diff options
author | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2021-04-27 14:52:52 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2021-04-27 14:52:52 +0000 |
commit | f7db74aa20a656940a2d8a626ebf62c6efaa32f9 (patch) | |
tree | afb942bb3edf8d203c12f5615f14ecabcb6cb44e | |
parent | 7d3ddcdcdcbb00c495a5ac93df9cf30e8f929963 (diff) | |
parent | 3267293a468d65a8bae755da77d2a48a9e25663a (diff) |
Merge "[PLATFORM] Generate Cert-Service certs with Cert-Manager"
19 files changed, 247 insertions, 334 deletions
diff --git a/docs/oom_quickstart_guide.rst b/docs/oom_quickstart_guide.rst index 5136e537f6..2fedc091d8 100644 --- a/docs/oom_quickstart_guide.rst +++ b/docs/oom_quickstart_guide.rst @@ -67,6 +67,12 @@ to suit your deployment with items like the OpenStack tenant information. +.. note:: + If you want to use CMPv2 certificate onboarding, Cert-Manager must be installed. + :doc:`Click here <oom_setup_paas>` to see how to install Cert-Manager. + + + a. Enabling/Disabling Components: Here is an example of the nominal entries that need to be provided. We have different values file available for different contexts. diff --git a/kubernetes/common/certManagerCertificate/requirements.yaml b/kubernetes/common/certManagerCertificate/requirements.yaml index 210a02c65c..83becb0a33 100644 --- a/kubernetes/common/certManagerCertificate/requirements.yaml +++ b/kubernetes/common/certManagerCertificate/requirements.yaml @@ -16,3 +16,6 @@ dependencies: - name: common version: ~8.x-0 repository: 'file://../common' + - name: cmpv2Config + version: ~8.x-0 + repository: 'file://../cmpv2Config' diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl index f820c30ca9..108873b31d 100644 --- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl +++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl @@ -18,7 +18,7 @@ # # To request a certificate following steps are to be done: # - create an object 'certificates' in the values.yaml -# - create a file templates/certificates.yaml and invoke the function "certManagerCertificate.certificate". +# - create a file templates/certificate.yaml and invoke the function "certManagerCertificate.certificate". # # Here is an example of the certificate request for a component: # @@ -53,6 +53,7 @@ # passwordSecretRef: # name: secret-name # key: secret-key +# create: true # # Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined. # Other mandatory fields for the certificate definition do not have to be defined directly, @@ -74,7 +75,7 @@ {{/*# General certifiacate attributes #*/}} {{- $name := include "common.fullname" $dot -}} {{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}} -{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +{{- $secretName := default (printf "%s-secret-%d" $name $i) (tpl (default "" $certificate.secretName) $ ) -}} {{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}} {{- $renewBefore := default $subchartGlobal.certificate.default.renewBefore $certificate.renewBefore -}} {{- $duration := default $subchartGlobal.certificate.default.duration $certificate.duration -}} @@ -94,10 +95,11 @@ {{- if $certificate.issuer -}} {{- $issuer = $certificate.issuer -}} {{- end -}} ---- -{{- if $certificate.keystore }} +{{/*# Secret #*/}} +{{ if $certificate.keystore -}} {{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}} - {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote }} + {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote -}} + {{- if $passwordSecretRef.create }} apiVersion: v1 kind: Secret metadata: @@ -106,7 +108,8 @@ metadata: type: Opaque stringData: {{ $passwordSecretRef.key }}: {{ $password }} -{{- end }} + {{- end }} +{{ end -}} --- apiVersion: cert-manager.io/v1 kind: Certificate @@ -120,6 +123,15 @@ spec: {{- if $duration }} duration: {{ $duration }} {{- end }} + {{- if $certificate.isCA }} + isCA: {{ $certificate.isCA }} + {{- end }} + {{- if $certificate.usages }} + usages: + {{- range $usage := $certificate.usages }} + - {{ $usage }} + {{- end }} + {{- end }} subject: organizations: - {{ $subject.organization }} @@ -156,7 +168,9 @@ spec: {{- end }} {{- end }} issuerRef: + {{- if not (eq $issuer.kind "Issuer" ) }} group: {{ $issuer.group }} + {{- end }} kind: {{ $issuer.kind }} name: {{ $issuer.name }} {{- if $certificate.keystore }} @@ -168,7 +182,7 @@ spec: {{ $outputType }}: create: true passwordSecretRef: - name: {{ $certificate.keystore.passwordSecretRef.name }} + name: {{ tpl (default "" $certificate.keystore.passwordSecretRef.name) $ }} key: {{ $certificate.keystore.passwordSecretRef.key }} {{- end }} {{- end }} @@ -234,4 +248,4 @@ spec: {{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}} {{- end -}} {{ $certsLinkCommand }} -{{- end -}} +{{- end -}}
\ No newline at end of file diff --git a/kubernetes/common/cmpv2Certificate/requirements.yaml b/kubernetes/common/cmpv2Certificate/requirements.yaml index 87509d11bc..b10896d2ce 100644 --- a/kubernetes/common/cmpv2Certificate/requirements.yaml +++ b/kubernetes/common/cmpv2Certificate/requirements.yaml @@ -19,3 +19,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: 'file://../repositoryGenerator' + - name: cmpv2Config + version: ~8.x-0 + repository: 'file://../cmpv2Config' diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl index 58cc9c7249..f80b06b4d3 100644 --- a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl +++ b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl @@ -62,7 +62,7 @@ There also need to be some includes used in a target component deployment (inden {{- define "common.certServiceClient.initContainer" -}} {{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} {{- range $index, $certificate := $dot.Values.certificates -}} @@ -97,11 +97,14 @@ There also need to be some includes used in a target component deployment (inden {{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}} {{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}} {{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}} -{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.secret.mountPath -}} -{{- $keystorePath := $subchartGlobal.platform.certServiceClient.envVariables.keystorePath -}} -{{- $keystorePassword := $subchartGlobal.platform.certServiceClient.envVariables.keystorePassword -}} -{{- $truststorePath := $subchartGlobal.platform.certServiceClient.envVariables.truststorePath -}} -{{- $truststorePassword := $subchartGlobal.platform.certServiceClient.envVariables.truststorePassword -}} +{{- $certificatesSecret:= $subchartGlobal.platform.certServiceClient.clientSecretName -}} +{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath -}} +{{- $keystorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.keystoreKeyRef ) -}} +{{- $keystorePasswordSecret := $subchartGlobal.platform.certificates.keystorePasswordSecretName -}} +{{- $keystorePasswordSecretKey := $subchartGlobal.platform.certificates.keystorePasswordSecretKey -}} +{{- $truststorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.truststoreKeyRef ) -}} +{{- $truststorePasswordSecret := $subchartGlobal.platform.certificates.truststorePasswordSecretName -}} +{{- $truststorePasswordSecretKey := $subchartGlobal.platform.certificates.truststorePasswordSecretKey -}} - name: certs-init-{{ $index }} image: {{ include "repositoryGenerator.image.certserviceclient" $dot }} imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} @@ -133,11 +136,17 @@ There also need to be some includes used in a target component deployment (inden - name: KEYSTORE_PATH value: {{ $keystorePath | quote }} - name: KEYSTORE_PASSWORD - value: {{ $keystorePassword | quote }} + valueFrom: + secretKeyRef: + name: {{ $keystorePasswordSecret | quote}} + key: {{ $keystorePasswordSecretKey | quote}} - name: TRUSTSTORE_PATH value: {{ $truststorePath | quote }} - name: TRUSTSTORE_PASSWORD - value: {{ $truststorePassword | quote }} + valueFrom: + secretKeyRef: + name: {{ $truststorePasswordSecret | quote}} + key: {{ $truststorePasswordSecretKey | quote}} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: @@ -151,10 +160,10 @@ There also need to be some includes used in a target component deployment (inden {{- define "common.certServiceClient.volumes" -}} {{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} -{{- $certificatesSecretName := $subchartGlobal.platform.certServiceClient.secret.name -}} +{{- $certificatesSecretName := $subchartGlobal.platform.certificates.clientSecretName -}} - name: certservice-tls-volume secret: secretName: {{ $certificatesSecretName }} @@ -168,7 +177,7 @@ There also need to be some includes used in a target component deployment (inden {{- define "common.certServiceClient.volumeMounts" -}} {{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} {{- range $index, $certificate := $dot.Values.certificates -}} diff --git a/kubernetes/common/cmpv2Certificate/values.yaml b/kubernetes/common/cmpv2Certificate/values.yaml index b7531431c4..504947525d 100644 --- a/kubernetes/common/cmpv2Certificate/values.yaml +++ b/kubernetes/common/cmpv2Certificate/values.yaml @@ -11,38 +11,3 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - -################################################################# -# Global configuration default values that can be inherited by -# all subcharts. -################################################################# -global: - # Enabling CMPv2 - cmpv2Enabled: true - CMPv2CertManagerIntegration: false - - certificate: - default: - subject: - organization: "Linux-Foundation" - country: "US" - locality: "San-Francisco" - province: "California" - organizationalUnit: "ONAP" - - platform: - certServiceClient: - secret: - name: oom-cert-service-client-tls-secret - mountPath: /etc/onap/oom/certservice/certs/ - envVariables: - certPath: "/var/custom-certs" - # Client configuration related - caName: "RA" - requestURL: "https://oom-cert-service:8443/v1/certificate/" - requestTimeout: "30000" - keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks" - outputType: "P12" - keystorePassword: "secret" - truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks" - truststorePassword: "secret" diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index b6ee064302..695e40616c 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml @@ -12,22 +12,40 @@ # See the License for the specific language governing permissions and # limitations under the License. global: + + # Enabling CMPv2 + cmpv2Enabled: true + CMPv2CertManagerIntegration: false + + certificate: + default: + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + platform: + certificates: + clientSecretName: oom-cert-service-client-tls-secret + keystoreKeyRef: keystore.jks + truststoreKeyRef: truststore.jks + keystorePasswordSecretName: oom-cert-service-keystore-password + keystorePasswordSecretKey: password + truststorePasswordSecretName: oom-cert-service-truststore-password + truststorePasswordSecretKey: password certServiceClient: image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 - secretName: oom-cert-service-client-tls-secret + certificatesSecretMountPath: /etc/onap/oom/certservice/certs/ envVariables: + certPath: "/var/custom-certs" # Certificate related - cmpv2Organization: "Linux-Foundation" - cmpv2OrganizationalUnit: "ONAP" - cmpv2Location: "San-Francisco" - cmpv2State: "California" - cmpv2Country: "US" + caName: "RA" # Client configuration related requestURL: "https://oom-cert-service:8443/v1/certificate/" requestTimeout: "30000" - keystorePassword: "secret" - truststorePassword: "secret" + outputType: "P12" certPostProcessor: image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json b/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json index 6018abe309..3c769fca5f 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json @@ -44,14 +44,18 @@ "image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certServiceClient.image }}", "request_url": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.requestURL }}", "timeout": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.requestTimeout }}", - "country": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Country }}", - "organization": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Organization }}", - "state": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2State }}", - "organizational_unit": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2OrganizationalUnit }}", - "location": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Location }}", - "cert_secret_name": "{{ .Values.cmpv2Config.global.platform.certServiceClient.secretName }}", - "keystore_password": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.keystorePassword }}", - "truststore_password": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.truststorePassword }}" + "country": "{{ .Values.cmpv2Config.global.certificate.default.subject.country }}", + "organization": "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}", + "state": "{{ .Values.cmpv2Config.global.certificate.default.subject.province }}", + "organizational_unit": "{{ .Values.cmpv2Config.global.certificate.default.subject.organizationalUnit }}", + "location": "{{ .Values.cmpv2Config.global.certificate.default.subject.locality }}", + "cert_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName }}", + "keystore_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.keystoreKeyRef }}", + "truststore_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.truststoreKeyRef }}", + "keystore_password_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}", + "keystore_password_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretKey }}", + "truststore_password_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.truststorePasswordSecretName }}", + "truststore_password_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.truststorePasswordSecretKey }}" }, "cert_post_processor": { "image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certPostProcessor.image }}" diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml index 1135c053d9..fcc8f6d4b0 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml @@ -55,7 +55,7 @@ config: # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.deployments.cm-container:4.4.2 +image: onap/org.onap.dcaegen2.deployments.cm-container:4.5.0 pullPolicy: Always # name of shared ConfigMap with kubeconfig for multiple clusters diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index b008acf6f3..ca9ccd48f4 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -196,28 +196,25 @@ global: cmpv2Enabled: true CMPv2CertManagerIntegration: false platform: + certificates: + clientSecretName: oom-cert-service-client-tls-secret + keystoreKeyRef: keystore.jks + truststoreKeyRef: truststore.jks + keystorePasswordSecretName: oom-cert-service-certificates-password + keystorePasswordSecretKey: password + truststorePasswordSecretName: oom-cert-service-certificates-password + truststorePasswordSecretKey: password certServiceClient: image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 - secret: - name: oom-cert-service-client-tls-secret - mountPath: /etc/onap/oom/certservice/certs/ + certificatesSecretMountPath: /etc/onap/oom/certservice/certs/ envVariables: certPath: "/var/custom-certs" # Certificate related - cmpv2Organization: "Linux-Foundation" - cmpv2OrganizationalUnit: "ONAP" - cmpv2Location: "San-Francisco" - cmpv2State: "California" - cmpv2Country: "US" - # Client configuration related caName: "RA" + # Client configuration related requestURL: "https://oom-cert-service:8443/v1/certificate/" requestTimeout: "30000" - keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks" outputType: "P12" - keystorePassword: "secret" - truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks" - truststorePassword: "secret" # Indicates offline deployment build # Set to true if you are rendering helm charts for offline deployment diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index 0614819930..c34ebad982 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -73,10 +73,10 @@ cmpv2issuer: certEndpoint: v1/certificate caName: RA certSecretRef: - name: cmpv2-issuer-secret - certRef: certServiceServer-cert.pem - keyRef: certServiceServer-key.pem - cacertRef: truststore.pem + name: oom-cert-service-server-tls-secret + certRef: tls.crt + keyRef: tls.key + cacertRef: ca.crt diff --git a/kubernetes/platform/components/oom-cert-service/Makefile b/kubernetes/platform/components/oom-cert-service/Makefile deleted file mode 100644 index ea0cb8aae4..0000000000 --- a/kubernetes/platform/components/oom-cert-service/Makefile +++ /dev/null @@ -1,183 +0,0 @@ -CERTS_DIR = resources -CURRENT_DIR := ${CURDIR} -DOCKER_CONTAINER = generate-certs -DOCKER_EXEC = docker exec ${DOCKER_CONTAINER} - -all: start_docker \ - clear_all \ - root_generate_keys \ - root_create_certificate \ - root_self_sign_certificate \ - client_generate_keys \ - client_generate_csr \ - client_sign_certificate_by_root \ - client_import_root_certificate \ - client_convert_certificate_to_jks \ - server_generate_keys \ - server_generate_csr \ - server_sign_certificate_by_root \ - server_import_root_certificate \ - server_convert_certificate_to_jks \ - server_convert_certificate_to_p12 \ - convert_truststore_to_p12 \ - convert_truststore_to_pem \ - server_export_certificate_to_pem \ - server_export_key_to_pem \ - clear_unused_files \ - stop_docker - -.PHONY: all - -# Starts docker container for generating certificates - deletes first, if already running -start_docker: - @make stop_docker - $(eval REPOSITORY := $(shell cat ./values.yaml | grep -i "^[ \t]*repository" -m1 | xargs | cut -d ' ' -f2)) - $(eval JAVA_IMAGE := $(shell cat ./values.yaml | grep -i "^[ \t]*certificateGenerationImage" -m1 | xargs | cut -d ' ' -f2)) - $(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE)) - $(eval USERNAME :=$(shell id -u)) - $(eval GROUP :=$(shell id -g)) - docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/certs -w /certs --entrypoint "sh" -td $(FULL_JAVA_IMAGE) - -# Stops docker container for generating certificates. 'true' is used to return 0 status code, if container is already deleted -stop_docker: - docker rm ${DOCKER_CONTAINER} -f 1>/dev/null || true - -#Clear all files related to certificates -clear_all: - @make clear_existing_certificates - @make clear_unused_files - -#Clear certificates -clear_existing_certificates: - @echo "Clear certificates" - ${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 truststore.pem certServiceServer-cert.pem certServiceServer-key.pem - @echo "#####done#####" - -#Generate root private and public keys -root_generate_keys: - @echo "Generate root private and public keys" - ${DOCKER_EXEC} keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \ - -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \ - -storepass secret -ext BasicConstraints:critical="ca:true" - @echo "#####done#####" - -#Export public key as certificate -root_create_certificate: - @echo "(Export public key as certificate)" - ${DOCKER_EXEC} keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc - @echo "#####done#####" - -#Self-signed root (import root certificate into truststore) -root_self_sign_certificate: - @echo "(Self-signed root (import root certificate into truststore))" - ${DOCKER_EXEC} keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt - @echo "#####done#####" - -#Generate certService's client private and public keys -client_generate_keys: - @echo "Generate certService's client private and public keys" - ${DOCKER_EXEC} keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 365 \ - -keystore certServiceClient-keystore.jks -storetype JKS \ - -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \ - -keypass secret -storepass secret - @echo "####done####" - -#Generate certificate signing request for certService's client -client_generate_csr: - @echo "Generate certificate signing request for certService's client" - ${DOCKER_EXEC} keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr - @echo "####done####" - -#Sign certService's client certificate by root CA -client_sign_certificate_by_root: - @echo "Sign certService's client certificate by root CA" - ${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \ - -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" - @echo "####done####" - -#Import root certificate into client -client_import_root_certificate: - @echo "Import root certificate into intermediate" - ${DOCKER_EXEC} sh -c "cat root.crt >> certServiceClientByRoot.crt" - @echo "####done####" - -#Import signed certificate into certService's client -client_convert_certificate_to_jks: - @echo "Import signed certificate into certService's client" - ${DOCKER_EXEC} keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt - @echo "####done####" - -#Generate certService private and public keys -server_generate_keys: - @echo "Generate certService private and public keys" - ${DOCKER_EXEC} keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 365 \ - -keystore certServiceServer-keystore.jks -storetype JKS \ - -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \ - -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false" - @echo "####done####" - -#Generate certificate signing request for certService -server_generate_csr: - @echo "Generate certificate signing request for certService" - ${DOCKER_EXEC} keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr - @echo "####done####" - -#Sign certService certificate by root CA -server_sign_certificate_by_root: - @echo "Sign certService certificate by root CA" - ${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \ - -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \ - -ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost" - @echo "####done####" - -#Import root certificate into server -server_import_root_certificate: - @echo "Import root certificate into intermediate(server)" - ${DOCKER_EXEC} sh -c "cat root.crt >> certServiceServerByRoot.crt" - @echo "####done####" - -#Import signed certificate into certService -server_convert_certificate_to_jks: - @echo "Import signed certificate into certService" - ${DOCKER_EXEC} keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \ - -storepass secret -noprompt - @echo "####done####" - -#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12) -server_convert_certificate_to_p12: - @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" - ${DOCKER_EXEC} keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \ - -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret - @echo "#####done#####" - -#Convert truststore(.jks) to PCKS12 format(.p12) -convert_truststore_to_p12: - @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" - ${DOCKER_EXEC} keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \ - -destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret - @echo "#####done#####" - -#Convert truststore(.p12) to PEM format(.pem) -convert_truststore_to_pem: - @echo "Convert certServiceServer-keystore(.p12) to PEM format(.pem)" - ${DOCKER_EXEC} openssl pkcs12 -nodes -in truststore.p12 -out truststore.pem -passin pass:secret - @echo "#####done#####" - -#Export certificates from certServiceServer-keystore(.p12) to PEM format(.pem) -server_export_certificate_to_pem: - @echo "Export certificates from certServiceClient-keystore(.p12) to PEM format(.pem)" - ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nokeys -out certServiceServer-cert.pem - @echo "#####done#####" - -#Export keys from certServiceServer-keystore(.p12) to PEM format(.pem) -server_export_key_to_pem: - @echo "Export keys from certServiceClient-keystore(.p12) to PEM format(.pem)" - ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out certServiceServer-key.pem - @echo "#####done#####" - - -#Clear unused certificates -clear_unused_files: - @echo "Clear unused certificates" - ${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr truststore.p12 - @echo "#####done#####" diff --git a/kubernetes/platform/components/oom-cert-service/requirements.yaml b/kubernetes/platform/components/oom-cert-service/requirements.yaml index e89dc58027..6177278552 100644 --- a/kubernetes/platform/components/oom-cert-service/requirements.yaml +++ b/kubernetes/platform/components/oom-cert-service/requirements.yaml @@ -19,3 +19,9 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: certManagerCertificate + version: ~8.x-0 + repository: '@local' + - name: cmpv2Config + version: ~8.x-0 + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml new file mode 100644 index 0000000000..fd317703e3 --- /dev/null +++ b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2020-2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "certManagerCertificate.certificate" . }} diff --git a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml index c4d7440b20..9a6abd4eb9 100644 --- a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml +++ b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml @@ -93,9 +93,9 @@ spec: - name: ROOT_CERT value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.crtName }}" - name: KEYSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 14 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }} - name: TRUSTSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 14 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }} livenessProbe: exec: command: diff --git a/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml new file mode 100644 index 0000000000..9047ab73d3 --- /dev/null +++ b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml @@ -0,0 +1,32 @@ +{{/* + # Copyright © 2021, Nokia + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} + +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.tls.issuer.selfsigning.name }} + namespace: {{ include "common.namespace" . }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.tls.issuer.ca.name }} + namespace: {{ include "common.namespace" . }} +spec: + ca: + secretName: {{ .Values.tls.issuer.ca.secret.name }}
\ No newline at end of file diff --git a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml index 2d47e6f57c..5401801af5 100644 --- a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml +++ b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml @@ -28,42 +28,5 @@ data: {{ (.Files.Glob "resources/default/cmpServers.json").AsSecrets }} {{ end }} --- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.global.certService.certServiceClient.secret.name | default .Values.tls.client.secret.defaultName }} -type: Opaque -data: - certServiceClient-keystore.jks: - {{ (.Files.Glob "resources/certServiceClient-keystore.jks").AsSecrets }} - truststore.jks: - {{ (.Files.Glob "resources/truststore.jks").AsSecrets }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.tls.server.secret.name }} -type: Opaque -data: - certServiceServer-keystore.jks: - {{ (.Files.Glob "resources/certServiceServer-keystore.jks").AsSecrets }} - certServiceServer-keystore.p12: - {{ (.Files.Glob "resources/certServiceServer-keystore.p12").AsSecrets }} - truststore.jks: - {{ (.Files.Glob "resources/truststore.jks").AsSecrets }} - root.crt: - {{ (.Files.Glob "resources/root.crt").AsSecrets }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.tls.provider.secret.name }} -type: Opaque -data: - certServiceServer-key.pem: - {{ (.Files.Glob "resources/certServiceServer-key.pem").AsSecrets }} - certServiceServer-cert.pem: - {{ (.Files.Glob "resources/certServiceServer-cert.pem").AsSecrets }} - truststore.pem: - {{ (.Files.Glob "resources/truststore.pem").AsSecrets }} + {{ end -}} diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index 537b025fb0..829d3a01d1 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml @@ -79,38 +79,40 @@ cmpServers: mountPath: /etc/onap/oom/certservice tls: + issuer: + selfsigning: + name: &selfSigningIssuer cmpv2-selfsigning-issuer + ca: + name: &caIssuer cmpv2-ca-issuer + secret: + name: &caKeyPairSecret cmpv2-ca-key-pair server: secret: - name: oom-cert-service-server-tls-secret + name: &serverSecret oom-cert-service-server-tls-secret volume: name: oom-cert-service-server-tls-volume mountPath: /etc/onap/oom/certservice/certs/ client: secret: defaultName: oom-cert-service-client-tls-secret - provider: - secret: - name: cmpv2-issuer-secret envs: keystore: - jksName: certServiceServer-keystore.jks - p12Name: certServiceServer-keystore.p12 - pemName: certServiceServer-keystore.pem + jksName: keystore.jks + p12Name: keystore.p12 + pemName: tls.crt truststore: jksName: truststore.jks - crtName: root.crt - pemName: truststore.pem + crtName: ca.crt + pemName: tls.crt httpsPort: 8443 # External secrets with credentials can be provided to override default credentials defined below, # by uncommenting and filling appropriate *ExternalSecret value credentials: tls: - keystorePassword: secret - truststorePassword: secret - #keystorePasswordExternalSecret: - #truststorePasswordExternalSecret: + certificatesPassword: secret + #certificatesPasswordExternalSecret: # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled cmp: # Used only if cmpv2 testing is enabled @@ -126,17 +128,11 @@ credentials: # rv: unused secrets: - - uid: keystore-password - name: '{{ include "common.release" . }}-keystore-password' - type: password - externalSecret: '{{ tpl (default "" .Values.credentials.tls.keystorePasswordExternalSecret) . }}' - password: '{{ .Values.credentials.tls.keystorePassword }}' - passwordPolicy: required - - uid: truststore-password - name: '{{ include "common.release" . }}-truststore-password' + - uid: certificates-password + name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}' type: password - externalSecret: '{{ tpl (default "" .Values.credentials.tls.truststorePasswordExternalSecret) . }}' - password: '{{ .Values.credentials.tls.truststorePassword }}' + externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}' + password: '{{ .Values.credentials.tls.certificatesPassword }}' passwordPolicy: required # Below values are relevant only if global addTestingComponents flag is enabled - uid: ejbca-server-client-iak @@ -155,3 +151,65 @@ secrets: type: password externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}' password: '{{ .Values.credentials.cmp.ra.rv }}' + +# Certificates definitions +certificates: + - name: selfsigned-cert + secretName: *caKeyPairSecret + isCA: true + commonName: root.com + subject: + organization: Root Company + country: PL + locality: Wroclaw + province: Dolny Slask + organizationalUnit: Root Org + issuer: + name: *selfSigningIssuer + kind: Issuer + - name: cert-service-server-cert + secretName: *serverSecret + commonName: oom-cert-service + dnsNames: + - oom-cert-service + - localhost + subject: + organization: certServiceServer org + country: PL + locality: Wroclaw + province: Dolny Slask + organizationalUnit: certServiceServer company + usages: + - server auth + - client auth + keystore: + outputType: + - jks + - p12 + passwordSecretRef: + name: *certificatesPasswordSecretName + key: password + issuer: + name: *caIssuer + kind: Issuer + - name: cert-service-client-cert + secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}' + commonName: certServiceClient.com + subject: + organization: certServiceClient org + country: PL + locality: Wroclaw + province: Dolny Slask + organizationalUnit: certServiceClient company + usages: + - server auth + - client auth + keystore: + outputType: + - jks + passwordSecretRef: + name: *certificatesPasswordSecretName + key: password + issuer: + name: *caIssuer + kind: Issuer diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index fc093b8637..43201fef4b 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -195,6 +195,7 @@ certificates: outputType: - jks passwordSecretRef: + create: true name: sdnc-cmpv2-keystore-password key: password issuer: |