From eb585dd5e2711d50fe2fc5ec34a2a67af9fd9f60 Mon Sep 17 00:00:00 2001 From: Gabriel Cuba Date: Tue, 25 Apr 2023 16:48:41 -0500 Subject: [PATCH] Feature 10957: Set up dedicated namespace for helm based EE and add client side TLS for gRPC Change-Id: Ic4d931b44372265b7366178cdd912b13a73db334 Signed-off-by: Gabriel Cuba --- osm_lcm/data_utils/lcm_config.py | 2 + osm_lcm/lcm_helm_conn.py | 58 +++++++++++++++++++++++------ osm_lcm/ns.py | 17 ++++++--- osm_lcm/tests/test_lcm_helm_conn.py | 6 +-- 4 files changed, 64 insertions(+), 19 deletions(-) diff --git a/osm_lcm/data_utils/lcm_config.py b/osm_lcm/data_utils/lcm_config.py index 08a8728..711d76a 100644 --- a/osm_lcm/data_utils/lcm_config.py +++ b/osm_lcm/data_utils/lcm_config.py @@ -125,6 +125,8 @@ class VcaConfig(OsmConfigman): loglevel: str = "DEBUG" logfile: str = None ca_store: str = "/etc/ssl/certs/osm-ca.crt" + client_cert_path: str = "/etc/ssl/lcm-client/tls.crt" + client_key_path: str = "/etc/ssl/lcm-client/tls.key" kubectl_osm_namespace: str = "osm" kubectl_osm_cluster_name: str = "_system-osm-k8s" helm_ee_service_port: int = 50050 diff --git a/osm_lcm/lcm_helm_conn.py b/osm_lcm/lcm_helm_conn.py index 72bd7f5..30eba46 100644 --- a/osm_lcm/lcm_helm_conn.py +++ b/osm_lcm/lcm_helm_conn.py @@ -79,14 +79,13 @@ def retryer(max_wait_time_var="_initial_retry_time", delay_time_var="_retry_dela def create_secure_context( - trusted: str, + trusted: str, client_cert_path: str, client_key_path: str ) -> ssl.SSLContext: ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) ctx.verify_mode = ssl.CERT_REQUIRED ctx.check_hostname = True ctx.minimum_version = ssl.TLSVersion.TLSv1_2 - # TODO: client TLS - # ctx.load_cert_chain(str(client_cert), str(client_key)) + ctx.load_cert_chain(client_cert_path, client_key_path) ctx.load_verify_locations(trusted) ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20") ctx.set_alpn_protocols(["h2"]) @@ -186,6 +185,9 @@ class LCMHelmConn(N2VCConnector, LcmBase): and credentials object set to None as all credentials should be osm kubernetes .kubeconfig """ + if not namespace: + namespace = self.vca_config.kubectl_osm_namespace + self.log.info( "create_execution_environment: namespace: {}, artifact_path: {}, " "chart_model: {}, db_dict: {}, reuse_ee_id: {}".format( @@ -249,7 +251,7 @@ class LCMHelmConn(N2VCConnector, LcmBase): system_cluster_uuid, kdu_model=kdu_model, kdu_instance=helm_id, - namespace=self.vca_config.kubectl_osm_namespace, + namespace=namespace, params=config, db_dict=db_dict, timeout=progress_timeout, @@ -263,15 +265,13 @@ class LCMHelmConn(N2VCConnector, LcmBase): system_cluster_uuid, kdu_model=kdu_model, kdu_instance=helm_id, - namespace=self.vca_config.kubectl_osm_namespace, + namespace=namespace, params=config, db_dict=db_dict, timeout=progress_timeout, ) - ee_id = "{}:{}.{}".format( - vca_type, self.vca_config.kubectl_osm_namespace, helm_id - ) + ee_id = "{}:{}.{}".format(vca_type, namespace, helm_id) return ee_id, None except N2VCException: raise @@ -423,6 +423,34 @@ class LCMHelmConn(N2VCConnector, LcmBase): certificate_name=certificate_name, ) + async def setup_ns_namespace( + self, + name: str, + ): + # Obtain system cluster id from database + system_cluster_uuid = await self._get_system_cluster_id() + await self._k8sclusterhelm3.create_namespace( + namespace=name, + cluster_uuid=system_cluster_uuid, + ) + await self._k8sclusterhelm3.setup_default_rbac( + name="ee-role", + namespace=name, + api_groups=[""], + resources=["secrets"], + verbs=["get"], + service_account="default", + cluster_uuid=system_cluster_uuid, + ) + await self._k8sclusterhelm3.copy_secret_data( + src_secret="osm-ca", + dst_secret="osm-ca", + src_namespace=self.vca_config.kubectl_osm_namespace, + dst_namespace=name, + cluster_uuid=system_cluster_uuid, + data_key="ca.crt", + ) + async def register_execution_environment( self, namespace: str, @@ -693,8 +721,12 @@ class LCMHelmConn(N2VCConnector, LcmBase): async def delete_namespace( self, namespace: str, db_dict: dict = None, total_timeout: float = None ): - # method not implemented for this connector, execution environments must be deleted individually - pass + # Obtain system cluster id from database + system_cluster_uuid = await self._get_system_cluster_id() + await self._k8sclusterhelm3.delete_namespace( + namespace=namespace, + cluster_uuid=system_cluster_uuid, + ) async def install_k8s_proxy_charm( self, @@ -767,7 +799,11 @@ class LCMHelmConn(N2VCConnector, LcmBase): else: return "ERROR", "No result received" - ssl_context = create_secure_context(self.vca_config.ca_store) + ssl_context = create_secure_context( + self.vca_config.ca_store, + self.vca_config.client_cert_path, + self.vca_config.client_key_path, + ) channel = Channel( ip_addr, self.vca_config.helm_ee_service_port, ssl=ssl_context ) diff --git a/osm_lcm/ns.py b/osm_lcm/ns.py index 9ceb609..83705d4 100644 --- a/osm_lcm/ns.py +++ b/osm_lcm/ns.py @@ -133,6 +133,7 @@ class NsLcm(LcmBase): SUBOPERATION_STATUS_NOT_FOUND = -1 SUBOPERATION_STATUS_NEW = -2 SUBOPERATION_STATUS_SKIP = -3 + EE_TLS_NAME = "ee-tls" task_name_deploy_vca = "Deploying VCA" def __init__(self, msg, lcm_tasks, config: LcmCfg): @@ -1830,7 +1831,7 @@ class NsLcm(LcmBase): ee_id, credentials = await self.vca_map[ vca_type ].create_execution_environment( - namespace=namespace, + namespace=nsr_id, reuse_ee_id=ee_id, db_dict=db_dict, config=osm_config, @@ -2750,13 +2751,16 @@ class NsLcm(LcmBase): # create namespace and certificate if any helm based EE is present in the NS if check_helm_ee_in_ns(db_vnfds): - # TODO: create EE namespace + await self.vca_map["helm-v3"].setup_ns_namespace( + name=nsr_id, + ) # create TLS certificates await self.vca_map["helm-v3"].create_tls_certificate( - secret_name="ee-tls-{}".format(nsr_id), + secret_name=self.EE_TLS_NAME, dns_prefix="*", nsr_id=nsr_id, usage="server auth", + namespace=nsr_id, ) nsi_id = None # TODO put nsi_id when this nsr belongs to a NSI @@ -4646,9 +4650,12 @@ class NsLcm(LcmBase): # Delete Namespace and Certificates if necessary if check_helm_ee_in_ns(list(db_vnfds_from_member_index.values())): await self.vca_map["helm-v3"].delete_tls_certificate( - certificate_name=db_nslcmop["nsInstanceId"], + namespace=db_nslcmop["nsInstanceId"], + certificate_name=self.EE_TLS_NAME, + ) + await self.vca_map["helm-v3"].delete_namespace( + namespace=db_nslcmop["nsInstanceId"], ) - # TODO: Delete namespace # Delete from k8scluster stage[1] = "Deleting KDUs." diff --git a/osm_lcm/tests/test_lcm_helm_conn.py b/osm_lcm/tests/test_lcm_helm_conn.py index 8f8b0b8..b4af5a3 100644 --- a/osm_lcm/tests/test_lcm_helm_conn.py +++ b/osm_lcm/tests/test_lcm_helm_conn.py @@ -87,14 +87,14 @@ class TestLcmHelmConn(asynctest.TestCase): ) self.assertEqual( ee_id, - "{}:{}.{}".format("helm-v3", "osm", helm_chart_id), - "Check ee_id format: :.", + "{}:{}.{}".format("helm-v3", namespace, helm_chart_id), + "Check ee_id format: :.", ) self.helm_conn._k8sclusterhelm3.install.assert_called_once_with( "myk8s_id", kdu_model="/helm_sample_charm", kdu_instance=helm_chart_id, - namespace="osm", + namespace=namespace, db_dict=db_dict, params=None, timeout=None, -- 2.25.1