[A1P] Retrieve the certificates automatically

Instead of using hardcoded certificates in the container, let's retrieve
them automatically.

Issue-ID: OOM-2681
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: If08469469fecdc8bf86d080980f221e5941a2329

4 files changed, 134 insertions, 6 deletions

diff --git a/kubernetes/a1policymanagement/requirements.yaml b/kubernetes/a1policymanagement/requirements.yaml
index e570cb0b32..1872e91a0f 100644
--- a/kubernetes/a1policymanagement/requirements.yaml
+++ b/kubernetes/a1policymanagement/requirements.yaml
@@ -18,6 +18,9 @@ dependencies:
   - name: common
     version: ~7.x-0
     repository: '@local'
+  - name: certInitializer
+    version: ~7.x-0
+    repository: '@local'
   - name: repositoryGenerator
     version: ~7.x-0
     repository: '@local'
\ No newline at end of file
diff --git a/kubernetes/a1policymanagement/resources/config/application.yaml b/kubernetes/a1policymanagement/resources/config/application.yaml
new file mode 100644
index 0000000000..37754ca00c
--- /dev/null
+++ b/kubernetes/a1policymanagement/resources/config/application.yaml
@@ -0,0 +1,74 @@
+{{/*
+#
+# ============LICENSE_START=======================================================
+# ONAP : ccsdk oran
+# ================================================================================
+# Copyright (C) 2020 Nordix Foundation. All rights reserved.
+# Copyright (C) 2021 Orange. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+#
+*/}}
+spring:
+  profiles:
+    active: prod
+  main:
+    allow-bean-definition-overriding: true
+  aop:
+    auto: false
+management:
+  endpoints:
+    web:
+      exposure:
+        # Enabling of springboot actuator features. See springboot documentation.
+        include: "loggers,logfile,health,info,metrics,threaddump,heapdump"
+
+logging:
+  # Configuration of logging
+  level:
+    ROOT: DEBUG
+    org.springframework: DEBUG
+    org.springframework.data: DEBUG
+    org.springframework.web.reactive.function.client.ExchangeFunctions: DEBUG
+    org.onap.ccsdk.oran.a1policymanagementservice: DEBUG
+  file:
+    name: /var/log/policy-agent/application.log
+server:
+  # Configuration of the HTTP/REST server. The parameters are defined and handeled by the springboot framework.
+  # See springboot documentation.
+  port: 8433
+  http-port: 8081
+  ssl:
+    key-store-type: PKCS12
+    key-store-password: ${KEYSTORE_PASSWORD}
+    key-store: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+    key-password: ${KEYSTORE_PASSWORD}
+    key-alias: {{ .Values.certInitializer.fqi }}
+app:
+  # Location of the component configuration file. The file will only be used if the Consul database is not used;
+  # configuration from the Consul will override the file.
+  filepath: /opt/app/policy-agent/data/application_configuration.json
+  webclient:
+    # Configuration of the trust store used for the HTTP client (outgoing requests)
+    # The file location and the password for the truststore is only relevant if trust-store-used == true
+    # Note that the same keystore as for the server is used.
+    trust-store-used: false
+    trust-store-password: ${TRUSTSORE_PASSWORD}
+    trust-store: {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+    # Configuration of usage of HTTP Proxy for the southbound accesses.
+    # The HTTP proxy (if configured) will only be used for accessing NearRT RIC:s
+    http.proxy-host:
+    http.proxy-port: 0
diff --git a/kubernetes/a1policymanagement/templates/deployment.yaml b/kubernetes/a1policymanagement/templates/deployment.yaml
index ce2e2732e6..43431f0a35 100644
--- a/kubernetes/a1policymanagement/templates/deployment.yaml
+++ b/kubernetes/a1policymanagement/templates/deployment.yaml
@@ -27,7 +27,7 @@ spec:
     metadata:
       labels: {{- include "common.labels" . | nindent 8 }}
     spec:
-      initContainers:
+      initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
       - name: {{ include "common.name" . }}-bootstrap-config
         image: {{ include "repositoryGenerator.image.envsubst" . }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
@@ -35,13 +35,22 @@ spec:
         - sh
         args:
         - -c
-        - "cd /config-input && for PFILE in `ls -1`; do envsubst <${PFILE} >/config/${PFILE}; chmod o+w /config/${PFILE}; done"
+        - |
+          export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop\
+            | xargs -0)
+          cd /config-input
+          for PFILE in `ls -1`
+          do
+            envsubst <${PFILE} >/config/${PFILE}
+            chmod o+w /config/${PFILE}
+          done
+          cat /config/application.yaml
         env:
         - name: A1CONTROLLER_USER
           {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "login") | indent 10 }}
         - name: A1CONTROLLER_PASSWORD
           {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "controller-secret" "key" "password") | indent 10 }}
-        volumeMounts:
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
         - mountPath: /config-input
           name: {{ include "common.fullname" . }}-policy-conf-input
         - mountPath: /config
@@ -86,11 +95,15 @@ spec:
             scheme: {{ if (include "common.needTLS" .) }}HTTPS{{ else }}HTTP{{ end }}
           initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
           periodSeconds: {{ .Values.liveness.periodSeconds }}
-        volumeMounts:
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        - name: config
+          mountPath: /opt/app/policy-agent/data/application_configuration.json
+          subPath: application_configuration.json
         - name: config
-          mountPath: /opt/app/policy-agent/data
+          mountPath: /opt/app/policy-agent/config/application.yaml
+          subPath: application.yaml
         resources: {{ include "common.resources" . | nindent 10 }}
-      volumes:
+      volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
         - name: {{ include "common.fullname" . }}-policy-conf-input
           configMap:
             name: {{ include "common.fullname" . }}-policy-conf
diff --git a/kubernetes/a1policymanagement/values.yaml b/kubernetes/a1policymanagement/values.yaml
index a1602c569c..e118b35cfd 100644
--- a/kubernetes/a1policymanagement/values.yaml
+++ b/kubernetes/a1policymanagement/values.yaml
@@ -29,6 +29,44 @@ secrets:
     password: '{{ .Values.a1controller.password }}'
     passwordPolicy: required
 
+#################################################################
+# AAF part
+#################################################################
+certInitializer:
+  nameOverride: a1p-cert-initializer
+  aafDeployFqi: deployer@people.osaaf.org
+  aafDeployPass: demo123456!
+  # aafDeployCredsExternalSecret: some secret
+  fqdn: a1p
+  fqi: a1p@a1p.onap.org
+  public_fqdn: a1p.onap.org
+  cadi_longitude: "0.0"
+  cadi_latitude: "0.0"
+  app_ns: org.osaaf.aaf
+  credsPath: /opt/app/osaaf/local
+  fqi_namespace: org.onap.a1p
+  aaf_add_config: |
+    echo "*** changing them into shell safe ones"
+    export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    export TRUSTSORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    cd {{ .Values.credsPath }}
+    keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
+      -storepass "${cadi_keystore_password_p12}" \
+      -keystore {{ .Values.fqi_namespace }}.p12
+    keytool -storepasswd -new "${TRUSTSORE_PASSWORD}" \
+      -storepass "${cadi_truststore_password}" \
+      -keystore {{ .Values.fqi_namespace }}.trust.jks
+    echo "*** set key password as same password as keystore password"
+    keytool -keypasswd -new "${KEYSTORE_PASSWORD}" \
+      -keystore {{ .Values.fqi_namespace }}.p12 \
+      -keypass "${cadi_keystore_password_p12}" \
+      -storepass "${KEYSTORE_PASSWORD}" -alias {{ .Values.fqi }}
+    echo "*** save the generated passwords"
+    echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > mycreds.prop
+    echo "TRUSTSORE_PASSWORD=${TRUSTSORE_PASSWORD}" >> mycreds.prop
+    echo "*** change ownership of certificates to targeted user"
+    chown -R 1000 .
+
 image: onap/ccsdk-oran-a1policymanagementservice:1.0.1
 userID: 1000 #Should match with image-defined user ID
 groupID: 999 #Should match with image-defined group ID