[SO] Add TLS configuration for SO API Ingress

Instead of terminating TLS on SO POD, let's terminate it on its Ingress.
This patch uses certInitializer to create the right certificates and put them in
a secret.
This secret is then referenced on SO Ingress.

Issue-ID: SO-3078
Issue-ID: SO-3237
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: Icdc8cf6fc84cb3b3c337b4f4e5320980eee06337

5 files changed, 28 insertions, 4 deletions

diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat
index 84bd723aad..298274ed0f 100644
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat
+++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat
@@ -62,7 +62,7 @@ so@so.onap.org|sdc-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|roo
 so@so.onap.org|sdnc-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'localhost', 'sdnc-simulator'}|aaf_admin@osaaf.org|{'pkcs12'}
 so@so.onap.org|so-apih|local|/opt/app/osaaf/local||mailto:rp6768@att.com|org.onap.so|root|30|{'mso-asdc-controller-svc', 'mso-bpmn-infra-svc', 'mso-catalog-db-adapter-svc', 'mso-openstack-adapter-svc', 'mso-request-db-adapter-svc', 'mso-sdnc-adapter-svc'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
 so@so.onap.org|so-client|local|/opt/app/osaaf/local||mailto:rp6768@att.com|org.onap.so|root|30||mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
-so@so.onap.org|so|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so.api.simpledemo.onap.org', 'so.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'}
+so@so.onap.org|so|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so.api.simpledemo.onap.org', 'so.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'}
 so@so.onap.org|so-vnfm-adapter|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so-vnfm-adapter', 'so-vnfm-adapter.onap'}|aaf_admin@osaaf.org|{'pkcs12'}
 so@so.onap.org|so-vnfm-simulator|local|/opt/app/osaaf/local||mailto:|org.onap.so|root|30|{'so-vnfm-simulator', 'so-vnfm-simulator.onap'}|aaf_admin@osaaf.org|{'pkcs12'}
 tester1@test.portal.onap.org|tester1|aaf|/||mailto:|org.onap.portal.test|root|30||@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
diff --git a/kubernetes/common/certInitializer/templates/job.yaml b/kubernetes/common/certInitializer/templates/job.yaml
index 331a58c310..2acb423511 100644
--- a/kubernetes/common/certInitializer/templates/job.yaml
+++ b/kubernetes/common/certInitializer/templates/job.yaml
@@ -20,12 +20,13 @@ kind: Job
 {{- $suffix := "set-tls-secret" }}
 metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
 spec:
+  backoffLimit: 20
   template:
     metadata: {{- include "common.templateMetadata" . | nindent 6 }}
     spec:
       initContainers: {{ include "common.certInitializer.initContainer" (dict "dot" . "initRoot" .Values) | nindent 6 }}
       containers:
-      - name: create tls secret
+      - name: create-tls-secret
         command:
           - /ingress/onboard.sh
         image: {{ include "repositoryGenerator.image.kubectl" . }}
@@ -41,4 +42,5 @@ spec:
         configMap:
           name: {{ include "common.fullname" . }}-ingress
           defaultMode: 0777
+      restartPolicy: Never
 {{- end}}
diff --git a/kubernetes/so/components/soHelpers/values.yaml b/kubernetes/so/components/soHelpers/values.yaml
index 938a6f9d00..2417d2553c 100755
--- a/kubernetes/so/components/soHelpers/values.yaml
+++ b/kubernetes/so/components/soHelpers/values.yaml
@@ -34,11 +34,11 @@ certInitializer:
   fqdn: so
   fqi: so@so.onap.org
   public_fqdn: so.onap.org
+  fqi_namespace: org.onap.so
   cadi_longitude: '0.0'
   cadi_latitude: '0.0'
   app_ns: org.osaaf.aaf
   credsPath: /opt/app/osaaf/local
-  qi_namespace: org.onap.so
   aaf_add_config: |
     echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop
     echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop
diff --git a/kubernetes/so/requirements.yaml b/kubernetes/so/requirements.yaml
index f2fc70c1f9..af95ab85ce 100755
--- a/kubernetes/so/requirements.yaml
+++ b/kubernetes/so/requirements.yaml
@@ -18,6 +18,9 @@ dependencies:
     # a part of this chart's package and will not
     # be published independently to a repo (at this point)
     repository: '@local'
+  - name: certInitializer
+    version: ~8.x-0
+    repository: '@local'
   - name: readinessCheck
     version: ~8.x-0
     repository: '@local'
diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml
index ca2fe07b22..064415927f 100755
--- a/kubernetes/so/values.yaml
+++ b/kubernetes/so/values.yaml
@@ -151,6 +151,24 @@ aaf:
   trustore: org.onap.so.trust.jks
 
 #################################################################
+# AAF part for Ingress
+#################################################################
+certInitializer:
+  nameOverride: so-tls-cert
+  aafDeployFqi: deployer@people.osaaf.org
+  aafDeployPass: demo123456!
+  # aafDeployCredsExternalSecret: some secret
+  fqdn: so
+  fqi: so@so.onap.org
+  public_fqdn: so.onap.org
+  fqi_namespace: org.onap.so
+  cadi_longitude: '0.0'
+  cadi_latitude: '0.0'
+  app_ns: org.osaaf.aaf
+  credsPath: /opt/app/osaaf/local
+  ingressTlsSecret: '{{ include "common.release" . }}-so-ingress-certs'
+
+#################################################################
 # Application configuration defaults.
 #################################################################
 
@@ -263,7 +281,8 @@ ingress:
       name: 'so'
       port: 8080
   config:
-    ssl: 'none'
+    tls:
+      secret: '{{ include "common.release" . }}-so-ingress-certs'
 
 mso:
   adapters: