authorSylvain Desbureaux <sylvain.desbureaux@orange.com>2021-02-16 11:51:30 +0100
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>2021-02-19 14:17:24 +0000
commitbc1f4be02ce5478762261e63a624e946b6f23629 (patch)
tree47c48c7e6314024cf5a42537d2f557ac60cbc452 /kubernetes/cli
parent69e8c90cb3c8171d397319b4339b3ce79da07b9c (diff)
[CLI] Retrieve certificates automatically
Instead of having hardcoded certificates, use certManager in order to retrieve them. Issue-ID: OOM-2684 Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com> Change-Id: I20df713b7552b27392407db985fd402c259874e4
Diffstat (limited to 'kubernetes/cli')
-rw-r--r--kubernetes/cli/requirements.yaml3
-rw-r--r--kubernetes/cli/resources/certificates/ocomp.pem49
-rw-r--r--kubernetes/cli/resources/configuration/lighttpd.conf55
-rw-r--r--kubernetes/cli/templates/configmap.yaml (renamed from kubernetes/cli/templates/secrets.yaml)13
-rw-r--r--kubernetes/cli/templates/deployment.yaml17
-rw-r--r--kubernetes/cli/values.yaml47
6 files changed, 119 insertions, 65 deletions
diff --git a/kubernetes/cli/requirements.yaml b/kubernetes/cli/requirements.yaml
index 1e08aaf3cd..2050d85f07 100644
--- a/kubernetes/cli/requirements.yaml
+++ b/kubernetes/cli/requirements.yaml
@@ -19,6 +19,9 @@ dependencies:
# a part of this chart's package and will not
# be published independently to a repo (at this point)
repository: '@local'
+ - name: certInitializer
+ version: ~7.x-0
+ repository: '@local'
- name: repositoryGenerator
version: ~7.x-0
repository: '@local'
diff --git a/kubernetes/cli/resources/certificates/ocomp.pem b/kubernetes/cli/resources/certificates/ocomp.pem
deleted file mode 100644
index 5321c65d21..0000000000
--- a/kubernetes/cli/resources/certificates/ocomp.pem
+++ /dev/null
@@ -1,49 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDDIyIm/AvmgI0A
-DDVZb6pe8Qlh9YHoGnm5I3S3dvu1YBT6jLvP7N1v1BAx6+xxg4RQ2v+WAxUwKgy3
-gSo2mhmBwPZGlhLX+IdbT+sb7Cl/xfB7kkegLsnWhlM4YEtlAQW8FYi9gMqssBiO
-lk6zlWqVrShNC566vpEURQOjU1CanZWMhXtYzw4gbMBGlrC54EtRwmn6a7Gp/avA
-FZ05c/7BQyfFq/jc7ttmaeNtYdFwPkuljdE/0h4ZtmZjY5hxrBkCHUXtf/obhxep
-q5PzR16MA1zwis+OHoadqm4qP8w9Wo7KNQo62Sm6zB4gbQO+qA/ZwcSHlJNPAavt
-7KB3lIN1AgMBAAECggEAcXtgJC3WOeGunkV7TRzchsREgZyGRNYIzftpqDxg27UZ
-3i+0FZKZoKxCEtYyNj2W2HLTyojWbKE3rgxG4WQyyzvNvXUPVlwpU5ghkaaA59bU
-KPkEAIrVRJXvlcyibAXxMNWRJSveMhli3qFY+aU+S/dchZnpYI7szk3odLZCHPfd
-7KWMOlm3RYUGo4XIXY9nqAgsgg0ml3s5NUoLwVtxtZFocEiLTxTuvjsirE+IVYNx
-kgGJ5EYpfCkAPQkNF+L27BHrrQpGdmQnCft3iqkGJa8+oPE0DY+TPoY1VNoPmKKg
-CTDouuaJQHq62MvkSj2EauHBshzzrL6UhW5FpqybIQKBgQDl40/jhvZ3i64rXUB+
-3GXFnSJuhG6ys/bHQBP+rtHCdyYlfgEe3ZjSKq16HNFErgUBXiVjR+VvPS2m/r9R
-zYCD9jJ9YYfAdcyo58kZZrut8atu94G0Un9hNz5nQ+hy9YNOsI8woJdCfw41jGcx
-A1hP05fDxw5Ozi2uZBhwI39keQKBgQDZTVbuASj4tMgsHHgpqVt0j6nD3t4kG5h5
-333arMmklsWrX1nnEHE73S72JO/sz0GJtAu7EpjMNkZlTmZz+U5geuhfrTLEGrti
-MG8o9VakLbxdZBVbpHznoY+bb6o5pW6jKyOR9jPuX5AhgAj8eeP5OOU5nHh/2wOG
-HMZyDak/3QKBgFTBI5j9Dy0v4Dy4mqiq1RKwRht809sqolb/dt+00Dzj9Lpp5Dve
-8xK5DVAyA61QgyPn89zQivQiGAyzaxHbs//y6tZy+LuqMpQrMGcfCx6sNMoqkjVL
-HQ9YcLddv/tyLMD8My54Zovrj++KHhlh5FM57YAOiWXgedMLsD7Xt4XxAoGBAJk8
-X6vQp5rSqUHqBZajdfm5gWa9l/rwdtKilraJGFz3cYdK4zP9NUyYyhALtiFReg7o
-J0mRcKy5LWUtJzRrPyjsI0es9Fqz2yX/r7O7ZpC6K9XTyPfqA6a4GHPtB6ZFEcMA
-ncHFU5OqUhI9npikP+40f/jjbVoEEPUW/53YIl0FAoGAR7g3so9iKRttgfMTpA3G
-U480A8tTxZpP3agmvGvOw8HuLXzjGU5P6cntFGNxg1fDOOi8Qf+726gowMDij2nK
-ACewXgS8aix8l0U/kzoUL4yUuc4AwobOMyefhCJ89hFaLRZn1LNKZIuNKcWApekh
-kxMQk6Ent5/OF/yYOsIzlLs=
------END PRIVATE KEY-----
------BEGIN CERTIFICATE-----
-MIIDXTCCAkWgAwIBAgIJAITRlPCTLzArMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
-BAYTAklOMQswCQYDVQQIDAJLQTEMMAoGA1UEBwwDQkxSMQwwCgYDVQQKDANDTEkx
-DTALBgNVBAMMBG9uYXAwHhcNMjAwMjIxMTAyOTM4WhcNNDcwNzA4MTAyOTM4WjBF
-MQswCQYDVQQGEwJJTjELMAkGA1UECAwCS0ExDDAKBgNVBAcMA0JMUjEMMAoGA1UE
-CgwDQ0xJMQ0wCwYDVQQDDARvbmFwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-CgKCAQEAwyMiJvwL5oCNAAw1WW+qXvEJYfWB6Bp5uSN0t3b7tWAU+oy7z+zdb9QQ
-MevscYOEUNr/lgMVMCoMt4EqNpoZgcD2RpYS1/iHW0/rG+wpf8Xwe5JHoC7J1oZT
-OGBLZQEFvBWIvYDKrLAYjpZOs5Vqla0oTQueur6RFEUDo1NQmp2VjIV7WM8OIGzA
-RpawueBLUcJp+muxqf2rwBWdOXP+wUMnxav43O7bZmnjbWHRcD5LpY3RP9IeGbZm
-Y2OYcawZAh1F7X/6G4cXqauT80dejANc8IrPjh6GnapuKj/MPVqOyjUKOtkpuswe
-IG0DvqgP2cHEh5STTwGr7eygd5SDdQIDAQABo1AwTjAdBgNVHQ4EFgQUP0Dxq/ZI
-TM5F62E87YD+09zk+7wwHwYDVR0jBBgwFoAUP0Dxq/ZITM5F62E87YD+09zk+7ww
-DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAqPlrvhP2ah4z5sDw/z31
-5v/20VKfQVDDeq3MHXRC2QCD3GR32aZYXSdtTKsBAS+jFzV42+T8ry0XBKPR0gtg
-O2oZzfUkTG3eyAmOE1PFUIf+JaQiYN1v5uFsIhDbMngzvB66F9SCD5zzsSVv++DG
-5YDqJFgHadp8BmTOkiA8u6YnnKF8UgBYwfuZFsSgzIDOjyLYULase+nqJVG841UN
-MMWQzqyhHmzIvXcY3kYBbtI7n0ryW0u1ZkomBZs/DbixZ2w6G1K3UONHgdIX6uf4
-hca+vTR3xZuPJ9dXhwNhZVfQZr3SfGW89Xmu/LOGx+lZoAxFXw5PdbA0LPi5k+wU
-xg==
------END CERTIFICATE-----
diff --git a/kubernetes/cli/resources/configuration/lighttpd.conf b/kubernetes/cli/resources/configuration/lighttpd.conf
new file mode 100644
index 0000000000..0809868b35
--- /dev/null
+++ b/kubernetes/cli/resources/configuration/lighttpd.conf
@@ -0,0 +1,55 @@
+{{/*
+# Copyright 2018 Huawei Technologies Co., Ltd.
+# Copyright 2021 Huawei Technologies Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+server.document-root = "/var/www-data/servers/open-cli/"
+server.username = "www-data"
+server.groupname = "www-data"
+server.port = 443
+ssl.engine = "enable"
+ssl.pemfile = "{{ .Values.certInitializer.credsPath }}/certs/fullchain.pem"
+
+mimetype.assign = (
+ ".html" => "text/html",
+ ".txt" => "text/plain",
+ ".jpg" => "image/jpeg",
+ ".png" => "image/png"
+)
+
+index-file.names = ( "index.html" )
+dir-listing.activate = "disable"
+
+
+server.modules = (
+ "mod_access",
+ "mod_proxy",
+ "mod_alias",
+ "mod_compress",
+ "mod_redirect",
+# "mod_rewrite",
+)
+
+#server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
+server.errorlog = "/var/log/lighttpd/error.log"
+server.pid-file = "/var/run/lighttpd.pid"
+#compress.cache-dir = "/var/cache/lighttpd/compress/"
+#compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )
+
+# default listening port for IPv6 falls back to the IPv4 port
+## Use ipv6 if available
+#include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
+#include_shell "/usr/share/lighttpd/create-mime.assign.pl"
+#include_shell "/usr/share/lighttpd/include-conf-enabled.pl" \ No newline at end of file
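Review bot: The HTTPS listener on `server.port = 443` configures only `ssl.engine` and `ssl.pemfile`, with no cipher list or protocol minimum, so what lighttpd negotiates is decided by the build defaults of whichever version the image carries. If that is not intentional, pin it next to `ssl.pemfile` with `ssl.cipher-list` (and `ssl.openssl.ssl-conf-cmd` where the lighttpd version in the image supports it) and say so in a comment. The file also ends without a newline, and the commented `compress.cache-dir` and `include_shell` lines read like leftovers from a distribution default rather than deliberate choices; either a one-line comment saying why they are disabled or removing them would help.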
diff --git a/kubernetes/cli/templates/secrets.yaml b/kubernetes/cli/templates/configmap.yaml
index 213b709026..ae515a0ec5 100644
--- a/kubernetes/cli/templates/secrets.yaml
+++ b/kubernetes/cli/templates/configmap.yaml
@@ -1,11 +1,11 @@
{{/*
-# Copyright 2020 Huawei Technologies Co., Ltd.
+# Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
@@ -15,17 +15,14 @@
*/}}
apiVersion: v1
-kind: Secret
+kind: ConfigMap
metadata:
- name: ocomp-pem
+ name: {{ include "common.fullname" . }}-lighttpd
namespace: {{ include "common.namespace" . }}
labels:
app: {{ include "common.name" . }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
release: {{ include "common.release" . }}
heritage: {{ .Release.Service }}
-type: Opaque
data:
- ocomp.pem:
-{{ tpl (.Files.Glob "resources/certificates/ocomp.pem").AsSecrets . | indent 2 }}
-
+{{ tpl (.Files.Glob "resources/configuration/*").AsConfig . | indent 2 }} \ No newline at end of file
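Review bot: `(.Files.Glob "resources/configuration/*").AsConfig` renders every file under `resources/configuration/` into this ConfigMap, which is not a secret object, so anything dropped into that directory later becomes readable by anyone who can read ConfigMaps in the namespace; a comment such as `# every file under resources/configuration/ is rendered into this (non-secret) ConfigMap` above the line would record that. The rendered manifest also loses its trailing newline with this change.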
diff --git a/kubernetes/cli/templates/deployment.yaml b/kubernetes/cli/templates/deployment.yaml
index 74b2d2df37..735308754f 100644
--- a/kubernetes/cli/templates/deployment.yaml
+++ b/kubernetes/cli/templates/deployment.yaml
@@ -35,6 +35,7 @@ spec:
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
spec:
+ initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
containers:
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
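Review bot: `initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}` does not trim the space before the action, while the `volumeMounts:` line in the second hunk uses `{{-`, and the `volumes:` line in the third hunk is untrimmed again. With `nindent` the leading newline comes from the filter, so the untrimmed forms render `initContainers: ` and `volumes: ` with a trailing space, harmless to the YAML parser but inconsistent and flagged by yamllint; use `{{-` in all three: `initContainers: {{- include "common.certInitializer.initContainer" . | nindent 6 }}` and `volumes: {{- include "common.certInitializer.volumes" . | nindent 6 }}`. Whether the mount added by `common.certInitializer.volumeMount`, which carries the key material, is read-only is decided in the shared template rather than here and is worth confirming.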
@@ -56,10 +57,10 @@ spec:
port: {{ .Values.service.internalPort }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
- volumeMounts:
- - name: ocomp-pem
- mountPath: "/etc/lighttpd/ocomp.pem"
- subPath: ocomp.pem
+ volumeMounts: {{- include "common.certInitializer.volumeMount" . | nindent 10 }}
+ - name: lighttpd
+ mountPath: "/etc/lighttpd/lighttpd.conf"
+ subPath: lighttpd.conf
readOnly: true
env:
- name: OPEN_CLI_MODE
@@ -74,9 +75,9 @@ spec:
affinity:
{{ toYaml .Values.affinity | indent 10 }}
{{- end }}
- volumes:
- - name: ocomp-pem
- secret:
- secretName: ocomp-pem
+ volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
+ - name: lighttpd
+ configMap:
+ name: {{ include "common.fullname" . }}-lighttpd
imagePullSecrets:
- name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/cli/values.yaml b/kubernetes/cli/values.yaml
index 6e711c51c0..85b18388b4 100644
--- a/kubernetes/cli/values.yaml
+++ b/kubernetes/cli/values.yaml
@@ -17,6 +17,53 @@
#################################################################
global:
nodePortPrefix: 302
+
+#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+ nameOverride: cli-cert-initializer
+ aafDeployFqi: deployer@people.osaaf.org
+ aafDeployPass: demo123456!
+ # aafDeployCredsExternalSecret: some secret
+ fqdn: "cli"
+ app_ns: "org.osaaf.aaf"
+ fqi_namespace: "org.onap.cli"
+ fqi: "cli@cli.onap.org"
+ public_fqdn: "aaf.osaaf.org"
+ cadi_longitude: "0.0"
+ cadi_latitude: "0.0"
+ credsPath: /opt/app/osaaf/local
+ aaf_add_config: |
+ echo "*** retrieving password for keystore and trustore"
+ export $(/opt/app/aaf_config/bin/agent.sh local showpass \
+ {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0)
+ if [ -z "$cadi_keystore_password_p12" ]
+ then
+ echo " /!\ certificates retrieval failed"
+ exit 1
+ else
+ echo "*** transform AAF certs into pem files"
+ mkdir -p {{ .Values.credsPath }}/certs
+ keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \
+ -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \
+ -alias ca_local_0 \
+ -storepass $cadi_truststore_password
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** generating needed file"
+ cat {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
+ {{ .Values.credsPath }}/certs/cert.pem \
+ {{ .Values.credsPath }}/certs/cacert.pem \
+ > {{ .Values.credsPath }}/certs/fullchain.pem;
+ cat {{ .Values.credsPath }}/certs/fullchain.pem
+ echo "*** change ownership of certificates to targeted user"
+ chown -R 33 {{ .Values.credsPath }}
+ fi
+
+
#################################################################
# Application configuration defaults.
#################################################################
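Review bot: `cat {{ .Values.credsPath }}/certs/fullchain.pem` in `aaf_add_config` prints the bundle that was just built with `{{ .Values.fqi_namespace }}.key` in front, so the private key ends up in the init container's stdout and in whatever collects pod logs. Drop that line, or replace it with a check that shows only public material, e.g. `openssl x509 -in {{ .Values.credsPath }}/certs/cert.pem -noout -subject -enddate`. `chown -R 33 {{ .Values.credsPath }}` changes ownership of the key material but not its mode, so readability by other users stays whatever it was when the files were written; a `chmod 600 {{ .Values.credsPath }}/certs/fullchain.pem` next to it would make the intent explicit. `aafDeployPass: demo123456!` ships a deployer credential as a chart default and the commented `# aafDeployCredsExternalSecret: some secret` is the only hint at the alternative, so a comment such as `# demo default; set aafDeployCredsExternalSecret to an existing secret for real deployments` would help. The two blank lines closing the block are one more than the rest of the file uses between sections.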