From cc3141d86b6b9c18948b067d59387f7a3acaa39a Mon Sep 17 00:00:00 2001
From: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Date: Mon, 8 Feb 2021 15:59:33 +0100
Subject: [VID] Automatically retrieve certificates

Use certInitializer in order to retrieve the certificates instead of
hardcoding them.

Issue-ID: VID-959
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: I72eb09cd2719995ee05141034936f8e0589c7ad1
---
 kubernetes/vid/requirements.yaml                   |   5 ++-
 kubernetes/vid/resources/certs/org.onap.vid.jks    | Bin 3597 -> 0 bytes
 .../vid/resources/certs/org.onap.vid.trust.jks     | Bin 1413 -> 0 bytes
 kubernetes/vid/templates/deployment.yaml           |  29 +++++++-----
 kubernetes/vid/templates/secrets.yaml              |  15 +------
 kubernetes/vid/values.yaml                         |  49 ++++++++++++++++++++-
 6 files changed, 72 insertions(+), 26 deletions(-)
 delete mode 100644 kubernetes/vid/resources/certs/org.onap.vid.jks
 delete mode 100644 kubernetes/vid/resources/certs/org.onap.vid.trust.jks

diff --git a/kubernetes/vid/requirements.yaml b/kubernetes/vid/requirements.yaml
index c6554cada2..34ad968757 100644
--- a/kubernetes/vid/requirements.yaml
+++ b/kubernetes/vid/requirements.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2017 Amdocs, Bell Canada
+# Copyright © 2021 Orange
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,6 +20,9 @@ dependencies:
     # a part of this chart's package and will not
     # be published independently to a repo (at this point)
     repository: '@local'
+  - name: certInitializer
+    version: ~7.x-0
+    repository: '@local'
   - name: mariadb-galera
     version: ~7.x-0
     repository: '@local'
@@ -30,4 +34,3 @@ dependencies:
   - name: repositoryGenerator
     version: ~7.x-0
     repository: '@local'
-
diff --git a/kubernetes/vid/resources/certs/org.onap.vid.jks b/kubernetes/vid/resources/certs/org.onap.vid.jks
deleted file mode 100644
index a05f12d857..0000000000
Binary files a/kubernetes/vid/resources/certs/org.onap.vid.jks and /dev/null differ
diff --git a/kubernetes/vid/resources/certs/org.onap.vid.trust.jks b/kubernetes/vid/resources/certs/org.onap.vid.trust.jks
deleted file mode 100644
index 4caf7be652..0000000000
Binary files a/kubernetes/vid/resources/certs/org.onap.vid.trust.jks and /dev/null differ
diff --git a/kubernetes/vid/templates/deployment.yaml b/kubernetes/vid/templates/deployment.yaml
index 2e74daa730..8872863e42 100644
--- a/kubernetes/vid/templates/deployment.yaml
+++ b/kubernetes/vid/templates/deployment.yaml
@@ -1,6 +1,7 @@
 {{/*
 # Copyright © 2017 Amdocs, Bell Canada
 # Copyright © 2020 Samsung Electronics
+# Copyright © 2021 Orange
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -36,7 +37,7 @@ spec:
         app: {{ include "common.name" . }}
         release: {{ include "common.release" . }}
     spec:
-      initContainers:
+      initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
       - command:
         - /app/ready.py
         args:
@@ -55,6 +56,15 @@ spec:
         - name: {{ include "common.name" . }}
           image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          {{- if .Values.global.aafEnabled }}
+          command:
+          - sh
+          args:
+          - -c
+          - |
+            export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
+            /tmp/vid/localize.sh
+          {{- end }}
           ports:
           - containerPort: {{ .Values.service.internalPort }}
           # disable liveness probe when breakpoints set in debugger
@@ -100,8 +110,6 @@ spec:
               value: "{{ .Values.config.roleaccesscentralized }}"
             - name: VID_CONTACT_US_LINK
               value: "{{ .Values.config.vidcontactuslink }}"
-            - name: VID_KEYSTORE_PASSWORD
-              value: {{ .Values.config.vidkeystorepassword | quote }}
             - name: VID_UEB_URL_LIST
               value: message-router.{{ include "common.namespace" . }}
             - name: VID_MYSQL_HOST
@@ -116,9 +124,13 @@ spec:
               {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "vid-db-user-secret" "key" "password") | indent 14 }}
             - name: VID_MYSQL_MAXCONNECTIONS
               value: "{{ .Values.config.vidmysqlmaxconnections }}"
-          volumeMounts:
-          - mountPath: /opt/app/vid/etc
-            name: vid-certs
+            {{- if .Values.global.aafEnabled }}
+            - name: VID_KEYSTORE_FILENAME
+              value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.jks"
+            - name: VID_TRUSTSTORE_FILENAME
+              value: "{{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks"
+            {{- end }}
+          volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
           - mountPath: /etc/localtime
             name: localtime
             readOnly: true
@@ -149,10 +161,7 @@ spec:
             name: vid-logs
           - mountPath: /usr/share/filebeat/data
             name: vid-data-filebeat
-      volumes:
-        - name: vid-certs
-          secret:
-            secretName: {{ include "common.fullname" . }}-certs
+      volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
         - name: localtime
           hostPath:
             path: /etc/localtime
diff --git a/kubernetes/vid/templates/secrets.yaml b/kubernetes/vid/templates/secrets.yaml
index 72934fffd8..670838c6cf 100644
--- a/kubernetes/vid/templates/secrets.yaml
+++ b/kubernetes/vid/templates/secrets.yaml
@@ -1,6 +1,7 @@
 {{/*
 # Copyright © 2017 Amdocs, Bell Canada
 # Copyright © 2020 Samsung Electronics
+# Copyright © 2021 Orange
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,17 +17,3 @@
 */}}
 
 {{ include "common.secretFast" . }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "common.fullname" . }}-certs
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }}
diff --git a/kubernetes/vid/values.yaml b/kubernetes/vid/values.yaml
index 8e8a17ae84..4510dc6908 100644
--- a/kubernetes/vid/values.yaml
+++ b/kubernetes/vid/values.yaml
@@ -1,5 +1,6 @@
 # Copyright © 2017 Amdocs, Bell Canada
 # Copyright © 2020 Samsung Electronics
+# Copyright © 2021 Orange
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -36,6 +37,53 @@ secrets:
     login: '{{ .Values.config.db.userName }}'
     password: '{{ .Values.config.db.userPassword }}'
 
+#################################################################
+# AAF part
+#################################################################
+certInitializer:
+  nameOverride: vid-cert-initializer
+  aafDeployFqi: deployer@people.osaaf.org
+  aafDeployPass: demo123456!
+  # aafDeployCredsExternalSecret: some secret
+  fqdn: vid
+  fqi: vid@vid.onap.org
+  public_fqdn: vid.onap.org
+  fqi_namespace: "org.onap.vid"
+  cadi_longitude: "0.0"
+  cadi_latitude: "0.0"
+  app_ns: org.osaaf.aaf
+  credsPath: /opt/app/osaaf/local
+  aaf_add_config: |
+    echo "*** retrieving password for keystore and trustore"
+    export $(/opt/app/aaf_config/bin/agent.sh local showpass \
+    {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0)
+    if [ -z "$cadi_keystore_password" ]
+    then
+      echo "  /!\ certificates retrieval failed"
+      exit 1
+    else
+      echo "*** changing them into shell safe ones"
+      export KEYSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+      export TRUSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+      cd {{ .Values.credsPath }}
+      keytool -storepasswd -new "${KEYSTORE_PASSWD}" \
+        -storepass "${cadi_keystore_password_jks}" \
+        -keystore {{ .Values.fqi_namespace }}.jks
+      keytool -storepasswd -new "${TRUSTORE_PASSWD}" \
+        -storepass "${cadi_truststore_password}" \
+        -keystore {{ .Values.fqi_namespace }}.trust.jks
+      echo "*** set key password as same password as keystore password"
+      keytool -keypasswd -new "${KEYSTORE_PASSWD}" \
+        -keystore {{ .Values.fqi_namespace }}.jks \
+        -keypass "${cadi_keystore_password_jks}" \
+        -storepass "${KEYSTORE_PASSWD}" -alias {{ .Values.fqi }}
+      echo "*** save the generated passwords"
+      echo "VID_KEYSTORE_PASSWORD=${KEYSTORE_PASSWD}" > mycreds.prop
+      echo "VID_TRUSTSTORE_PASSWORD=${TRUSTORE_PASSWD}" >> mycreds.prop
+      echo "*** change ownership of certificates to targeted user"
+      chown -R 1000 .
+    fi
+
 subChartsOnly:
   enabled: true
 
@@ -49,7 +97,6 @@ config:
     userName: vidadmin
 #    userCredentialsExternalSecret: some secret
 #    userPassword: password
-  vidkeystorepassword: 'F:.\,csU\&ew8\;tdVitnfo\}O\!g'
   asdcclientrestauth: "Basic dmlkOktwOGJKNFNYc3pNMFdYbGhhazNlSGxjc2UyZ0F3ODR2YW9HR21KdlV5MlU="
   asdcclientrestport: "8443"
   vidaaiport: "8443"
-- 
cgit 1.2.3-korg