@ services: KAFKA_CLUSTERS_0_NAME: kafka KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: kafka:9092 DYNAMIC_CONFIG_ENABLED: 'true' + SPRING_CONFIG_ADDITIONAL-LOCATION: /config.yaml + JAVA_OPTS: "-Djavax.net.ssl.trustStore=/etc/certs/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit -Djdk.internal.httpclient.disableHostnameVerification=true" + volumes: + - ./kafka-ui/config.yaml:/config.yaml + - ./certs-selfsigned/smo.o-ran-sc.org.jks:/etc/certs/truststore.jks labels: traefik.enable: true traefik.http.routers.kafka-ui.entrypoints: websecure @@ -285,6 +299,9 @@ services: app: "kafka-ui" deploy: "o-ran-sc-smo-common" solution: "o-ran-sc-smo" + depends_on: + identity: + condition: service_healthy networks: dmz: default: diff --git a/solution/smo/common/gateway/conf/middleware.yaml b/solution/smo/common/gateway/conf/middleware.yaml index 19119d8..106ba8b 100644 --- a/solution/smo/common/gateway/conf/middleware.yaml +++ b/solution/smo/common/gateway/conf/middleware.yaml 
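Review bot: `-Djdk.internal.httpclient.disableHostnameVerification=true` in the new `JAVA_OPTS` turns off hostname checking for the JDK HTTP client in the whole kafka-ui JVM, so a certificate trusted by the mounted truststore is accepted for any host name, including the identity provider that vouches for user logins. The committed certificate already lists `identity.smo.o-ran-sc.org` as a SAN, so the flag should not be needed and can be dropped; if a connection by another name is the reason, adding that name to `smo.o-ran-sc.org.ext` is the narrower fix. Judging by the README commands, `smo.o-ran-sc.org.jks` is converted from the `.p12` that contains the private key, so this container receives the gateway's key although it only needs the certificate. A truststore built from the `.crt` alone with `keytool -importcert`, mounted `:ro`, would avoid that. The kafka-ui service definition begins outside the hunk.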
@@ -10,8 +10,15 @@ http: stsSeconds: 315360000 stsIncludeSubdomains: true stsPreload: true + oauth_headers: + headers: + customRequestHeaders: + Authorization: "" # tls: # options: # myTLSOptions: # minVersion: VersionTLS12 - +tls: + certificates: + - certFile: "/certs/dev.crt" + keyFile: "/certs/dev.key" diff --git a/solution/smo/common/identity/o-ran-sc-realm.json b/solution/smo/common/identity/o-ran-sc-realm.json index 44ebf69..14ea1c9 100644 --- a/solution/smo/common/identity/o-ran-sc-realm.json +++ b/solution/smo/common/identity/o-ran-sc-realm.json @@ -304,6 +304,7 @@ } ], "odlux.app": [], + "kafka-ui.app": [], "security-admin-console": [], "admin-cli": [], "account-console": [], 
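Review bot: The new `oauth_headers` middleware carries no comment explaining that an empty value under `customRequestHeaders` makes Traefik remove the header, so `Authorization: ""` drops every client-supplied `Authorization` header on the routers it is attached to. A line such as `# empty value removes the client's Authorization header before the request is forwarded` above `oauth_headers:` would make the intent reviewable. No router label visible in this patch references `oauth_headers@file`, so it is worth checking that the middleware is attached where intended. The active `tls:` block is added while the `minVersion: VersionTLS12` options stay commented out; enabling them would set an explicit protocol floor instead of relying on the proxy default.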
@@ -750,6 +751,66 @@ "microprofile-jwt" ] }, + { + "id": "93bc9c5c-1414-4231-ab20-0e88fa8dade2", + "clientId": "kafka-ui.app", + "name": "Kafka-UI", + "description": "Kafka UI application for managing Kafka resources", + "rootUrl": "", + "adminUrl": "", + "baseUrl": "", + "surrogateAuthRequired": false, + "enabled": true, + "alwaysDisplayInConsole": false, + "clientAuthenticatorType": "client-secret", + "redirectUris": [ + "https://kafka-ui.smo.o-ran-sc.org/*" + ], + "webOrigins": [ + "/*" + ], + "notBefore": 0, + "bearerOnly": false, + "consentRequired": false, + "standardFlowEnabled": true, + "implicitFlowEnabled": false, + "directAccessGrantsEnabled": true, + "serviceAccountsEnabled": false, + "publicClient": true, + "frontchannelLogout": true, + "protocol": "openid-connect", + "attributes": { + "realm_client": "false", + "oidc.ciba.grant.enabled": "false", + "backchannel.logout.session.required": "true", + "frontchannel.logout.session.required": "true", + "oauth2.device.authorization.grant.enabled": "false", + "display.on.consent.screen": "false", + "backchannel.logout.revoke.offline.tokens": "false" + }, + "authenticationFlowBindingOverrides": {}, + "fullScopeAllowed": true, + "nodeReRegistrationTimeout": -1, + "defaultClientScopes": [ + "web-origins", + "acr", + "roles", + "profile", + "basic", + "email" + ], + "optionalClientScopes": [ + "address", + "phone", + "offline_access", + "microprofile-jwt" + ], + "access": { + "view": true, + "configure": true, + "manage": true + } + }, { "id": "048a9bfc-077a-42a2-afe8-1ec13d3a43a3", "clientId": "realm-management", diff --git a/solution/smo/common/kafka-ui/config.yaml b/solution/smo/common/kafka-ui/config.yaml new file mode 100644 index 0000000..6db0fbc --- /dev/null +++ b/solution/smo/common/kafka-ui/config.yaml 
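Review bot: The `kafka-ui.app` client combines `"publicClient": true` with `"directAccessGrantsEnabled": true`, which enables the password grant without any client authentication, although the UI only needs the browser redirect flow that `"standardFlowEnabled": true` already covers. `"directAccessGrantsEnabled": false` closes that path. The redirect pattern `https://kafka-ui.smo.o-ran-sc.org/*` is wider than the single callback configured in `kafka-ui/config.yaml`; `"https://kafka-ui.smo.o-ran-sc.org/login/oauth2/code/keycloak"` would be the exact match, and `"fullScopeAllowed": false` would keep unrelated realm roles out of this client's tokens. `"webOrigins": ["/*"]` does not look like an origin value and probably should be `"+"` or the explicit `https://kafka-ui.smo.o-ran-sc.org`; please compare with the other clients in the realm file, which this hunk does not show.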
@@ -0,0 +1,17 @@ +auth: + type: OAUTH2 + oauth2: + client: + keycloak: + provider: keycloak + clientId: kafka-ui.app + #clientSecret: yyy + scope: openid + issuer-uri: https://identity.smo.o-ran-sc.org/realms/onap + redirect-uri: https://kafka-ui.smo.o-ran-sc.org/login/oauth2/code/keycloak + user-name-attribute: preferred_username + client-name: keycloak + logoutUri: https://identity.smo.o-ran-sc.org/realms/onap/protocol/openid-connect/logout + custom-params: + type: keycloak + logoutUrl: https://identity.smo.o-ran-sc.org/realms/onap/protocol/openid-connect/logout -- 2.16.6
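Review bot: This config turns on OAuth2 login but defines no `rbac` section, so, as far as I can tell for kafka-ui, every account that can authenticate in the realm gets full access to the cluster. With `DYNAMIC_CONFIG_ENABLED: 'true'` in docker-compose, that likely includes editing cluster configuration from the UI. Role rules tied to a Keycloak role or group, or at least a comment such as `# no rbac: every realm user is a Kafka admin in this lab setup`, would make the access model explicit. The hostnames are hard-coded in four URLs here while docker-compose derives them from `${HTTP_DOMAIN}`, so a deployment under another domain breaks login unless both places are edited. `logoutUri` and `custom-params.logoutUrl` carry the same URL, and a one-line comment saying which of them the application reads would help.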