authorJan Malkiewicz <jan.malkiewicz@nokia.com>2020-12-08 15:08:01 +0100
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>2021-01-06 07:05:48 +0000
commit0e53c9f6efd5508ad4878781cb45f76df65b0a0c (patch)
tree3a6fca5a9453d21561f4df8bc4ab00ddb34a9c1a
parent281262c757a35bd065d60c4c50b78b619fc372a9 (diff)
[CMPV2] Add a template for Certificate (cert-manager)
This commit introduces a template for requesting a cert-manager certificate. See: https://cert-manager.io. It consists of the following parts: - a template for creating a certificate in the common component - a definition of a certificate object in the sdnc component Issue-ID: OOM-2568 Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com> Change-Id: If58b8f12eff075d058db5a0fee3b2db5c2c93a17
-rw-r--r--.gitignore3
-rw-r--r--kubernetes/aaf/.gitignore1
-rw-r--r--kubernetes/common/common/templates/_certificate.tpl192
-rw-r--r--kubernetes/contrib/.gitignore1
-rwxr-xr-xkubernetes/onap/values.yaml26
-rw-r--r--kubernetes/sdnc/templates/certificates.yaml19
-rw-r--r--kubernetes/sdnc/values.yaml24
7 files changed, 266 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index 11c7e801d7..cb4cb34579 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,6 @@ requirements.lock
# Mac OS
*DS_Store*
+
+# dist
+dist
diff --git a/kubernetes/aaf/.gitignore b/kubernetes/aaf/.gitignore
index 3a4f8ba352..71fbb5cbb9 100644
--- a/kubernetes/aaf/.gitignore
+++ b/kubernetes/aaf/.gitignore
@@ -1 +1,2 @@
/sms/
+components/dist
diff --git a/kubernetes/common/common/templates/_certificate.tpl b/kubernetes/common/common/templates/_certificate.tpl
new file mode 100644
index 0000000000..74f81af901
--- /dev/null
+++ b/kubernetes/common/common/templates/_certificate.tpl
@@ -0,0 +1,192 @@
+{{/*#
+# Copyright © 2020, Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.*/}}
+
+{{/*
+# This is a template for requesting a certificate from the cert-manager (https://cert-manager.io).
+#
+# To request a certificate following steps are to be done:
+# - create an object 'certificates' in the values.yaml
+# - create a file templates/certificates.yaml and invoke the function "commom.certificate".
+#
+# Here is an example of the certificate request for a component:
+#
+# Directory structure:
+# component
+# templates
+# certifictes.yaml
+# values.yaml
+#
+# To be added in the file certificates.yamll
+#
+# To be added in the file values.yaml
+# 1. Minimal version (certificates only in PEM format)
+# certificates:
+# - name: onap-component-certificate
+# secretName: onap-component-certificate
+# commonName: component.onap.org
+# 2. Extended version (with defined own issuer and additional certificate format):
+# certificates:
+# - name: onap-component-certificate
+# secretName: onap-component-certificate
+# commonName: component.onap.org
+# dnsNames:
+# - component.onap.org
+# issuer:
+# group: certmanager.onap.org
+# kind: CMPv2Issuer
+# name: cmpv2-issuer-for-the-component
+# p12Keystore:
+# create: true
+# passwordSecretRef:
+# name: secret-name
+# key: secret-key
+# jksKeystore:
+# create: true
+# passwordSecretRef:
+# name: secret-name
+# key: secret-key
+#
+# Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined.
+# Other mandatory fields for the certificate definition do not have to be defined directly,
+# in that case they will be taken from default values.
+#
+# Default values are defined in file onap/values.yaml (see-> global.certificate.default)
+# and can be overriden during onap installation process.
+#
+*/}}
+
+{{- define "common.certificate" -}}
+{{- $dot := default . .dot -}}
+{{- $certificates := $dot.Values.certificates -}}
+
+{{ range $certificate := $certificates }}
+{{/*# General certifiacate attributes #*/}}
+{{- $name := $certificate.name -}}
+{{- $secretName := $certificate.secretName -}}
+{{- $commonName := default $dot.Values.global.certificate.default.commonName $certificate.commonName -}}
+{{- $renewBefore := default $dot.Values.global.certificate.default.renewBefore $certificate.renewBefore -}}
+{{- $duration := $certificate.duration -}}
+{{- $namespace := default $dot.Release.Namespace $dot.Values.global.certificate.default.namespace -}}
+{{- if $certificate.namespace -}}
+{{- $namespace = default $namespace $certificate.namespace -}}
+{{- end -}}
+{{/*# SAN's #*/}}
+{{- $dnsNames := default $dot.Values.global.certificate.default.dnsNames $certificate.dnsNames -}}
+{{- $ipAddresses := default $dot.Values.global.certificate.default.ipAddresses $certificate.ipAddresses -}}
+{{- $uris := default $dot.Values.global.certificate.default.uris $certificate.uris -}}
+{{- $emailAddresses := default $dot.Values.global.certificate.default.emailAddresses $certificate.emailAddresses -}}
+{{/*# Subject #*/}}
+{{- $subject := $dot.Values.global.certificate.default.subject -}}
+{{- if $certificate.subject -}}
+{{- $subject = mergeOverwrite $subject $certificate.subject -}}
+{{- end -}}
+{{/*# Issuer #*/}}
+{{- $issuer := $dot.Values.global.certificate.default.issuer -}}
+{{- if $certificate.issuer -}}
+{{- $issuer = mergeOverwrite $issuer $certificate.issuer -}}
+{{- end -}}
+{{/*# Keystores #*/}}
+{{- $createJksKeystore := $dot.Values.global.certificate.default.jksKeystore.create -}}
+{{- $jksKeystorePasswordSecretName := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.name -}}
+{{- $jksKeystorePasswordSecreKey := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.key -}}
+{{- $createP12Keystore := $dot.Values.global.certificate.default.p12Keystore.create -}}
+{{- $p12KeystorePasswordSecretName := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.name -}}
+{{- $p12KeystorePasswordSecreKey := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.key -}}
+{{- if $certificate.jksKeystore -}}
+{{- $createJksKeystore = default $createJksKeystore $certificate.jksKeystore.create -}}
+{{- if $certificate.jksKeystore.passwordSecretRef -}}
+{{- $jksKeystorePasswordSecretName = default $jksKeystorePasswordSecretName $certificate.jksKeystore.passwordSecretRef.name -}}
+{{- $jksKeystorePasswordSecreKey = default $jksKeystorePasswordSecreKey $certificate.jksKeystore.passwordSecretRef.key -}}
+{{- end -}}
+{{- end -}}
+{{- if $certificate.p12Keystore -}}
+{{- $createP12Keystore = default $createP12Keystore $certificate.p12Keystore.create -}}
+{{- if $certificate.p12Keystore.passwordSecretRef -}}
+{{- $p12KeystorePasswordSecretName = default $p12KeystorePasswordSecretName $certificate.p12Keystore.passwordSecretRef.name -}}
+{{- $p12KeystorePasswordSecreKey = default $p12KeystorePasswordSecreKey $certificate.p12Keystore.passwordSecretRef.key -}}
+{{- end -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ $name }}
+ namespace: {{ $namespace }}
+spec:
+ secretName: {{ $secretName }}
+ commonName: {{ $commonName }}
+ renewBefore: {{ $renewBefore }}
+ {{- if $duration }}
+ duration: {{ $duration }}
+ {{- end }}
+ subject:
+ organizations:
+ - {{ $subject.organization }}
+ countries:
+ - {{ $subject.country }}
+ localities:
+ - {{ $subject.locality }}
+ provinces:
+ - {{ $subject.province }}
+ organizationalUnits:
+ - {{ $subject.organizationalUnit }}
+ {{- if $dnsNames }}
+ dnsNames:
+ {{- range $dnsName := $dnsNames }}
+ - {{ $dnsName }}
+ {{- end }}
+ {{- end }}
+ {{- if $ipAddresses }}
+ ipAddresses:
+ {{- range $ipAddress := $ipAddresses }}
+ - {{ $ipAddress }}
+ {{- end }}
+ {{- end }}
+ {{- if $uris }}
+ uris:
+ {{- range $uri := $uris }}
+ - {{ $uri }}
+ {{- end }}
+ {{- end }}
+ {{- if $emailAddresses }}
+ emailAddresses:
+ {{- range $emailAddress := $emailAddresses }}
+ - {{ $emailAddress }}
+ {{- end }}
+ {{- end }}
+ issuerRef:
+ group: {{ $issuer.group }}
+ kind: {{ $issuer.kind }}
+ name: {{ $issuer.name }}
+ {{- if or $createJksKeystore $createP12Keystore }}
+ keystores:
+ {{- if $createJksKeystore }}
+ jks:
+ create: {{ $createJksKeystore }}
+ passwordSecretRef:
+ name: {{ $jksKeystorePasswordSecretName }}
+ key: {{ $jksKeystorePasswordSecreKey }}
+ {{- end }}
+ {{- if $createP12Keystore }}
+ pkcs12:
+ create: {{ $createP12Keystore }}
+ passwordSecretRef:
+ name: {{ $p12KeystorePasswordSecretName }}
+ key: {{ $p12KeystorePasswordSecreKey }}
+ {{- end }}
+ {{- end }}
+{{ end }}
+
+{{- end -}}
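Review bot: The `mergeOverwrite` calls in the Subject and Issuer sections write into their first argument, and that argument is the shared `global.certificate.default.subject` / `.issuer` map itself rather than a copy (Sprig's merge functions mutate `$dest`), so inside the `range` a per-certificate `issuer` override on one list entry becomes the default for every later entry and for any other template that reads the same values — a later certificate could silently be requested from an issuer it never named. Merge into a fresh map instead: `{{- $issuer = mergeOverwrite (dict) $issuer $certificate.issuer -}}` and `{{- $subject = mergeOverwrite (dict) $subject $certificate.subject -}}`. The header comment declares `name`, `secretName` and `commonName` mandatory but nothing enforces it, so a missing field renders a Certificate with an empty `name:`/`secretName:`; `{{- $name := required "certificates[].name is mandatory" $certificate.name -}}` (and the same for the other two) fails the render early instead. The emitted scalars (`commonName`, `renewBefore`, each SAN entry) are unquoted, so a value containing `: ` or `#` would corrupt the manifest — piping them through `| quote` is the usual guard for templated YAML.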
diff --git a/kubernetes/contrib/.gitignore b/kubernetes/contrib/.gitignore
new file mode 100644
index 0000000000..7020381894
--- /dev/null
+++ b/kubernetes/contrib/.gitignore
@@ -0,0 +1 @@
+components/dist
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index 1998539726..c416f0ddec 100755
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -172,8 +172,34 @@ global:
aafEnabled: true
aafAgentImage: onap/aaf/aaf_agent:2.1.20
+ # default values for certificates
+ certificate:
+ default:
+ renewBefore: 8h
+ subject:
+ organization: "Linux-Foundation"
+ country: "US"
+ locality: "San-Francisco"
+ province: "California"
+ organizationalUnit: "ONAP"
+ issuer:
+ group: certmanager.onap.org
+ kind: CMPv2Issuer
+ name: cmpv2-issuer-onap
+ p12Keystore:
+ create: false
+ passwordSecretRef:
+ name: ""
+ key: ""
+ jksKeystore:
+ create: false
+ passwordSecretRef:
+ name: ""
+ key: ""
+
# Enabling CMPv2
cmpv2Enabled: true
+ CMPv2CertManagerIntegration: false
platform:
certServiceClient:
image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.1
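Review bot: The new `CMPv2CertManagerIntegration` flag is added without any comment, and the default `issuerRef` it relies on (`cmpv2-issuer-onap` of kind `CMPv2Issuer`) is not created by any of the seven files in this change, so an operator flipping the flag has no hint that the issuer must already exist. A comment above the flag such as `# Request certificates as cert-manager Certificate objects; the CMPv2Issuer named in certificate.default.issuer must already exist in the cluster` would make that dependency explicit. As a point of style, the key breaks the camelCase of its neighbour `cmpv2Enabled`; `cmpv2CertManagerIntegration` would match, though the same spelling is used in the sdnc chart and template, so all three would have to change together.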
diff --git a/kubernetes/sdnc/templates/certificates.yaml b/kubernetes/sdnc/templates/certificates.yaml
new file mode 100644
index 0000000000..dda16176a5
--- /dev/null
+++ b/kubernetes/sdnc/templates/certificates.yaml
@@ -0,0 +1,19 @@
+{{/*
+# Copyright © 2020 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ if .Values.global.CMPv2CertManagerIntegration }}
+{{ include "common.certificate" . }}
+{{ end }}
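Review bot: The guard only checks `global.CMPv2CertManagerIntegration`, not `global.cmpv2Enabled`, so with `cmpv2Enabled: false` and the integration flag set the chart still requests a certificate from the CMPv2 issuer; presumably the integration is meant to be a sub-mode of CMPv2 being enabled at all. `{{ if and .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }}` would tie the two together. A one-line comment above the guard stating when the Certificate object is rendered would also help, since the file otherwise contains nothing but the include.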
diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml
index f4f09107bb..44e179114e 100644
--- a/kubernetes/sdnc/values.yaml
+++ b/kubernetes/sdnc/values.yaml
@@ -32,6 +32,7 @@ global:
service: mariadb-galera
# Enabling CMPv2
cmpv2Enabled: true
+ CMPv2CertManagerIntegration: false
platform:
certServiceClient:
image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.1
@@ -132,6 +133,29 @@ secrets:
login: '{{ .Values.config.scaleoutUser }}'
password: '{{ .Values.config.scaleoutPassword }}'
passwordPolicy: required
+ - uid: keystore-password
+ type: password
+ password: secret
+ passwordPolicy: required
+#################################################################
+# Certificates
+#################################################################
+certificates:
+ - name: onap-sdnc-certificate
+ secretName: onap-sdnc-certificate
+ commonName: sdnc.simpledemo.onap.org
+ dnsNames:
+ - sdnc.simpledemo.onap.org
+ p12Keystore:
+ create: true
+ passwordSecretRef:
+ name: keystore-password
+ key: password
+ jksKeystore:
+ create: true
+ passwordSecretRef:
+ name: keystore-password
+ key: password
#################################################################
# Application configuration defaults.
#################################################################
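Review bot: The `keystore-password` secret is given the literal value `secret`, and that password is exactly what protects the private key in the PKCS12 and JKS keystores cert-manager exports for `onap-sdnc-certificate`, so every default install ships keystores guarded by a well-known string. Let the secret machinery generate it instead: `- uid: keystore-password`, `  type: password`, `  passwordPolicy: generate` (dropping the `password:` line). Separately, both `passwordSecretRef.name` entries use the bare string `keystore-password`; if the common secret helper prefixes generated Secret names with the chart's fullname (as other OOM secrets appear to be), the reference will not resolve and cert-manager will fail to build the keystores — verify against the rendered Secret name.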