Add cert manager support to netconf simulator

Issue-ID: INT-2051
Signed-off-by: Krzysztof Kuzmicki <krzysztof.kuzmicki@nokia.com>
Change-Id: Iebae4cdce78744492a5a7fb53ddcd1db7fd2585d

9 files changed, 371 insertions, 4 deletions

diff --git a/helm/netconf/resources/set-up-netopeer.sh b/helm/netconf/resources/set-up-netopeer.sh
new file mode 100644
index 0000000..20a52c3
--- /dev/null
+++ b/helm/netconf/resources/set-up-netopeer.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+###
+# ============LICENSE_START=======================================================
+# Netconf Server
+# ================================================================================
+# Copyright (C) 2022 Nokia. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+
+echo "[INFO] Starting NETCONF Server app configuration ..."
+
+  if [ "$#" -gt 1 ]; then
+
+    ## Set up variable
+    cert_service_cert_dir=/tmp/certs
+    SCRIPTS_DIR=$PWD/"$(dirname $0)"
+    enable_tls=${ENABLE_TLS:-false}
+    kafka_host_name=${KAFKA_HOST_NAME:-"localhost"}
+    kafka_port=${KAFKA_PORT:-9092}
+    kafka_topic=${KAFKA_TOPIC=-"config:1:1"}
+    models_config_path=$1
+    models_configuration_file_name=${MODELS_CONFIGURATION_FILE_NAME:-models-configuration.ini}
+
+    ## Install all modules from given directory
+    $SCRIPTS_DIR/install-all-module-from-directory.sh $1
+
+    ## If TLS is enabled start initializing certificates
+    if [[ "$enable_tls" == "true" ]]; then
+      if [ "$#" -ge 2 ]; then
+        echo "[INFO] Initializing TLS"
+        if [ -d "$cert_service_cert_dir" ]; then
+          echo "[INFO] Preparing certificates when certificates are from onap cert manager"
+          cp -rL /tmp/certs/* /resources/certs/
+          openssl x509 -pubkey -noout -in /resources/certs/server.crt  > /resources/certs/server_pub.key
+        fi
+        $SCRIPTS_DIR/install-tls-with-custom-certificates.sh  $SCRIPTS_DIR/tls $2
+      else
+        echo "[ERROR] Missing second argument: path to file with certificates for TLS."
+      fi
+    fi
+
+    echo "[INFO] NETCONF Server configuration finished."
+
+    ## Run netconf server application
+    $SCRIPTS_DIR/run-netconf-server-application.sh $models_config_path $models_configuration_file_name $kafka_host_name $kafka_port $kafka_topic
+
+    ## Run sysrepo supervisor
+    echo "[INFO] Starting Netopeer Server ..."
+    /usr/bin/supervisord -c /etc/supervisord.conf
+
+  else
+    echo "[ERROR] Unable to configure application. Provide all required arguments."
+  fi
diff --git a/helm/netconf/templates/_helpers.tpl b/helm/netconf/templates/_helpers.tpl
index 1b0ef5c..2b620b9 100644
--- a/helm/netconf/templates/_helpers.tpl
+++ b/helm/netconf/templates/_helpers.tpl
@@ -1,3 +1,19 @@
+{{/*
+# Copyright © 2022 Nokia. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
 {{/* vim: set filetype=mustache: */}}
 {{/*
 Expand the name of the chart.
@@ -51,3 +67,28 @@ app.kubernetes.io/name: {{ include "netconf-server.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Define dns names in certificate
+*/}}
+{{- define "netconf.serverCertificates.dnsNames" -}}
+{{- range $dnsName := $.Values.serverCertificates.dnsNames }}
+- {{ $dnsName }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define dns names in certificate
+*/}}
+{{- define "netconf.clientCertificates.dnsNames" -}}
+{{- range $dnsName := $.Values.clientCertificates.dnsNames }}
+- {{ $dnsName }}
+{{- end }}
+{{- end }}
+
+{{/*
+Common namespace
+*/}}
+{{- define "netconf.namespace" -}}
+  {{- default .Release.Namespace .Values.nsPrefix -}}
+{{- end -}}
+
diff --git a/helm/netconf/templates/certificate.yaml b/helm/netconf/templates/certificate.yaml
new file mode 100644
index 0000000..00c147b
--- /dev/null
+++ b/helm/netconf/templates/certificate.yaml
@@ -0,0 +1,70 @@
+# Copyright © 2022 Nokia. All rights reserved.

+#

+# Licensed under the Apache License, Version 2.0 (the "License");

+# you may not use this file except in compliance with the License.

+# You may obtain a copy of the License at

+#

+#       http://www.apache.org/licenses/LICENSE-2.0

+#

+# Unless required by applicable law or agreed to in writing, software

+# distributed under the License is distributed on an "AS IS" BASIS,

+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+# See the License for the specific language governing permissions and

+# limitations under the License.

+

+{{- if .Values.config.certService.enabled }}

+apiVersion: cert-manager.io/v1

+kind: Certificate

+metadata:

+  namespace: {{ include "netconf.namespace" . }}

+  name: '{{ .Values.clientCertificates.name }}-cert'

+spec:

+  commonName: {{ .Values.clientCertificates.commonName }}

+  secretName: '{{ .Values.clientCertificates.name }}-secret'

+  renewBefore: {{ .Values.clientCertificates.renewBefore }}

+  duration: {{ .Values.clientCertificates.duration }}

+  subject:

+    organizations:

+      - {{ .Values.clientCertificates.subject.organization }}

+    countries:

+      - {{ .Values.clientCertificates.subject.country }}

+    localities:

+      - {{ .Values.clientCertificates.subject.locality }}

+    provinces:

+      - {{ .Values.clientCertificates.subject.province }}

+    organizationalUnits:

+      - {{ .Values.clientCertificates.subject.organizationalUnit }}

+  issuerRef:

+    group: {{ .Values.clientCertificates.issuerRef.group }}

+    kind: {{ .Values.clientCertificates.issuerRef.kind }}

+    name: {{ .Values.clientCertificates.issuerRef.name }}

+  dnsNames: {{ include "netconf.clientCertificates.dnsNames" . | indent 4 }}

+

+---

+apiVersion: cert-manager.io/v1

+kind: Certificate

+metadata:

+  namespace: {{ include "netconf.namespace" . }}

+  name: '{{ .Values.serverCertificates.name }}-cert'

+spec:

+  commonName: {{ .Values.serverCertificates.commonName }}

+  secretName: '{{ .Values.serverCertificates.name }}-secret'

+  renewBefore: {{ .Values.serverCertificates.renewBefore }}

+  duration: {{ .Values.serverCertificates.duration }}

+  subject:

+    organizations:

+      - {{ .Values.serverCertificates.subject.organization }}

+    countries:

+      - {{ .Values.serverCertificates.subject.country }}

+    localities:

+      - {{ .Values.serverCertificates.subject.locality }}

+    provinces:

+      - {{ .Values.serverCertificates.subject.province }}

+    organizationalUnits:

+      - {{ .Values.serverCertificates.subject.organizationalUnit }}

+  issuerRef:

+    group: {{ .Values.serverCertificates.issuerRef.group }}

+    kind: {{ .Values.serverCertificates.issuerRef.kind }}

+    name: {{ .Values.serverCertificates.issuerRef.name }}

+  dnsNames: {{ include "netconf.serverCertificates.dnsNames" . | indent 4 }}

+{{- end }}

diff --git a/helm/netconf/templates/configmap.yaml b/helm/netconf/templates/configmap.yaml
new file mode 100644
index 0000000..900f43a
--- /dev/null
+++ b/helm/netconf/templates/configmap.yaml
@@ -0,0 +1,25 @@
+# Copyright © 2022 Nokia. All rights reserved.

+#

+# Licensed under the Apache License, Version 2.0 (the "License");

+# you may not use this file except in compliance with the License.

+# You may obtain a copy of the License at

+#

+#       http://www.apache.org/licenses/LICENSE-2.0

+#

+# Unless required by applicable law or agreed to in writing, software

+# distributed under the License is distributed on an "AS IS" BASIS,

+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+# See the License for the specific language governing permissions and

+# limitations under the License.

+

+{{- if .Values.config.certService.enabled }}

+apiVersion: v1

+kind: ConfigMap

+metadata:

+  name: {{ include "netconf-server.fullname" . }}-prep-certs

+  namespace: {{ include "netconf.namespace" . }}

+  labels:

+    {{- include "netconf-server.labels" . | nindent 4 }}

+data:

+  {{ tpl (.Files.Glob "resources/set-up-netopeer.sh").AsConfig . | indent 2 }}

+{{- end }}
\ No newline at end of file
diff --git a/helm/netconf/templates/deployment.yaml b/helm/netconf/templates/deployment.yaml
index 4a4663a..0b1af99 100644
--- a/helm/netconf/templates/deployment.yaml
+++ b/helm/netconf/templates/deployment.yaml
@@ -1,7 +1,22 @@
+# Copyright © 2022 Nokia. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "netconf-server.fullname" . }}
+  namespace: {{ include "netconf.namespace" . }}
   labels:
     {{- include "netconf-server.labels" . | nindent 4 }}
 spec:
@@ -28,6 +43,8 @@ spec:
         - env:
           - name: KAFKA_HOST_NAME
             value: {{ .Values.config.kafka_hostname | quote }}
+          - name: ENABLE_TLS
+            value: {{ .Values.config.tls.enabled | quote }}
           name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
@@ -41,6 +58,14 @@ spec:
             httpGet:
               path: /readiness
               port: {{ .Values.service.port }}
+          {{- if .Values.config.certService.enabled }}
+          volumeMounts:
+            - name: certstore
+              mountPath: {{ .Values.certsDir }}
+            - name: prep-certs
+              mountPath: /scripts/set-up-netopeer.sh
+              subPath: set-up-netopeer.sh
+          {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -53,4 +78,33 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.config.certService.enabled }}
+      volumes:
+        - name: certstore
+          projected:
+            sources:
+              - secret:
+                  name: '{{.Values.clientCertificates.name}}-secret'
+                  items:
+                    - key: tls.key
+                      path: client.key
+                    - key: tls.crt
+                      path: client.crt
+                    - key: ca.crt
+                      path: ca.crt
+              - secret:
+                  name: '{{.Values.serverCertificates.name}}-secret'
+                  items:
+                    - key: tls.key
+                      path: server.key
+                    - key: tls.crt
+                      path: server.crt
+        - name: prep-certs
+          configMap:
+            name: {{ include "netconf-server.fullname" . }}-prep-certs
+            defaultMode: 0777
+      {{- end }}
+
+
+
 
diff --git a/helm/netconf/templates/secret.yaml b/helm/netconf/templates/secret.yaml
new file mode 100644
index 0000000..a9e21e2
--- /dev/null
+++ b/helm/netconf/templates/secret.yaml
@@ -0,0 +1,34 @@
+# Copyright © 2022 Nokia. All rights reserved.

+#

+# Licensed under the Apache License, Version 2.0 (the "License");

+# you may not use this file except in compliance with the License.

+# You may obtain a copy of the License at

+#

+#       http://www.apache.org/licenses/LICENSE-2.0

+#

+# Unless required by applicable law or agreed to in writing, software

+# distributed under the License is distributed on an "AS IS" BASIS,

+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+# See the License for the specific language governing permissions and

+# limitations under the License.

+

+{{- if .Values.config.certService.enabled }}

+apiVersion: v1

+kind: Secret

+metadata:

+  name: '{{ .Values.clientCertificates.name }}-secret'

+  namespace: {{ include "netconf.namespace" . }}

+data:

+  p12.pass: MjNlOTE3NzVjOTE4ZTRmNjY4ZTFhYzgyZDY5ZjExYWU0ZWU0ZGM2MTM3YzUwMzZkZjE3MmEyODJhYTA5

+type: Opaque

+

+---

+apiVersion: v1

+kind: Secret

+metadata:

+  name: '{{ .Values.serverCertificates.name }}-secret'

+  namespace: {{ include "netconf.namespace" . }}

+data:

+  p12.pass: MjNlOTE3NzVjOTE4ZTRmNjY4ZTFhYzgyZDY5ZjExYWU0ZWU0ZGM2MTM3YzUwMzZkZjE3MmEyODJhYTA5

+type: Opaque

+{{- end }}

diff --git a/helm/netconf/templates/service.yaml b/helm/netconf/templates/service.yaml
index e359b81..81688fc 100644
--- a/helm/netconf/templates/service.yaml
+++ b/helm/netconf/templates/service.yaml
@@ -1,7 +1,22 @@
+# Copyright © 2022 Nokia. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "netconf-server.fullname" . }}
+  namespace: {{ include "netconf.namespace" . }}
   labels:
     {{- include "netconf-server.labels" . | nindent 4 }}
 spec:
diff --git a/helm/netconf/values.yaml b/helm/netconf/values.yaml
index 3feebe1..9bd8862 100644
--- a/helm/netconf/values.yaml
+++ b/helm/netconf/values.yaml
@@ -1,6 +1,16 @@
-# Default values for ves-client.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
+# Copyright © 2022 Nokia. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 
 replicaCount: 1
 
@@ -47,9 +57,61 @@ kafka:
 
 config:
   kafka_hostname: "nf-simulator-kafka"
+  tls:
+    enabled: true
+  certService:
+    enabled: true
 
 nodeSelector: {}
 
 tolerations: []
 
 affinity: {}
+
+certsDir: "/tmp/certs"
+
+serverCertificates:
+  name: netconfserver
+  dnsNames:
+    - netconfserver
+  renewBefore: 720h #30 days
+  duration: 8760h #365 days
+  commonName: netconfserver
+  subject:
+    organization: "Linux-Foundation"
+    country: "US"
+    locality: "San-Francisco"
+    province: "California"
+    organizationalUnit: "ONAP"
+  #    issuer:
+  #      group: certmanager.onap.org
+  #      kind: CMPv2Issuer
+  #      name: cmpv2-issuer-onap
+  issuerRef:
+    group: certmanager.onap.org
+    kind: CMPv2Issuer
+    name: cmpv2-issuer-onap
+  #  ipAddresses: "127.0.0.1"
+
+clientCertificates:
+  name: netconfclient
+  dnsNames:
+    - netconfclient
+  renewBefore: 720h #30 days
+  duration: 8760h #365 days
+  commonName: netconfclient
+  subject:
+    organization: "Linux-Foundation"
+    country: "US"
+    locality: "San-Francisco"
+    province: "California"
+    organizationalUnit: "ONAP"
+  #    issuer:
+  #      group: certmanager.onap.org
+  #      kind: CMPv2Issuer
+  #      name: cmpv2-issuer-onap
+  issuerRef:
+    group: certmanager.onap.org
+    kind: CMPv2Issuer
+    name: cmpv2-issuer-onap
+  #  ipAddresses: "127.0.0.1"
diff --git a/helm/ves-client/values_cmpv2.yaml b/helm/ves-client/values_cmpv2.yaml
index 5a8a60d..dc401be 100644
--- a/helm/ves-client/values_cmpv2.yaml
+++ b/helm/ves-client/values_cmpv2.yaml
@@ -14,11 +14,12 @@ mongodb:
 
 certInitializer:
   nameOverride: vesclient-cert-initializer-cmpv2
-            
+
 
 certificates:
   name: ves-client-cert-cmpv2
   secretName: ves-client-secret-cmpv2
+  commonName: dcae-ves-collector
   keystores:
     jks:
       create: true