aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/aaf/components/aaf-sshsm
diff options
context:
space:
mode:
authorKrzysztof Opasiak <k.opasiak@samsung.com>2020-06-11 12:38:48 +0000
committerGerrit Code Review <gerrit@onap.org>2020-06-11 12:38:48 +0000
commit02cf42587f566a39713613f18830feacf036a2df (patch)
treee9ee5c733ede14ec987e081b2acc7f6bb55181a7 /kubernetes/aaf/components/aaf-sshsm
parentb6584466e5aff8904241d8107baa722788a8e6a8 (diff)
parent0de302ad6212185c842ce7232319e19d994dd520 (diff)
Merge "[AAF SMS] Use certInitializer for certificates"
Diffstat (limited to 'kubernetes/aaf/components/aaf-sshsm')
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/Chart.yaml18
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/README.md24
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/Chart.yaml18
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/configmap.yaml25
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/job.yaml75
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/statefulset.yaml89
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/values.yaml60
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/Chart.yaml18
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/configmap.yaml25
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/job.yaml106
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pv.yaml19
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pvc.yaml19
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/values.yaml69
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-testca/Chart.yaml18
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-testca/templates/job.yaml131
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-testca/values.yaml61
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/requirements.yaml18
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/resources/config/prk_passwd1
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/resources/config/srk_handle1
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/templates/pv-data.yaml17
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/templates/pv-dbus.yaml17
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/templates/pvc-data.yaml17
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/templates/pvc-dbus.yaml17
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/templates/secret.yaml22
-rw-r--r--kubernetes/aaf/components/aaf-sshsm/values.yaml84
25 files changed, 969 insertions, 0 deletions
diff --git a/kubernetes/aaf/components/aaf-sshsm/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/Chart.yaml
new file mode 100644
index 0000000000..d39b561905
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: ONAP Hardware Security Components
+name: aaf-sshsm
+version: 6.0.0
diff --git a/kubernetes/aaf/components/aaf-sshsm/README.md b/kubernetes/aaf/components/aaf-sshsm/README.md
new file mode 100644
index 0000000000..a6f2e62cb9
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/README.md
@@ -0,0 +1,24 @@
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Helm Chart for ONAP Hardware Security Components
+
+This includes the following Kubernetes services:
+
+1. dist-center - A service that is used to create and distribute private keys
+2. abrmd - A service that manages access to the TPM device
+
+# Service Dependencies
+
+All services depend on AAF \ No newline at end of file
diff --git a/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/Chart.yaml
new file mode 100644
index 0000000000..499b82caaf
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: ONAP Trusted Platform Module Resource Manager
+name: aaf-sshsm-abrmd
+version: 6.0.0
diff --git a/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/configmap.yaml
new file mode 100644
index 0000000000..8d1faf7e32
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/configmap.yaml
@@ -0,0 +1,25 @@
+{{/*
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if and .Values.global.tpm.enabled .Values.global.abrmd.enabled -}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+data:
+{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
+
+{{- end -}}
diff --git a/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/job.yaml b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/job.yaml
new file mode 100644
index 0000000000..23fe79d716
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/job.yaml
@@ -0,0 +1,75 @@
+{{/*
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if and .Values.global.tpm.enabled .Values.global.abrmd.enabled -}}
+
+apiVersion: batch/v1
+kind: Job
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+ backoffLimit: 2
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: {{ include "common.name" . }}-job
+ image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command: ["/abrmd/bin/initialize_tpm.sh"]
+ workingDir: /abrmd/bin
+ securityContext:
+ privileged: true
+ env:
+ - name: TPM_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: ABRMD_DATA
+ value: /abrmd/data
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-data
+ mountPath: /abrmd/data
+ - name: {{ include "common.fullname" . }}-tpm-device
+ mountPath: /dev/tpm0
+ - name: {{ include "common.fullname" . }}-tpmconfig
+ mountPath: "/abrmd/cred/"
+ readOnly: true
+ resources: {{ toYaml .Values.resources | nindent 10 }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end -}}
+ {{- if .Values.global.tpm.enabled }}
+ {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }}
+ {{- end -}}
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ resources: {{ include "common.resources" . | nindent 10 }}
+ volumes:
+ - name: {{ include "common.fullname" . }}-data
+ persistentVolumeClaim:
+ claimName: {{ include "common.release" . }}-aaf-sshsm-data
+ - name: {{ include "common.fullname" . }}-tpm-device
+ hostPath:
+ path: /dev/tpm0
+ - name: {{ include "common.fullname" . }}-tpmconfig
+ secret:
+ secretName: {{ include "common.release" . }}-aaf-sshsm
+ imagePullSecrets:
+ - name: "{{ include "common.namespace" . }}-docker-registry-key"
+
+{{- end -}}
diff --git a/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/statefulset.yaml b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/statefulset.yaml
new file mode 100644
index 0000000000..c624ccfc4d
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/templates/statefulset.yaml
@@ -0,0 +1,89 @@
+{{/*
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if and .Values.global.tpm.enabled .Values.global.abrmd.enabled -}}
+
+apiVersion: apps/v1
+kind: StatefulSet
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+ selector: {{- include "common.selectors" . | nindent 4 }}
+ replicas: {{ .Values.replicaCount }}
+ serviceName:
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ initContainers:
+ - image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-job-complete
+ command:
+ - /root/job_complete.py
+ args:
+ - -j
+ - "{{ include "common.fullname" . }}-init"
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ resources:
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ requests:
+ cpu: 3m
+ memory: 20Mi
+ containers:
+ - image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ name: {{ include "common.name" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command: ["/abrmd/bin/run_abrmd.sh"]
+ workingDir: /abrmd/bin
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-dbus
+ mountPath: /var/run/dbus
+ - name: {{ include "common.fullname" . }}-tpm-device
+ mountPath: /dev/tpm0
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+ resources: {{ include "common.resources" . | nindent 10 }}
+ nodeSelector:
+ {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end -}}
+ {{- if .Values.global.tpm.enabled }}
+ {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }}
+ {{- end -}}
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+ - name: {{ include "common.fullname" . }}-dbus
+ persistentVolumeClaim:
+ claimName: {{ include "common.release" . }}-aaf-sshsm-dbus
+ - name: {{ include "common.fullname" . }}-tpm-device
+ hostPath:
+ path: /dev/tpm0
+
+{{- end -}}
diff --git a/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/values.yaml b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/values.yaml
new file mode 100644
index 0000000000..2a733632bf
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-abrmd/values.yaml
@@ -0,0 +1,60 @@
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+
+#################################################################
+# Application configuration defaults.
+#################################################################
+# application image
+repository: nexus3.onap.org:10001
+image: onap/aaf/abrmd:4.0.0
+pullPolicy: Always
+
+# flag to enable debugging - application support required
+debugEnabled: false
+
+# application configuration
+# Example:
+# default number of instances
+replicaCount: 1
+
+# TPM specific node selection is done at parent chart aaf-sshsm
+nodeSelector: {}
+
+affinity: {}
+
+ingress:
+ enabled: false
+
+# Configure resource requests and limits
+flavor: small
+resources:
+ small:
+ limits:
+ cpu: 20m
+ memory: 50Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ large:
+ limits:
+ cpu: 400m
+ memory: 1Gi
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ unlimited: {}
diff --git a/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/Chart.yaml
new file mode 100644
index 0000000000..22ba3da019
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: ONAP Trusted Platform Module Distribution Center
+name: aaf-sshsm-distcenter
+version: 6.0.0
diff --git a/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/configmap.yaml b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/configmap.yaml
new file mode 100644
index 0000000000..99176fcdf6
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/configmap.yaml
@@ -0,0 +1,25 @@
+{{/*
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.global.distcenter.enabled -}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+data:
+{{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}
+
+{{- end -}}
diff --git a/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/job.yaml b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/job.yaml
new file mode 100644
index 0000000000..fb48c7df4a
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/job.yaml
@@ -0,0 +1,106 @@
+{{/*
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.global.distcenter.enabled -}}
+
+apiVersion: batch/v1
+kind: Job
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ serviceName:
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ restartPolicy: Never
+ initContainers:
+{{- if .Values.global.tpm.enabled }}
+ - image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-readiness
+ command:
+ - /root/job_complete.py
+ args:
+ - -j
+ - "{{ include "common.release" . }}-aaf-sshsm-abrmd-init"
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ resources:
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ requests:
+ cpu: 3m
+ memory: 20Mi
+{{ else }}
+ - image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-gen-passphrase
+ command: ["sh", "-c", "/usr/bin/openssl rand -base64 12 >/distcenter/data/passphrase"]
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+ - name: {{ include "common.fullname" . }}-data
+ mountPath: /distcenter/data
+ resources:
+ limits:
+ cpu: 1
+ memory: 100Mi
+ requests:
+ cpu: 3m
+ memory: 20Mi
+{{- end }}
+ containers:
+ - image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ name: {{ include "common.name" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command: ["/entrypoint.sh"]
+ workingDir: /distcenter
+ volumeMounts:
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+ - name: {{ include "common.fullname" . }}-data
+ mountPath: /distcenter/data
+ resources: {{ include "common.resources" . | nindent 10 }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+ {{- end -}}
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+ - name: {{ include "common.fullname" . }}-data
+ persistentVolumeClaim:
+ claimName: {{ include "common.release" . }}-aaf-sshsm
+ imagePullSecrets:
+ - name: "{{ include "common.namespace" . }}-docker-registry-key"
+
+{{- end -}}
diff --git a/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pv.yaml b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pv.yaml
new file mode 100644
index 0000000000..bf0ef74be2
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pv.yaml
@@ -0,0 +1,19 @@
+{{/*
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.global.distcenter.enabled -}}
+{{ include "common.PV" . }}
+{{- end -}}
diff --git a/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pvc.yaml b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pvc.yaml
new file mode 100644
index 0000000000..a13b7f353b
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/templates/pvc.yaml
@@ -0,0 +1,19 @@
+{{/*
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.global.distcenter.enabled -}}
+{{ include "common.PVC" . }}
+{{- end -}}
diff --git a/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/values.yaml b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/values.yaml
new file mode 100644
index 0000000000..94791be713
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-distcenter/values.yaml
@@ -0,0 +1,69 @@
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+global:
+ persistence: {}
+
+#################################################################
+# Application configuration defaults.
+#################################################################
+# application image
+repository: nexus3.onap.org:10001
+image: onap/aaf/distcenter:4.0.0
+pullPolicy: Always
+
+# flag to enable debugging - application support required
+debugEnabled: false
+
+# application configuration
+# Example:
+# default number of instances
+replicaCount: 1
+
+nodeSelector: {}
+
+affinity: {}
+
+persistence:
+ enabled: true
+ volumeReclaimPolicy: Retain
+ accessMode: ReadWriteOnce
+ size: 10Mi
+ mountPath: /dockerdata-nfs
+ mountSubPath: sshsm/distcenter/data
+
+ingress:
+ enabled: false
+
+# Configure resource requests and limits
+flavor: small
+resources:
+ small:
+ limits:
+ cpu: 20m
+ memory: 50Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ large:
+ limits:
+ cpu: 400m
+ memory: 1Gi
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ unlimited: {}
diff --git a/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-testca/Chart.yaml b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-testca/Chart.yaml
new file mode 100644
index 0000000000..b64e0c331a
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-testca/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: ONAP Trusted Platform Module Test CA Service
+name: aaf-sshsm-testca
+version: 6.0.0
diff --git a/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-testca/templates/job.yaml b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-testca/templates/job.yaml
new file mode 100644
index 0000000000..a64f483d74
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-testca/templates/job.yaml
@@ -0,0 +1,131 @@
+{{/*
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if .Values.global.testca.enabled -}}
+
+apiVersion: batch/v1
+kind: Job
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ restartPolicy: Never
+ initContainers:
+ - image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-distcenter-ready
+ command:
+ - /root/job_complete.py
+ args:
+ - -j
+ - "{{ include "common.release" . }}-aaf-sshsm-distcenter"
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ resources:
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ requests:
+ cpu: 3m
+ memory: 20Mi
+{{- if .Values.global.tpm.enabled }}
+ - image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ name: {{ include "common.name" . }}-abrmd-ready
+ command: ["sh", "/sshsm/bin/abrmd_ready.sh", "300"]
+ workingDir: /testca/bin
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: {{ include "common.fullname" . }}-dbus
+ mountPath: /var/run/dbus
+ resources:
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ requests:
+ cpu: 3m
+ memory: 20Mi
+{{- end }}
+ containers:
+ - image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+ name: {{ include "common.name" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command: ["./import.sh"]
+ workingDir: /testca/bin
+ env:
+{{- if .Values.global.tpm.enabled }}
+ - name: TPM_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: DATA_FOLDER
+ value: /testca/data/host_$(TPM_NODE_NAME)
+{{ else }}
+ - name: DATA_FOLDER
+ value: /testca/data
+{{- end }}
+ - name: SECRETS_FOLDER
+ value: /testca/secrets
+ volumeMounts:
+ - mountPath: /etc/localtime
+ name: localtime
+ readOnly: true
+ - name: {{ include "common.fullname" . }}-data
+ mountPath: /testca/data
+ - name: {{ include "common.fullname" . }}-dbus
+ mountPath: /var/run/dbus
+ - name: {{ include "common.fullname" . }}-secrets
+ mountPath: /testca/secrets
+ readOnly: true
+ resources: {{ include "common.resources" . | nindent 10 }}
+ nodeSelector:
+ {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end -}}
+ {{- if .Values.global.tpm.enabled }}
+ {{ (printf "%s: \"%s\"" .Values.global.tpm.nodeLabel .Values.global.tpm.nodeLabelValue) }}
+ {{- end -}}
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+ - name: {{ include "common.fullname" . }}-data
+ persistentVolumeClaim:
+ claimName: {{ include "common.release" . }}-aaf-sshsm
+ - name: {{ include "common.fullname" . }}-dbus
+ persistentVolumeClaim:
+ claimName: {{ include "common.release" . }}-aaf-sshsm-dbus
+ - name: {{ include "common.fullname" . }}-secrets
+ secret:
+ secretName: {{ include "common.release" . }}-aaf-sshsm
+ imagePullSecrets:
+ - name: "{{ include "common.namespace" . }}-docker-registry-key"
+
+{{- end -}}
diff --git a/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-testca/values.yaml b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-testca/values.yaml
new file mode 100644
index 0000000000..dd04c93bd7
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/charts/aaf-sshsm-testca/values.yaml
@@ -0,0 +1,61 @@
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+
+enabled: true
+
+#################################################################
+# Application configuration defaults.
+#################################################################
+# application image
+repository: nexus3.onap.org:10001
+image: onap/aaf/testcaservice:4.0.0
+pullPolicy: Always
+
+# flag to enable debugging - application support required
+debugEnabled: false
+
+# application configuration
+# Example:
+# default number of instances
+replicaCount: 1
+
+nodeSelector: {}
+
+affinity: {}
+
+ingress:
+ enabled: false
+
+# Configure resource requests and limits
+flavor: small
+resources:
+ small:
+ limits:
+ cpu: 50m
+ memory: 100Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ large:
+ limits:
+ cpu: 400m
+ memory: 1Gi
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ unlimited: {}
diff --git a/kubernetes/aaf/components/aaf-sshsm/requirements.yaml b/kubernetes/aaf/components/aaf-sshsm/requirements.yaml
new file mode 100644
index 0000000000..0704a2c9df
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: common
+ version: ~6.x-0
+ repository: '@local'
diff --git a/kubernetes/aaf/components/aaf-sshsm/resources/config/prk_passwd b/kubernetes/aaf/components/aaf-sshsm/resources/config/prk_passwd
new file mode 100644
index 0000000000..640b325898
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/resources/config/prk_passwd
@@ -0,0 +1 @@
+cHJpbWFyeXBhc3N3b3JkCg==
diff --git a/kubernetes/aaf/components/aaf-sshsm/resources/config/srk_handle b/kubernetes/aaf/components/aaf-sshsm/resources/config/srk_handle
new file mode 100644
index 0000000000..b8b9d8ddb0
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/resources/config/srk_handle
@@ -0,0 +1 @@
+MHg4MTAwMDAyMwo=
diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pv-data.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pv-data.yaml
new file mode 100644
index 0000000000..b566b11458
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/templates/pv-data.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.PV" (dict "dot" . "persistenceInfos" .Values.persistence.data) }}
diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pv-dbus.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pv-dbus.yaml
new file mode 100644
index 0000000000..b3e7f9fabd
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/templates/pv-dbus.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.PV" (dict "dot" . "suffix" "dbus" "persistenceInfos" .Values.persistence.dbus) }}
diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pvc-data.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pvc-data.yaml
new file mode 100644
index 0000000000..b8971cc03c
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/templates/pvc-data.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.PVC" (dict "dot" . "persistenceInfos" .Values.persistence.data) }}
diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/pvc-dbus.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/pvc-dbus.yaml
new file mode 100644
index 0000000000..7297d6f81d
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/templates/pvc-dbus.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "common.PVC" (dict "dot" . "suffix" "dbus" "persistenceInfos" .Values.persistence.dbus) }}
diff --git a/kubernetes/aaf/components/aaf-sshsm/templates/secret.yaml b/kubernetes/aaf/components/aaf-sshsm/templates/secret.yaml
new file mode 100644
index 0000000000..50b6f36cd3
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/templates/secret.yaml
@@ -0,0 +1,22 @@
+# Copyright 2018 Intel Corporation, Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.fullname" . }}
+ namespace: {{ include "common.namespace" . }}
+type: Opaque
+data:
+{{ (.Files.Glob "resources/config/*").AsSecrets | indent 2 }} \ No newline at end of file
diff --git a/kubernetes/aaf/components/aaf-sshsm/values.yaml b/kubernetes/aaf/components/aaf-sshsm/values.yaml
new file mode 100644
index 0000000000..30fb0d2f2f
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-sshsm/values.yaml
@@ -0,0 +1,84 @@
+# Copyright 2018 Intel Corporation, Inc
+# Modifications © 2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration defaults.
+#################################################################
+global:
+ nodePortPrefix: 302
+ # Readiness image
+ readinessRepository: oomk8s
+ readinessImage: readiness-check:2.0.2
+ # Ubuntu Init image
+ ubuntuInitRepository: registry.hub.docker.com
+ ubuntuInitImage: oomk8s/ubuntu-init:2.0.0
+ # Logging image
+ loggingRepository: docker.elastic.co
+ loggingImage: beats/filebeat:5.5.0
+ # BusyBox image
+ busyboxRepository: registry.hub.docker.com
+ busyboxImage: library/busybox:1.31
+ # Standard OOM
+ pullPolicy: "Always"
+ repository: "nexus3.onap.org:10001"
+
+ tpm:
+ enabled: false
+ # if enabled, nodeselector will use the below
+ # values in the nodeselector section of the pod
+ nodeLabel: "tpm-node"
+ nodeLabelValue: "true"
+ abrmd:
+ enabled: true
+ distcenter:
+ enabled: true
+ testca:
+ enabled: true
+ persistence: {}
+
+persistence:
+ enabled: true
+ data:
+ enabled: true
+ size: 10Mi
+ volumeReclaimPolicy: Retain
+ accessMode: ReadWriteOnce
+ mountSubPath: sshsm/data
+ dbus:
+ enabled: true
+ size: 10Mi
+ volumeReclaimPolicy: Retain
+ accessMode: ReadWriteOnce
+ mountSubPath: sshsm/dbus
+
+
+
+# Configure resource requests and limits
+resources:
+ small:
+ limits:
+ cpu: 20m
+ memory: 50Mi
+ requests:
+ cpu: 10m
+ memory: 10Mi
+ large:
+ limits:
+ cpu: 400m
+ memory: 1Gi
+ requests:
+ cpu: 10m
+ memory: 100Mi
+ unlimited: {}