author | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2021-02-16 10:29:00 +0100 |
committer | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2021-02-18 07:15:36 +0000 |
commit | e1b8ac66737bb1a9abecc57ca1733bfa630dc151 (patch) | |
tree | 519a11b39a7f06527b20ed01741b719f72cb524f /kubernetes/appc/components | |
parent | d316c397dacae3994fcd260cda14ce872f664581 (diff) |
[APPC][CDT] Automatically retrieve certificates
Instead of using hardcoded certificates in the container, use
certInitializer to retrieve them.
Issue-ID: OOM-2682
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: I93b7a1a0bddf2540e222ec4406d0cfd12f6f5e5e
Diffstat (limited to 'kubernetes/appc/components')
5 files changed, 134 insertions, 3 deletions
diff --git a/kubernetes/appc/components/appc-cdt/requirements.yaml b/kubernetes/appc/components/appc-cdt/requirements.yaml
index 5f5f1b145c..8fda7eb81d 100644
--- a/kubernetes/appc/components/appc-cdt/requirements.yaml
+++ b/kubernetes/appc/components/appc-cdt/requirements.yaml
@@ -16,6 +16,9 @@ dependencies:
 - name: common
 version: ~7.x-0
 repository: '@local'
+ - name: certInitializer
+ version: ~7.x-0
+ repository: '@local'
 - name: repositoryGenerator
 version: ~7.x-0
 repository: '@local'
diff --git a/kubernetes/appc/components/appc-cdt/resources/entrypoint/startCdt.sh b/kubernetes/appc/components/appc-cdt/resources/entrypoint/startCdt.sh
new file mode 100755
index 0000000000..b5fa5248fa
--- /dev/null
+++ b/kubernetes/appc/components/appc-cdt/resources/entrypoint/startCdt.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+###
+# ============LICENSE_START=======================================================
+# APPC
+# ================================================================================
+# Copyright (C) 2018-2019 AT&T Intellectual Property. All rights reserved.
+# Copyright (C) 2021 Orange Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+###
+
+if [ -z "$CDT_PORT" ]
+then
+ CDT_PORT="30232"
+fi
+echo "Setting CDT port to $CDT_PORT"
+sed -i -e "s/30290/$CDT_PORT/" /opt/cdt/main.bundle.js
+
+CDT_HOME=/opt/cdt; export CDT_HOME
+LOG_DIR=/opt/cdt/logs; export LOG_DIR
+MaxLogSize=3000000; export MaxLogSize
+PORT=18080; export PORT
+if [ -z "$HTTPS_KEY_FILE" ]
+then
+ HTTPS_KEY_FILE=/opt/cert/cdt-key.pem
+ export HTTPS_KEY_FILE
+fi
+if [ -z "$HTTPS_CERT_FILE" ]
+then
+ HTTPS_CERT_FILE=/opt/cert/cdt-cert.pem
+ export HTTPS_CERT_FILE
+fi
+echo "*** cert file: ${HTTPS_CERT_FILE}"
+echo "*** key file : ${HTTPS_KEY_FILE}"
+node $CDT_HOME/app/ndserver.js
\ No newline at end of file
diff --git a/kubernetes/appc/components/appc-cdt/templates/configmap.yaml b/kubernetes/appc/components/appc-cdt/templates/configmap.yaml
new file mode 100644
index 0000000000..fea0ec2f7a
--- /dev/null
+++ b/kubernetes/appc/components/appc-cdt/templates/configmap.yaml
@@ -0,0 +1,28 @@
+{{/*
+# Copyright © 2021 Orange. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.fullname" . }}-entrypoint
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/entrypoint/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/appc/components/appc-cdt/templates/deployment.yaml b/kubernetes/appc/components/appc-cdt/templates/deployment.yaml
index ebcabf5112..fb15897ae1 100644
--- a/kubernetes/appc/components/appc-cdt/templates/deployment.yaml
+++ b/kubernetes/appc/components/appc-cdt/templates/deployment.yaml
@@ -35,7 +35,7 @@ spec:
 app: {{ include "common.name" . }}
 release: {{ include "common.release" . }}
 spec:
- initContainers:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
 containers:
 - name: {{ include "common.name" . }}
 image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
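Review bot: The last line of startCdt.sh, `node $CDT_HOME/app/ndserver.js`, runs node as a child of the shell, so the SIGTERM the kubelet sends at pod termination reaches the shell rather than the server and node is likely only ended by the SIGKILL after the grace period; `exec node "$CDT_HOME/app/ndserver.js"` hands PID 1 to node and also quotes the path. The script prints the cert and key paths but never checks them, so a missing file from the init step is only discovered inside node; a guard such as `[ -r "$HTTPS_CERT_FILE" ] && [ -r "$HTTPS_KEY_FILE" ] || { echo "*** cert or key file not readable"; exit 1; }` before the launch fails the container with a clear message. The `sed -i -e "s/30290/$CDT_PORT/"` over main.bundle.js rewrites only the first 30290 on each line and matches that digit run wherever it appears, which is worth confirming against the bundle's layout. The file also ends without a trailing newline.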
@@ -65,10 +65,17 @@ spec:
 # for nodePort3. This value will be configured in appc main chart in appc-cdt section.
 - name: CDT_PORT
 value: "{{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.nodePort3 }}"
- volumeMounts:
+ - name: HTTPS_KEY_FILE
+ value: {{ .Values.certInitializer.credsPath }}/certs/key.pem
+ - name: HTTPS_CERT_FILE
+ value: {{ .Values.certInitializer.credsPath }}/certs/cert.pem
+ volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
 - mountPath: /etc/localtime
 name: localtime
 readOnly: true
+ - mountPath: /opt/startCdt.sh
+ name: entrypoint
+ subPath: startCdt.sh
 resources:
 {{ include "common.resources" . | indent 12 }}
 {{- if .Values.nodeSelector }}
@@ -79,9 +86,13 @@ spec:
 affinity:
 {{ toYaml .Values.affinity | indent 10 }}
 {{- end }}
- volumes:
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
 - name: localtime
 hostPath:
 path: /etc/localtime
+ - name: entrypoint
+ configMap:
+ name: {{ include "common.fullname" . }}-entrypoint
+ defaultMode: 0755
 imagePullSecrets:
 - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/appc/components/appc-cdt/values.yaml b/kubernetes/appc/components/appc-cdt/values.yaml
index b3dab719bd..3b1ff47116 100644
--- a/kubernetes/appc/components/appc-cdt/values.yaml
+++ b/kubernetes/appc/components/appc-cdt/values.yaml
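Review bot: The new entrypoint is mounted at `/opt/startCdt.sh` through a subPath, but no `command:` or `args:` appears in this hunk, so the script only takes effect if the image's own entrypoint is already that exact path; making it explicit with `command: ["/opt/startCdt.sh"]` keeps the override from silently depending on the image. The two added env values are bare template expressions, while the CDT_PORT value directly above quotes its expansion; for consistency write `value: "{{ .Values.certInitializer.credsPath }}/certs/key.pem"` and likewise for HTTPS_CERT_FILE. A subPath mount of a ConfigMap is not refreshed when the ConfigMap changes, which is acceptable for an entrypoint but deserves a one-line comment on the mount. The container spec this hunk edits begins before and continues after it.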
@@ -18,6 +18,48 @@ global: nodePortPrefix: 302 + +################################################################# +# AAF part +################################################################# + +# dependency / sub-chart configuration +certInitializer: + nameOverride: appc-cdt-cert-initializer + truststoreMountpath: /opt/onap/appc/data/stores + fqdn: "appc-cdt" + app_ns: "org.osaaf.aaf" + fqi: "appc-cdt@appc-cdt.onap.org" + fqi_namespace: org.onap.appc-cdt + public_fqdn: "appc-cdt.onap.org" + aafDeployFqi: "deployer@people.osaaf.org" + aafDeployPass: demo123456! + cadi_latitude: "38.0" + cadi_longitude: "-72.0" + credsPath: /opt/app/osaaf/local + aaf_add_config: | + echo "*** retrieving password for keystore" + export $(/opt/app/aaf_config/bin/agent.sh local showpass \ + {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) + if [ -z "$cadi_keystore_password_p12" ] + then + echo " /!\ certificates retrieval failed" + exit 1 + else + cd {{ .Values.credsPath }}; + mkdir -p certs; + echo "*** transform AAF certs into pem files" + mkdir -p {{ .Values.credsPath }}/certs + openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 + echo "*** copy key file" + cp {{ .Values.fqi_namespace }}.key certs/key.pem; + echo "*** change ownership of certificates to targeted user" + chown -R 1000 {{ .Values.credsPath }} + fi + ################################################################# # Application configuration defaults. ################################################################# |
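Review bot: In aaf_add_config only the empty-password case exits non-zero; the `openssl pkcs12` conversion and the `cp` of the key are unchecked, so a failed conversion still lets the init container succeed and the pod then starts without cert.pem or key.pem. The keystore password is also passed as `-passin pass:$cadi_keystore_password_p12`, which exposes it to anything that can list processes in the init container, while `-passin env:cadi_keystore_password_p12` reads it from the already exported variable; `-passout` does nothing with `-nokeys`. key.pem is copied without an explicit mode and `certs` is created twice, and `aafDeployPass: demo123456!` lands a credential in a committed values file — even as a demo default it should be clearly marked as such and be overridable from a secret rather than inline. Spacing inside the template expressions is mixed (`{{.Values.fqi}}` vs `{{ .Values.fqdn }}`).
```yaml
  aaf_add_config: |
    # … unchanged: showpass retrieval and empty-password check …
    else
      cd {{ .Values.credsPath }}
      mkdir -p certs
      echo "*** transform AAF certs into pem files"
      openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
        -nokeys -out certs/cert.pem \
        -passin env:cadi_keystore_password_p12 || exit 1
      echo "*** copy key file"
      cp {{ .Values.fqi_namespace }}.key certs/key.pem || exit 1
      chmod 600 certs/key.pem
      echo "*** change ownership of certificates to targeted user"
      chown -R 1000 {{ .Values.credsPath }}
    fi
```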