From b61f538e0c907ab84501bda27ea62cc1bfcbe369 Mon Sep 17 00:00:00 2001
From: Michal Ptacek
Date: Mon, 12 Nov 2018 07:14:52 +0000
Subject: Propagate rootCA to policy pods

Fix distribution of rootCA certificate to relevant pods

Change-Id: Icc4a42efffca62b388fb6b4cd081a9b4a830fa24
Signed-off-by: Michal Zegan
Signed-off-by: Michal Ptacek
Issue-ID: INT-718
---
 onap-offline/bash/tools/common-functions.sh | 2 +-
 onap-offline/patches/offline-changes.patch | 244 ++++++++++++++++++++++++++++
 2 files changed, 245 insertions(+), 1 deletion(-)

diff --git a/onap-offline/bash/tools/common-functions.sh b/onap-offline/bash/tools/common-functions.sh
index 0a6e26f..53e8035 100755
--- a/onap-offline/bash/tools/common-functions.sh
+++ b/onap-offline/bash/tools/common-functions.sh
@@ -573,7 +573,7 @@ deploy_onap() {
 sleep 5
 helm repo add local http://127.0.0.1:8879
 make all
- helm install local/onap -n dev --namespace onap
+ helm install local/onap -n dev --namespace onap --set "global.cacert=$(cat ${CERTS_TARGET_PATH}/rootCAcert.crt)"
 popd
 }
diff --git a/onap-offline/patches/offline-changes.patch b/onap-offline/patches/offline-changes.patch
index b55e58a..5238da4 100644
--- a/onap-offline/patches/offline-changes.patch
+++ b/onap-offline/patches/offline-changes.patch
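Review bot: If `${CERTS_TARGET_PATH}/rootCAcert.crt` is missing or unreadable, the `$(cat ...)` in the new `helm install` line expands to an empty string, `global.cacert` is set to "", and every `{{- if .Values.global.cacert }}` guard in the chart silently skips the CA propagation while the install still succeeds. A guard such as `[ -s "${CERTS_TARGET_PATH}/rootCAcert.crt" ] || { echo "rootCAcert.crt not found under ${CERTS_TARGET_PATH}" >&2; return 1; }` placed before the `helm install` turns that into a hard, visible failure. Passing a multi-line PEM through `--set` also relies on Helm's `--set` value parsing surviving newlines; `--set-file global.cacert="${CERTS_TARGET_PATH}/rootCAcert.crt"` (where the installed Helm supports it) or a values file avoids that fragility. The body of deploy_onap starts outside the hunk.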
@@ -370,3 +370,247 @@ index accdff9..fa83daf 100644
 ports:
 - containerPort: {{ .Values.service.internalPort }}
 # disable liveness probe when breakpoints set in debugger
+--- oom/kubernetes/common/common/templates/_cacert.tpl 1970-01-01 00:00:00.000000000 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/common/common/templates/_cacert.tpl 2018-11-02 15:09:31.781688957 +0000
+@@ -0,0 +1,62 @@
++#This template adds volume for access to ca certificate.
++#Template is ignored when cacert not set.
++{{- define "common.cacert-volume" }}
++{{- if .Values.global.cacert }}
++- name: cacert
++ configMap:
++ name: {{ include "common.namespace" . }}-root-ca-cert
++{{- end }}
++{{- end }}
++
++#This template mounts the CA certificate in an ubuntu compatible way.
++#It is mounted to /usr/local/share/ca-certificates/cacert.crt.
++#Template is ignored if cacert not set.
++{{- define "common.cacert-mount-ubuntu" }}
++{{- if .Values.global.cacert }}
++- mountPath: "/usr/local/share/ca-certificates/cacert.crt"
++ name: cacert
++ subPath: certificate
++{{- end }}
++{{- end }}
++
++#This template creates an empty volume used to store system certificates (includes java keystore).
++{{- define "common.system-ca-store-volume" }}
++{{- if .Values.global.cacert }}
++- name: system-ca-store
++ emptyDir:
++{{- end }}
++{{- end }}
++
++#This template mounts system ca store volume to /etc/ssl/certs (ubuntu specific).
++#Template is ignored in case cacert is not given.
++{{- define "common.system-ca-store-mount-ubuntu" }}
++{{- if .Values.global.cacert }}
++- mountPath: "/etc/ssl/certs"
++ name: system-ca-store
++{{- end }}
++{{- end }}
++
++#This template is a template for an init container.
++#This init container can be declared to update system's ca store for ubuntu containers.
++#It runs as root using the same image as the main one.
++#It expects /etc/ssl/certs to be mounted as a volume.
++#It has to be shared with the main container.
++#This template is ignored if cacert is not given as helm value.
++{{- define "common.update-system-ca-store-ubuntu" }}
++{{- if .Values.global.cacert }}
++- command:
++ - "/bin/bash"
++ - "-c"
++ - |
++ mkdir -p /etc/ssl/certs/java
++ update-ca-certificates
++ name: update-system-ca-store
++ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
++ image: {{ include "common.repository" . }}/{{ .Values.image }}
++ securityContext:
++ runAsUser: 0
++ volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 2 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 2 }}
++{{- end }}
++{{- end }}
+--- oom/kubernetes/onap/templates/configmap.yaml 1970-01-01 00:00:00.000000000 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/onap/templates/configmap.yaml 2018-11-02 15:09:31.804689107 +0000
+@@ -0,0 +1,15 @@
++{{ if .Values.global.cacert -}}
++apiVersion: v1
++kind: ConfigMap
++metadata:
++ name: {{ include "common.namespace" . }}-root-ca-cert
++ namespace: {{ include "common.namespace" . }}
++ labels:
++ app: {{ include "common.name" . }}
++ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
++ release: {{ .Release.Name }}
++ heritage: {{ .Release.Service }}
++data:
++ certificate: |
++{{ .Values.global.cacert | indent 4 }}
++{{- end }}
+--- oom/kubernetes/policy/charts/brmsgw/templates/deployment.yaml 2018-11-06 07:38:46.341849402 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/brmsgw/templates/deployment.yaml 2018-11-02 15:09:31.808689133 +0000
+@@ -45,6 +45,7 @@
+ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-readiness
++{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
+ containers:
+ - command:
+ - /bin/bash
+@@ -68,6 +69,8 @@
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 8 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 8 }}
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+@@ -94,6 +97,8 @@
+ {{ toYaml .Values.affinity | indent 10 }}
+ {{- end }}
+ volumes:
++{{ include "common.cacert-volume" . | indent 8 }}
++{{ include "common.system-ca-store-volume" . | indent 8 }}
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+--- oom/kubernetes/policy/charts/drools/templates/statefulset.yaml 2018-11-06 07:38:46.343849404 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/drools/templates/statefulset.yaml 2018-11-02 15:09:31.810689146 +0000
+@@ -51,6 +51,8 @@
+ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-readiness
++{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
++{{ include "policy.update-policy-keystore" . | indent 6 }}
+ containers:
+ - name: {{ include "common.name" . }}
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+@@ -78,6 +80,9 @@
+ - name: REPLICAS
+ value: "{{ .Values.replicaCount }}"
+ volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 10 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 10 }}
++{{ include "policy.keystore-mount" . | indent 10 }}
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+@@ -136,6 +141,9 @@
+ {{ toYaml .Values.affinity | indent 10 }}
+ {{- end }}
+ volumes:
++{{ include "common.cacert-volume" . | indent 8 }}
++{{ include "common.system-ca-store-volume" . | indent 8 }}
++{{ include "policy.keystore-storage-volume" . | indent 8 }}
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+--- oom/kubernetes/policy/charts/pdp/templates/statefulset.yaml 2018-11-06 07:38:46.345849405 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/pdp/templates/statefulset.yaml 2018-11-02 15:09:31.812689159 +0000
+@@ -49,6 +49,7 @@
+ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-readiness
++{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
+ containers:
+ - command:
+ - /bin/bash
+@@ -72,6 +73,8 @@
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 8 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 8 }}
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+@@ -121,6 +124,8 @@
+ {{ toYaml .Values.affinity | indent 10 }}
+ {{- end }}
+ volumes:
++{{ include "common.cacert-volume" . | indent 6 }}
++{{ include "common.system-ca-store-volume" . | indent 6 }}
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+--- oom/kubernetes/policy/charts/policy-common/templates/_keystore.tpl 1970-01-01 00:00:00.000000000 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/policy-common/templates/_keystore.tpl 2018-11-02 15:09:31.812689159 +0000
+@@ -0,0 +1,43 @@
++#This template creates a volume for storing policy-keystore with imported ca.
++#It is ignored if cacert was not given.
++{{- define "policy.keystore-storage-volume" }}
++{{- if .Values.global.cacert }}
++- name: keystore-storage
++ emptyDir:
++{{- end }}
++{{- end }}
++
++#This template mounts policy-keystore in appropriate place for policy components to take it.
++#It is ignored if cacert is not given.
++{{- define "policy.keystore-mount" }}
++{{- if .Values.global.cacert }}
++- mountPath: "/tmp/policy-install/config/policy-keystore"
++ name: keystore-storage
++ subPath: policy-keystore
++{{- end }}
++{{- end }}
++
++#This will extract a policy keystore and then import
++#the root cacert of offline nexus into it.
++#This template expects a volume named keystore-storage where policy-keystore will be put.
++#It also expects volume named cacert where the file "certificate" will contain the cert to import.
++#Template is ignored if ca certificate not given.
++{{- define "policy.update-policy-keystore" }}
++{{- if .Values.global.cacert }}
++- command:
++ - "/bin/bash"
++ - "-c"
++ - |
++ set -e
++ tar -xzf base-*.tar.gz etc/ssl/policy-keystore
++ cp etc/ssl/policy-keystore keystore-storage/
++ keytool -import -keystore keystore-storage/policy-keystore -storepass "Pol1cy_0nap" -noprompt -file /usr/local/share/ca-certificates/cacert.crt
++ name: update-policy-keystore
++ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
++ image: {{ include "common.repository" . }}/{{ .Values.image }}
++ volumeMounts:
++ - mountPath: "/tmp/policy-install/keystore-storage"
++ name: keystore-storage
++{{ include "common.cacert-mount-ubuntu" . | indent 2 }}
++{{- end }}
++{{- end }}
+--- oom/kubernetes/policy/templates/deployment.yaml 2018-11-06 07:38:46.346849406 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/templates/deployment.yaml 2018-11-02 15:09:31.813689166 +0000
+@@ -45,6 +45,7 @@
+ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-readiness
++{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
+ containers:
+ - command:
+ - /bin/bash
+@@ -72,6 +73,8 @@
+ - name: PRELOAD_POLICIES
+ value: "{{ .Values.config.preloadPolicies }}"
+ volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 10 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 10 }}
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+@@ -136,6 +139,8 @@
+ {{ toYaml .Values.affinity | indent 10 }}
+ {{- end }}
+ volumes:
++{{ include "common.cacert-volume" . | indent 8 }}
++{{ include "common.system-ca-store-volume" . | indent 8 }}
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
-- 
cgit 1.2.3-korg
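Review bot: The keystore password is hard-coded as `-storepass "Pol1cy_0nap"` in the `policy.update-policy-keystore` init container added in `_keystore.tpl`, so it is rendered into the pod spec and the Helm release history of every drools pod and is readable by anyone with pod or release read access. Sourcing it from a Secret through an `env` entry with `valueFrom.secretKeyRef` and invoking `keytool ... -storepass "$POLICY_KEYSTORE_PASSWD"` keeps the value out of the manifest; the Secret name would need to be agreed with the policy chart's existing values. The same script uses relative paths (`base-*.tar.gz`, `etc/ssl/policy-keystore`, `keystore-storage/`) while only `/tmp/policy-install/keystore-storage` is mounted, so it presumably relies on the image's working directory being `/tmp/policy-install`; an explicit `workingDir: /tmp/policy-install` on that init container would make the assumption visible rather than implicit. `set -e` is already present, so a failing `tar`, `cp` or `keytool` does fail the init container instead of leaving a keystore without the CA.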