Feature 10957: Set up dedicated namespace for helm based EE and add client side TLS for gRPC
Change-Id: Ic4d931b44372265b7366178cdd912b13a73db334
Signed-off-by: Gabriel Cuba <gcuba@whitestack.com>
diff --git a/osm_lcm/data_utils/lcm_config.py b/osm_lcm/data_utils/lcm_config.py
index 08a8728..711d76a 100644
--- a/osm_lcm/data_utils/lcm_config.py
+++ b/osm_lcm/data_utils/lcm_config.py
@@ -125,6 +125,8 @@
loglevel: str = "DEBUG"
logfile: str = None
ca_store: str = "/etc/ssl/certs/osm-ca.crt"
+ client_cert_path: str = "/etc/ssl/lcm-client/tls.crt"
+ client_key_path: str = "/etc/ssl/lcm-client/tls.key"
kubectl_osm_namespace: str = "osm"
kubectl_osm_cluster_name: str = "_system-osm-k8s"
helm_ee_service_port: int = 50050
diff --git a/osm_lcm/lcm_helm_conn.py b/osm_lcm/lcm_helm_conn.py
index 72bd7f5..30eba46 100644
--- a/osm_lcm/lcm_helm_conn.py
+++ b/osm_lcm/lcm_helm_conn.py
@@ -79,14 +79,13 @@
def create_secure_context(
- trusted: str,
+ trusted: str, client_cert_path: str, client_key_path: str
) -> ssl.SSLContext:
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.verify_mode = ssl.CERT_REQUIRED
ctx.check_hostname = True
ctx.minimum_version = ssl.TLSVersion.TLSv1_2
- # TODO: client TLS
- # ctx.load_cert_chain(str(client_cert), str(client_key))
+ ctx.load_cert_chain(client_cert_path, client_key_path)
ctx.load_verify_locations(trusted)
ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
ctx.set_alpn_protocols(["h2"])
@@ -186,6 +185,9 @@
and credentials object set to None as all credentials should be osm kubernetes .kubeconfig
"""
+ if not namespace:
+ namespace = self.vca_config.kubectl_osm_namespace
+
self.log.info(
"create_execution_environment: namespace: {}, artifact_path: {}, "
"chart_model: {}, db_dict: {}, reuse_ee_id: {}".format(
@@ -249,7 +251,7 @@
system_cluster_uuid,
kdu_model=kdu_model,
kdu_instance=helm_id,
- namespace=self.vca_config.kubectl_osm_namespace,
+ namespace=namespace,
params=config,
db_dict=db_dict,
timeout=progress_timeout,
@@ -263,15 +265,13 @@
system_cluster_uuid,
kdu_model=kdu_model,
kdu_instance=helm_id,
- namespace=self.vca_config.kubectl_osm_namespace,
+ namespace=namespace,
params=config,
db_dict=db_dict,
timeout=progress_timeout,
)
- ee_id = "{}:{}.{}".format(
- vca_type, self.vca_config.kubectl_osm_namespace, helm_id
- )
+ ee_id = "{}:{}.{}".format(vca_type, namespace, helm_id)
return ee_id, None
except N2VCException:
raise
@@ -423,6 +423,34 @@
certificate_name=certificate_name,
)
+ async def setup_ns_namespace(
+ self,
+ name: str,
+ ):
+ # Obtain system cluster id from database
+ system_cluster_uuid = await self._get_system_cluster_id()
+ await self._k8sclusterhelm3.create_namespace(
+ namespace=name,
+ cluster_uuid=system_cluster_uuid,
+ )
+ await self._k8sclusterhelm3.setup_default_rbac(
+ name="ee-role",
+ namespace=name,
+ api_groups=[""],
+ resources=["secrets"],
+ verbs=["get"],
+ service_account="default",
+ cluster_uuid=system_cluster_uuid,
+ )
+ await self._k8sclusterhelm3.copy_secret_data(
+ src_secret="osm-ca",
+ dst_secret="osm-ca",
+ src_namespace=self.vca_config.kubectl_osm_namespace,
+ dst_namespace=name,
+ cluster_uuid=system_cluster_uuid,
+ data_key="ca.crt",
+ )
+
async def register_execution_environment(
self,
namespace: str,
@@ -693,8 +721,12 @@
async def delete_namespace(
self, namespace: str, db_dict: dict = None, total_timeout: float = None
):
- # method not implemented for this connector, execution environments must be deleted individually
- pass
+ # Obtain system cluster id from database
+ system_cluster_uuid = await self._get_system_cluster_id()
+ await self._k8sclusterhelm3.delete_namespace(
+ namespace=namespace,
+ cluster_uuid=system_cluster_uuid,
+ )
async def install_k8s_proxy_charm(
self,
@@ -767,7 +799,11 @@
else:
return "ERROR", "No result received"
- ssl_context = create_secure_context(self.vca_config.ca_store)
+ ssl_context = create_secure_context(
+ self.vca_config.ca_store,
+ self.vca_config.client_cert_path,
+ self.vca_config.client_key_path,
+ )
channel = Channel(
ip_addr, self.vca_config.helm_ee_service_port, ssl=ssl_context
)
diff --git a/osm_lcm/ns.py b/osm_lcm/ns.py
index 9ceb609..83705d4 100644
--- a/osm_lcm/ns.py
+++ b/osm_lcm/ns.py
@@ -133,6 +133,7 @@
SUBOPERATION_STATUS_NOT_FOUND = -1
SUBOPERATION_STATUS_NEW = -2
SUBOPERATION_STATUS_SKIP = -3
+ EE_TLS_NAME = "ee-tls"
task_name_deploy_vca = "Deploying VCA"
def __init__(self, msg, lcm_tasks, config: LcmCfg):
@@ -1830,7 +1831,7 @@
ee_id, credentials = await self.vca_map[
vca_type
].create_execution_environment(
- namespace=namespace,
+ namespace=nsr_id,
reuse_ee_id=ee_id,
db_dict=db_dict,
config=osm_config,
@@ -2750,13 +2751,16 @@
# create namespace and certificate if any helm based EE is present in the NS
if check_helm_ee_in_ns(db_vnfds):
- # TODO: create EE namespace
+ await self.vca_map["helm-v3"].setup_ns_namespace(
+ name=nsr_id,
+ )
# create TLS certificates
await self.vca_map["helm-v3"].create_tls_certificate(
- secret_name="ee-tls-{}".format(nsr_id),
+ secret_name=self.EE_TLS_NAME,
dns_prefix="*",
nsr_id=nsr_id,
usage="server auth",
+ namespace=nsr_id,
)
nsi_id = None # TODO put nsi_id when this nsr belongs to a NSI
@@ -4646,9 +4650,12 @@
# Delete Namespace and Certificates if necessary
if check_helm_ee_in_ns(list(db_vnfds_from_member_index.values())):
await self.vca_map["helm-v3"].delete_tls_certificate(
- certificate_name=db_nslcmop["nsInstanceId"],
+ namespace=db_nslcmop["nsInstanceId"],
+ certificate_name=self.EE_TLS_NAME,
)
- # TODO: Delete namespace
+ await self.vca_map["helm-v3"].delete_namespace(
+ namespace=db_nslcmop["nsInstanceId"],
+ )
# Delete from k8scluster
stage[1] = "Deleting KDUs."
diff --git a/osm_lcm/tests/test_lcm_helm_conn.py b/osm_lcm/tests/test_lcm_helm_conn.py
index 8f8b0b8..b4af5a3 100644
--- a/osm_lcm/tests/test_lcm_helm_conn.py
+++ b/osm_lcm/tests/test_lcm_helm_conn.py
@@ -87,14 +87,14 @@
)
self.assertEqual(
ee_id,
- "{}:{}.{}".format("helm-v3", "osm", helm_chart_id),
- "Check ee_id format: <helm-version>:<default namespace>.<helm_chart-id>",
+ "{}:{}.{}".format("helm-v3", namespace, helm_chart_id),
+ "Check ee_id format: <helm-version>:<NS ID>.<helm_chart-id>",
)
self.helm_conn._k8sclusterhelm3.install.assert_called_once_with(
"myk8s_id",
kdu_model="/helm_sample_charm",
kdu_instance=helm_chart_id,
- namespace="osm",
+ namespace=namespace,
db_dict=db_dict,
params=None,
timeout=None,