[PLATFORM] Generate Cert-Service certs with Cert-Manager

Utilize Cert-Manager to secure communication between
Cert-Service and its clients, adjust templates and
configs.

Issue-ID: OOM-2712
Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
Change-Id: I96426b1a184b4d254575e76d29214d9deda08cce
Signed-off-by: Remigiusz Janeczek <remigiusz.janeczek@nokia.com>

19 files changed, 247 insertions, 334 deletions

diff --git a/docs/oom_quickstart_guide.rst b/docs/oom_quickstart_guide.rst
index 5136e537f6..2fedc091d8 100644
--- a/docs/oom_quickstart_guide.rst
+++ b/docs/oom_quickstart_guide.rst
@@ -67,6 +67,12 @@ to suit your deployment with items like the OpenStack tenant information.
 
 
 
+.. note::
+  If you want to use CMPv2 certificate onboarding, Cert-Manager must be installed.
+  :doc:`Click here <oom_setup_paas>` to see how to install Cert-Manager.
+
+
+
 a. Enabling/Disabling Components:
 Here is an example of the nominal entries that need to be provided.
 We have different values file available for different contexts.
diff --git a/kubernetes/common/certManagerCertificate/requirements.yaml b/kubernetes/common/certManagerCertificate/requirements.yaml
index 210a02c65c..83becb0a33 100644
--- a/kubernetes/common/certManagerCertificate/requirements.yaml
+++ b/kubernetes/common/certManagerCertificate/requirements.yaml
@@ -16,3 +16,6 @@ dependencies:
   - name: common
     version: ~8.x-0
     repository: 'file://../common'
+  - name: cmpv2Config
+    version: ~8.x-0
+    repository: 'file://../cmpv2Config'
diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
index f820c30ca9..108873b31d 100644
--- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
+++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
@@ -18,7 +18,7 @@
 #
 # To request a certificate following steps are to be done:
 #  - create an object 'certificates' in the values.yaml
-#  - create a file templates/certificates.yaml and invoke the function "certManagerCertificate.certificate".
+#  - create a file templates/certificate.yaml and invoke the function "certManagerCertificate.certificate".
 #
 # Here is an example of the certificate request for a component:
 #
@@ -53,6 +53,7 @@
 #        passwordSecretRef:
 #          name: secret-name
 #          key:  secret-key
+#          create: true
 #
 # Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined.
 # Other mandatory fields for the certificate definition do not have to be defined directly,
@@ -74,7 +75,7 @@
 {{/*# General certifiacate attributes  #*/}}
 {{- $name           := include "common.fullname" $dot                                                             -}}
 {{- $certName       := default (printf "%s-cert-%d"   $name $i) $certificate.name                                 -}}
-{{- $secretName     := default (printf "%s-secret-%d" $name $i) $certificate.secretName                           -}}
+{{- $secretName     := default (printf "%s-secret-%d" $name $i) (tpl (default "" $certificate.secretName) $ )  -}}
 {{- $commonName     := (required "'commonName' for Certificate is required." $certificate.commonName)          -}}
 {{- $renewBefore    := default $subchartGlobal.certificate.default.renewBefore     $certificate.renewBefore    -}}
 {{- $duration       := default $subchartGlobal.certificate.default.duration        $certificate.duration       -}}
@@ -94,10 +95,11 @@
 {{- if $certificate.issuer -}}
 {{-   $issuer        = $certificate.issuer                                               -}}
 {{- end -}}
----
-{{- if $certificate.keystore }}
+{{/*# Secret #*/}}
+{{ if $certificate.keystore -}}
   {{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}}
-  {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote }}
+  {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote -}}
+  {{- if $passwordSecretRef.create }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -106,7 +108,8 @@ metadata:
 type: Opaque
 stringData:
   {{ $passwordSecretRef.key }}: {{ $password }}
-{{- end }}
+  {{- end }}
+{{ end -}}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -120,6 +123,15 @@ spec:
   {{- if $duration }}
   duration:    {{ $duration }}
   {{- end }}
+  {{- if $certificate.isCA }}
+  isCA: {{ $certificate.isCA }}
+  {{- end }}
+  {{- if $certificate.usages }}
+  usages:
+    {{- range $usage := $certificate.usages }}
+      - {{ $usage }}
+    {{- end }}
+  {{- end }}
   subject:
     organizations:
       - {{ $subject.organization }}
@@ -156,7 +168,9 @@ spec:
     {{- end }}
   {{- end }}
   issuerRef:
+    {{- if not (eq $issuer.kind "Issuer" ) }}
     group: {{ $issuer.group }}
+    {{- end }}
     kind:  {{ $issuer.kind }}
     name:  {{ $issuer.name }}
   {{- if $certificate.keystore }}
@@ -168,7 +182,7 @@ spec:
     {{ $outputType }}:
       create: true
       passwordSecretRef:
-        name: {{ $certificate.keystore.passwordSecretRef.name }}
+        name: {{ tpl (default "" $certificate.keystore.passwordSecretRef.name) $ }}
         key: {{ $certificate.keystore.passwordSecretRef.key }}
     {{- end }}
   {{- end }}
@@ -234,4 +248,4 @@ spec:
     {{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}}
   {{- end -}}
 {{ $certsLinkCommand }}
-{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/kubernetes/common/cmpv2Certificate/requirements.yaml b/kubernetes/common/cmpv2Certificate/requirements.yaml
index 87509d11bc..b10896d2ce 100644
--- a/kubernetes/common/cmpv2Certificate/requirements.yaml
+++ b/kubernetes/common/cmpv2Certificate/requirements.yaml
@@ -19,3 +19,6 @@ dependencies:
   - name: repositoryGenerator
     version: ~8.x-0
     repository: 'file://../repositoryGenerator'
+  - name: cmpv2Config
+    version: ~8.x-0
+    repository: 'file://../cmpv2Config'
diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
index 58cc9c7249..f80b06b4d3 100644
--- a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
+++ b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
@@ -62,7 +62,7 @@ There also need to be some includes used in a target component deployment (inden
 
 {{- define "common.certServiceClient.initContainer" -}}
 {{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
 {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
 {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
 {{- range $index, $certificate := $dot.Values.certificates -}}
@@ -97,11 +97,14 @@ There also need to be some includes used in a target component deployment (inden
 {{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}}
 {{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}}
 {{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}}
-{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.secret.mountPath -}}
-{{- $keystorePath := $subchartGlobal.platform.certServiceClient.envVariables.keystorePath -}}
-{{- $keystorePassword := $subchartGlobal.platform.certServiceClient.envVariables.keystorePassword -}}
-{{- $truststorePath := $subchartGlobal.platform.certServiceClient.envVariables.truststorePath -}}
-{{- $truststorePassword := $subchartGlobal.platform.certServiceClient.envVariables.truststorePassword -}}
+{{- $certificatesSecret:= $subchartGlobal.platform.certServiceClient.clientSecretName -}}
+{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath -}}
+{{- $keystorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.keystoreKeyRef ) -}}
+{{- $keystorePasswordSecret := $subchartGlobal.platform.certificates.keystorePasswordSecretName -}}
+{{- $keystorePasswordSecretKey := $subchartGlobal.platform.certificates.keystorePasswordSecretKey -}}
+{{- $truststorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.truststoreKeyRef ) -}}
+{{- $truststorePasswordSecret := $subchartGlobal.platform.certificates.truststorePasswordSecretName -}}
+{{- $truststorePasswordSecretKey := $subchartGlobal.platform.certificates.truststorePasswordSecretKey -}}
 - name: certs-init-{{ $index }}
   image: {{ include "repositoryGenerator.image.certserviceclient" $dot }}
   imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
@@ -133,11 +136,17 @@ There also need to be some includes used in a target component deployment (inden
     - name: KEYSTORE_PATH
       value: {{ $keystorePath | quote }}
     - name: KEYSTORE_PASSWORD
-      value: {{ $keystorePassword | quote }}
+      valueFrom:
+        secretKeyRef:
+          name: {{ $keystorePasswordSecret | quote}}
+          key: {{ $keystorePasswordSecretKey | quote}}
     - name: TRUSTSTORE_PATH
       value: {{ $truststorePath | quote }}
     - name: TRUSTSTORE_PASSWORD
-      value: {{ $truststorePassword | quote }}
+      valueFrom:
+        secretKeyRef:
+          name: {{ $truststorePasswordSecret | quote}}
+          key: {{ $truststorePasswordSecretKey | quote}}
   terminationMessagePath: /dev/termination-log
   terminationMessagePolicy: File
   volumeMounts:
@@ -151,10 +160,10 @@ There also need to be some includes used in a target component deployment (inden
 
 {{- define "common.certServiceClient.volumes" -}}
 {{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
 {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
 {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
-{{- $certificatesSecretName := $subchartGlobal.platform.certServiceClient.secret.name -}}
+{{- $certificatesSecretName := $subchartGlobal.platform.certificates.clientSecretName -}}
 - name: certservice-tls-volume
   secret:
     secretName: {{ $certificatesSecretName }}
@@ -168,7 +177,7 @@ There also need to be some includes used in a target component deployment (inden
 
 {{- define "common.certServiceClient.volumeMounts" -}}
 {{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
 {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
 {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
 {{- range $index, $certificate := $dot.Values.certificates -}}
diff --git a/kubernetes/common/cmpv2Certificate/values.yaml b/kubernetes/common/cmpv2Certificate/values.yaml
index b7531431c4..504947525d 100644
--- a/kubernetes/common/cmpv2Certificate/values.yaml
+++ b/kubernetes/common/cmpv2Certificate/values.yaml
@@ -11,38 +11,3 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-#################################################################
-# Global configuration default values that can be inherited by
-# all subcharts.
-#################################################################
-global:
-  # Enabling CMPv2
-  cmpv2Enabled: true
-  CMPv2CertManagerIntegration: false
-
-  certificate:
-    default:
-      subject:
-        organization: "Linux-Foundation"
-        country: "US"
-        locality: "San-Francisco"
-        province: "California"
-        organizationalUnit: "ONAP"
-
-  platform:
-    certServiceClient:
-      secret:
-        name: oom-cert-service-client-tls-secret
-        mountPath: /etc/onap/oom/certservice/certs/
-      envVariables:
-        certPath: "/var/custom-certs"
-        # Client configuration related
-        caName: "RA"
-        requestURL: "https://oom-cert-service:8443/v1/certificate/"
-        requestTimeout: "30000"
-        keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
-        outputType: "P12"
-        keystorePassword: "secret"
-        truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
-        truststorePassword: "secret"
diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml
index b6ee064302..695e40616c 100644
--- a/kubernetes/common/cmpv2Config/values.yaml
+++ b/kubernetes/common/cmpv2Config/values.yaml
@@ -12,22 +12,40 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 global:
+
+  # Enabling CMPv2
+  cmpv2Enabled: true
+  CMPv2CertManagerIntegration: false
+
+  certificate:
+    default:
+      subject:
+        organization: "Linux-Foundation"
+        country: "US"
+        locality: "San-Francisco"
+        province: "California"
+        organizationalUnit: "ONAP"
+
   platform:
+    certificates:
+      clientSecretName: oom-cert-service-client-tls-secret
+      keystoreKeyRef: keystore.jks
+      truststoreKeyRef: truststore.jks
+      keystorePasswordSecretName: oom-cert-service-keystore-password
+      keystorePasswordSecretKey: password
+      truststorePasswordSecretName: oom-cert-service-truststore-password
+      truststorePasswordSecretKey: password
     certServiceClient:
       image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3
-      secretName: oom-cert-service-client-tls-secret
+      certificatesSecretMountPath: /etc/onap/oom/certservice/certs/
       envVariables:
+        certPath: "/var/custom-certs"
         # Certificate related
-        cmpv2Organization: "Linux-Foundation"
-        cmpv2OrganizationalUnit: "ONAP"
-        cmpv2Location: "San-Francisco"
-        cmpv2State: "California"
-        cmpv2Country: "US"
+        caName: "RA"
         # Client configuration related
         requestURL: "https://oom-cert-service:8443/v1/certificate/"
         requestTimeout: "30000"
-        keystorePassword: "secret"
-        truststorePassword: "secret"
+        outputType: "P12"
     certPostProcessor:
       image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
 
diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json b/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json
index 6018abe309..3c769fca5f 100644
--- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json
+++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json
@@ -44,14 +44,18 @@
     "image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certServiceClient.image }}",
     "request_url": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.requestURL }}",
     "timeout": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.requestTimeout }}",
-    "country": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Country }}",
-    "organization": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Organization }}",
-    "state": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2State }}",
-    "organizational_unit": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2OrganizationalUnit }}",
-    "location": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Location }}",
-    "cert_secret_name": "{{ .Values.cmpv2Config.global.platform.certServiceClient.secretName }}",
-    "keystore_password": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.keystorePassword }}",
-    "truststore_password": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.truststorePassword }}"
+    "country": "{{ .Values.cmpv2Config.global.certificate.default.subject.country }}",
+    "organization": "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}",
+    "state": "{{ .Values.cmpv2Config.global.certificate.default.subject.province }}",
+    "organizational_unit": "{{ .Values.cmpv2Config.global.certificate.default.subject.organizationalUnit }}",
+    "location": "{{ .Values.cmpv2Config.global.certificate.default.subject.locality }}",
+    "cert_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName }}",
+    "keystore_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.keystoreKeyRef }}",
+    "truststore_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.truststoreKeyRef }}",
+    "keystore_password_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}",
+    "keystore_password_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretKey }}",
+    "truststore_password_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.truststorePasswordSecretName }}",
+    "truststore_password_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.truststorePasswordSecretKey }}"
   },
   "cert_post_processor": {
     "image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certPostProcessor.image }}"
diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml
index 1135c053d9..fcc8f6d4b0 100644
--- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml
+++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml
@@ -55,7 +55,7 @@ config:
 # Application configuration defaults.
 #################################################################
 # application image
-image: onap/org.onap.dcaegen2.deployments.cm-container:4.4.2
+image: onap/org.onap.dcaegen2.deployments.cm-container:4.5.0
 pullPolicy: Always
 
 # name of shared ConfigMap with kubeconfig for multiple clusters
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index b008acf6f3..ca9ccd48f4 100755
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -196,28 +196,25 @@ global:
   cmpv2Enabled: true
   CMPv2CertManagerIntegration: false
   platform:
+    certificates:
+      clientSecretName: oom-cert-service-client-tls-secret
+      keystoreKeyRef: keystore.jks
+      truststoreKeyRef: truststore.jks
+      keystorePasswordSecretName: oom-cert-service-certificates-password
+      keystorePasswordSecretKey: password
+      truststorePasswordSecretName: oom-cert-service-certificates-password
+      truststorePasswordSecretKey: password
     certServiceClient:
       image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3
-      secret:
-        name: oom-cert-service-client-tls-secret
-        mountPath: /etc/onap/oom/certservice/certs/
+      certificatesSecretMountPath: /etc/onap/oom/certservice/certs/
       envVariables:
         certPath: "/var/custom-certs"
         # Certificate related
-        cmpv2Organization: "Linux-Foundation"
-        cmpv2OrganizationalUnit: "ONAP"
-        cmpv2Location: "San-Francisco"
-        cmpv2State: "California"
-        cmpv2Country: "US"
-        # Client configuration related
         caName: "RA"
+        # Client configuration related
         requestURL: "https://oom-cert-service:8443/v1/certificate/"
         requestTimeout: "30000"
-        keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
         outputType: "P12"
-        keystorePassword: "secret"
-        truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
-        truststorePassword: "secret"
 
   # Indicates offline deployment build
   # Set to true if you are rendering helm charts for offline deployment
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml
index 0614819930..c34ebad982 100644
--- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml
+++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml
@@ -73,10 +73,10 @@ cmpv2issuer:
   certEndpoint: v1/certificate
   caName: RA
   certSecretRef:
-    name: cmpv2-issuer-secret
-    certRef: certServiceServer-cert.pem
-    keyRef: certServiceServer-key.pem
-    cacertRef: truststore.pem
+    name: oom-cert-service-server-tls-secret
+    certRef: tls.crt
+    keyRef: tls.key
+    cacertRef: ca.crt
 
 
 
diff --git a/kubernetes/platform/components/oom-cert-service/Makefile b/kubernetes/platform/components/oom-cert-service/Makefile
deleted file mode 100644
index ea0cb8aae4..0000000000
--- a/kubernetes/platform/components/oom-cert-service/Makefile
+++ /dev/null
@@ -1,183 +0,0 @@
-CERTS_DIR = resources
-CURRENT_DIR := ${CURDIR}
-DOCKER_CONTAINER = generate-certs
-DOCKER_EXEC = docker exec ${DOCKER_CONTAINER}
-
-all: start_docker \
-     clear_all \
-     root_generate_keys \
-     root_create_certificate \
-     root_self_sign_certificate \
-     client_generate_keys \
-     client_generate_csr \
-     client_sign_certificate_by_root \
-     client_import_root_certificate \
-     client_convert_certificate_to_jks \
-     server_generate_keys \
-     server_generate_csr \
-     server_sign_certificate_by_root \
-     server_import_root_certificate \
-     server_convert_certificate_to_jks \
-     server_convert_certificate_to_p12 \
-     convert_truststore_to_p12 \
-     convert_truststore_to_pem \
-     server_export_certificate_to_pem \
-     server_export_key_to_pem \
-     clear_unused_files \
-     stop_docker
-
-.PHONY: all
-
-# Starts docker container for generating certificates - deletes first, if already running
-start_docker:
-	@make stop_docker
-	$(eval REPOSITORY := $(shell cat ./values.yaml | grep -i "^[ \t]*repository" -m1 | xargs | cut -d ' ' -f2))
-	$(eval JAVA_IMAGE := $(shell cat ./values.yaml | grep -i "^[ \t]*certificateGenerationImage" -m1 | xargs | cut -d ' ' -f2))
-	$(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE))
-	$(eval USERNAME :=$(shell id -u))
-	$(eval GROUP :=$(shell id -g))
-	docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/certs -w /certs --entrypoint "sh" -td $(FULL_JAVA_IMAGE)
-
-# Stops docker container for generating  certificates. 'true' is used to return 0 status code, if container is already deleted
-stop_docker:
-	docker rm ${DOCKER_CONTAINER} -f 1>/dev/null || true
-
-#Clear all files related to certificates
-clear_all:
-	@make clear_existing_certificates
-	@make clear_unused_files
-
-#Clear certificates
-clear_existing_certificates:
-	@echo "Clear certificates"
-	${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 truststore.pem certServiceServer-cert.pem certServiceServer-key.pem
-	@echo "#####done#####"
-
-#Generate root private and public keys
-root_generate_keys:
-	@echo "Generate root private and public keys"
-	${DOCKER_EXEC} keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
-    -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \
-    -storepass secret -ext BasicConstraints:critical="ca:true"
-	@echo "#####done#####"
-
-#Export public key as certificate
-root_create_certificate:
-	@echo "(Export public key as certificate)"
-	${DOCKER_EXEC} keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
-	@echo "#####done#####"
-
-#Self-signed root (import root certificate into truststore)
-root_self_sign_certificate:
-	@echo "(Self-signed root (import root certificate into truststore))"
-	${DOCKER_EXEC} keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
-	@echo "#####done#####"
-
-#Generate certService's client private and public keys
-client_generate_keys:
-	@echo "Generate certService's client private and public keys"
-	${DOCKER_EXEC} keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 365 \
-    -keystore certServiceClient-keystore.jks -storetype JKS \
-    -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \
-    -keypass secret -storepass secret
-	@echo "####done####"
-
-#Generate certificate signing request for certService's client
-client_generate_csr:
-	@echo "Generate certificate signing request for certService's client"
-	${DOCKER_EXEC} keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr
-	@echo "####done####"
-
-#Sign certService's client certificate by root CA
-client_sign_certificate_by_root:
-	@echo "Sign certService's client certificate by root CA"
-	${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \
-    -outfile certServiceClientByRoot.crt -rfc -ext bc=0  -ext ExtendedkeyUsage="serverAuth,clientAuth"
-	@echo "####done####"
-
-#Import root certificate into client
-client_import_root_certificate:
-	@echo "Import root certificate into intermediate"
-	${DOCKER_EXEC} sh -c "cat root.crt >> certServiceClientByRoot.crt"
-	@echo "####done####"
-
-#Import signed certificate into certService's client
-client_convert_certificate_to_jks:
-	@echo "Import signed certificate into certService's client"
-	${DOCKER_EXEC} keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
-	@echo "####done####"
-
-#Generate certService private and public keys
-server_generate_keys:
-	@echo "Generate certService private and public keys"
-	${DOCKER_EXEC} keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 365 \
-    -keystore certServiceServer-keystore.jks -storetype JKS \
-    -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \
-    -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
-	@echo "####done####"
-
-#Generate certificate signing request for certService
-server_generate_csr:
-	@echo "Generate certificate signing request for certService"
-	${DOCKER_EXEC} keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr
-	@echo "####done####"
-
-#Sign certService certificate by root CA
-server_sign_certificate_by_root:
-	@echo "Sign certService certificate by root CA"
-	${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \
-    -outfile certServiceServerByRoot.crt -rfc -ext bc=0  -ext ExtendedkeyUsage="serverAuth,clientAuth" \
-    -ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost"
-	@echo "####done####"
-
-#Import root certificate into server
-server_import_root_certificate:
-	@echo "Import root certificate into intermediate(server)"
-	${DOCKER_EXEC} sh -c "cat root.crt >> certServiceServerByRoot.crt"
-	@echo "####done####"
-
-#Import signed certificate into certService
-server_convert_certificate_to_jks:
-	@echo "Import signed certificate into certService"
-	${DOCKER_EXEC} keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \
-    -storepass secret -noprompt
-	@echo "####done####"
-
-#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
-server_convert_certificate_to_p12:
-	@echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
-	${DOCKER_EXEC} keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \
-        -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
-	@echo "#####done#####"
-
-#Convert truststore(.jks) to PCKS12 format(.p12)
-convert_truststore_to_p12:
-	@echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
-	${DOCKER_EXEC} keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \
-        -destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret
-	@echo "#####done#####"
-
-#Convert truststore(.p12) to PEM format(.pem)
-convert_truststore_to_pem:
-	@echo "Convert certServiceServer-keystore(.p12) to PEM format(.pem)"
-	${DOCKER_EXEC} openssl pkcs12 -nodes -in truststore.p12 -out truststore.pem -passin pass:secret
-	@echo "#####done#####"
-
-#Export certificates from certServiceServer-keystore(.p12) to PEM format(.pem)
-server_export_certificate_to_pem:
-	@echo "Export certificates from certServiceClient-keystore(.p12) to PEM format(.pem)"
-	${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nokeys -out certServiceServer-cert.pem
-	@echo "#####done#####"
-
-#Export keys from certServiceServer-keystore(.p12) to PEM format(.pem)
-server_export_key_to_pem:
-	@echo "Export keys from certServiceClient-keystore(.p12) to PEM format(.pem)"
-	${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out certServiceServer-key.pem
-	@echo "#####done#####"
-
-
-#Clear unused certificates
-clear_unused_files:
-	@echo "Clear unused certificates"
-	${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt  certServiceServer.csr truststore.p12
-	@echo "#####done#####"
diff --git a/kubernetes/platform/components/oom-cert-service/requirements.yaml b/kubernetes/platform/components/oom-cert-service/requirements.yaml
index e89dc58027..6177278552 100644
--- a/kubernetes/platform/components/oom-cert-service/requirements.yaml
+++ b/kubernetes/platform/components/oom-cert-service/requirements.yaml
@@ -19,3 +19,9 @@ dependencies:
   - name: repositoryGenerator
     version: ~8.x-0
     repository: '@local'
+  - name: certManagerCertificate
+    version: ~8.x-0
+    repository: '@local'
+  - name: cmpv2Config
+    version: ~8.x-0
+    repository: '@local'
\ No newline at end of file
diff --git a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
new file mode 100644
index 0000000000..fd317703e3
--- /dev/null
+++ b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2020-2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "certManagerCertificate.certificate" . }}
diff --git a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml
index c4d7440b20..9a6abd4eb9 100644
--- a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml
+++ b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml
@@ -93,9 +93,9 @@ spec:
             - name: ROOT_CERT
               value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.crtName }}"
             - name: KEYSTORE_PASSWORD
-              {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 14 }}
+              {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }}
             - name: TRUSTSTORE_PASSWORD
-              {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 14 }}
+              {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }}
           livenessProbe:
             exec:
               command:
diff --git a/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml
new file mode 100644
index 0000000000..9047ab73d3
--- /dev/null
+++ b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml
@@ -0,0 +1,32 @@
+{{/*
+  # Copyright © 2021, Nokia
+  #
+  # Licensed under the Apache License, Version 2.0 (the "License");
+  # you may not use this file except in compliance with the License.
+  # You may obtain a copy of the License at
+  #
+  #       http://www.apache.org/licenses/LICENSE-2.0
+  #
+  # Unless required by applicable law or agreed to in writing, software
+  # distributed under the License is distributed on an "AS IS" BASIS,
+  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  # See the License for the specific language governing permissions and
+  # limitations under the License.
+*/}}
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Values.tls.issuer.selfsigning.name }}
+  namespace: {{ include "common.namespace" . }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Values.tls.issuer.ca.name }}
+  namespace: {{ include "common.namespace" . }}
+spec:
+  ca:
+    secretName: {{ .Values.tls.issuer.ca.secret.name }}
\ No newline at end of file
diff --git a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
index 2d47e6f57c..5401801af5 100644
--- a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
+++ b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
@@ -28,42 +28,5 @@ data:
   {{ (.Files.Glob "resources/default/cmpServers.json").AsSecrets }}
 {{ end }}
 ---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.global.certService.certServiceClient.secret.name | default .Values.tls.client.secret.defaultName }}
-type: Opaque
-data:
-  certServiceClient-keystore.jks:
-  {{ (.Files.Glob "resources/certServiceClient-keystore.jks").AsSecrets }}
-  truststore.jks:
-  {{ (.Files.Glob "resources/truststore.jks").AsSecrets }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.tls.server.secret.name }}
-type: Opaque
-data:
-  certServiceServer-keystore.jks:
-  {{ (.Files.Glob "resources/certServiceServer-keystore.jks").AsSecrets }}
-  certServiceServer-keystore.p12:
-  {{ (.Files.Glob "resources/certServiceServer-keystore.p12").AsSecrets }}
-  truststore.jks:
-  {{ (.Files.Glob "resources/truststore.jks").AsSecrets }}
-  root.crt:
-  {{ (.Files.Glob "resources/root.crt").AsSecrets }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.tls.provider.secret.name }}
-type: Opaque
-data:
-  certServiceServer-key.pem:
-  {{ (.Files.Glob "resources/certServiceServer-key.pem").AsSecrets }}
-  certServiceServer-cert.pem:
-  {{ (.Files.Glob "resources/certServiceServer-cert.pem").AsSecrets }}
-  truststore.pem:
-  {{ (.Files.Glob "resources/truststore.pem").AsSecrets }}
+
 {{ end -}}
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index 537b025fb0..829d3a01d1 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml
@@ -79,38 +79,40 @@ cmpServers:
     mountPath: /etc/onap/oom/certservice
 
 tls:
+  issuer:
+    selfsigning:
+      name: &selfSigningIssuer cmpv2-selfsigning-issuer
+    ca:
+      name: &caIssuer cmpv2-ca-issuer
+      secret:
+        name: &caKeyPairSecret  cmpv2-ca-key-pair
   server:
     secret:
-      name: oom-cert-service-server-tls-secret
+      name: &serverSecret oom-cert-service-server-tls-secret
     volume:
       name: oom-cert-service-server-tls-volume
       mountPath: /etc/onap/oom/certservice/certs/
   client:
     secret:
       defaultName: oom-cert-service-client-tls-secret
-  provider:
-    secret:
-      name: cmpv2-issuer-secret
 
 envs:
   keystore:
-    jksName: certServiceServer-keystore.jks
-    p12Name: certServiceServer-keystore.p12
-    pemName: certServiceServer-keystore.pem
+    jksName: keystore.jks
+    p12Name: keystore.p12
+    pemName: tls.crt
   truststore:
     jksName: truststore.jks
-    crtName: root.crt
-    pemName: truststore.pem
+    crtName: ca.crt
+    pemName: tls.crt
   httpsPort: 8443
 
 # External secrets with credentials can be provided to override default credentials defined below,
 # by uncommenting and filling appropriate *ExternalSecret value
 credentials:
   tls:
-    keystorePassword: secret
-    truststorePassword: secret
-    #keystorePasswordExternalSecret:
-    #truststorePasswordExternalSecret:
+    certificatesPassword: secret
+    #certificatesPasswordExternalSecret:
   # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled
   cmp:
     # Used only if cmpv2 testing is enabled
@@ -126,17 +128,11 @@ credentials:
       # rv: unused
 
 secrets:
-  - uid: keystore-password
-    name: '{{ include "common.release" . }}-keystore-password'
-    type: password
-    externalSecret: '{{ tpl (default "" .Values.credentials.tls.keystorePasswordExternalSecret) . }}'
-    password: '{{ .Values.credentials.tls.keystorePassword }}'
-    passwordPolicy: required
-  - uid: truststore-password
-    name: '{{ include "common.release" . }}-truststore-password'
+  - uid: certificates-password
+    name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}'
     type: password
-    externalSecret: '{{ tpl (default "" .Values.credentials.tls.truststorePasswordExternalSecret) . }}'
-    password: '{{ .Values.credentials.tls.truststorePassword }}'
+    externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}'
+    password: '{{ .Values.credentials.tls.certificatesPassword }}'
     passwordPolicy: required
   # Below values are relevant only if global addTestingComponents flag is enabled
   - uid: ejbca-server-client-iak
@@ -155,3 +151,65 @@ secrets:
     type: password
     externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}'
     password: '{{ .Values.credentials.cmp.ra.rv }}'
+
+# Certificates definitions
+certificates:
+  - name: selfsigned-cert
+    secretName: *caKeyPairSecret
+    isCA: true
+    commonName: root.com
+    subject:
+      organization: Root Company
+      country: PL
+      locality: Wroclaw
+      province: Dolny Slask
+      organizationalUnit: Root Org
+    issuer:
+      name: *selfSigningIssuer
+      kind: Issuer
+  - name: cert-service-server-cert
+    secretName: *serverSecret
+    commonName: oom-cert-service
+    dnsNames:
+      - oom-cert-service
+      - localhost
+    subject:
+      organization: certServiceServer org
+      country: PL
+      locality: Wroclaw
+      province: Dolny Slask
+      organizationalUnit: certServiceServer company
+    usages:
+      - server auth
+      - client auth
+    keystore:
+      outputType:
+        - jks
+        - p12
+      passwordSecretRef:
+        name: *certificatesPasswordSecretName
+        key: password
+    issuer:
+      name: *caIssuer
+      kind: Issuer
+  - name: cert-service-client-cert
+    secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}'
+    commonName: certServiceClient.com
+    subject:
+      organization: certServiceClient org
+      country: PL
+      locality: Wroclaw
+      province: Dolny Slask
+      organizationalUnit: certServiceClient company
+    usages:
+      - server auth
+      - client auth
+    keystore:
+      outputType:
+        - jks
+      passwordSecretRef:
+        name: *certificatesPasswordSecretName
+        key: password
+    issuer:
+      name: *caIssuer
+      kind: Issuer
diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml
index 399740ed05..d842ae5177 100644
--- a/kubernetes/sdnc/values.yaml
+++ b/kubernetes/sdnc/values.yaml
@@ -195,6 +195,7 @@ certificates:
       outputType:
         - jks
       passwordSecretRef:
+        create: true
         name: sdnc-cmpv2-keystore-password
         key: password
     issuer: