authorGrzegorz-Lis <grzegorz.lis@nokia.com>2021-08-04 06:59:03 +0000
committerGrzegorz Lis <grzegorz.lis@nokia.com>2021-08-05 13:08:15 +0000
commitf739bd6b7e48edad36966a00894dc08de0c4de21 (patch)
treef867439285c9f3261c46476a5c158984713d6c6a
parent5c43a0c2c3412b416c2ae560f34059063e647012 (diff)
Improve VES Client helm charts in order to use certificates from AAF or CMPv2istanbul
Issue-ID: INT-1954 Signed-off-by: Grzegorz Lis <grzegorz.lis@nokia.com> Change-Id: I449350101e8af43aabefccded31d6c6c5e717c2c
-rw-r--r--helm/ves-client/Chart.yaml11
-rw-r--r--helm/ves-client/templates/NOTES.txt17
-rw-r--r--helm/ves-client/templates/_helpers.tpl11
-rw-r--r--helm/ves-client/templates/certificate.yaml41
-rw-r--r--helm/ves-client/templates/configmap.yaml11
-rw-r--r--helm/ves-client/templates/deployment.yaml78
-rw-r--r--helm/ves-client/templates/secret.yaml8
-rw-r--r--helm/ves-client/templates/service.yaml2
-rw-r--r--helm/ves-client/values.yaml116
-rw-r--r--helm/ves-client/values_aaf.yaml33
-rw-r--r--helm/ves-client/values_basic.yaml15
-rw-r--r--helm/ves-client/values_cmpv2.yaml33
12 files changed, 335 insertions, 41 deletions
diff --git a/helm/ves-client/Chart.yaml b/helm/ves-client/Chart.yaml
index 1629944..613c988 100644
--- a/helm/ves-client/Chart.yaml
+++ b/helm/ves-client/Chart.yaml
@@ -26,9 +26,12 @@ dependencies:
version: 10.x
repository: https://charts.bitnami.com/bitnami
condition: mongodb.enabled
- - name: mongo-express
- version: 2.x
- repository: https://cowboysysop.github.io/charts/
- - name: repositoryGenerator
+ - name: certInitializer
version: ~8.x-0
repository: '@local'
+ - name: common
+ version: ~8.x-0
+ # local reference to common chart, as it is
+ # a part of this chart's package and will not
+ # be published independently to a repo (at this point)
+ repository: '@local'
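Review bot: Dropping `repositoryGenerator` here (and the `repositoryGenerator.repository` prefix in deployment.yaml) leaves the VES client image referenced as a bare `onap/...:tag`, so it is pulled from the default registry instead of the ONAP-configured repository or proxy; if that is intentional it should be stated in the commit message, otherwise keep the dependency or add an explicit `image.registry` value. `certInitializer` is added without a `condition:`, so the subchart is always pulled in even for `certMethod: basic`/`cmpv2` installs; whether it renders anything in those modes depends on the subchart's own gating, which is not visible here.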
diff --git a/helm/ves-client/templates/NOTES.txt b/helm/ves-client/templates/NOTES.txt
new file mode 100644
index 0000000..d6e6f53
--- /dev/null
+++ b/helm/ves-client/templates/NOTES.txt
@@ -0,0 +1,17 @@
+Application Configuration
+
+Basic authentication:
+config:
+ useCerts: false
+
+Certificate authentication with AAF:
+config:
+ useCerts: true
+
+certMethod: "aaf"
+
+Certificate authentication with CMPv2:
+config:
+ useCerts: true
+
+certMethod: "cmpv2"
diff --git a/helm/ves-client/templates/_helpers.tpl b/helm/ves-client/templates/_helpers.tpl
index 1d8fd9f..e64ffcf 100644
--- a/helm/ves-client/templates/_helpers.tpl
+++ b/helm/ves-client/templates/_helpers.tpl
@@ -1,4 +1,3 @@
-{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
@@ -51,3 +50,13 @@ app.kubernetes.io/name: {{ include "ves-client.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ves-client.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "ves-client.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
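Review bot: `ves-client.serviceAccountName` dereferences `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but no `serviceAccount` key is added to values.yaml in this change, so the first template to include it will fail with `nil pointer evaluating interface {}.create`. Either add `serviceAccount: { create: false, name: "" }` to values.yaml (and wire it into the Deployment), or drop the helper until it is used. Nothing in the diff references it yet, so right now it is dead code.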
diff --git a/helm/ves-client/templates/certificate.yaml b/helm/ves-client/templates/certificate.yaml
new file mode 100644
index 0000000..4dc0110
--- /dev/null
+++ b/helm/ves-client/templates/certificate.yaml
@@ -0,0 +1,41 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+{{- with .Values.certificates }}
+metadata:
+ name: {{ .name }}
+ namespace: {{ .namespace }}
+spec:
+ secretName: {{ .secretName }}
+ commonName: {{ .commonName }}
+ renewBefore: {{ .renewBefore }}
+ {{- if .duration }}
+ duration: {{ .duration }}
+ {{- end }}
+ subject:
+ organizations:
+ - {{ .subject.organization }}
+ countries:
+ - {{ .subject.country }}
+ localities:
+ - {{ .subject.locality }}
+ provinces:
+ - {{ .subject.province }}
+ organizationalUnits:
+ - {{ .subject.organizationalUnit }}
+ issuerRef:
+ group: {{ .issuerRef.group }}
+ kind: {{ .issuerRef.kind }}
+ name: {{ .issuerRef.name }}
+ {{- if .dnsNames }}
+ dnsNames:
+ {{- range $.Values.certificates.dnsNames }}
+ - {{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if .ipAddresses }}
+ ipAddresses:
+ - {{ .ipAddresses }}
+ {{- end }}
+ keystores:
+ {{- toYaml .keystores | nindent 4 }}
+{{- end }}
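Review bot: The Certificate is rendered unconditionally, so every install — including `certMethod: basic` and `aaf` — requests a certificate from the CMPv2 issuer in values, while the Deployment only mounts the resulting secret in the cmpv2 branch; wrapping the manifest in `{{- if eq .Values.certMethod "cmpv2" }} … {{- end }}` avoids issuing unused key material and the hard dependency on the CMPv2Issuer CRD in the other modes. `ipAddresses` is emitted as a single scalar item (`- {{ .ipAddresses }}`) rather than ranged over like `dnsNames`, so a list value would render incorrectly. `metadata.name` reads `.Values.certificates.name` while values.yaml also introduces a top-level `certificateName` that nothing in the diff appears to use.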
diff --git a/helm/ves-client/templates/configmap.yaml b/helm/ves-client/templates/configmap.yaml
index 4717c38..59c91c9 100644
--- a/helm/ves-client/templates/configmap.yaml
+++ b/helm/ves-client/templates/configmap.yaml
@@ -1,11 +1,6 @@
apiVersion: v1
kind: ConfigMap
metadata:
- name: {{ .Chart.Name }}-configmap
-binaryData:
- {{- $files := .Files }}
- {{- range $key, $value := .Files }}
- {{- if hasPrefix "resources/" $key }}
- {{ $key | trimPrefix "resources/" }}: {{ $files.Get $key | b64enc | quote }}
- {{- end }}
- {{- end }}
+ name: {{ .Values.configMapName }}
+data:
+{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}
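Review bot: Switching from raw `binaryData` to `tpl (...).AsConfig` means every file under `resources/` is now evaluated as a Helm template before it lands in the ConfigMap; any `{{` in those files (the resources are not visible in this diff) will be interpreted rather than passed through. If the VES event templates can contain Go-template-looking text, either keep them out of `tpl` or document that they must be template-safe, e.g. `# resources/* are rendered with tpl — escape {{ as {{ "{{" }}`.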
diff --git a/helm/ves-client/templates/deployment.yaml b/helm/ves-client/templates/deployment.yaml
index 6220ced..090cee6 100644
--- a/helm/ves-client/templates/deployment.yaml
+++ b/helm/ves-client/templates/deployment.yaml
@@ -5,7 +5,9 @@ metadata:
labels:
{{- include "ves-client.labels" . | nindent 4 }}
spec:
+{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
+{{- end }}
selector:
matchLabels:
{{- include "ves-client.selectorLabels" . | nindent 6 }}
@@ -24,30 +26,85 @@ spec:
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+ {{ if eq .Values.certMethod "aaf" }}
+ - name: {{ include "common.name" . }}-readiness
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ image: {{ .Values.certInitializer.image }}
+ imagePullPolicy: {{ .Values.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts:
+ - name: {{ .Values.aafVolumeName }}
+ mountPath: /opt/app/osaaf
+ {{- end }}
containers:
- - env:
+ - env:
- name: MONGO_HOSTNAME
- value: {{ .Values.config.mongoDbServer | quote }}
+ value: {{ .Values.config.mongoDbName | quote }}
- name: USE_CERTIFICATE_FOR_AUTHORIZATION
- value: {{ .Values.config.useCertForAuth | quote }}
- name: {{ .Chart.Name }}
+ value: {{ .Values.config.useCerts | quote }}
+ - name: STRICT_HOSTNAME_VERIFICATION
+ value: {{ .Values.config.strictHost | quote }}
+ name: {{ .Values.configMapName }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- - containerPort: {{ .Values.config.containerPort }}
+ - containerPort: {{ .Values.service.port }}
protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /simulator/config
+ port: 5000
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: /simulator/config
+ port: 5000
+ initialDelaySeconds: 60
+ periodSeconds: 15
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- - name: store-map
- mountPath: {{ .Values.storeMap.directory }}
+ - name: templates
+ mountPath: {{ .Values.templatesDir }}
+ {{ if eq .Values.certMethod "cmpv2" }}
+ - name: certstore
+ mountPath: {{ .Values.certsDir }}
+ {{- end }}
+ {{ if eq .Values.certMethod "aaf" }}
+ - name: {{ .Values.aafVolumeName }}
+ mountPath: /app/store
+ {{- end }}
+
volumes:
- - name: store-map
+ - name: templates
configMap:
- name: {{ .Chart.Name }}-configmap
+ name: {{ .Values.configMapName }}
defaultMode: 0755
+ {{ if eq .Values.certMethod "cmpv2" }}
+ - name: certstore
+ secret:
+ secretName: {{.Values.certificates.secretName}}
+ defaultMode: 0400
+ {{- end }}
+ {{ if eq .Values.certMethod "aaf" }}
+ {{ include "common.certInitializer.volumes" . | nindent 8 }}
+ - name: {{ .Values.aafVolumeName }}
+ emptyDir: {}
+ {{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
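Review bot: `imagePullPolicy: {{ .Values.pullPolicy | default .Values.pullPolicy }}` on the readiness init container defaults the value to itself, and `pullPolicy` is not a top-level key in values.yaml, so the field renders empty; it should be `imagePullPolicy: {{ .Values.image.pullPolicy }}`. The `common.certInitializer.initContainer` include sits outside the `certMethod == "aaf"` guard while `common.certInitializer.volumes` is inside it, so if the common helper renders in basic/cmpv2 mode the init container mounts volumes the pod never defines — gate both the same way. The secret volume's `defaultMode: 0400` has no group bits, so the keystore becomes unreadable as soon as a non-root `runAsUser`/`fsGroup` is set in the (currently empty) securityContext; `0440` is the usual choice. The probes hard-code port 5000 while `containerPort` comes from `.Values.service.port`; using the same value keeps them from drifting.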
@@ -60,4 +117,3 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
-
diff --git a/helm/ves-client/templates/secret.yaml b/helm/ves-client/templates/secret.yaml
new file mode 100644
index 0000000..dd3cf87
--- /dev/null
+++ b/helm/ves-client/templates/secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.secretName }}
+data:
+ p12.pass: MjNlOTE3NzVjOTE4ZTRmNjY4ZTFhYzgyZDY5ZjExYWU0ZWU0ZGM2MTM3YzUwMzZkZjE3MmEyODJhYTA5
+type: Opaque
+
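Review bot: `p12.pass` is a fixed base64 literal checked into the chart, so every deployment shares the same keystore password and it is readable by anyone with repository access; source it from values (`p12.pass: {{ .Values.keystorePassword | b64enc }}`) or generate it with `randAlphaNum`, and keep the real value out of VCS. This Secret is also named `ves-client-secret`, the same object `certificates.secretName` hands to cert-manager as its output and `passwordSecretRef` reads from, so the Helm-managed password Secret doubles as cert-manager's target; depending on cert-manager version an update may drop keys it does not manage, and `helm upgrade`/`uninstall` will rewrite or delete the issued key pair. Give the password Secret its own name. Like certificate.yaml, the manifest is not gated on `certMethod`, so it is created even for basic installs.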
diff --git a/helm/ves-client/templates/service.yaml b/helm/ves-client/templates/service.yaml
index ad67f9b..3e23296 100644
--- a/helm/ves-client/templates/service.yaml
+++ b/helm/ves-client/templates/service.yaml
@@ -10,6 +10,6 @@ spec:
- port: {{ .Values.service.port }}
targetPort: {{ .Values.service.port }}
protocol: TCP
- name: {{ .Values.service.port | quote }}
+ name: {{ .Values.service.name }}
selector:
{{- include "ves-client.selectorLabels" . | nindent 4 }}
diff --git a/helm/ves-client/values.yaml b/helm/ves-client/values.yaml
index 7ad63d3..0a475ae 100644
--- a/helm/ves-client/values.yaml
+++ b/helm/ves-client/values.yaml
@@ -1,36 +1,88 @@
-# Default values for ves-client.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
+global:
+ importCustomCertsEnabled: false
+
+certMethod: "aaf"
+aafVolumeName: aaf-vol-store
replicaCount: 1
image:
repository: onap/org.onap.integration.nfsimulator.vesclient
pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: "ves-client"
+secretName: ves-client-secret
+configMapName: ves-client-configmap
+certificateName: ves-client-certificate
+
config:
- mongoDbServer: nf-simulator-mongodb
- useCertForAuth: true
- containerPort: 5000
+ strictHost: false
+ useCerts: false
+ mongoDbName: ves-client-db
+
+templatesDir: "/app/template"
+certsDir: "/app/certs"
-storeMap:
- directory: "/app/store"
+ingress:
+ enabled: false
+
+certInitializer:
+ nameOverride: vesclient-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: ves-client
+ fqi: ves-client@vesclient.onap.org
+ public_fqdn: ves-client.onap.org
+ fqi_namespace: "org.onap.vesclient"
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ image: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
+ mountPath: "/opt/app/osaaf"
+ appMountPath: "/opt/app/osaaf"
podAnnotations: {}
podSecurityContext: {}
+ # fsGroup: 2000
securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
service:
type: NodePort
port: 5000
+ name: ves-client-port-name
resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
nodeSelector: {}
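Review bot: `certInitializer.aafDeployPass: demo123456!` ships a plaintext AAF deployer credential as the chart default, right next to the commented `aafDeployCredsExternalSecret`; defaults should leave the password empty and document the external-secret path so a real deployment cannot run on the demo credential unnoticed. `securityContext: {}` with the hardening block (`drop: [ALL]`, `readOnlyRootFilesystem`, `runAsNonRoot`) left commented means the simulator runs with whatever the image defaults to; now that the pod holds a private key, enabling at least `runAsNonRoot: true` and `allowPrivilegeEscalation: false` is worth doing, bearing in mind the 0400 secret mount in deployment.yaml would then need `fsGroup` or a 0440 mode. The new top-level `certificateName` is not read by any template in the diff — certificate.yaml uses `certificates.name` — so one of the two should go. `global.importCustomCertsEnabled` is added but nothing visible here reads it; presumably the common chart does.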
@@ -38,17 +90,49 @@ tolerations: []
affinity: {}
-mongo-express:
- fullnameOverride: "nf-simulator-mongo-express"
- mongodbServer: nf-simulator-mongodb
- nameOverride: mongo-express
- mongodbAdminPassword: zXcVbN123!
-
mongodb:
- fullnameOverride: "nf-simulator-mongodb"
+ fullnameOverride: "ves-client-db"
persistence:
enabled: false
auth:
rootPassword: zXcVbN123!
- database: pnf_simulator
+ database: simulator
username: root
+
+certificates:
+ name: ves-client-cert
+ secretName: ves-client-secret
+ commonName: ves-client
+ dnsNames:
+ - ves-client
+ renewBefore: 720h #30 days
+ duration: 8760h #365 days
+ subject:
+ organization: "Linux-Foundation"
+ country: "US"
+ locality: "San-Francisco"
+ province: "California"
+ organizationalUnit: "ONAP"
+# issuer:
+# group: certmanager.onap.org
+# kind: CMPv2Issuer
+# name: cmpv2-issuer-onap
+ issuerRef:
+ group: certmanager.onap.org
+ kind: CMPv2Issuer
+ name: cmpv2-issuer-onap
+
+# ipAddresses: "127.0.0.1"
+
+ keystores:
+ jks:
+ create: true
+ passwordSecretRef:
+ name: ves-client-secret
+ key: p12.pass
+ pkcs12:
+ create: true
+ passwordSecretRef:
+ name: ves-client-secret
+ key: p12.pass
+
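Review bot: `certificates.issuerRef` hard-codes `CMPv2Issuer`/`cmpv2-issuer-onap` while the default `certMethod` is `"aaf"` and certificate.yaml renders unconditionally, so a default install requests a CMPv2-issued certificate for an AAF deployment that never mounts it; either the default should be `cmpv2`-consistent or the Certificate must be gated. The commented `# issuer:` block is a verbatim duplicate of `issuerRef` and should be removed rather than left as stale documentation. `certificates.secretName` and both `passwordSecretRef.name` entries point at `ves-client-secret`, which is also the name of the chart's own password Secret; a distinct name such as `ves-client-keystore-pass` for the password would separate what Helm owns from what cert-manager writes. The commented `# ipAddresses: "127.0.0.1"` example is a scalar, matching the template's single-item emission, but a list would silently render wrong — worth a one-line comment.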
diff --git a/helm/ves-client/values_aaf.yaml b/helm/ves-client/values_aaf.yaml
new file mode 100644
index 0000000..cae94a9
--- /dev/null
+++ b/helm/ves-client/values_aaf.yaml
@@ -0,0 +1,33 @@
+certMethod: "aaf"
+
+fullnameOverride: "ves-client-aaf"
+secretName: ves-client-secret-aaf
+configMapName: ves-client-configmap-aaf
+certificateName: ves-client-certificate-aaf
+
+config:
+ useCerts: true
+ mongoDbName: ves-client-db-aaf
+
+mongodb:
+ fullnameOverride: "ves-client-db-aaf"
+
+certInitializer:
+ nameOverride: vesclient-cert-initializer-aaf
+
+
+certificates:
+ name: ves-client-cert-aaf
+ secretName: ves-client-secret-aaf
+ keystores:
+ jks:
+ create: true
+ passwordSecretRef:
+ name: ves-client-secret-aaf
+ key: p12.pass
+ pkcs12:
+ create: true
+ passwordSecretRef:
+ name: ves-client-secret-aaf
+ key: p12.pass
+
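Review bot: This AAF profile overrides `certificates.*` and the keystore `passwordSecretRef` names even though deployment.yaml only mounts the cert-manager secret (`certstore`) when `certMethod` is `cmpv2`; because certificate.yaml is not gated, an AAF install still requests a CMPv2-issued certificate it never uses. Either gate certificate.yaml and secret.yaml on cmpv2 (then this `certificates:` block can be dropped) or add a comment explaining why AAF mode needs it. As with the defaults, `ves-client-secret-aaf` is simultaneously the Helm-managed password Secret and cert-manager's output Secret.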
diff --git a/helm/ves-client/values_basic.yaml b/helm/ves-client/values_basic.yaml
new file mode 100644
index 0000000..bfde366
--- /dev/null
+++ b/helm/ves-client/values_basic.yaml
@@ -0,0 +1,15 @@
+fullnameOverride: "ves-client-basic"
+secretName: "ves-client-secret-basic"
+configMapName: "ves-client-configmap-basic"
+certificateName: "ves-client-certificate-basic"
+
+config:
+ useCerts: false
+ mongoDbName: ves-client-db-basic
+
+mongodb:
+ fullnameOverride: "ves-client-db-basic"
+
+certInitializer:
+ nameOverride: vesclient-cert-initializer-basic
+
diff --git a/helm/ves-client/values_cmpv2.yaml b/helm/ves-client/values_cmpv2.yaml
new file mode 100644
index 0000000..5a8a60d
--- /dev/null
+++ b/helm/ves-client/values_cmpv2.yaml
@@ -0,0 +1,33 @@
+certMethod: "cmpv2"
+
+fullnameOverride: "ves-client-cmpv2"
+secretName: ves-client-secret-cmpv2
+configMapName: ves-client-configmap-cmpv2
+certificateName: ves-client-certificate-cmpv2
+
+config:
+ useCerts: true
+ mongoDbName: ves-client-db-cmpv2
+
+mongodb:
+ fullnameOverride: "ves-client-db-cmpv2"
+
+certInitializer:
+ nameOverride: vesclient-cert-initializer-cmpv2
+
+
+certificates:
+ name: ves-client-cert-cmpv2
+ secretName: ves-client-secret-cmpv2
+ keystores:
+ jks:
+ create: true
+ passwordSecretRef:
+ name: ves-client-secret-cmpv2
+ key: p12.pass
+ pkcs12:
+ create: true
+ passwordSecretRef:
+ name: ves-client-secret-cmpv2
+ key: p12.pass
+
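Review bot: The same secret name `ves-client-secret-cmpv2` is spelled out four times here (`secretName`, `certificates.secretName`, and both `passwordSecretRef.name` entries) and must stay in sync by hand; deriving the three `certificates.*` references from the top-level `secretName` in the templates (e.g. `secretName: {{ .Values.secretName }}` in certificate.yaml) would remove the duplication and the drift risk across the three profile files. This profile is otherwise the only one whose `certificates:` block is actually consumed, since `certstore` is mounted solely in the cmpv2 branch of deployment.yaml.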