diff options
author | Jan Malkiewicz <jan.malkiewicz@nokia.com> | 2020-11-18 11:31:06 +0100 |
---|---|---|
committer | Jan Malkiewicz <jan.malkiewicz@nokia.com> | 2020-12-03 05:56:27 +0000 |
commit | 741fb0b880f98e2859dc996c17394a7352ba3cfd (patch) | |
tree | 6bb03f05752ac4018408f4cdfb0d24030f67c320 /kubernetes/platform/components/cmpv2-cert-provider | |
parent | c6b46889bd9a72f85a06b8ce29b854ac1f922ca7 (diff) |
[CMPv2-CERT-PROVIDER] Add helm chart for K8s external provider
Cert Service K8s external provider ia a part of certificate distribution infrastructure in ONAP.
The main functionality of the provider is to forward Certificate Signing Requests (CSRs) created by cert-mananger (https://cert-manager.io) to CertServiceAPI.
More information can found on a dedicated page: https://wiki.onap.org/display/DW/CertService+and+K8s+Cert-Manager+integration.
Issue-ID: OOM-2560
Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com>
Change-Id: Ibc94d5db5cac9649d47143406b47ce179beddd14
Diffstat (limited to 'kubernetes/platform/components/cmpv2-cert-provider')
9 files changed, 584 insertions, 0 deletions
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/.helmignore b/kubernetes/platform/components/cmpv2-cert-provider/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/kubernetes/platform/components/cmpv2-cert-provider/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml b/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml new file mode 100644 index 0000000000..38446f1bfa --- /dev/null +++ b/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright © 2020 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: ONAP CMPv2 certificate external provider for cert-manager +name: cmpv2-cert-provider +version: 7.0.0 diff --git a/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml b/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml new file mode 100644 index 0000000000..0bc24afe86 --- /dev/null +++ b/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml @@ -0,0 +1,138 @@ +# ============LICENSE_START======================================================= +# Copyright (c) 2020 Nokia +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: cmpv2issuers.certmanager.onap.org +spec: + group: certmanager.onap.org + names: + kind: CMPv2Issuer + listKind: CMPv2IssuerList + plural: cmpv2issuers + singular: cmpv2issuer + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + description: CMPv2Issuer is the Schema for the cmpv2issuers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/cmpv2api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/cmpv2api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CMPv2IssuerSpec defines the desired state of CMPv2Issuer + properties: + url: + description: URL to CertService API. + type: string + healthEndpoint: + description: Path of health check endpoint. + type: string + certEndpoint: + description: Path of cerfificate signing enpoint. + type: string + caName: + description: Name of the external CA server configured on CertService API side. + type: string + certSecretRef: + description: Reference to K8s secret which contains certificate, private key and CA certificate + needed to connect to CertService API (which requires client certificate authentication) + properties: + name: + description: The name of K8s secret to select certificates from. Secret must be in the same + namespace as CMPv2Issuer. + type: string + keyRef: + description: The key of the secret to select private key from. Must be a + valid secret key. + type: string + certRef: + description: The key of the secret to select cert from. Must be a + valid secret key. + type: string + cacertRef: + description: The key of the secret to select cacert from. Must be a + valid secret key. + type: string + required: + - name + - keyRef + - certRef + - cacertRef + type: object + required: + - url + - healthEndpoint + - certEndpoint + - caName + - certSecretRef + type: object + status: + description: CMPv2IssuerStatus defines the observed state of CMPv2Issuer + properties: + conditions: + items: + description: CMPv2IssuerCondition contains condition information for + the certservice issuer. + properties: + lastTransitionTime: + description: LastTransitionTime is the timestamp corresponding + to the last status change of this condition. + format: date-time + type: string + message: + description: Message is a human readable description of the details + of the last transition, complementing reason. + type: string + reason: + description: Reason is a brief machine readable explanation for + the condition's last transition. + type: string + status: + allOf: + - enum: + - "True" + - "False" + - Unknown + description: Status of the condition, one of ('True', 'False', + 'Unknown'). + type: string + type: + description: Type of the condition, currently ('Ready'). + enum: + - Ready + type: string + required: + - status + - type + type: object + type: array + type: object + type: object diff --git a/kubernetes/platform/components/cmpv2-cert-provider/requirements.yaml b/kubernetes/platform/components/cmpv2-cert-provider/requirements.yaml new file mode 100644 index 0000000000..def35866d7 --- /dev/null +++ b/kubernetes/platform/components/cmpv2-cert-provider/requirements.yaml @@ -0,0 +1,17 @@ +# Copyright © 2020 Nokia +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + dependencies: + - name: common + version: ~7.x-0 + repository: '@local' diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml new file mode 100644 index 0000000000..9ba61a5f57 --- /dev/null +++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml @@ -0,0 +1,34 @@ +{{ if .Values.global.CMPv2CertManagerIntegration }} + +# ============LICENSE_START======================================================= +# Copyright (c) 2020 Nokia +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +apiVersion: certmanager.onap.org/v1 +kind: CMPv2Issuer +metadata: + name: {{ .Values.cmpv2issuer.name }} + namespace: {{ include "common.namespace" . }} +spec: + url: {{ .Values.cmpv2issuer.url }} + healthEndpoint: {{ .Values.cmpv2issuer.healthcheckEndpoint }} + certEndpoint: {{ .Values.cmpv2issuer.certEndpoint }} + caName: {{ .Values.cmpv2issuer.caName }} + certSecretRef: + name: {{ .Values.cmpv2issuer.certSecretRef.name }} + keyRef: {{ .Values.cmpv2issuer.certSecretRef.keyRef }} + certRef: {{ .Values.cmpv2issuer.certSecretRef.certRef }} + cacertRef: {{ .Values.cmpv2issuer.certSecretRef.cacertRef }} +{{ end }} diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml new file mode 100644 index 0000000000..3f0027f1be --- /dev/null +++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml @@ -0,0 +1,71 @@ +{{ if .Values.global.CMPv2CertManagerIntegration }} + +# ============LICENSE_START======================================================= +# Copyright (c) 2020 Nokia +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + control-plane: controller-manager + name: {{ include "common.fullname" . }} + namespace: {{ include "common.namespace" . }} +spec: + replicas: 1 + selector: + matchLabels: + control-plane: controller-manager + template: + metadata: + labels: + control-plane: controller-manager + spec: + containers: + - name: {{ .Values.deploymentProxy.name }} + image: {{ .Values.deploymentProxy.image }} + imagePullPolicy: {{ .Values.deploymentProxy.pullPolicy }} + args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=10 + ports: + - containerPort: 8443 + name: https + resources: + limits: + cpu: {{ .Values.deploymentProxy.resources.limits.cpu }} + memory: {{ .Values.deploymentProxy.resources.limits.memory }} + requests: + cpu: {{ .Values.deploymentProxy.resources.requests.cpu }} + memory: {{ .Values.deploymentProxy.resources.requests.memory }} + - name: provider + image: {{ .Values.global.repository }}{{if .Values.global.repository }}/{{ end }}{{ .Values.deployment.image }} + imagePullPolicy: {{ .Values.deployment.pullPolicy }} + command: + - /oom-certservice-cmpv2issuer + args: + - --metrics-addr=127.0.0.1:8080 + - --log-level={{ .Values.deployment.logLevel }} + resources: + limits: + cpu: {{ .Values.deployment.resources.limits.cpu }} + memory: {{ .Values.deployment.resources.limits.memory }} + requests: + cpu: {{ .Values.deployment.resources.requests.cpu }} + memory: {{ .Values.deployment.resources.requests.memory }} + terminationGracePeriodSeconds: 10 +{{ end }} diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml new file mode 100644 index 0000000000..add5622f41 --- /dev/null +++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml @@ -0,0 +1,167 @@ +{{ if .Values.global.CMPv2CertManagerIntegration }} + +# ============LICENSE_START======================================================= +# Copyright (c) 2020 Nokia +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cmpv2-issuer-leader-election-role + namespace: {{ include "common.namespace" . }} +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - update + - patch + - apiGroups: + - "" + resources: + - events + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cmpv2-issuer-manager-role +rules: + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - cert-manager.io + resources: + - certificaterequests + verbs: + - get + - list + - update + - watch + - apiGroups: + - cert-manager.io + resources: + - certificaterequests/status + verbs: + - get + - patch + - update + - apiGroups: + - certmanager.onap.org + resources: + - cmpv2issuers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - certmanager.onap.org + resources: + - cmpv2issuers/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cmpv2-issuer-proxy-role +rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cmpv2-issuer-leader-election-rolebinding + namespace: {{ include "common.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cmpv2-issuer-leader-election-role +subjects: + - kind: ServiceAccount + name: default + namespace: {{ include "common.namespace" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cmpv2-issuer-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cmpv2-issuer-manager-role +subjects: + - kind: ServiceAccount + name: default + namespace: {{ include "common.namespace" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cmpv2-issuer-proxy-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cmpv2-issuer-proxy-role +subjects: + - kind: ServiceAccount + name: default + namespace: {{ include "common.namespace" . }} +{{ end }} diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml new file mode 100644 index 0000000000..152bd68ba6 --- /dev/null +++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml @@ -0,0 +1,38 @@ +{{ if .Values.global.CMPv2CertManagerIntegration }} + +# ============LICENSE_START======================================================= +# Copyright (c) 2020 Nokia +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/port: "8443" + prometheus.io/scheme: https + prometheus.io/scrape: "true" + labels: + control-plane: controller-manager + name: {{ .Values.service.name }} + namespace: {{ include "common.namespace" . }} +spec: + type: {{ .Values.service.type }} + ports: + - name: {{ .Values.service.ports.name }} + port: {{ .Values.service.ports.port }} + targetPort: {{ .Values.service.ports.targetPort }} + selector: + control-plane: controller-manager +{{ end }} diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml new file mode 100644 index 0000000000..5ea763a812 --- /dev/null +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -0,0 +1,79 @@ +# Copyright © 2020, Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Global +global: + nodePortPrefix: 302 + readinessImage: onap/oom/readiness:3.0.1 + loggingRepository: docker.elastic.co + loggingImage: beats/filebeat:5.5.0 + busyboxRepository: registry.hub.docker.com + busyboxImage: library/busybox:latest + repository: "nexus3.onap.org:10001" + CMPv2CertManagerIntegration: false + +namespace: onap + +# Service configuration +service: + name: oom-certservice-cmpv2issuer-metrics-service + type: ClusterIP + ports: + name: https + port: 8443 + targetPort: https + +# Deployment configuration +deployment: + name: oom-certservice-cmpv2issuer + image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.3.0 + proxyImage: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 + # fol local development use IfNotPresent + pullPolicy: Always + logLevel: debug + resources: + limits: + cpu: 250m + memory: 128Mi + requests: + cpu: 100m + memory: 64Mi +deploymentProxy: + name: kube-rbac-proxy + image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 + pullPolicy: IfNotPresent + resources: + limits: + cpu: 250m + memory: 128Mi + requests: + cpu: 50m + memory: 32Mi + +# CMPv2Issuer +cmpv2issuer: + name: cmpv2-issuer-onap + url: https://oom-cert-service:8443 + healthcheckEndpoint: actuator/health + certEndpoint: v1/certificate + caName: RA + certSecretRef: + name: cmpv2-issuer-secret + certRef: certServiceServer-cert.pem + keyRef: certServiceServer-key.pem + cacertRef: truststore.pem + + + + |