From 81a0a2ed19dda1916df0a4695069e612697ba7c7 Mon Sep 17 00:00:00 2001
From: Jack Lucas
Date: Fri, 22 Nov 2019 17:32:55 -0500
Subject: Provide truststore in JKS format

Issue-ID: DCAEGEN2-1938
Signed-off-by: Jack Lucas
Change-Id: Ibd10d4e833bede448ebbc9b5e0e5be5a84155835
---
tls-init-container/dcae-cert-setup.sh | 23 ++++++++++++++++++++++-
tls-init-container/pom.xml | 2 +-
2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/tls-init-container/dcae-cert-setup.sh b/tls-init-container/dcae-cert-setup.sh
index da52569..e3b5dbe 100755
--- a/tls-init-container/dcae-cert-setup.sh
+++ b/tls-init-container/dcae-cert-setup.sh
@@ -29,7 +29,7 @@ export DEPLOY_PASSWORD=${DEPLOY_PASSWORD:-"demo123456!"}
 export cadi_longitude=${cadi_longitude:-"-72.0"}
 export cadi_latitude=${cadi_latitude:-"38.0"}
 
-# For now, we can deault aaf_locator_fqdn
+# For now, we can default aaf_locator_fqdn
 # This points to the single DCAE cert with many SANs,
 # as used in previous releases
 # When we have individual certs per component, we will override this
@@ -37,6 +37,10 @@ export cadi_latitude=${cadi_latitude:-"38.0"}
 # or via the k8s plugin
 export aaf_locator_fqdn=${aaf_locator_fqdn:-"dcae"}
 
+# Our own environment variable to signal that the tls-init-container
+# is being run for a component that is a TLS server
+export TLS_SERVER=${TLS_SERVER:-"true"}
+
 # Directory where AAF agent puts artifacts
 ARTIFACTS=/opt/app/osaaf/local
 # Directory where DCAE apps expect artifacts
@@ -45,10 +49,20 @@ TARGET=/opt/app/osaaf
 # AAF namespace for the certs--used in naming artifacts
 AAFNS=org.onap.dcae
 
+# Dummy certificate FQDN for client-only components
+# Must be set up in AAF, but won't actually be used
+DUMMY_FQDN=dcae
+
 # Clean out any existing artifacts
 rm -rf ${ARTIFACTS}
 rm -f ${TARGET}/*
 
+# Set the dummy FQDN for a client-only component
+if [ "${TLS_SERVER}" == "false" ]
+then
+ export aaf_locator_fqdn=${DUMMY_FQDN}
+fi
+
 # Get the certificate artifacts from AAF
 /opt/app/aaf_config/bin/agent.sh
 
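Review bot: The client-only branch in the `@@ -45,10 +49,20 @@` hunk fires only on the exact string `false`, so any other spelling of the intent (`False`, `no`, `0`) silently falls through to server mode and the component is provisioned with a server certificate and private key it has no use for; the same test is repeated in the `@@ -70,3 +84,10 @@` hunk. Since `DUMMY_FQDN=dcae` equals the existing default for `aaf_locator_fqdn`, the "dummy" identity is in fact the shared multi-SAN DCAE cert described in the `@@ -29,7 +29,7 @@` hunk, which is worth stating in the comment so nobody reads it as an inert placeholder: `# NOTE: same value as the default aaf_locator_fqdn -- the client gets the shared DCAE cert, server files are removed later`. `==` inside `[ ]` is a bashism; if the shebang (outside these hunks) is `/bin/sh`, use `if [ "${TLS_SERVER}" = "false" ]`, and consider rejecting unrecognised values up front rather than defaulting them to server mode.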
@@ -70,3 +84,10 @@ chmod 644 ${TARGET}/cert.pem ${TARGET}/key.pem
 
 # Get the ONAP AAF CA certificate -- pass in an empty password, since the trust store doesn't have one
 echo "" | keytool -exportcert -rfc -file ${TARGET}/cacert.pem -keystore ${ARTIFACTS}/${AAFNS}.trust.jks -alias ca_local_0
+
+# Remove server-related files for client-only components
+if [ "${TLS_SERVER}" == "false" ]
+then
+ rm ${TARGET}/cert.p12 ${TARGET}/cert.jks ${TARGET}/cert.pem ${TARGET}/key.pem ${TARGET}/p12.pass ${TARGET}/jks.pass
+ rm ${ARTIFACTS}/${AAFNS}.p12 ${ARTIFACTS}/${AAFNS}.jks
+fi
\ No newline at end of file
diff --git a/tls-init-container/pom.xml b/tls-init-container/pom.xml
index a25a0bf..a439050 100644
--- a/tls-init-container/pom.xml
+++ b/tls-init-container/pom.xml
@@ -27,7 +27,7 @@ limitations under the License.
 org.onap.dcaegen2.deployments
 tls-init-container
 dcaegen2-deployments-tls-init-container
-2.0.1
+2.1.0
 http://maven.apache.org
 UTF-8
-- 
cgit 1.2.3-korg
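Review bot: The two `rm` lines added for the client-only case have no `-f`, so if the AAF agent did not produce one of the listed files (for example no `.p12`) the command exits non-zero; whether that aborts the init container depends on a `set -e` that is not visible in these hunks, and either way the remaining files on that line are still removed only because `rm` continues past errors. Use `rm -f -- ${TARGET}/cert.p12 ...` and `rm -f -- ${ARTIFACTS}/${AAFNS}.p12 ${ARTIFACTS}/${AAFNS}.jks` so the cleanup is idempotent. The cleanup is an allow-list by filename, so any other key material the agent writes under `${ARTIFACTS}` (not visible here) stays in the container; a comment such as `# Only the named server artifacts are removed; the trust store under ${ARTIFACTS} is still needed above` would make that scope explicit. The file also ends without a trailing newline, and as far as the diffstat shows none of the hunks copies a JKS truststore into `${TARGET}`, so the subject line "Provide truststore in JKS format" appears to overstate this change unless that step already exists outside the hunks.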