summaryrefslogtreecommitdiffstats
path: root/kubernetes/common/certManagerCertificate
diff options
context:
space:
mode:
authorPiotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>2021-01-12 17:37:08 +0100
committerPiotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>2021-02-05 14:48:06 +0100
commit595710111489903aa963c028c364584cb5bebaa4 (patch)
tree4cdaf12041b840d138837dc04cc50e160836b135 /kubernetes/common/certManagerCertificate
parentf812cf9697596afd71b871aaff22fd22c599da74 (diff)
[COMMON] Create certManagerCertificate chart
- Create certManagerCertificate chart for Certificate template - Change default values for duration and renewBefore - Add creation Secret with keystore password - Use template in SDNC (add volumes and volumesMounts) Issue-ID: OOM-2568 Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> Change-Id: Ib70d91b599fa6813ed0a6d5b96206508f2fdafcf
Diffstat (limited to 'kubernetes/common/certManagerCertificate')
-rw-r--r--kubernetes/common/certManagerCertificate/Chart.yaml18
-rw-r--r--kubernetes/common/certManagerCertificate/requirements.yaml18
-rw-r--r--kubernetes/common/certManagerCertificate/templates/_certificate.tpl219
-rw-r--r--kubernetes/common/certManagerCertificate/values.yaml29
4 files changed, 284 insertions, 0 deletions
diff --git a/kubernetes/common/certManagerCertificate/Chart.yaml b/kubernetes/common/certManagerCertificate/Chart.yaml
new file mode 100644
index 0000000000..305d25251d
--- /dev/null
+++ b/kubernetes/common/certManagerCertificate/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+name: certManagerCertificate
+description: A Helm chart for Cert-Manager Certificate CRD template
+version: 7.0.0
diff --git a/kubernetes/common/certManagerCertificate/requirements.yaml b/kubernetes/common/certManagerCertificate/requirements.yaml
new file mode 100644
index 0000000000..6bcaed05a8
--- /dev/null
+++ b/kubernetes/common/certManagerCertificate/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: common
+ version: ~7.x-0
+ repository: 'file://../common'
diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
new file mode 100644
index 0000000000..4e43f621de
--- /dev/null
+++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
@@ -0,0 +1,219 @@
+{{/*#
+# Copyright © 2020-2021, Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.*/}}
+
+{{/*
+# This is a template for requesting a certificate from the cert-manager (https://cert-manager.io).
+#
+# To request a certificate following steps are to be done:
+# - create an object 'certificates' in the values.yaml
+# - create a file templates/certificates.yaml and invoke the function "certManagerCertificate.certificate".
+#
+# Here is an example of the certificate request for a component:
+#
+# Directory structure:
+# component
+# templates
+# certifictes.yaml
+# values.yaml
+#
+# To be added in the file certificates.yamll
+#
+# To be added in the file values.yaml
+# 1. Minimal version (certificates only in PEM format)
+# certificates:
+# - commonName: component.onap.org
+#
+# 2. Extended version (with defined own issuer and additional certificate format):
+# certificates:
+# - name: onap-component-certificate
+# secretName: onap-component-certificate
+# commonName: component.onap.org
+# dnsNames:
+# - component.onap.org
+# issuer:
+# group: certmanager.onap.org
+# kind: CMPv2Issuer
+# name: cmpv2-issuer-for-the-component
+# keystore:
+# outputType:
+# - p12
+# - jks
+# passwordSecretRef:
+# name: secret-name
+# key: secret-key
+#
+# Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined.
+# Other mandatory fields for the certificate definition do not have to be defined directly,
+# in that case they will be taken from default values.
+#
+# Default values are defined in file onap/values.yaml (see-> global.certificate.default)
+# and can be overriden during onap installation process.
+#
+*/}}
+
+{{- define "certManagerCertificate.certificate" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+
+{{- $certificates := $dot.Values.certificates -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global }}
+
+{{ range $i, $certificate := $certificates }}
+{{/*# General certifiacate attributes #*/}}
+{{- $name := include "common.fullname" $dot -}}
+{{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}}
+{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
+{{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}}
+{{- $renewBefore := default $subchartGlobal.certificate.default.renewBefore $certificate.renewBefore -}}
+{{- $duration := default $subchartGlobal.certificate.default.duration $certificate.duration -}}
+{{- $namespace := $dot.Release.Namespace -}}
+{{/*# SAN's #*/}}
+{{- $dnsNames := $certificate.dnsNames -}}
+{{- $ipAddresses := $certificate.ipAddresses -}}
+{{- $uris := $certificate.uris -}}
+{{- $emailAddresses := $certificate.emailAddresses -}}
+{{/*# Subject #*/}}
+{{- $subject := $subchartGlobal.certificate.default.subject -}}
+{{- if $certificate.subject -}}
+{{- $subject = $certificate.subject -}}
+{{- end -}}
+{{/*# Issuer #*/}}
+{{- $issuer := $subchartGlobal.certificate.default.issuer -}}
+{{- if $certificate.issuer -}}
+{{- $issuer = $certificate.issuer -}}
+{{- end -}}
+---
+{{- if $certificate.keystore }}
+ {{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}}
+ {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $passwordSecretRef.name }}
+ namespace: {{ $namespace }}
+type: Opaque
+stringData:
+ {{ $passwordSecretRef.key }}: {{ $password }}
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ $certName }}
+ namespace: {{ $namespace }}
+spec:
+ secretName: {{ $secretName }}
+ commonName: {{ $commonName }}
+ renewBefore: {{ $renewBefore }}
+ {{- if $duration }}
+ duration: {{ $duration }}
+ {{- end }}
+ subject:
+ organizations:
+ - {{ $subject.organization }}
+ countries:
+ - {{ $subject.country }}
+ localities:
+ - {{ $subject.locality }}
+ provinces:
+ - {{ $subject.province }}
+ organizationalUnits:
+ - {{ $subject.organizationalUnit }}
+ {{- if $dnsNames }}
+ dnsNames:
+ {{- range $dnsName := $dnsNames }}
+ - {{ $dnsName }}
+ {{- end }}
+ {{- end }}
+ {{- if $ipAddresses }}
+ ipAddresses:
+ {{- range $ipAddress := $ipAddresses }}
+ - {{ $ipAddress }}
+ {{- end }}
+ {{- end }}
+ {{- if $uris }}
+ uris:
+ {{- range $uri := $uris }}
+ - {{ $uri }}
+ {{- end }}
+ {{- end }}
+ {{- if $emailAddresses }}
+ emailAddresses:
+ {{- range $emailAddress := $emailAddresses }}
+ - {{ $emailAddress }}
+ {{- end }}
+ {{- end }}
+ issuerRef:
+ group: {{ $issuer.group }}
+ kind: {{ $issuer.kind }}
+ name: {{ $issuer.name }}
+ {{- if $certificate.keystore }}
+ keystores:
+ {{- range $outputType := $certificate.keystore.outputType }}
+ {{- if eq $outputType "p12" }}
+ {{- $outputType = "pkcs12" }}
+ {{- end }}
+ {{ $outputType }}:
+ create: true
+ passwordSecretRef:
+ name: {{ $certificate.keystore.passwordSecretRef.name }}
+ key: {{ $certificate.keystore.passwordSecretRef.key }}
+ {{- end }}
+ {{- end }}
+{{ end }}
+{{- end -}}
+
+{{- define "common.certManager.volumeMounts" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+ {{- range $i, $certificate := $dot.Values.certificates -}}
+ {{- $mountPath := $certificate.mountPath -}}
+- mountPath: {{ $mountPath }}
+ name: certmanager-certs-volume-{{ $i }}
+ {{- end -}}
+{{- end -}}
+
+{{- define "common.certManager.volumes" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- $certificates := $dot.Values.certificates -}}
+ {{- range $i, $certificate := $certificates -}}
+ {{- $name := include "common.fullname" $dot -}}
+ {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
+- name: certmanager-certs-volume-{{ $i }}
+ projected:
+ sources:
+ - secret:
+ name: {{ $certificatesSecretName }}
+ {{- if $certificate.keystore }}
+ items:
+ {{- range $outputType := $certificate.keystore.outputType }}
+ - key: keystore.{{ $outputType }}
+ path: keystore.{{ $outputType }}
+ - key: truststore.{{ $outputType }}
+ path: truststore.{{ $outputType }}
+ {{- end }}
+ - secret:
+ name: {{ $certificate.keystore.passwordSecretRef.name }}
+ items:
+ - key: {{ $certificate.keystore.passwordSecretRef.key }}
+ path: keystore.pass
+ - key: {{ $certificate.keystore.passwordSecretRef.key }}
+ path: truststore.pass
+ {{- end }}
+ {{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/certManagerCertificate/values.yaml b/kubernetes/common/certManagerCertificate/values.yaml
new file mode 100644
index 0000000000..d60cdf6cbe
--- /dev/null
+++ b/kubernetes/common/certManagerCertificate/values.yaml
@@ -0,0 +1,29 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+global:
+# default values for certificates
+ certificate:
+ default:
+ renewBefore: 720h #30 days
+ duration: 8760h #365 days
+ subject:
+ organization: "Linux-Foundation"
+ country: "US"
+ locality: "San-Francisco"
+ province: "California"
+ organizationalUnit: "ONAP"
+ issuer:
+ group: certmanager.onap.org
+ kind: CMPv2Issuer
+ name: cmpv2-issuer-onap