aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-05-01 01:46:37 +0200
committerKrzysztof Opasiak <k.opasiak@samsung.com>2020-05-06 17:38:13 +0200
commit020cdb94ca5c6ca3fb4690b1118c08779f3b4d95 (patch)
tree6341e44e8b8e2602393f048bc03f59fa81fd99fc
parent693b49fc8116ea27635c26590bf85a6746868ea4 (diff)
[COMMON] Add new template for obtaining certificate
Add new template that can be used to obtain certificate by component. Make also a PoC with NBI. Strongly based on aaf-config template. Issue-ID: AAF-1134 Change-Id: I10cb2a7b36a8dc436be337518cc15431aabbbc5d Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
-rw-r--r--kubernetes/common/certInitializer/Chart.yaml18
-rw-r--r--kubernetes/common/certInitializer/requirements.yaml18
-rw-r--r--kubernetes/common/certInitializer/templates/_certInitializer.yaml152
-rw-r--r--kubernetes/common/certInitializer/templates/configmap.yaml (renamed from kubernetes/nbi/templates/configmap-aaf-add-config.yaml)13
-rw-r--r--kubernetes/common/certInitializer/templates/secret.yaml17
-rw-r--r--kubernetes/common/certInitializer/values.yaml42
-rw-r--r--kubernetes/nbi/requirements.yaml3
-rw-r--r--kubernetes/nbi/templates/deployment.yaml12
-rw-r--r--kubernetes/nbi/values.yaml20
9 files changed, 270 insertions, 25 deletions
diff --git a/kubernetes/common/certInitializer/Chart.yaml b/kubernetes/common/certInitializer/Chart.yaml
new file mode 100644
index 0000000000..3b20045b1f
--- /dev/null
+++ b/kubernetes/common/certInitializer/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2017 Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: Template used to obtain certificates in onap
+name: certInitializer
+version: 6.0.0
diff --git a/kubernetes/common/certInitializer/requirements.yaml b/kubernetes/common/certInitializer/requirements.yaml
new file mode 100644
index 0000000000..237f1d1354
--- /dev/null
+++ b/kubernetes/common/certInitializer/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2018 Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: common
+ version: ~6.x-0
+ repository: 'file://../common'
diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml
new file mode 100644
index 0000000000..e4a878b420
--- /dev/null
+++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml
@@ -0,0 +1,152 @@
+{{/*
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+
+
+{{- define "common.certInitializer._aafConfigVolumeName" -}}
+ {{ include "common.fullname" . }}-aaf-config
+{{- end -}}
+
+{{- define "common.certInitializer._aafAddConfigVolumeName" -}}
+ {{ print "aaf-add-config" }}
+{{- end -}}
+
+{{/*
+ common templates to enable cert initialization for applictaions
+
+ In deployments/jobs/stateful include:
+ initContainers:
+ {{ include "common.certInitializer.initContainer" . | nindent XX }}
+
+ containers:
+ volumeMounts:
+ {{- include "common.certInitializer.volumeMount" . | nindent XX }}
+ volumes:
+ {{- include "common.certInitializer.volume" . | nindent XX}}
+*/}}
+{{- define "common.certInitializer._initContainer" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
+{{- $initName := default "certInitializer" -}}
+{{/* Our version of helm doesn't support deepCopy so we need this nasty trick */}}
+{{- $subchartDot := mergeOverwrite (fromJson (toJson $dot)) (dict "Chart" (set (fromJson (toJson .Chart)) "Name" $initRoot.nameOverride) "Values" $initRoot) }}
+- name: {{ include "common.name" $dot }}-aaf-readiness
+ image: "{{ $dot.Values.global.readinessRepository }}/{{ $dot.Values.global.readinessImage }}"
+ imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
+ command:
+ - /root/ready.py
+ args:
+ - --container-name
+ - aaf-locate
+ - --container-name
+ - aaf-cm
+ - --container-name
+ - aaf-service
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+- name: {{ include "common.name" $dot }}-aaf-config
+ image: {{ (default $dot.Values.repository $dot.Values.global.repository) }}/{{ $dot.Values.global.aafAgentImage }}
+ imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
+ volumeMounts:
+ - mountPath: {{ $initRoot.mountPath }}
+ name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
+{{- if $initRoot.aaf_add_config }}
+ - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
+ mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh
+ subPath: aaf-add-config.sh
+{{- end }}
+ command:
+ - sh
+ - -c
+ - |
+ #!/usr/bin/env bash
+ /opt/app/aaf_config/bin/agent.sh
+{{- if $initRoot.aaf_add_config }}
+ /opt/app/aaf_config/bin/aaf-add-config.sh
+{{- end }}
+ env:
+ - name: APP_FQI
+ value: "{{ $initRoot.fqi }}"
+ - name: aaf_locate_url
+ value: "https://aaf-locate.{{ $dot.Release.Namespace}}:8095"
+ - name: aaf_locator_container
+ value: "oom"
+ - name: aaf_locator_container_ns
+ value: "{{ $dot.Release.Namespace }}"
+ - name: aaf_locator_fqdn
+ value: "{{ $initRoot.fqdn }}"
+ - name: aaf_locator_app_ns
+ value: "{{ $initRoot.app_ns }}"
+ - name: DEPLOY_FQI
+ {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "login") | indent 6 }}
+ - name: DEPLOY_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "password") | indent 6 }}
+ #Note: want to put this on Nodes, eventually
+ - name: cadi_longitude
+ value: "{{ default "52.3" $initRoot.cadi_longitude }}"
+ - name: cadi_latitude
+ value: "{{ default "13.2" $initRoot.cadi_latitude }}"
+ #Hello specific. Clients don't don't need this, unless Registering with AAF Locator
+ - name: aaf_locator_public_fqdn
+ value: "{{ $initRoot.public_fqdn | default "" }}"
+{{- end -}}
+
+{{- define "common.certInitializer._volumeMount" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
+- mountPath: {{ $initRoot.mountPath }}
+ name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
+{{- end -}}
+
+{{- define "common.certInitializer._volumes" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
+{{- $subchartDot := mergeOverwrite (fromJson (toJson $dot)) (dict "Chart" (set (fromJson (toJson .Chart)) "Name" $initRoot.nameOverride) "Values" $initRoot) }}
+- name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
+ emptyDir:
+ medium: Memory
+{{- if $initRoot.aaf_add_config }}
+- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
+ configMap:
+ name: {{ include "common.fullname" $subchartDot }}-add-config
+ defaultMode: 0700
+{{- end -}}
+{{- end -}}
+
+{{- define "common.certInitializer.initContainer" -}}
+{{- $dot := default . .dot -}}
+ {{- if $dot.Values.global.aafEnabled }}
+ {{ include "common.certInitializer._initContainer" . }}
+ {{- end -}}
+{{- end -}}
+
+{{- define "common.certInitializer.volumeMount" -}}
+{{- $dot := default . .dot -}}
+ {{- if $dot.Values.global.aafEnabled }}
+ {{- include "common.certInitializer._volumeMount" . }}
+ {{- end -}}
+{{- end -}}
+
+{{- define "common.certInitializer.volumes" -}}
+{{- $dot := default . .dot -}}
+ {{- if $dot.Values.global.aafEnabled }}
+ {{- include "common.certInitializer._volumes" . }}
+ {{- end -}}
+{{- end -}}
diff --git a/kubernetes/nbi/templates/configmap-aaf-add-config.yaml b/kubernetes/common/certInitializer/templates/configmap.yaml
index fe099b140d..640dafd67e 100644
--- a/kubernetes/nbi/templates/configmap-aaf-add-config.yaml
+++ b/kubernetes/common/certInitializer/templates/configmap.yaml
@@ -1,6 +1,5 @@
-{{ if .Values.global.aafEnabled }}
{{/*
-# Copyright © 2020 Bitnami, AT&T, Amdocs, Bell Canada, highstreet technologies, Orange
+# Copyright © 2020 Samsung Electronics
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -15,14 +14,12 @@
# limitations under the License.
*/}}
-{{- if .Values.aafConfig.addconfig -}}
+{{ if .Values.aaf_add_config }}
apiVersion: v1
kind: ConfigMap
-{{- $suffix := "aaf-add-config" }}
+{{- $suffix := "add-config" }}
metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
data:
- aaf-add-config.sh: |-
- /opt/app/aaf_config/bin/agent.sh;/opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.aafConfig.fqi}} {{ .Values.aafConfig.fqdn }} > {{ .Values.aafConfig.credsPath }}/mycreds.prop
-{{- end -}}
+ aaf-add-config.sh: |
+ {{ tpl .Values.aaf_add_config . | indent 4 }}
{{- end -}}
diff --git a/kubernetes/common/certInitializer/templates/secret.yaml b/kubernetes/common/certInitializer/templates/secret.yaml
new file mode 100644
index 0000000000..34932b713d
--- /dev/null
+++ b/kubernetes/common/certInitializer/templates/secret.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml
new file mode 100644
index 0000000000..b55ba5e2f3
--- /dev/null
+++ b/kubernetes/common/certInitializer/values.yaml
@@ -0,0 +1,42 @@
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+global:
+ readinessRepository: oomk8s
+ readinessImage: readiness-check:2.0.2
+ aafAgentImage: onap/aaf/aaf_agent:2.1.20
+ aafEnabled: true
+
+pullPolicy: Always
+
+secrets:
+ - uid: deployer-creds
+ type: basicAuth
+ externalSecret: '{{ ternary (tpl (default "" .Values.aafDeployCredsExternalSecret) .) "aafIsDisabled" .Values.global.aafEnabled }}'
+ login: '{{ .Values.aafDeployFqi }}'
+ password: '{{ .Values.aafDeployPass }}'
+ passwordPolicy: required
+
+aafDeployFqi: "changeme"
+fqdn: ""
+app_ns: "org.osaaf.aaf"
+fqi: ""
+fqi_namespace: ""
+public_fqdn: "aaf.osaaf.org"
+aafDeployFqi: "deployer@people.osaaf.org"
+aafDeployPass: demo123456!
+cadi_latitude: "38.0"
+cadi_longitude: "-72.0"
+aaf_add_config: ""
+mountPath: "/opt/app/osaaf"
diff --git a/kubernetes/nbi/requirements.yaml b/kubernetes/nbi/requirements.yaml
index 4bd4fd863e..7ce343627a 100644
--- a/kubernetes/nbi/requirements.yaml
+++ b/kubernetes/nbi/requirements.yaml
@@ -20,6 +20,9 @@ dependencies:
# a part of this chart's package and will not
# be published independently to a repo (at this point)
repository: '@local'
+ - name: certInitializer
+ version: ~6.x-0
+ repository: '@local'
- name: mongo
version: ~6.x-0
repository: '@local'
diff --git a/kubernetes/nbi/templates/deployment.yaml b/kubernetes/nbi/templates/deployment.yaml
index 1b4195c733..22dd4a1ded 100644
--- a/kubernetes/nbi/templates/deployment.yaml
+++ b/kubernetes/nbi/templates/deployment.yaml
@@ -33,7 +33,7 @@ spec:
name: {{ include "common.fullname" . }}
spec:
{{- if .Values.global.aafEnabled }}
- initContainers: {{ include "common.aaf-config" . | nindent 6 }}
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
{{- end }}
containers:
- name: {{ include "common.name" . }}
@@ -49,11 +49,11 @@ spec:
args:
- -c
- |
- export $(grep '^c' {{ .Values.aafConfig.credsPath }}/mycreds.prop | xargs -0)
+ export $(grep '^c' {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
export JAVA_OPTS="-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \
- -Dserver.ssl.key-store={{ .Values.aafConfig.credsPath }}/org.onap.nbi.p12 \
+ -Dserver.ssl.key-store={{ .Values.certInitializer.credsPath }}/org.onap.nbi.p12 \
-Dserver.ssl.key-store-type=PKCS12 \
- -Djavax.net.ssl.trustStore={{ .Values.aafConfig.credsPath }}/org.onap.nbi.trust.jks \
+ -Djavax.net.ssl.trustStore={{ .Values.certInitializer.credsPath }}/org.onap.nbi.trust.jks \
-Dserver.ssl.key-store-password=$cadi_keystore_password_p12 \
-Djavax.net.ssl.trustStoreType=jks\
-Djava.security.egd=file:/dev/./urandom -Dserver.port=8443"
@@ -122,7 +122,7 @@ spec:
value: "msb-discovery.{{ include "common.namespace" . }}"
- name: MSB_DISCOVERY_PORT
value: "10081"
- volumeMounts: {{ include "common.aaf-config-volume-mountpath" . | nindent 12 }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 12 }}
- mountPath: /etc/localtime
name: localtime
readOnly: true
@@ -148,7 +148,7 @@ spec:
# name: esr-server-logs
# - mountPath: /usr/share/filebeat/data
# name: esr-server-filebeat
- volumes: {{ include "common.aaf-config-volumes" . | nindent 8 }}
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
- name: localtime
hostPath:
path: /etc/localtime
diff --git a/kubernetes/nbi/values.yaml b/kubernetes/nbi/values.yaml
index 6381d83e27..4fe092e603 100644
--- a/kubernetes/nbi/values.yaml
+++ b/kubernetes/nbi/values.yaml
@@ -36,7 +36,8 @@ global:
#################################################################
# AAF part
#################################################################
-aafConfig:
+certInitializer:
+ nameOverride: nbi-cert-initializer
aafDeployFqi: deployer@people.osaaf.org
aafDeployPass: demo123456!
# aafDeployCredsExternalSecret: some secret
@@ -45,13 +46,16 @@ aafConfig:
public_fqdn: nbi.onap.org
cadi_longitude: "0.0"
cadi_latitude: "0.0"
- credsPath: /opt/app/osaaf/local
app_ns: org.osaaf.aaf
+ credsPath: /opt/app/osaaf/local
+ aaf_add_config: >
+ /opt/app/aaf_config/bin/agent.sh;
+ /opt/app/aaf_config/bin/agent.sh local showpass
+ {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+
+aafConfig:
permission_user: 1000
permission_group: 999
- addconfig: true
- secret_uid: &aaf_secret_uid nbi-aaf-deploy-creds
-
#################################################################
# Secrets metaconfig
@@ -63,12 +67,6 @@ secrets:
externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}'
login: '{{ .Values.config.db.userName }}'
password: '{{ .Values.config.db.userPassword }}'
- - uid: *aaf_secret_uid
- type: basicAuth
- externalSecret: '{{ ternary (tpl (default "" .Values.aafConfig.aafDeployCredsExternalSecret) .) "aafIsDisabled" .Values.global.aafEnabled }}'
- login: '{{ .Values.aafConfig.aafDeployFqi }}'
- password: '{{ .Values.aafConfig.aafDeployPass }}'
- passwordPolicy: required
subChartsOnly:
enabled: true