AETHER-2611,AETHER-2329 Subscriber proxy auth support
Change-Id: I6b71fb6de100d39c797a79e4f6630706eb7c1dfb
diff --git a/aether-roc-umbrella/Chart.yaml b/aether-roc-umbrella/Chart.yaml
index 68b5241..9afa2a4 100644
--- a/aether-roc-umbrella/Chart.yaml
+++ b/aether-roc-umbrella/Chart.yaml
@@ -7,7 +7,7 @@
description: Aether ROC Umbrella chart to deploy all Aether ROC
kubeVersion: ">=1.18.0"
type: application
-version: 1.4.53
+version: 1.4.54
appVersion: v0.0.0
keywords:
- aether
@@ -73,7 +73,7 @@
- name: subscriber-proxy
condition: import.subscriber-proxy.enabled
repository: "file://../subscriber-proxy"
- version: 0.0.4
+ version: 0.0.5
- name: nginx
alias: sdcore-test-dummy
condition: import.sdcore-test-dummy.enabled
diff --git a/aether-roc-umbrella/templates/sdcore-test-dummy-config.yaml b/aether-roc-umbrella/templates/sdcore-test-dummy-config.yaml
index 5adedae..07e5ef3 100644
--- a/aether-roc-umbrella/templates/sdcore-test-dummy-config.yaml
+++ b/aether-roc-umbrella/templates/sdcore-test-dummy-config.yaml
@@ -35,6 +35,10 @@
rewrite ^/v1/config/5g/.* /v1/config/5g break;
proxy_pass http://127.0.0.1:8080/post_dummy;
}
+ location /api/subscriber {
+ rewrite ^/api/subscriber/.* /api/subscriber break;
+ proxy_pass http://127.0.0.1:8080/post_dummy;
+ }
location = /post_dummy {
# turn off logging here to avoid double logging
access_log off;
diff --git a/subscriber-proxy/Chart.yaml b/subscriber-proxy/Chart.yaml
index 809ca19..a7b857a 100644
--- a/subscriber-proxy/Chart.yaml
+++ b/subscriber-proxy/Chart.yaml
@@ -6,8 +6,8 @@
name: subscriber-proxy
kubeVersion: ">=1.17.0"
type: application
-version: 0.0.4
-appVersion: v0.2.2
+version: 0.0.5
+appVersion: v0.2.17
description: Subscriber-Proxy
keywords:
- aether
diff --git a/subscriber-proxy/templates/_helpers.tpl b/subscriber-proxy/templates/_helpers.tpl
index ba0078e..6f324dd 100644
--- a/subscriber-proxy/templates/_helpers.tpl
+++ b/subscriber-proxy/templates/_helpers.tpl
@@ -54,3 +54,16 @@
app.kubernetes.io/name: {{ include "subscriber-proxy.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "aether-roc-gui.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "subscriber-proxy.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+
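Review bot: The new helper is named `aether-roc-gui.serviceAccountName` (apparently copied from the aether-roc-gui chart) and nothing in this commit calls it; deployment.yaml, serviceaccount.yaml and rolebinding.yaml all hard-code `serviceAccountName: subscriber-proxy` instead, so two releases in one namespace would collide on the ServiceAccount and RoleBinding subject. It also reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, which the values.yaml hunk does not add, so calling it as written would most likely fail rendering on a nil `serviceAccount` map. Rename it to `subscriber-proxy.serviceAccountName`, add a `serviceAccount:` stanza to values.yaml, and use `name: {{ include "subscriber-proxy.serviceAccountName" . }}` in the three templates. The two trailing blank lines at the end of the file can go.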
diff --git a/subscriber-proxy/templates/deployment.yaml b/subscriber-proxy/templates/deployment.yaml
index 2cbccc7..b18e635 100644
--- a/subscriber-proxy/templates/deployment.yaml
+++ b/subscriber-proxy/templates/deployment.yaml
@@ -20,6 +20,7 @@
name: {{ template "subscriber-proxy.fullname" . }}
{{- include "subscriber-proxy.selectorLabels" . | nindent 8 }}
spec:
+ serviceAccountName: subscriber-proxy
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 6 }}
@@ -43,26 +44,28 @@
valueFrom:
fieldRef:
fieldPath: spec.nodeName
+ - name: OIDC_SERVER_URL
+ value: {{ .Values.config.openidc.issuer }}
args:
- "/usr/local/bin/subscriber-proxy"
- - "-bind_port=:{{ .Values.ports.port }}"
+ - "-bind_port=:{{ .Values.config.port }}"
- "-client_key=/etc/subscriber-proxy/certs/tls.key"
- "-client_crt=/etc/subscriber-proxy/certs/tls.crt"
- "-ca_crt=/etc/subscriber-proxy/certs/tls.cacert"
- "-alsologtostderr"
- "-hostCheckDisabled"
- - "-webconsole_url=http://{{ .Values.ports.webui_endpt.addr}}:{{ .Values.ports.webui_endpt.port}}"
- - "-onos_config_url={{ .Values.ports.aether_config_endpt.addr}}:{{ .Values.ports.aether_config_endpt.port}}"
+ - "-webconsole_url=http://{{ .Values.config.webui_endpt.addr}}:{{ .Values.config.webui_endpt.port}}"
+ - "-onos_config_url={{ .Values.config.aether_config_endpt.addr}}:{{ .Values.config.aether_config_endpt.port}}"
ports:
- - containerPort: {{.Values.ports.port}}
+ - containerPort: {{.Values.config.port}}
readinessProbe:
tcpSocket:
- port: {{ .Values.ports.port }}
+ port: {{ .Values.config.port }}
initialDelaySeconds: 5
periodSeconds: 10
livenessProbe:
tcpSocket:
- port: {{ .Values.ports.port }}
+ port: {{ .Values.config.port }}
initialDelaySeconds: 15
periodSeconds: 20
volumeMounts:
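Review bot: `value: {{ .Values.config.openidc.issuer }}` is an unquoted templated scalar, and the values.yaml hunk ships `issuer:` with no value, so a default install renders `value:` (null); most likely the proxy then starts with an empty OIDC_SERVER_URL rather than failing at install time, which silently weakens the auth path this commit introduces. Quote the value and make it mandatory: `value: {{ required "config.openidc.issuer must be set" .Values.config.openidc.issuer | quote }}`. Quoting also protects against an issuer URL containing characters YAML treats specially. The container spec continues outside the hunk.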
diff --git a/subscriber-proxy/templates/role.yaml b/subscriber-proxy/templates/role.yaml
new file mode 100644
index 0000000..19aa2b4
--- /dev/null
+++ b/subscriber-proxy/templates/role.yaml
@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: {{ .Release.Namespace }}
+ name: {{ template "subscriber-proxy.fullname" . }}-secret-reader-role
+rules:
+ - apiGroups: [""] # "" indicates the core API group
+ resources: ["secrets"]
+ verbs: ["get", "watch", "list"]
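Review bot: This ClusterRole grants get/list/watch on every Secret in the cluster, and the rolebinding hunk binds it cluster-wide with a ClusterRoleBinding, so the subscriber-proxy ServiceAccount can read secrets belonging to every other namespace and workload, far beyond the single keycloak secret this chart creates. Use a namespaced `kind: Role` with a `kind: RoleBinding` whose `roleRef` is `kind: Role`, which confines the grant to `.Release.Namespace`. If the proxy only `get`s its own secret, drop `list`/`watch` and add `resourceNames: ["{{ template "subscriber-proxy.fullname" . }}-keycloak-secret"]`; that is worth confirming against the adapter code, since `resourceNames` does not restrict plain list/watch. The `namespace:` field in metadata is ignored for cluster-scoped kinds and can be removed in both files.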
diff --git a/subscriber-proxy/templates/rolebinding.yaml b/subscriber-proxy/templates/rolebinding.yaml
new file mode 100644
index 0000000..f325597
--- /dev/null
+++ b/subscriber-proxy/templates/rolebinding.yaml
@@ -0,0 +1,17 @@
+# SPDX-FileCopyrightText: 2020-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "subscriber-proxy.fullname" . }}-secret-reader
+ namespace: {{ .Release.Namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: subscriber-proxy
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ template "subscriber-proxy.fullname" . }}-secret-reader-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/subscriber-proxy/templates/secret.yaml b/subscriber-proxy/templates/secret.yaml
index 445c6bf..73cc3fe 100644
--- a/subscriber-proxy/templates/secret.yaml
+++ b/subscriber-proxy/templates/secret.yaml
@@ -16,3 +16,16 @@
{{ base $path }}: '{{ $root.Files.Get $path | b64enc }}'
{{ end }}
type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "subscriber-proxy.fullname" . }}-keycloak-secret
+ labels:
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+data:
+ username: "{{ .Values.config.openidc.credentials.username }}"
+ password: "{{ .Values.config.openidc.credentials.password }}"
+type: Opaque
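Review bot: The credentials are copied verbatim into `data:`, so an operator overriding `config.openidc.credentials.*` has to supply pre-base64-encoded strings; a plain-text override is rejected by the API server as invalid base64, and there is nothing in the chart that says so. Either switch to `stringData:` with `username: {{ .Values.config.openidc.credentials.username | quote }}`, or keep `data:` and encode in the template, `{{ .Values.config.openidc.credentials.username | b64enc | quote }}`, so values.yaml can hold readable values. Consider also a `required` guard so an empty credential fails at render time rather than producing an unusable secret.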
diff --git a/subscriber-proxy/templates/service.yaml b/subscriber-proxy/templates/service.yaml
index 91e173c..409d289 100644
--- a/subscriber-proxy/templates/service.yaml
+++ b/subscriber-proxy/templates/service.yaml
@@ -19,6 +19,6 @@
name: {{ template "subscriber-proxy.fullname" . }}
ports:
- name: sub-proxy
- port: {{.Values.ports.port}}
+ port: {{.Values.config.port}}
protocol: TCP
diff --git a/subscriber-proxy/templates/serviceaccount.yaml b/subscriber-proxy/templates/serviceaccount.yaml
new file mode 100644
index 0000000..726cfd7
--- /dev/null
+++ b/subscriber-proxy/templates/serviceaccount.yaml
@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: subscriber-proxy
+ namespace: {{ .Release.Namespace }}
diff --git a/subscriber-proxy/values.yaml b/subscriber-proxy/values.yaml
index 5617a82..680e305 100644
--- a/subscriber-proxy/values.yaml
+++ b/subscriber-proxy/values.yaml
@@ -10,7 +10,7 @@
image:
repository: onosproject/sdcore-adapter
- tag: v0.2.2
+ tag: v0.2.17
pullPolicy: IfNotPresent
pullSecrets: []
@@ -26,18 +26,20 @@
version: v3
secure: true
-initialConfig: ""
-output: ""
-spgwEndpoint: ""
-ports:
- port: 5001
+config:
+ port: 5000
webui_endpt:
- addr: webui.omec.svc.cluster.local
- port: 5000
+ addr: aether-roc-umbrella-sdcore-test-dummy
+ port: 80
aether_config_endpt:
addr: onos-config
port: 5150
+ openidc:
+ issuer:
+ credentials:
+ username: "YWxpY2VhQG9wZW5uZXR3b3JraW5nLm9yZw=="
+ password: "cGFzc3dvcmQ="
prometheusEnabled: true
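Review bot: `openidc.credentials.username` and `password` ship with working default credentials in a file committed to version control; base64 is an encoding, not protection, so any install that does not override them uses a known placeholder account against the OIDC provider. Default both to `""` and fail at render time if they are unset, or support an existing-secret reference so the values never pass through the chart. `issuer:` with no value parses as null, which the deployment hunk then renders into the OIDC_SERVER_URL env var; write `issuer: ""` and document that it must be set. The removed `initialConfig`, `output` and `spgwEndpoint` keys are presumably no longer referenced by any template, but that cannot be confirmed from this diff.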