README.md for Python HelloWorld

Dockerfile

@@ -1,4 +1,4 @@
-FROM <PYTHON_IMAGE_NAME>
+FROM python:3.13-slim
 
 ARG USER_ID=60577
 ARG USER_NAME="eric-sdk"

charts/eric-oss-hello-world-python-app/Chart.yaml

@@ -3,4 +3,4 @@ appVersion: "2.0.0"
 description: IDUN SDK Hello World App
 name: eric-oss-hello-world-python-app
 type: application
-version: VERSION
+version: 1.0.1-1

charts/eric-oss-hello-world-python-app/eric-product-info.yaml

@@ -5,6 +5,6 @@ images:
     productName: "Python hello world sample app image"
     productNumber: ""
     registry: "armdocker.rnd.ericsson.se"
-    repoPath: "REPO_PATH"
+    repoPath: "proj-eric-oss-drop"
     name: "eric-oss-hello-world-python-app"
-    tag: "VERSION"
+    tag: "1.0.1-1"

charts/eric-oss-hello-world-python-app/templates/_helpers.tpl

@@ -341,4 +341,21 @@ Define the annotations for security policy
 */}}
 {{- define "eric-oss-hello-world-python-app.securityPolicy.annotations" -}}
 # Automatically generated annotations for documentation purposes.
-{{- end -}}
+{{- end -}}
+
+{{/*
+Define the function to get the secret name
+ */}}
+{{- define "eric-oss-hello-world-python-app.clientSecret" -}}
+{{- $clientSecret := "" -}}
+{{- if .Values.global }}
+  {{- if .Values.global.clientCredentials }}
+    {{- if .Values.global.clientCredentials.secret }}
+      {{- if .Values.global.clientCredentials.secret.name }}
+        {{- $clientSecret = .Values.global.clientCredentials.secret.name }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- print $clientSecret }}
+{{- end }}

charts/eric-oss-hello-world-python-app/templates/deployment/deployment.yaml

@@ -63,6 +63,10 @@ spec:
           secret:
             secretName: {{ index .Values "appSecretName" | quote }}
             defaultMode: 420
+        - name: client-creds
+          secret:
+            secretName: {{ include "eric-oss-hello-world-python-app.clientSecret" . | quote }}
+            defaultMode: 420
       containers:
         - name: eric-oss-hello-world-python-app
           image: {{ template "eric-oss-hello-world-python-app.imagePath" (dict "imageId" "eric-oss-hello-world-python-app" "values" .Values "files" .Files) }}
@@ -89,6 +93,9 @@ spec:
             - name: app-certs
               mountPath: {{ index .Values "appCertMountPath" | default .Values.instantiationDefaults.appCertMountPath | quote }}
               readOnly: true
+            - name: client-creds
+              mountPath: {{ index .Values "clientCredsMountPath" | default .Values.instantiationDefaults.clientCredsMountPath | quote }}
+              readOnly: true
           env:
             - name: IAM_CLIENT_ID
               value: {{ index .Values "clientId" | quote }}
@@ -108,6 +115,12 @@ spec:
               value: {{ index .Values "appCertFileName" | quote }}
             - name: APP_CERT_FILE_PATH
               value: {{ index .Values "appCertMountPath" | default .Values.instantiationDefaults.appCertMountPath | quote }}
+            - name: CLIENT_CREDS_FILE_PATH
+              value: {{ index .Values "clientCredsMountPath" | default .Values.instantiationDefaults.clientCredsMountPath | quote }}
+            - name: CLIENT_ID_FILE_NAME
+              value: {{ .Values.global.clientCredentials.secret.clientIdKey | quote }}
+            - name: AUTHENTICATION_TYPE
+              value: {{ index .Values "authenticationType" | default .Values.instantiationDefaults.authenticationType | quote }}
             - name: SERVICE_NAME
               value: {{ .Chart.Name }}
             - name: CONTAINER_NAME

charts/eric-oss-hello-world-python-app/values.yaml

@@ -5,13 +5,13 @@ global:
   timezone: UTC
   registry:
     url: armdocker.rnd.ericsson.se
-    imagePullPolicy: IfNotPresent
+    imagePullPolicy: Always
   pullSecret:
   internalIPFamily:
 
 imageCredentials:
   repoPath:
-  pullPolicy: IfNotPresent
+  pullPolicy: Always
   registry:
     url:
   pullSecret:
@@ -126,3 +126,10 @@ podPriority:
 instantiationDefaults:
   platformCaCertMountPath: "/etc/tls-ca/platform/"
   appCertMountPath: "/etc/tls/log/"
+  clientCredsMountPath: "/etc/client-creds/"
+
+global:
+  clientCredentials:
+    secret:
+      clientIdKey: "clientId"
+      name: "<instance id>-cc"

csar/Definitions/AppDescriptor.yaml

@@ -1,10 +1,14 @@
 #tosca_definitions_version: Metadata/Tosca.meta
 Description of an APP:
     APPName: eric-oss-hello-world-python-app
-    APPVersion: VERSION
+    APPVersion: 1.0.1-1
     APPType: rApp
-APPComponent:
-    NameofComponent: eric-oss-hello-world-python-app
-    Version: VERSION
-    Path: OtherDefinitions/ASD/eric-oss-hello-world-python-appASD.yaml
-    ArtefactType: Microservice
+AppComponentList:
+    - NameofComponent: eric-oss-hello-world-python-app
+      Version: 1.0.1-1
+      Path: OtherDefinitions/ASD/eric-oss-hello-world-python-appASD.yaml
+      ArtefactType: ASD
+    - NameofComponent: security-mgmt
+      Version: 1.0.0
+      Path: OtherDefinitions/SecurityManagement
+      ArtefactType: SecurityManagement

csar/OtherDefinitions/ASD/eric-oss-hello-world-python-appASD.yaml

@@ -2,9 +2,9 @@ asdId: 1
 asdSchemaVersion: 1.0.0
 asdProvider: Ericsson
 asdApplicationName: eric-oss-hello-world-python-app
-asdApplicationVersion: VERSION
+asdApplicationVersion: 1.0.1-1
 asdApplicationInfoName: Hello World Python Application
 asdInfoDescription: Hello World Python application for App Onboarding
 deploymentItems:
     deploymentItemId: 1
-    artifactId: OtherDefinitions/ASD/eric-oss-hello-world-python-app-VERSION.tgz
+    artifactId: OtherDefinitions/ASD/eric-oss-hello-world-python-app-1.0.1-1.tgz

csar/OtherDefinitions/SecurityManagement/security-metadata.json

@@ -0,0 +1,3 @@
+{
+	"authenticatorType": "client-x509"
+}

eric-oss-hello-world-python-app/config.py

@@ -15,6 +15,9 @@ def get_config():
     app_key                 = get_os_env_string("APP_KEY", "")
     app_cert                = get_os_env_string("APP_CERT", "")
     app_cert_file_path      = get_os_env_string("APP_CERT_FILE_PATH", "")
+    authentication_type     = get_os_env_string("AUTHENTICATION_TYPE", "")
+    client_creds_file_path  = get_os_env_string("CLIENT_CREDS_FILE_PATH", "")
+    client_id_file_name     = get_os_env_string("CLIENT_ID_FILE_NAME", "")
 
     config = {
             "iam_client_id": iam_client_id,
@@ -26,7 +29,10 @@ def get_config():
             "log_endpoint": log_endpoint,
             "app_key": app_key,
             "app_cert": app_cert,
-            "app_cert_file_path": app_cert_file_path
+            "app_cert_file_path": app_cert_file_path,
+            "authentication_type": authentication_type,
+            "client_creds_file_path": client_creds_file_path,
+            "client_id_file_name": client_id_file_name
     }
     return config
 

eric-oss-hello-world-python-app/login.py

@@ -7,6 +7,8 @@
 from urllib.parse import urljoin
 import json
 import requests
+import logging
+import re
 from config import get_config
 
 class LoginError(Exception):
@@ -23,32 +25,84 @@ def login():
     headers = {
         "Content-Type": "application/x-www-form-urlencoded"
     }
-    form_data = {
-        "grant_type": "client_credentials",
-        "client_id": config.get("iam_client_id"),
-        "client_secret": config.get("iam_client_secret"),
-        "tenant_id": "master"
-    }
     try:
-        resp = tls_login(login_url, form_data, headers)
-    except LoginError:
+        resp = tls_login(login_url, headers)
+    except LoginError as e:
+        error_message = str(e)
+        match = re.search(r'\((\d{3})\)', error_message)
+        if match:
+            status_code = int(match.group(1))
+            print(f"Login failed with status code: {status_code}")
+        else:
+            print(f"Login failed: {error_message}")
         return None, 0
 
     resp = json.loads(resp.decode('utf-8'))
     token, time_until_expiry = resp["access_token"], resp["expires_in"]
     time_until_expiry -= 10 # add a buffer to ensure our session doesn't expire mid-request
     return token, time_until_expiry
 
-def tls_login(url, form_data, headers):
+def tls_login(url, headers):
     '''
     This function sends an HTTP POST request with TLS for the login operation
     '''
     config = get_config()
-    cert = os.path.join("/", config.get("ca_cert_file_path"), config.get("ca_cert_file_name"))
+    ca_cert = os.path.join("/", config.get("ca_cert_file_path"), config.get("ca_cert_file_name"))
+    app_cert = os.path.join("/", config.get("app_cert_file_path"), config.get("app_cert"))
+    app_key = os.path.join("/", config.get("app_cert_file_path"), config.get("app_key"))
+    authentication_type = config.get("authentication_type").lower()
     try:
-        response = requests.post(url, data=form_data, headers = headers, timeout=5, verify=cert)
+
+        print("Headers:", headers)
+        if authentication_type == "client-x509":
+            print("client_creds_file_path:", config.get("client_creds_file_path"))
+            print("client_id_file_name:", config.get("client_id_file_name"))
+            client_id_file_path = os.path.join("/", config.get("client_creds_file_path"), config.get("client_id_file_name"))
+            print("Hello 1:", client_id_file_path)
+            client_id = read_file(client_id_file_path)
+            print("Hello 2:", client_id)
+            form_data = {
+                "grant_type": "client_credentials",
+                "client_id": client_id,
+                "tenant_id": "master"
+            }
+            print("Form data1:", form_data)
+            print(f"Login1")
+            response = requests.post(
+                url,
+                data=form_data,
+                headers=headers,
+                timeout=5,
+                verify=ca_cert,
+                cert=(app_cert, app_key)
+            )
+        elif authentication_type == "client-secret":
+            form_data = {
+                "grant_type": "client_credentials",
+                "client_id": config.get("iam_client_id"),
+                "client_secret": config.get("iam_client_secret"),
+                "tenant_id": "master"
+            }
+            print("Form data2:", form_data)
+            print(f"Login2")
+            response = requests.post(
+                url,
+                data=form_data,
+                headers=headers,
+                timeout=5,
+                verify=ca_cert
+            )
         if response.status_code != 200:
+            print(f"Log POST to https://{url} responded with {response.status_code}: {response.text}")
+            print(f"Login3")
+            print("Response status code:", response.status_code)
+            print("Response content:", response.text)
             raise LoginError(f"Login failed ({response.status_code})")
     except Exception as exception:
+        print(f"Login4")
         raise LoginError(f"Login failed ({exception})") from exception
     return response.content
+
+def read_file(path):
+    with open(path, "r") as f:
+        return f.read().strip()

eric-oss-hello-world-python-app/mtls_logging.py

@@ -97,8 +97,18 @@ def log(self, message, severity):
                 ca_cert = os.path.join("/", self.config.get("ca_cert_file_path"), self.config.get("ca_cert_file_name"))
                 app_cert = os.path.join("/", self.config.get("app_cert_file_path"), self.config.get("app_cert"))
                 app_key = os.path.join("/", self.config.get("app_cert_file_path"), self.config.get("app_key"))
-                requests.post(f"https://{log_url}", json=json_data, timeout=5,
-                                    headers = headers, verify=ca_cert, cert=(app_cert, app_key))
+                response = requests.post(
+                    f"https://{log_url}",
+                        json=json_data,
+                        timeout=5,
+                        headers=headers,
+                        verify=ca_cert,
+                        cert=(app_cert, app_key)
+                        )
+
+                    # Add this log after the request
+                print(f"Log POST to https://{log_url} responded with {response.status_code}: {response.text}")
+
             except (requests.exceptions.InvalidURL, requests.exceptions.MissingSchema) as exception:
                 # logs to console if failed to log to log transformer
-                self.logger.error("Request failed for mTLS logging: %s", exception)
+                self.logger.error("Request failed for mTLS logging: %s", exception)

requirements.txt

@@ -1,3 +1,3 @@
 flask==3.0.1
-requests==2.32.0
+requests==2.32.4
 prometheus-client==0.20.0