authorAndreas Geissler <andreas-geissler@telekom.de>2022-07-26 13:51:08 +0200
committerAndreas Geissler <andreas-geissler@telekom.de>2022-08-23 11:07:43 +0000
commit9794a7b6c51208c55586ec8bd4e96723c6ad7d5f (patch)
tree0095d105c1af05dd415b86ed257a498042920d24
parent46461e1970d7c938dbe360c0f61d5793ea786146 (diff)
[PLATFORM] Create Ingress Certificates for ServiceMesh
Add issuers and self-signed certificates for the Ingress controller. Additionally, a new override file is created for the Istio Ingress setup. Issue-ID: OOM-3001 Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de> Change-Id: I6da12e54ecc4bbb15e3bcf1aa259e50f5be320b6
-rw-r--r--kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml148
-rw-r--r--kubernetes/platform/components/oom-cert-service/templates/certificate.yaml53
-rw-r--r--kubernetes/platform/components/oom-cert-service/templates/issuer.yaml24
-rw-r--r--kubernetes/platform/components/oom-cert-service/values.yaml18
4 files changed, 242 insertions, 1 deletions
diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml
new file mode 100644
index 0000000000..dc98a422cc
--- /dev/null
+++ b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml
@@ -0,0 +1,148 @@
+# Copyright © 2019 Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+###################################################################
+# This override file enables helm charts for all ONAP applications.
+###################################################################
+#ingress virtualhost based configuration
+global:
+ ingress:
+ enabled: true
+ # All http requests via ingress will be redirected
+ config:
+ ssl: "redirect"
+ # you can set an own Secret containing a certificate
+ # tls:
+ # secret: 'my-ingress-cert'
+ # optional: Namespace of the Istio IngressGateway
+ namespace: istio-ingress
+ # don't need ejbca server
+ addTestingComponents: &testing false
+ centralizedLoggingEnabled: &centralizedLogging false
+ # Disabling CMPv2
+ cmpv2Enabled: false
+
+cassandra:
+ enabled: true
+mariadb-galera:
+ enabled: true
+postgres:
+ enabled: true
+aaf:
+ enabled: false
+ aaf-sms:
+ cps:
+ # you must always set the same values as value set in cps.enabled
+ enabled: true
+aai:
+ enabled: true
+appc:
+ enabled: false
+cds:
+ enabled: true
+cli:
+ enabled: true
+# Today, "contrib" chart that hosting these components must also be enabled
+# in order to make it work. So `contrib.enabled` must have the same value than
+# addTestingComponents
+contrib:
+ enabled: *testing
+consul:
+ enabled: true
+cps:
+ enabled: true
+dcaegen2:
+ enabled: true
+dcaegen2-services:
+ enabled: true
+ dcae-datafile-collector:
+ enabled: true
+ dcae-datalake-admin-ui:
+ enabled: true
+ dcae-datalake-des:
+ enabled: true
+ dcae-datalake-feeder:
+ enabled: true
+ dcae-heartbeat:
+ enabled: true
+ dcae-hv-ves-collector:
+ enabled: true
+ dcae-kpi-ms:
+ enabled: true
+ dcae-ms-healthcheck:
+ enabled: true
+ dcae-pm-mapper:
+ enabled: true
+ dcae-pmsh:
+ enabled: true
+ dcae-prh:
+ enabled: true
+ dcae-restconf-collector:
+ enabled: true
+ dcae-slice-analysis-ms:
+ enabled: true
+ dcae-snmptrap-collector:
+ enabled: true
+ dcae-son-handler:
+ enabled: true
+ dcae-tcagen2:
+ enabled: true
+ dcae-ves-collector:
+ enabled: true
+ dcae-ves-mapper:
+ enabled: true
+ dcae-ves-openapi-manager:
+ enabled: true
+dcaemod:
+ enabled: true
+holmes:
+ enabled: true
+dmaap:
+ enabled: true
+oof:
+ enabled: true
+msb:
+ enabled: true
+multicloud:
+ enabled: true
+nbi:
+ enabled: true
+policy:
+ enabled: true
+portal:
+ enabled: false
+robot:
+ enabled: true
+sdc:
+ enabled: true
+sdnc:
+ enabled: true
+so:
+ enabled: true
+strimzi:
+ enabled: true
+uui:
+ enabled: true
+vfc:
+ enabled: true
+vid:
+ enabled: false
+vnfsdk:
+ enabled: true
+modeling:
+ enabled: true
+platform:
+ enabled: true
+a1policymanagement:
+ enabled: true
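Review bot: The header comment at the top of the new file still reads `This override file enables helm charts for all ONAP applications.`, which is the generic onap-all wording and says nothing about what distinguishes this override; a line such as `# Variant for an Istio IngressGateway: sets global.ingress.namespace and disables CMPv2 (global.cmpv2Enabled: false).` would tell a deployer why to pick this file. The `global.ingress.namespace: istio-ingress` value repeats the chart default in kubernetes/platform/components/oom-cert-service/values.yaml, and since that chart's `tls.issuer.ingressSelfsigned.namespace` and `tls.issuer.ingressCa.namespace` are YAML aliases of the chart's own default rather than reads of the overridden value, the comment above `namespace:` should state that the two must be kept in sync, e.g. `# must match tls.issuer.ingressCa.namespace / ingressSelfsigned.namespace in the platform chart`. The single-space indentation shown for nested keys looks like a rendering artefact of this page rather than the committed file; if it is real, the override would not parse as nested mappings.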
diff --git a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
index fd317703e3..8f49424b54 100644
--- a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
+++ b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
@@ -14,4 +14,57 @@
# limitations under the License.
*/}}
+{{- if .Values.global.cmpv2Enabled }}
{{ include "certManagerCertificate.certificate" . }}
+{{- end -}}
+
+{{- if (include "common.onServiceMesh" .) }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ingress-ca-certificate
+ namespace: {{ .Values.tls.issuer.ingressCa.namespace }}
+spec:
+ isCA: true
+ commonName: "{{ .Values.global.ingress.virtualhost.baseurl }}" #not important as it is self signed
+ secretName: {{ .Values.tls.issuer.ingressCa.secret.name }}
+ usages:
+ - server auth
+ - client auth
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: {{ .Values.tls.issuer.ingressSelfsigned.name }}
+ kind: Issuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ingress-selfsigned-certificate
+ namespace: {{ .Values.tls.issuer.ingressSelfsigned.namespace }}
+spec:
+ secretName: ingress-tls-secret
+ privateKey:
+ rotationPolicy: Always
+ algorithm: RSA
+ encoding: PKCS1
+ size: 4096
+ duration: 9000h0m0s # 1 Year
+ renewBefore: 4000h0m0s #9 months
+ commonName: "*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+# usages:
+# - server auth
+# - client auth
+ dnsNames:
+ - {{ .Values.global.ingress.virtualhost.baseurl }}
+ - "*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+ - "*.*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+ - "*.*.*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+ issuerRef:
+ name: {{ .Values.tls.issuer.ingressCa.name }}
+ kind: Issuer
+ group: cert-manager.io
+{{- end -}}
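Review bot: The `dnsNames` entries `*.*.{{ .Values.global.ingress.virtualhost.baseurl }}` and `*.*.*.{{ ... }}` on ingress-selfsigned-certificate do not give the coverage they suggest: hostname matching per RFC 6125 accepts a wildcard only as the single leftmost label, so standard TLS clients (browsers, Go, OpenSSL) will not match `a.b.<baseurl>` against `*.*.<baseurl>`; hosts more than one label below the base URL need explicit SANs or a single-level naming scheme, and the two multi-level entries should either be dropped or carry a comment saying which client is known to honour them. The lifetime comments do not match the values — `duration: 9000h0m0s # 1 Year` is about 375 days and `renewBefore: 4000h0m0s #9 months` is about 167 days (roughly 5.5 months), so the leaf is actually renewed after roughly 208 days; use `8760h0m0s` if one year is meant and correct the second comment to the intended renewal point. `secretName: ingress-tls-secret` is the only hard-coded name in the block while every other name comes from `.Values.tls.issuer`, which prevents a deployer who supplies their own gateway secret (as the override's commented `tls.secret` hints) from pointing this Certificate elsewhere; making it a value would be consistent with the rest of the template. Both Certificates are emitted only under `common.onServiceMesh`, which the template does not explain; a one-line `{{/* Self-signed CA plus wildcard leaf for the Istio ingress gateway; not used with CMPv2 */}}` before the guard would help.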
diff --git a/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml
index 9047ab73d3..1220ad35a9 100644
--- a/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml
+++ b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml
@@ -14,6 +14,7 @@
# limitations under the License.
*/}}
+{{- if .Values.global.cmpv2Enabled }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
@@ -29,4 +30,25 @@ metadata:
namespace: {{ include "common.namespace" . }}
spec:
ca:
- secretName: {{ .Values.tls.issuer.ca.secret.name }} \ No newline at end of file
+ secretName: {{ .Values.tls.issuer.ca.secret.name }}
+{{- end -}}
+
+{{- if (include "common.onServiceMesh" .) }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ .Values.tls.issuer.ingressSelfsigned.name }}
+ namespace: {{ .Values.tls.issuer.ingressSelfsigned.namespace }}
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ .Values.tls.issuer.ingressCa.name }}
+ namespace: {{ .Values.tls.issuer.ingressCa.namespace }}
+spec:
+ ca:
+ secretName: {{ .Values.tls.issuer.ingressCa.secret.name }}
+{{- end -}} \ No newline at end of file
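Review bot: The second `if` block has no comment explaining that it builds an independent two-stage chain for the Istio ingress — a self-signed Issuer, the CA Certificate defined in certificate.yaml, then the `ca` Issuer backed by that CA's secret — separate from the CMPv2 issuer above; a comment before `{{- if (include "common.onServiceMesh" .) }}` such as `{{/* Self-signed CA chain for the Istio ingress gateway; the CA key pair referenced below is produced by ingress-ca-certificate in certificate.yaml */}}` would save the next maintainer a cross-file search. The `ca` Issuer references `.Values.tls.issuer.ingressCa.secret.name` before that secret necessarily exists; cert-manager is expected to reconcile once the CA Certificate is issued, but the Issuer will report not-ready until then, which is worth stating in the same comment. Unlike the CMPv2 Issuer, which is placed via `include "common.namespace" .`, these objects are placed in `.Values.tls.issuer.ingressCa.namespace` / `ingressSelfsigned.namespace`; the cross-namespace placement is presumably deliberate so the gateway can read the secret, and a why-comment would make that explicit.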
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index c74fe9b2c0..7778c03e34 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml
@@ -22,6 +22,16 @@ global:
# Standard OOM
pullPolicy: "Always"
repository: "nexus3.onap.org:10001"
+ ingress:
+ enabled: true
+ # All http requests via ingress will be redirected
+ config:
+ ssl: "redirect"
+ # you can set an own Secret containing a certificate
+ # tls:
+ # secret: 'my-ingress-cert'
+ # optional: Namespace of the Istio IngressGateway
+ namespace: &ingressNamespace istio-ingress
# Service configuration
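Review bot: The anchor `&ingressNamespace` on `global.ingress.namespace` is expanded when this values.yaml is parsed, so the aliases `*ingressNamespace` under `tls.issuer.ingressSelfsigned` and `tls.issuer.ingressCa` in the next hunk hold the literal `istio-ingress` and do not follow a deployer's override of `global.ingress.namespace` (Helm merges already-parsed maps, so the alias cannot track the overridden key). A deployer who changes only `global.ingress.namespace` would then get the Issuers and Certificates in a different namespace from the gateway, and the gateway would not find `ingress-tls-secret`. Either have the templates read `{{ .Values.global.ingress.namespace }}` directly, or add above the anchor: `# anchor is resolved at parse time; overriding global.ingress.namespace does NOT update tls.issuer.*.namespace — keep them in sync`.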
@@ -82,6 +92,14 @@ tls:
name: &caIssuer cmpv2-issuer-onap
secret:
name: &caKeyPairSecret cmpv2-ca-key-pair
+ ingressSelfsigned:
+ name: ingress-selfsigned-issuer
+ namespace: *ingressNamespace
+ ingressCa:
+ name: ingress-ca-issuer
+ namespace: *ingressNamespace
+ secret:
+ name: ingress-ca-key-pair
server:
secret:
name: &serverSecret oom-cert-service-server-tls-secret