authorPiotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>2021-01-12 17:37:08 +0100
committerPiotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>2021-02-05 14:48:06 +0100
commit595710111489903aa963c028c364584cb5bebaa4 (patch)
tree4cdaf12041b840d138837dc04cc50e160836b135 /kubernetes/common
parentf812cf9697596afd71b871aaff22fd22c599da74 (diff)
[COMMON] Create certManagerCertificate chart
- Create certManagerCertificate chart for Certificate template - Change default values for duration and renewBefore - Add creation Secret with keystore password - Use template in SDNC (add volumes and volumesMounts) Issue-ID: OOM-2568 Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> Change-Id: Ib70d91b599fa6813ed0a6d5b96206508f2fdafcf
Diffstat (limited to 'kubernetes/common')
-rw-r--r--kubernetes/common/certManagerCertificate/Chart.yaml18
-rw-r--r--kubernetes/common/certManagerCertificate/requirements.yaml18
-rw-r--r--kubernetes/common/certManagerCertificate/templates/_certificate.tpl219
-rw-r--r--kubernetes/common/certManagerCertificate/values.yaml29
-rw-r--r--kubernetes/common/common/templates/_certificate.tpl192
5 files changed, 284 insertions, 192 deletions
diff --git a/kubernetes/common/certManagerCertificate/Chart.yaml b/kubernetes/common/certManagerCertificate/Chart.yaml
new file mode 100644
index 0000000000..305d25251d
--- /dev/null
+++ b/kubernetes/common/certManagerCertificate/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+name: certManagerCertificate
+description: A Helm chart for Cert-Manager Certificate CRD template
+version: 7.0.0
diff --git a/kubernetes/common/certManagerCertificate/requirements.yaml b/kubernetes/common/certManagerCertificate/requirements.yaml
new file mode 100644
index 0000000000..6bcaed05a8
--- /dev/null
+++ b/kubernetes/common/certManagerCertificate/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: common
+ version: ~7.x-0
+ repository: 'file://../common'
diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
new file mode 100644
index 0000000000..4e43f621de
--- /dev/null
+++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
@@ -0,0 +1,219 @@
+{{/*#
+# Copyright © 2020-2021, Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.*/}}
+
+{{/*
+# This is a template for requesting a certificate from the cert-manager (https://cert-manager.io).
+#
+# To request a certificate following steps are to be done:
+# - create an object 'certificates' in the values.yaml
+# - create a file templates/certificates.yaml and invoke the function "certManagerCertificate.certificate".
+#
+# Here is an example of the certificate request for a component:
+#
+# Directory structure:
+# component
+# templates
+# certifictes.yaml
+# values.yaml
+#
+# To be added in the file certificates.yamll
+#
+# To be added in the file values.yaml
+# 1. Minimal version (certificates only in PEM format)
+# certificates:
+# - commonName: component.onap.org
+#
+# 2. Extended version (with defined own issuer and additional certificate format):
+# certificates:
+# - name: onap-component-certificate
+# secretName: onap-component-certificate
+# commonName: component.onap.org
+# dnsNames:
+# - component.onap.org
+# issuer:
+# group: certmanager.onap.org
+# kind: CMPv2Issuer
+# name: cmpv2-issuer-for-the-component
+# keystore:
+# outputType:
+# - p12
+# - jks
+# passwordSecretRef:
+# name: secret-name
+# key: secret-key
+#
+# Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined.
+# Other mandatory fields for the certificate definition do not have to be defined directly,
+# in that case they will be taken from default values.
+#
+# Default values are defined in file onap/values.yaml (see-> global.certificate.default)
+# and can be overriden during onap installation process.
+#
+*/}}
+
+{{- define "certManagerCertificate.certificate" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+
+{{- $certificates := $dot.Values.certificates -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global }}
+
+{{ range $i, $certificate := $certificates }}
+{{/*# General certifiacate attributes #*/}}
+{{- $name := include "common.fullname" $dot -}}
+{{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}}
+{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
+{{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}}
+{{- $renewBefore := default $subchartGlobal.certificate.default.renewBefore $certificate.renewBefore -}}
+{{- $duration := default $subchartGlobal.certificate.default.duration $certificate.duration -}}
+{{- $namespace := $dot.Release.Namespace -}}
+{{/*# SAN's #*/}}
+{{- $dnsNames := $certificate.dnsNames -}}
+{{- $ipAddresses := $certificate.ipAddresses -}}
+{{- $uris := $certificate.uris -}}
+{{- $emailAddresses := $certificate.emailAddresses -}}
+{{/*# Subject #*/}}
+{{- $subject := $subchartGlobal.certificate.default.subject -}}
+{{- if $certificate.subject -}}
+{{- $subject = $certificate.subject -}}
+{{- end -}}
+{{/*# Issuer #*/}}
+{{- $issuer := $subchartGlobal.certificate.default.issuer -}}
+{{- if $certificate.issuer -}}
+{{- $issuer = $certificate.issuer -}}
+{{- end -}}
+---
+{{- if $certificate.keystore }}
+ {{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}}
+ {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $passwordSecretRef.name }}
+ namespace: {{ $namespace }}
+type: Opaque
+stringData:
+ {{ $passwordSecretRef.key }}: {{ $password }}
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ $certName }}
+ namespace: {{ $namespace }}
+spec:
+ secretName: {{ $secretName }}
+ commonName: {{ $commonName }}
+ renewBefore: {{ $renewBefore }}
+ {{- if $duration }}
+ duration: {{ $duration }}
+ {{- end }}
+ subject:
+ organizations:
+ - {{ $subject.organization }}
+ countries:
+ - {{ $subject.country }}
+ localities:
+ - {{ $subject.locality }}
+ provinces:
+ - {{ $subject.province }}
+ organizationalUnits:
+ - {{ $subject.organizationalUnit }}
+ {{- if $dnsNames }}
+ dnsNames:
+ {{- range $dnsName := $dnsNames }}
+ - {{ $dnsName }}
+ {{- end }}
+ {{- end }}
+ {{- if $ipAddresses }}
+ ipAddresses:
+ {{- range $ipAddress := $ipAddresses }}
+ - {{ $ipAddress }}
+ {{- end }}
+ {{- end }}
+ {{- if $uris }}
+ uris:
+ {{- range $uri := $uris }}
+ - {{ $uri }}
+ {{- end }}
+ {{- end }}
+ {{- if $emailAddresses }}
+ emailAddresses:
+ {{- range $emailAddress := $emailAddresses }}
+ - {{ $emailAddress }}
+ {{- end }}
+ {{- end }}
+ issuerRef:
+ group: {{ $issuer.group }}
+ kind: {{ $issuer.kind }}
+ name: {{ $issuer.name }}
+ {{- if $certificate.keystore }}
+ keystores:
+ {{- range $outputType := $certificate.keystore.outputType }}
+ {{- if eq $outputType "p12" }}
+ {{- $outputType = "pkcs12" }}
+ {{- end }}
+ {{ $outputType }}:
+ create: true
+ passwordSecretRef:
+ name: {{ $certificate.keystore.passwordSecretRef.name }}
+ key: {{ $certificate.keystore.passwordSecretRef.key }}
+ {{- end }}
+ {{- end }}
+{{ end }}
+{{- end -}}
+
+{{- define "common.certManager.volumeMounts" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+ {{- range $i, $certificate := $dot.Values.certificates -}}
+ {{- $mountPath := $certificate.mountPath -}}
+- mountPath: {{ $mountPath }}
+ name: certmanager-certs-volume-{{ $i }}
+ {{- end -}}
+{{- end -}}
+
+{{- define "common.certManager.volumes" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- $certificates := $dot.Values.certificates -}}
+ {{- range $i, $certificate := $certificates -}}
+ {{- $name := include "common.fullname" $dot -}}
+ {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
+- name: certmanager-certs-volume-{{ $i }}
+ projected:
+ sources:
+ - secret:
+ name: {{ $certificatesSecretName }}
+ {{- if $certificate.keystore }}
+ items:
+ {{- range $outputType := $certificate.keystore.outputType }}
+ - key: keystore.{{ $outputType }}
+ path: keystore.{{ $outputType }}
+ - key: truststore.{{ $outputType }}
+ path: truststore.{{ $outputType }}
+ {{- end }}
+ - secret:
+ name: {{ $certificate.keystore.passwordSecretRef.name }}
+ items:
+ - key: {{ $certificate.keystore.passwordSecretRef.key }}
+ path: keystore.pass
+ - key: {{ $certificate.keystore.passwordSecretRef.key }}
+ path: truststore.pass
+ {{- end }}
+ {{- end -}}
+{{- end -}}
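Review bot: In the Subject and Issuer blocks of "certManagerCertificate.certificate" a per-certificate `subject` or `issuer` now replaces the default mapping wholesale, so a component that sets only `issuer.name` renders `issuerRef` with empty `group:` and `kind:`, which presumably either fails CRD validation or makes cert-manager fall back to its own default issuer kind/group instead of the CMPv2 issuer the defaults intend; the deleted template merged the two maps. If wholesale replacement is not intentional, `{{- $issuer = mergeOverwrite (deepCopy $issuer) $certificate.issuer -}}` (and the same for `$subject`) keeps unset fields at their defaults, with `deepCopy` needed because `$issuer` aliases the merged global map and the loop body runs once per certificate. Separately, when `keystore` is set, `keystore.passwordSecretRef` is dereferenced for the generated Secret and again inside `keystores:` with no presence check, so an omitted value fails with a nil-pointer template error rather than a message; `{{- $passwordSecretRef := required "'keystore.passwordSecretRef' is required when keystore is set." $certificate.keystore.passwordSecretRef -}}` names the problem the way the existing `required` on `commonName` does. The header comment should also say that this template itself creates the Secret named by `passwordSecretRef.name`/`key` with a password from "common.createPassword", since the extended example otherwise reads as if the user pre-creates it.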
diff --git a/kubernetes/common/certManagerCertificate/values.yaml b/kubernetes/common/certManagerCertificate/values.yaml
new file mode 100644
index 0000000000..d60cdf6cbe
--- /dev/null
+++ b/kubernetes/common/certManagerCertificate/values.yaml
@@ -0,0 +1,29 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+global:
+# default values for certificates
+ certificate:
+ default:
+ renewBefore: 720h #30 days
+ duration: 8760h #365 days
+ subject:
+ organization: "Linux-Foundation"
+ country: "US"
+ locality: "San-Francisco"
+ province: "California"
+ organizationalUnit: "ONAP"
+ issuer:
+ group: certmanager.onap.org
+ kind: CMPv2Issuer
+ name: cmpv2-issuer-onap
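Review bot: The inline comments on `renewBefore: 720h #30 days` and `duration: 8760h #365 days` need at least two spaces before `#` (yamllint `comments`), and `# default values for certificates` is at column 0 under `global:` rather than at the indentation of the `certificate:` key it describes. Since these are the fallbacks every Certificate rendered by the sibling template takes when a component leaves `subject` or `issuer` unset, a one-line pointer to the override path would help a reader: `# Per-certificate overrides: .Values.certificates[].subject / .issuer (see templates/_certificate.tpl)`. A blank line between the license header and `global:` would also match the chart's other files in this commit.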
diff --git a/kubernetes/common/common/templates/_certificate.tpl b/kubernetes/common/common/templates/_certificate.tpl
deleted file mode 100644
index d3313b2bc1..0000000000
--- a/kubernetes/common/common/templates/_certificate.tpl
+++ /dev/null
@@ -1,192 +0,0 @@
-{{/*#
-# Copyright © 2020, Nokia
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.*/}}
-
-{{/*
-# This is a template for requesting a certificate from the cert-manager (https://cert-manager.io).
-#
-# To request a certificate following steps are to be done:
-# - create an object 'certificates' in the values.yaml
-# - create a file templates/certificates.yaml and invoke the function "commom.certificate".
-#
-# Here is an example of the certificate request for a component:
-#
-# Directory structure:
-# component
-# templates
-# certifictes.yaml
-# values.yaml
-#
-# To be added in the file certificates.yamll
-#
-# To be added in the file values.yaml
-# 1. Minimal version (certificates only in PEM format)
-# certificates:
-# - commonName: component.onap.org
-#
-# 2. Extended version (with defined own issuer and additional certificate format):
-# certificates:
-# - name: onap-component-certificate
-# secretName: onap-component-certificate
-# commonName: component.onap.org
-# dnsNames:
-# - component.onap.org
-# issuer:
-# group: certmanager.onap.org
-# kind: CMPv2Issuer
-# name: cmpv2-issuer-for-the-component
-# p12Keystore:
-# create: true
-# passwordSecretRef:
-# name: secret-name
-# key: secret-key
-# jksKeystore:
-# create: true
-# passwordSecretRef:
-# name: secret-name
-# key: secret-key
-#
-# Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined.
-# Other mandatory fields for the certificate definition do not have to be defined directly,
-# in that case they will be taken from default values.
-#
-# Default values are defined in file onap/values.yaml (see-> global.certificate.default)
-# and can be overriden during onap installation process.
-#
-*/}}
-
-{{- define "common.certificate" -}}
-{{- $dot := default . .dot -}}
-{{- $certificates := $dot.Values.certificates -}}
-
-{{ range $i, $certificate := $certificates }}
-{{/*# General certifiacate attributes #*/}}
-{{- $name := include "common.fullname" $dot -}}
-{{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}}
-{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
-{{- $commonName := default $dot.Values.global.certificate.default.commonName $certificate.commonName -}}
-{{- $renewBefore := default $dot.Values.global.certificate.default.renewBefore $certificate.renewBefore -}}
-{{- $duration := $certificate.duration -}}
-{{- $namespace := default $dot.Release.Namespace $dot.Values.global.certificate.default.namespace -}}
-{{- if $certificate.namespace -}}
-{{- $namespace = default $namespace $certificate.namespace -}}
-{{- end -}}
-{{/*# SAN's #*/}}
-{{- $dnsNames := default $dot.Values.global.certificate.default.dnsNames $certificate.dnsNames -}}
-{{- $ipAddresses := default $dot.Values.global.certificate.default.ipAddresses $certificate.ipAddresses -}}
-{{- $uris := default $dot.Values.global.certificate.default.uris $certificate.uris -}}
-{{- $emailAddresses := default $dot.Values.global.certificate.default.emailAddresses $certificate.emailAddresses -}}
-{{/*# Subject #*/}}
-{{- $subject := $dot.Values.global.certificate.default.subject -}}
-{{- if $certificate.subject -}}
-{{- $subject = mergeOverwrite $subject $certificate.subject -}}
-{{- end -}}
-{{/*# Issuer #*/}}
-{{- $issuer := $dot.Values.global.certificate.default.issuer -}}
-{{- if $certificate.issuer -}}
-{{- $issuer = mergeOverwrite $issuer $certificate.issuer -}}
-{{- end -}}
-{{/*# Keystores #*/}}
-{{- $createJksKeystore := $dot.Values.global.certificate.default.jksKeystore.create -}}
-{{- $jksKeystorePasswordSecretName := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.name -}}
-{{- $jksKeystorePasswordSecreKey := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.key -}}
-{{- $createP12Keystore := $dot.Values.global.certificate.default.p12Keystore.create -}}
-{{- $p12KeystorePasswordSecretName := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.name -}}
-{{- $p12KeystorePasswordSecreKey := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.key -}}
-{{- if $certificate.jksKeystore -}}
-{{- $createJksKeystore = default $createJksKeystore $certificate.jksKeystore.create -}}
-{{- if $certificate.jksKeystore.passwordSecretRef -}}
-{{- $jksKeystorePasswordSecretName = default $jksKeystorePasswordSecretName $certificate.jksKeystore.passwordSecretRef.name -}}
-{{- $jksKeystorePasswordSecreKey = default $jksKeystorePasswordSecreKey $certificate.jksKeystore.passwordSecretRef.key -}}
-{{- end -}}
-{{- end -}}
-{{- if $certificate.p12Keystore -}}
-{{- $createP12Keystore = default $createP12Keystore $certificate.p12Keystore.create -}}
-{{- if $certificate.p12Keystore.passwordSecretRef -}}
-{{- $p12KeystorePasswordSecretName = default $p12KeystorePasswordSecretName $certificate.p12Keystore.passwordSecretRef.name -}}
-{{- $p12KeystorePasswordSecreKey = default $p12KeystorePasswordSecreKey $certificate.p12Keystore.passwordSecretRef.key -}}
-{{- end -}}
-{{- end -}}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: {{ $certName }}
- namespace: {{ $namespace }}
-spec:
- secretName: {{ $secretName }}
- commonName: {{ $commonName }}
- renewBefore: {{ $renewBefore }}
- {{- if $duration }}
- duration: {{ $duration }}
- {{- end }}
- subject:
- organizations:
- - {{ $subject.organization }}
- countries:
- - {{ $subject.country }}
- localities:
- - {{ $subject.locality }}
- provinces:
- - {{ $subject.province }}
- organizationalUnits:
- - {{ $subject.organizationalUnit }}
- {{- if $dnsNames }}
- dnsNames:
- {{- range $dnsName := $dnsNames }}
- - {{ $dnsName }}
- {{- end }}
- {{- end }}
- {{- if $ipAddresses }}
- ipAddresses:
- {{- range $ipAddress := $ipAddresses }}
- - {{ $ipAddress }}
- {{- end }}
- {{- end }}
- {{- if $uris }}
- uris:
- {{- range $uri := $uris }}
- - {{ $uri }}
- {{- end }}
- {{- end }}
- {{- if $emailAddresses }}
- emailAddresses:
- {{- range $emailAddress := $emailAddresses }}
- - {{ $emailAddress }}
- {{- end }}
- {{- end }}
- issuerRef:
- group: {{ $issuer.group }}
- kind: {{ $issuer.kind }}
- name: {{ $issuer.name }}
- {{- if or $createJksKeystore $createP12Keystore }}
- keystores:
- {{- if $createJksKeystore }}
- jks:
- create: {{ $createJksKeystore }}
- passwordSecretRef:
- name: {{ $jksKeystorePasswordSecretName }}
- key: {{ $jksKeystorePasswordSecreKey }}
- {{- end }}
- {{- if $createP12Keystore }}
- pkcs12:
- create: {{ $createP12Keystore }}
- passwordSecretRef:
- name: {{ $p12KeystorePasswordSecretName }}
- key: {{ $p12KeystorePasswordSecreKey }}
- {{- end }}
- {{- end }}
-{{ end }}
-
-{{- end -}}