authorMichal Ptacek <m.ptacek@partner.samsung.com>2018-11-12 07:14:52 +0000
committerMichal Ptacek <m.ptacek@partner.samsung.com>2018-11-12 07:27:59 +0000
commitb61f538e0c907ab84501bda27ea62cc1bfcbe369 (patch)
treea8b0edc3428bda938d6fc495f7dfa9bc336255e1
parent9eb261c143810fca859f27770be766fef4e4a367 (diff)
Propagate rootCA to policy pods
Fix distribution of rootCA certificate to relevant pods Change-Id: Icc4a42efffca62b388fb6b4cd081a9b4a830fa24 Signed-off-by: Michal Zegan <m.zegan@samsung.com> Signed-off-by: Michal Ptacek <m.ptacek@partner.samsung.com> Issue-ID: INT-718
-rwxr-xr-xonap-offline/bash/tools/common-functions.sh2
-rw-r--r--onap-offline/patches/offline-changes.patch244
2 files changed, 245 insertions, 1 deletions
diff --git a/onap-offline/bash/tools/common-functions.sh b/onap-offline/bash/tools/common-functions.sh
index 0a6e26f..53e8035 100755
--- a/onap-offline/bash/tools/common-functions.sh
+++ b/onap-offline/bash/tools/common-functions.sh
@@ -573,7 +573,7 @@ deploy_onap() {
sleep 5
helm repo add local http://127.0.0.1:8879
make all
- helm install local/onap -n dev --namespace onap
+ helm install local/onap -n dev --namespace onap --set "global.cacert=$(cat ${CERTS_TARGET_PATH}/rootCAcert.crt)"
popd
}
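Review bot: On the added helm install line a missing or unreadable rootCAcert.crt makes `$(cat …)` expand to an empty string, so global.cacert is silently unset and every `{{ if .Values.global.cacert }}` guard in the chart templates quietly drops the CA propagation instead of failing the deploy. Guard the file first, e.g. `[ -s "${CERTS_TARGET_PATH}/rootCAcert.crt" ] || { echo "rootCAcert.crt not found in ${CERTS_TARGET_PATH}" >&2; return 1; }`, and, if the helm in use is 2.10 or newer, pass the file directly with `--set-file "global.cacert=${CERTS_TARGET_PATH}/rootCAcert.crt"`, which avoids pushing a multi-line PEM through --set's comma/equals value parsing. deploy_onap's body starts above the hunk, so check whether the function already runs under set -e or propagates a non-zero return before relying on the early return.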
diff --git a/onap-offline/patches/offline-changes.patch b/onap-offline/patches/offline-changes.patch
index b55e58a..5238da4 100644
--- a/onap-offline/patches/offline-changes.patch
+++ b/onap-offline/patches/offline-changes.patch
@@ -370,3 +370,247 @@ index accdff9..fa83daf 100644
ports:
- containerPort: {{ .Values.service.internalPort }}
# disable liveness probe when breakpoints set in debugger
+--- oom/kubernetes/common/common/templates/_cacert.tpl 1970-01-01 00:00:00.000000000 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/common/common/templates/_cacert.tpl 2018-11-02 15:09:31.781688957 +0000
+@@ -0,0 +1,62 @@
++#This template adds volume for access to ca certificate.
++#Template is ignored when cacert not set.
++{{- define "common.cacert-volume" }}
++{{- if .Values.global.cacert }}
++- name: cacert
++ configMap:
++ name: {{ include "common.namespace" . }}-root-ca-cert
++{{- end }}
++{{- end }}
++
++#This template mounts the CA certificate in an ubuntu compatible way.
++#It is mounted to /usr/local/share/ca-certificates/cacert.crt.
++#Template is ignored if cacert not set.
++{{- define "common.cacert-mount-ubuntu" }}
++{{- if .Values.global.cacert }}
++- mountPath: "/usr/local/share/ca-certificates/cacert.crt"
++ name: cacert
++ subPath: certificate
++{{- end }}
++{{- end }}
++
++#This template creates an empty volume used to store system certificates (includes java keystore).
++{{- define "common.system-ca-store-volume" }}
++{{- if .Values.global.cacert }}
++- name: system-ca-store
++ emptyDir:
++{{- end }}
++{{- end }}
++
++#This template mounts system ca store volume to /etc/ssl/certs (ubuntu specific).
++#Template is ignored in case cacert is not given.
++{{- define "common.system-ca-store-mount-ubuntu" }}
++{{- if .Values.global.cacert }}
++- mountPath: "/etc/ssl/certs"
++ name: system-ca-store
++{{- end }}
++{{- end }}
++
++#This template is a template for an init container.
++#This init container can be declared to update system's ca store for ubuntu containers.
++#It runs as root using the same image as the main one.
++#It expects /etc/ssl/certs to be mounted as a volume.
++#It has to be shared with the main container.
++#This template is ignored if cacert is not given as helm value.
++{{- define "common.update-system-ca-store-ubuntu" }}
++{{- if .Values.global.cacert }}
++- command:
++ - "/bin/bash"
++ - "-c"
++ - |
++ mkdir -p /etc/ssl/certs/java
++ update-ca-certificates
++ name: update-system-ca-store
++ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
++ image: {{ include "common.repository" . }}/{{ .Values.image }}
++ securityContext:
++ runAsUser: 0
++ volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 2 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 2 }}
++{{- end }}
++{{- end }}
+--- oom/kubernetes/onap/templates/configmap.yaml 1970-01-01 00:00:00.000000000 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/onap/templates/configmap.yaml 2018-11-02 15:09:31.804689107 +0000
+@@ -0,0 +1,15 @@
++{{ if .Values.global.cacert -}}
++apiVersion: v1
++kind: ConfigMap
++metadata:
++ name: {{ include "common.namespace" . }}-root-ca-cert
++ namespace: {{ include "common.namespace" . }}
++ labels:
++ app: {{ include "common.name" . }}
++ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
++ release: {{ .Release.Name }}
++ heritage: {{ .Release.Service }}
++data:
++ certificate: |
++{{ .Values.global.cacert | indent 4 }}
++{{- end }}
+--- oom/kubernetes/policy/charts/brmsgw/templates/deployment.yaml 2018-11-06 07:38:46.341849402 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/brmsgw/templates/deployment.yaml 2018-11-02 15:09:31.808689133 +0000
+@@ -45,6 +45,7 @@
+ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-readiness
++{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
+ containers:
+ - command:
+ - /bin/bash
+@@ -68,6 +69,8 @@
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 8 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 8 }}
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+@@ -94,6 +97,8 @@
+ {{ toYaml .Values.affinity | indent 10 }}
+ {{- end }}
+ volumes:
++{{ include "common.cacert-volume" . | indent 8 }}
++{{ include "common.system-ca-store-volume" . | indent 8 }}
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+--- oom/kubernetes/policy/charts/drools/templates/statefulset.yaml 2018-11-06 07:38:46.343849404 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/drools/templates/statefulset.yaml 2018-11-02 15:09:31.810689146 +0000
+@@ -51,6 +51,8 @@
+ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-readiness
++{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
++{{ include "policy.update-policy-keystore" . | indent 6 }}
+ containers:
+ - name: {{ include "common.name" . }}
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+@@ -78,6 +80,9 @@
+ - name: REPLICAS
+ value: "{{ .Values.replicaCount }}"
+ volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 10 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 10 }}
++{{ include "policy.keystore-mount" . | indent 10 }}
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+@@ -136,6 +141,9 @@
+ {{ toYaml .Values.affinity | indent 10 }}
+ {{- end }}
+ volumes:
++{{ include "common.cacert-volume" . | indent 8 }}
++{{ include "common.system-ca-store-volume" . | indent 8 }}
++{{ include "policy.keystore-storage-volume" . | indent 8 }}
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+--- oom/kubernetes/policy/charts/pdp/templates/statefulset.yaml 2018-11-06 07:38:46.345849405 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/pdp/templates/statefulset.yaml 2018-11-02 15:09:31.812689159 +0000
+@@ -49,6 +49,7 @@
+ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-readiness
++{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
+ containers:
+ - command:
+ - /bin/bash
+@@ -72,6 +73,8 @@
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 8 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 8 }}
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+@@ -121,6 +124,8 @@
+ {{ toYaml .Values.affinity | indent 10 }}
+ {{- end }}
+ volumes:
++{{ include "common.cacert-volume" . | indent 6 }}
++{{ include "common.system-ca-store-volume" . | indent 6 }}
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+--- oom/kubernetes/policy/charts/policy-common/templates/_keystore.tpl 1970-01-01 00:00:00.000000000 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/policy-common/templates/_keystore.tpl 2018-11-02 15:09:31.812689159 +0000
+@@ -0,0 +1,43 @@
++#This template creates a volume for storing policy-keystore with imported ca.
++#It is ignored if cacert was not given.
++{{- define "policy.keystore-storage-volume" }}
++{{- if .Values.global.cacert }}
++- name: keystore-storage
++ emptyDir:
++{{- end }}
++{{- end }}
++
++#This template mounts policy-keystore in appropriate place for policy components to take it.
++#It is ignored if cacert is not given.
++{{- define "policy.keystore-mount" }}
++{{- if .Values.global.cacert }}
++- mountPath: "/tmp/policy-install/config/policy-keystore"
++ name: keystore-storage
++ subPath: policy-keystore
++{{- end }}
++{{- end }}
++
++#This will extract a policy keystore and then import
++#the root cacert of offline nexus into it.
++#This template expects a volume named keystore-storage where policy-keystore will be put.
++#It also expects volume named cacert where the file "certificate" will contain the cert to import.
++#Template is ignored if ca certificate not given.
++{{- define "policy.update-policy-keystore" }}
++{{- if .Values.global.cacert }}
++- command:
++ - "/bin/bash"
++ - "-c"
++ - |
++ set -e
++ tar -xzf base-*.tar.gz etc/ssl/policy-keystore
++ cp etc/ssl/policy-keystore keystore-storage/
++ keytool -import -keystore keystore-storage/policy-keystore -storepass "Pol1cy_0nap" -noprompt -file /usr/local/share/ca-certificates/cacert.crt
++ name: update-policy-keystore
++ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
++ image: {{ include "common.repository" . }}/{{ .Values.image }}
++ volumeMounts:
++ - mountPath: "/tmp/policy-install/keystore-storage"
++ name: keystore-storage
++{{ include "common.cacert-mount-ubuntu" . | indent 2 }}
++{{- end }}
++{{- end }}
+--- oom/kubernetes/policy/templates/deployment.yaml 2018-11-06 07:38:46.346849406 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/templates/deployment.yaml 2018-11-02 15:09:31.813689166 +0000
+@@ -45,6 +45,7 @@
+ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-readiness
++{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
+ containers:
+ - command:
+ - /bin/bash
+@@ -72,6 +73,8 @@
+ - name: PRELOAD_POLICIES
+ value: "{{ .Values.config.preloadPolicies }}"
+ volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 10 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 10 }}
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+@@ -136,6 +139,8 @@
+ {{ toYaml .Values.affinity | indent 10 }}
+ {{- end }}
+ volumes:
++{{ include "common.cacert-volume" . | indent 8 }}
++{{ include "common.system-ca-store-volume" . | indent 8 }}
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
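Review bot: The policy.update-policy-keystore init container in the _keystore.tpl hunk passes the keystore password as a literal, `-storepass "Pol1cy_0nap"`, so it is rendered into the pod spec and readable by anyone who can view the StatefulSet or its events; source it from a chart value or a Secret-backed environment variable and reference that in the command instead of the literal. keytool is also run without `-alias`, so the import lands under keytool's default alias and is not identifiable in the store — an explicit `-alias offline-root-ca` (constructed name) makes the entry recognisable. In _cacert.tpl the cacert mount uses `subPath: certificate` from the root-ca-cert ConfigMap, which in Kubernetes means a later ConfigMap update is not propagated into running pods, so a CA rotation needs a pod restart; that deserves a comment on the template, and the mount can carry `readOnly: true` since both init containers only read it. The relative `tar -xzf base-*.tar.gz …` and `cp … keystore-storage/` steps in the same init container presumably depend on the image's working directory being /tmp/policy-install, which this patch does not show.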