[PLATFORM] Generate Cert-Service certs with Cert-Manager

Utilize Cert-Manager to secure communication between
Cert-Service and its clients, adjust templates and
configs.

Issue-ID: OOM-2712
Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
Change-Id: I96426b1a184b4d254575e76d29214d9deda08cce
Signed-off-by: Remigiusz Janeczek <remigiusz.janeczek@nokia.com>

3 files changed, 23 insertions, 46 deletions

diff --git a/kubernetes/common/cmpv2Certificate/requirements.yaml b/kubernetes/common/cmpv2Certificate/requirements.yaml
index 87509d11bc..b10896d2ce 100644
--- a/kubernetes/common/cmpv2Certificate/requirements.yaml
+++ b/kubernetes/common/cmpv2Certificate/requirements.yaml
@@ -19,3 +19,6 @@ dependencies:
   - name: repositoryGenerator
     version: ~8.x-0
     repository: 'file://../repositoryGenerator'
+  - name: cmpv2Config
+    version: ~8.x-0
+    repository: 'file://../cmpv2Config'
diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
index 58cc9c7249..f80b06b4d3 100644
--- a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
+++ b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
@@ -62,7 +62,7 @@ There also need to be some includes used in a target component deployment (inden
 
 {{- define "common.certServiceClient.initContainer" -}}
 {{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
 {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
 {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
 {{- range $index, $certificate := $dot.Values.certificates -}}
@@ -97,11 +97,14 @@ There also need to be some includes used in a target component deployment (inden
 {{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}}
 {{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}}
 {{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}}
-{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.secret.mountPath -}}
-{{- $keystorePath := $subchartGlobal.platform.certServiceClient.envVariables.keystorePath -}}
-{{- $keystorePassword := $subchartGlobal.platform.certServiceClient.envVariables.keystorePassword -}}
-{{- $truststorePath := $subchartGlobal.platform.certServiceClient.envVariables.truststorePath -}}
-{{- $truststorePassword := $subchartGlobal.platform.certServiceClient.envVariables.truststorePassword -}}
+{{- $certificatesSecret:= $subchartGlobal.platform.certServiceClient.clientSecretName -}}
+{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath -}}
+{{- $keystorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.keystoreKeyRef ) -}}
+{{- $keystorePasswordSecret := $subchartGlobal.platform.certificates.keystorePasswordSecretName -}}
+{{- $keystorePasswordSecretKey := $subchartGlobal.platform.certificates.keystorePasswordSecretKey -}}
+{{- $truststorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.truststoreKeyRef ) -}}
+{{- $truststorePasswordSecret := $subchartGlobal.platform.certificates.truststorePasswordSecretName -}}
+{{- $truststorePasswordSecretKey := $subchartGlobal.platform.certificates.truststorePasswordSecretKey -}}
 - name: certs-init-{{ $index }}
   image: {{ include "repositoryGenerator.image.certserviceclient" $dot }}
   imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
@@ -133,11 +136,17 @@ There also need to be some includes used in a target component deployment (inden
     - name: KEYSTORE_PATH
       value: {{ $keystorePath | quote }}
     - name: KEYSTORE_PASSWORD
-      value: {{ $keystorePassword | quote }}
+      valueFrom:
+        secretKeyRef:
+          name: {{ $keystorePasswordSecret | quote}}
+          key: {{ $keystorePasswordSecretKey | quote}}
     - name: TRUSTSTORE_PATH
       value: {{ $truststorePath | quote }}
     - name: TRUSTSTORE_PASSWORD
-      value: {{ $truststorePassword | quote }}
+      valueFrom:
+        secretKeyRef:
+          name: {{ $truststorePasswordSecret | quote}}
+          key: {{ $truststorePasswordSecretKey | quote}}
   terminationMessagePath: /dev/termination-log
   terminationMessagePolicy: File
   volumeMounts:
@@ -151,10 +160,10 @@ There also need to be some includes used in a target component deployment (inden
 
 {{- define "common.certServiceClient.volumes" -}}
 {{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
 {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
 {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
-{{- $certificatesSecretName := $subchartGlobal.platform.certServiceClient.secret.name -}}
+{{- $certificatesSecretName := $subchartGlobal.platform.certificates.clientSecretName -}}
 - name: certservice-tls-volume
   secret:
     secretName: {{ $certificatesSecretName }}
@@ -168,7 +177,7 @@ There also need to be some includes used in a target component deployment (inden
 
 {{- define "common.certServiceClient.volumeMounts" -}}
 {{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
 {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
 {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
 {{- range $index, $certificate := $dot.Values.certificates -}}
diff --git a/kubernetes/common/cmpv2Certificate/values.yaml b/kubernetes/common/cmpv2Certificate/values.yaml
index b7531431c4..504947525d 100644
--- a/kubernetes/common/cmpv2Certificate/values.yaml
+++ b/kubernetes/common/cmpv2Certificate/values.yaml
@@ -11,38 +11,3 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-#################################################################
-# Global configuration default values that can be inherited by
-# all subcharts.
-#################################################################
-global:
-  # Enabling CMPv2
-  cmpv2Enabled: true
-  CMPv2CertManagerIntegration: false
-
-  certificate:
-    default:
-      subject:
-        organization: "Linux-Foundation"
-        country: "US"
-        locality: "San-Francisco"
-        province: "California"
-        organizationalUnit: "ONAP"
-
-  platform:
-    certServiceClient:
-      secret:
-        name: oom-cert-service-client-tls-secret
-        mountPath: /etc/onap/oom/certservice/certs/
-      envVariables:
-        certPath: "/var/custom-certs"
-        # Client configuration related
-        caName: "RA"
-        requestURL: "https://oom-cert-service:8443/v1/certificate/"
-        requestTimeout: "30000"
-        keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
-        outputType: "P12"
-        keystorePassword: "secret"
-        truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
-        truststorePassword: "secret"