summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2021-05-06 22:21:01 +0000
committerGerrit Code Review <gerrit@onap.org>2021-05-06 22:21:01 +0000
commit452c96ab637494a9ae5fdd3a6457c43af152aaa3 (patch)
tree490c5e4abca50f3becb99086d18895b20aa8733c
parentfc58c5c4bd7f25caefd4893a8909ec8cb42362d7 (diff)
parentda711dd6a353c79e2d8990815e18b91dfe2354b3 (diff)
Merge "[COMMON][CERTINIT] Generate cert with certInit"
-rw-r--r--kubernetes/common/certInitializer/resources/ingress/onboard.sh35
-rw-r--r--kubernetes/common/certInitializer/resources/retrieval/retrieval_check.sh (renamed from kubernetes/common/certInitializer/resources/retrieval_check.sh)3
-rw-r--r--kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh32
-rw-r--r--kubernetes/common/certInitializer/templates/_certInitializer.yaml9
-rw-r--r--kubernetes/common/certInitializer/templates/configmap.yaml15
-rw-r--r--kubernetes/common/certInitializer/templates/job.yaml44
-rw-r--r--kubernetes/common/certInitializer/values.yaml1
7 files changed, 137 insertions, 2 deletions
diff --git a/kubernetes/common/certInitializer/resources/ingress/onboard.sh b/kubernetes/common/certInitializer/resources/ingress/onboard.sh
new file mode 100644
index 0000000000..9cc5ec580e
--- /dev/null
+++ b/kubernetes/common/certInitializer/resources/ingress/onboard.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+{{/*
+# Copyright © 2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/ -}}
+
+echo "*** retrieving certificates and keys"
+export CRT=$(cat {{ .Values.credsPath }}/certs/tls.crt | base64 -w 0)
+export KEY=$(cat {{ .Values.credsPath }}/certs/tls.key | base64 -w 0)
+export CACERT=$(cat {{ .Values.credsPath }}/certs/cacert.pem | base64 -w 0)
+echo "*** creating tls secret"
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ tpl .Values.ingressTlsSecret . }}
+ namespace: {{ include "common.namespace" . }}
+data:
+ ca.crt: "${CACERT}"
+ tls.crt: "${CRT}"
+ tls.key: '${KEY}'
+type: kubernetes.io/tls
+EOF
diff --git a/kubernetes/common/certInitializer/resources/retrieval_check.sh b/kubernetes/common/certInitializer/resources/retrieval/retrieval_check.sh
index 25e47693de..76f384502f 100644
--- a/kubernetes/common/certInitializer/resources/retrieval_check.sh
+++ b/kubernetes/common/certInitializer/resources/retrieval/retrieval_check.sh
@@ -14,7 +14,8 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-*/}}
+*/ -}}
+
echo "*** retrieving passwords for certificates"
export $(/opt/app/aaf_config/bin/agent.sh local showpass \
{{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0)
diff --git a/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh b/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh
new file mode 100644
index 0000000000..f201eadd0a
--- /dev/null
+++ b/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+{{/*
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/ -}}
+
+echo "--- Cert transformation for use with Ingress"
+echo "*** transform AAF certs into pem files"
+mkdir -p {{ .Values.credsPath }}/certs
+keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \
+ -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \
+ -alias ca_local_0 \
+ -storepass $cadi_truststore_password
+openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -out {{ .Values.credsPath }}/certs/tls.crt -nokeys \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
+ {{ .Values.credsPath }}/certs/tls.key
+echo "--- Done"
diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml
index 3b165a4c20..f3ba8a24e0 100644
--- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml
+++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2020 Bell Canada, Samsung Electronics
+# Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -58,6 +59,11 @@
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
mountPath: /opt/app/aaf_config/bin/retrieval_check.sh
subPath: retrieval_check.sh
+{{- if hasKey $initRoot "ingressTlsSecret" }}
+ - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
+ mountPath: /opt/app/aaf_config/bin/tls_certs_configure.sh
+ subPath: tls_certs_configure.sh
+{{- end }}
{{- if $initRoot.aaf_add_config }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh
@@ -69,6 +75,9 @@
- |
/opt/app/aaf_config/bin/agent.sh
. /opt/app/aaf_config/bin/retrieval_check.sh
+{{- if hasKey $initRoot "ingressTlsSecret" }}
+ /opt/app/aaf_config/bin/tls_certs_configure.sh
+{{- end -}}
{{- if $initRoot.aaf_add_config }}
/opt/app/aaf_config/bin/aaf-add-config.sh
{{- end }}
diff --git a/kubernetes/common/certInitializer/templates/configmap.yaml b/kubernetes/common/certInitializer/templates/configmap.yaml
index 1e9254abef..abd1575774 100644
--- a/kubernetes/common/certInitializer/templates/configmap.yaml
+++ b/kubernetes/common/certInitializer/templates/configmap.yaml
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2020 Samsung Electronics
+# Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,8 +20,20 @@ kind: ConfigMap
{{- $suffix := "add-config" }}
metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
data:
-{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/retrieval/retrieval_check.sh").AsConfig . | indent 2 }}
+{{- if hasKey .Values "ingressTlsSecret" }}
+{{ tpl (.Files.Glob "resources/retrieval/tls_certs_configure.sh").AsConfig . | indent 2 }}
+{{- end }}
{{ if .Values.aaf_add_config }}
aaf-add-config.sh: |
{{ tpl .Values.aaf_add_config . | indent 4 | trim }}
{{- end }}
+{{- if hasKey .Values "ingressTlsSecret" }}
+---
+apiVersion: v1
+kind: ConfigMap
+{{- $suffix := "ingress" }}
+metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
+data:
+{{ tpl (.Files.Glob "resources/ingress/onboard.sh").AsConfig . | indent 2 }}
+{{- end }}
diff --git a/kubernetes/common/certInitializer/templates/job.yaml b/kubernetes/common/certInitializer/templates/job.yaml
new file mode 100644
index 0000000000..331a58c310
--- /dev/null
+++ b/kubernetes/common/certInitializer/templates/job.yaml
@@ -0,0 +1,44 @@
+{{/*
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if hasKey .Values "ingressTlsSecret" }}
+apiVersion: batch/v1
+kind: Job
+{{- $suffix := "set-tls-secret" }}
+metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
+spec:
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ initContainers: {{ include "common.certInitializer.initContainer" (dict "dot" . "initRoot" .Values) | nindent 6 }}
+ containers:
+ - name: create tls secret
+ command:
+ - /ingress/onboard.sh
+ image: {{ include "repositoryGenerator.image.kubectl" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" (dict "dot" . "initRoot" .Values) | nindent 8 }}
+ - name: ingress-scripts
+ mountPath: /ingress
+ volumes: {{ include "common.certInitializer.volumes" (dict "dot" . "initRoot" .Values) | nindent 6 }}
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+ - name: ingress-scripts
+ configMap:
+ name: {{ include "common.fullname" . }}-ingress
+ defaultMode: 0777
+{{- end}}
diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml
index 74a2b37568..747c94f4d1 100644
--- a/kubernetes/common/certInitializer/values.yaml
+++ b/kubernetes/common/certInitializer/values.yaml
@@ -63,6 +63,7 @@ truststoreMountpath: ""
truststoreOutputFileName: truststore.jks
truststorePassword: changeit
envVarToCheck: cadi_keystore_password_p12
+# ingressTlsSecret:
# This introduces implicit dependency on cert-wrapper
# if you are using cert initializer cert-wrapper has to be also deployed.