From 1d8fd7b6b5c01209ad5de744558459966b73dce7 Mon Sep 17 00:00:00 2001
From: Remigiusz Janeczek
Date: Tue, 1 Sep 2020 08:46:58 +0200
Subject: [k8splugin] Add support to move CMPv2 keystore in place of AAFCertMan keystore

Make secret with certs for cert-service-client container configurable

Issue-ID: DCAEGEN2-2253
Signed-off-by: Remigiusz Janeczek
Change-Id: Ia17d3a1f32d2118aa6d5380e32ac5afb5ad2d017
---
 k8s/ChangeLog.md | 4 ++++
 k8s/configure/configure.py | 2 ++
 k8s/k8sclient/k8sclient.py | 27 ++++++++++++++++++++++++---
 k8s/k8splugin_types.yaml | 2 +-
 k8s/pom.xml | 2 +-
 k8s/setup.py | 4 ++--
 k8s/tests/common.py | 2 ++
 7 files changed, 36 insertions(+), 7 deletions(-)

diff --git a/k8s/ChangeLog.md b/k8s/ChangeLog.md
index 7c014e8..7d2f4ea 100644
--- a/k8s/ChangeLog.md
+++ b/k8s/ChangeLog.md
@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [3.4.1]
+* DCAEGEN2-2253 - Add support to move CMPv2 keystore in place of AAF CertMan keystore
+* Make secret for cert-service-client container configurable
+
 ## [3.4.0]
 * DCAEGEN2-2253 - Add support to truststore merger init container
 
diff --git a/k8s/configure/configure.py b/k8s/configure/configure.py
index fbf578c..dc21dd9 100644
--- a/k8s/configure/configure.py
+++ b/k8s/configure/configure.py
@@ -47,6 +47,7 @@ EXT_TLS_ORGANIZATION = "Linux-Foundation"
 EXT_TLS_STATE = "California"
 EXT_TLS_ORGANIZATIONAL_UNIT = "ONAP"
 EXT_TLS_LOCATION = "San-Francisco"
+EXT_TLS_CERT_SECRET_NAME = "aaf-cert-service-client-tls-secret"
 EXT_TLS_KEYSTORE_PASSWORD = "secret"
 EXT_TLS_TRUSTSTORE_PASSWORD = "secret"
 
@@ -83,6 +84,7 @@ def _set_defaults():
             "state" : EXT_TLS_STATE, # State name, for which certificate will be created
             "organizational_unit" : EXT_TLS_ORGANIZATIONAL_UNIT, # Organizational unit name, for which certificate will be created
             "location" : EXT_TLS_LOCATION, # Location name, for which certificate will be created
+            "cert_secret_name": EXT_TLS_CERT_SECRET_NAME, # Name of secret containing keystore and truststore for secure communication of Cert Service Client and Cert Service
             "keystore_password" : EXT_TLS_KEYSTORE_PASSWORD, # Password to keystore file
             "truststore_password" : EXT_TLS_TRUSTSTORE_PASSWORD # Password to truststore file
         },
diff --git a/k8s/k8sclient/k8sclient.py b/k8s/k8sclient/k8sclient.py
index 4b58b0e..a41d32d 100644
--- a/k8s/k8sclient/k8sclient.py
+++ b/k8s/k8sclient/k8sclient.py
@@ -47,7 +47,7 @@ PORTS = re.compile("^([0-9]+)(/(udp|UDP|tcp|TCP))?:([0-9]+)$")
 MOUNT_PATH = "/etc/onap/aaf/certservice/certs/"
 KEYSTORE_PATH = MOUNT_PATH + "certServiceClient-keystore.jks"
 TRUSTSTORE_PATH = MOUNT_PATH + "truststore.jks"
-CERT_SECRET_NAME = "aaf-cert-service-client-tls-secret"
+DEFAULT_CERT_TYPE = "p12"
 
 def _create_deployment_name(component_name):
     return "dep-{0}".format(component_name)[:63]
@@ -356,7 +356,7 @@ def _add_external_tls_init_container(ctx, init_containers, volumes, external_cer
     env["TRUSTSTORE_PASSWORD"] = external_tls_config.get("truststore_password")
 
     # Create the volumes and volume mounts
-    sec = client.V1SecretVolumeSource(secret_name=CERT_SECRET_NAME)
+    sec = client.V1SecretVolumeSource(secret_name=external_tls_config.get("cert_secret_name"))
     volumes.append(client.V1Volume(name="tls-volume", secret=sec))
     init_volume_mounts = [client.V1VolumeMount(name="tls-info", mount_path=external_cert.get("external_cert_directory")),
                           client.V1VolumeMount(name="tls-volume", mount_path=MOUNT_PATH)]
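Review bot: In the new `sec = client.V1SecretVolumeSource(secret_name=external_tls_config.get("cert_secret_name"))` line the secret name is read with `.get()` and has no fallback, so a config that predates the new `cert_secret_name` default, or one with the key misspelled, yields `secret_name=None`; the volume is then built without a secret reference and the failure only surfaces when the deployment is applied, far from its cause. The removed `CERT_SECRET_NAME` constant in the `@@ -47` hunk was that fallback, and I cannot see from here whether anything else in the module still refers to it. I would fail fast in this function, `secret_name = external_tls_config.get("cert_secret_name")` followed by `if not secret_name: raise ValueError("external_cert.cert_secret_name is not set")`, or keep a module-level default next to `DEFAULT_CERT_TYPE`. `_add_external_tls_init_container` starts and ends outside the hunk.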
@@ -379,7 +379,7 @@ def _add_truststore_merger_init_container(ctx, init_containers, tls_info, tls_co
 
     ext_cert_dir = tls_cert_dir + "external/"
 
-    output_type = (external_cert.get("cert_type") or 'p12').lower()
+    output_type = (external_cert.get("cert_type") or DEFAULT_CERT_TYPE).lower()
     ext_truststore_path = ext_cert_dir + "truststore." + _get_file_extension(output_type)
     ext_truststore_pass = ''
     if output_type != 'pem':
@@ -388,9 +388,13 @@ def _add_truststore_merger_init_container(ctx, init_containers, tls_info, tls_co
     env = {}
     env["TRUSTSTORES_PATHS"] = tls_cert_file_path + ":" + ext_truststore_path
     env["TRUSTSTORES_PASSWORDS_PATHS"] = tls_cert_file_pass + ":" + ext_truststore_pass
+    env["KEYSTORE_SOURCE_PATHS"] = _get_keystore_source_paths(output_type, ext_cert_dir)
+    env["KEYSTORE_DESTINATION_PATHS"] = _get_keystore_destination_paths(output_type, tls_cert_dir)
 
     ctx.logger.info("TRUSTSTORES_PATHS: " + env["TRUSTSTORES_PATHS"])
     ctx.logger.info("TRUSTSTORES_PASSWORDS_PATHS: " + env["TRUSTSTORES_PASSWORDS_PATHS"])
+    ctx.logger.info("KEYSTORE_SOURCE_PATHS: " + env["KEYSTORE_SOURCE_PATHS"])
+    ctx.logger.info("KEYSTORE_DESTINATION_PATHS: " + env["KEYSTORE_DESTINATION_PATHS"])
 
     # Create the volumes and volume mounts
     init_volume_mounts = [client.V1VolumeMount(name="tls-info", mount_path=tls_cert_dir)]
@@ -398,6 +402,7 @@ def _add_truststore_merger_init_container(ctx, init_containers, tls_info, tls_co
     # Create the init container
     init_containers.append(_create_container_object("truststore-merger", docker_image, False, volume_mounts=init_volume_mounts, env=env))
 
+
 def _get_file_extension(output_type):
     return {
         'p12': 'p12',
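Review bot: The new `env["KEYSTORE_DESTINATION_PATHS"]` line points the merger at `cert.*` and its password file directly under `tls_cert_dir`, which per the commit title replaces the AAF CertMan keystore with the CMPv2 one, yet nothing in the hunk records that overwriting the component's primary keystore is intentional, and the colon-separated format of `KEYSTORE_SOURCE_PATHS`/`KEYSTORE_DESTINATION_PATHS` (store then password file, or certificate then private key for `pem`) has to be inferred from the templates further down. I would add above the two new `env[...]` lines `# Keystore pairs are "<store>:<password file>" (or "<cert>:<key>" for pem); the merger replaces the CertMan keystore in tls_cert_dir with the CMPv2 one`. The four `ctx.logger.info` calls emit only file paths, not store contents or passwords, so the logging itself is fine. `_add_truststore_merger_init_container` begins and ends outside this hunk; the `@@ -379` hunk on the same line is a plain constant substitution and needs nothing.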
@@ -405,6 +410,22 @@ def _get_file_extension(output_type):
         'jks': 'jks',
     }[output_type]
 
+def _get_keystore_source_paths(output_type, ext_cert_dir):
+    source_paths_template = {
+        'p12': "{0}keystore.p12:{0}keystore.pass",
+        'jks': "{0}keystore.jks:{0}keystore.pass",
+        'pem': "{0}keystore.pem:{0}key.pem",
+    }[output_type]
+    return source_paths_template.format(ext_cert_dir)
+
+def _get_keystore_destination_paths(output_type, tls_cert_dir):
+    destination_paths_template = {
+        'p12': "{0}cert.p12:{0}p12.pass",
+        'jks': "{0}cert.jks:{0}jks.pass",
+        'pem': "{0}cert.pem:{0}key.pem",
+    }[output_type]
+    return destination_paths_template.format(tls_cert_dir)
+
 def _process_port_map(port_map):
     service_ports = []  # Ports exposed internally on the k8s network
     exposed_ports = []  # Ports to be mapped to ports on the k8s nodes via NodePort
diff --git a/k8s/k8splugin_types.yaml b/k8s/k8splugin_types.yaml
index 81bd7ff..f6c518b 100644
--- a/k8s/k8splugin_types.yaml
+++ b/k8s/k8splugin_types.yaml
@@ -23,7 +23,7 @@ plugins:
   k8s:
     executor: 'central_deployment_agent'
     package_name: k8splugin
-    package_version: 3.4.0
+    package_version: 3.4.1
 
 data_types:
 
diff --git a/k8s/pom.xml b/k8s/pom.xml
index 31cc737..5cdc265 100644
--- a/k8s/pom.xml
+++ b/k8s/pom.xml
@@ -28,7 +28,7 @@ limitations under the License.
   org.onap.dcaegen2.platform.plugins
   k8s
   k8s-plugin
-  3.4.0-SNAPSHOT
+  3.4.1-SNAPSHOT
   http://maven.apache.org
 
   UTF-8
diff --git a/k8s/setup.py b/k8s/setup.py
index fb6efcb..ad1072e 100644
--- a/k8s/setup.py
+++ b/k8s/setup.py
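Review bot: `_get_keystore_source_paths` and `_get_keystore_destination_paths` carry no docstring, and for an `output_type` outside `p12`/`jks`/`pem` they raise a bare `KeyError` out of an anonymous dict literal, the same failure mode `_get_file_extension` already has but now in three places that must keep identical key sets. A one-line docstring on each, such as `"""Return "<keystore>:<password file>" (or "<cert>:<key>" for pem) under ext_cert_dir, which must end with a slash."""`, plus a comment that the three lookup tables must stay in sync, would make the contract visible. The directory argument is concatenated with no separator, so a value without a trailing slash produces a wrong path; the visible caller builds `ext_cert_dir` as `tls_cert_dir + "external/"`, but `tls_cert_dir` itself is assigned outside the hunk and I cannot confirm its form. Hoisting the two templates to module-level constants next to `DEFAULT_CERT_TYPE` instead of rebuilding them per call is a minor style point.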
@@ -23,8 +23,8 @@ from setuptools import setup
 setup(
     name='k8splugin',
     description='Cloudify plugin for containerized components deployed using Kubernetes',
-    version="3.4.0",
-    author='J. F. Lucas, Michael Hwang, Tommy Carpenter, Joanna Jeremicz, Sylwia Jakubek, Jan Malkiewicz',
+    version="3.4.1",
+    author='J. F. Lucas, Michael Hwang, Tommy Carpenter, Joanna Jeremicz, Sylwia Jakubek, Jan Malkiewicz, Remigiusz Janeczek',
     packages=['k8splugin','k8sclient','configure'],
     zip_safe=False,
     install_requires=[
diff --git a/k8s/tests/common.py b/k8s/tests/common.py
index 35d34ba..91d4d41 100644
--- a/k8s/tests/common.py
+++ b/k8s/tests/common.py
@@ -175,6 +175,8 @@ def verify_truststore_merger(dep):
     expected_envs = {
         "TRUSTSTORES_PATHS": "/opt/dcae/cacert/trust.jks:/opt/dcae/cacert/external/truststore.p12",
         "TRUSTSTORES_PASSWORDS_PATHS": "/opt/dcae/cacert/trust.pass:/opt/dcae/cacert/external/truststore.pass",
+        "KEYSTORE_SOURCE_PATHS": "/opt/dcae/cacert/external/keystore.p12:/opt/dcae/cacert/external/keystore.pass",
+        "KEYSTORE_DESTINATION_PATHS": "/opt/dcae/cacert/cert.p12:/opt/dcae/cacert/p12.pass"
     }
 
     envs = {k.name: k.value for k in cert_container.env}
-- 
cgit 1.2.3-korg
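Review bot: The two added `expected_envs` entries pin only the `p12` branch of the new keystore templates; the `jks` and `pem` rows of `_get_keystore_source_paths`/`_get_keystore_destination_paths`, where for `pem` the second path is a private key rather than a password file, are not exercised anywhere in this change. A direct assertion per type, such as `assert _get_keystore_destination_paths("pem", "/x/") == "/x/cert.pem:/x/key.pem"`, would cover them cheaply. `verify_truststore_merger` starts and ends outside the hunk, so I cannot see how `cert_container` is chosen or whether a fixture with `cert_type` set to another value exists elsewhere.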