authorPiotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>2021-03-26 13:06:35 +0100
committerPiotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>2021-04-22 14:08:36 +0000
commit3267293a468d65a8bae755da77d2a48a9e25663a (patch)
tree542bc3419c8637b32baa7cb2b2db694b9cae10cd /kubernetes/platform/components/oom-cert-service/values.yaml
parent1b162638763115959a0960a1195618f571d5499b (diff)
[PLATFORM] Generate Cert-Service certs with Cert-Manager
Utilize Cert-Manager to secure communication between Cert-Service and its clients, adjust templates and configs. Issue-ID: OOM-2712 Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> Change-Id: I96426b1a184b4d254575e76d29214d9deda08cce Signed-off-by: Remigiusz Janeczek <remigiusz.janeczek@nokia.com>
Diffstat (limited to 'kubernetes/platform/components/oom-cert-service/values.yaml')
-rw-r--r--kubernetes/platform/components/oom-cert-service/values.yaml104
1 files changed, 81 insertions, 23 deletions
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index 537b025fb0..829d3a01d1 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml
@@ -79,38 +79,40 @@ cmpServers:
mountPath: /etc/onap/oom/certservice
tls:
+ issuer:
+ selfsigning:
+ name: &selfSigningIssuer cmpv2-selfsigning-issuer
+ ca:
+ name: &caIssuer cmpv2-ca-issuer
+ secret:
+ name: &caKeyPairSecret cmpv2-ca-key-pair
server:
secret:
- name: oom-cert-service-server-tls-secret
+ name: &serverSecret oom-cert-service-server-tls-secret
volume:
name: oom-cert-service-server-tls-volume
mountPath: /etc/onap/oom/certservice/certs/
client:
secret:
defaultName: oom-cert-service-client-tls-secret
- provider:
- secret:
- name: cmpv2-issuer-secret
envs:
keystore:
- jksName: certServiceServer-keystore.jks
- p12Name: certServiceServer-keystore.p12
- pemName: certServiceServer-keystore.pem
+ jksName: keystore.jks
+ p12Name: keystore.p12
+ pemName: tls.crt
truststore:
jksName: truststore.jks
- crtName: root.crt
- pemName: truststore.pem
+ crtName: ca.crt
+ pemName: tls.crt
httpsPort: 8443
# External secrets with credentials can be provided to override default credentials defined below,
# by uncommenting and filling appropriate *ExternalSecret value
credentials:
tls:
- keystorePassword: secret
- truststorePassword: secret
- #keystorePasswordExternalSecret:
- #truststorePasswordExternalSecret:
+ certificatesPassword: secret
+ #certificatesPasswordExternalSecret:
# Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled
cmp:
# Used only if cmpv2 testing is enabled
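Review bot: The rename of `keystorePassword`/`truststorePassword` and their `*ExternalSecret` keys to `certificatesPassword` under `credentials.tls` gives existing override files no signal that the old keys are no longer read. A deployment that previously supplied its own passwords or external secrets under the old names would presumably fall back to the committed default `certificatesPassword: secret` for every keystore and truststore. I would add a comment above the new key, for example `# Placeholder for test deployments only; override via certificatesPasswordExternalSecret. Replaces keystorePassword/truststorePassword, which are no longer read.` Separately, `envs.truststore.pemName` now equals `envs.keystore.pemName` (`tls.crt`); if the truststore PEM is meant to hold the CA, `ca.crt` looks like the intended value, so please confirm. The `tls` and `credentials` mappings continue outside this hunk.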
@@ -126,17 +128,11 @@ credentials:
# rv: unused
secrets:
- - uid: keystore-password
- name: '{{ include "common.release" . }}-keystore-password'
- type: password
- externalSecret: '{{ tpl (default "" .Values.credentials.tls.keystorePasswordExternalSecret) . }}'
- password: '{{ .Values.credentials.tls.keystorePassword }}'
- passwordPolicy: required
- - uid: truststore-password
- name: '{{ include "common.release" . }}-truststore-password'
+ - uid: certificates-password
+ name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}'
type: password
- externalSecret: '{{ tpl (default "" .Values.credentials.tls.truststorePasswordExternalSecret) . }}'
- password: '{{ .Values.credentials.tls.truststorePassword }}'
+ externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}'
+ password: '{{ .Values.credentials.tls.certificatesPassword }}'
passwordPolicy: required
# Below values are relevant only if global addTestingComponents flag is enabled
- uid: ejbca-server-client-iak
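Review bot: The `name` of the new `certificates-password` entry comes only from `.Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName`, with no fallback and without the `{{ include "common.release" . }}` prefix that the removed entries used. If that global is unset the Secret name presumably renders empty, and two releases in one namespace would resolve to the same password Secret. A fallback in the style of the client secret name in the last hunk would cover the unset case, e.g. `... .keystorePasswordSecretName | default (printf "%s-certificates-password" (include "common.release" .)) }}'`. The anchor `&certificatesPasswordSecretName` also captures the unrendered template string, so the aliases under `certificates[].keystore.passwordSecretRef.name` only work if the consuming template passes that field through `tpl`; this is not visible here and is worth confirming.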
@@ -155,3 +151,65 @@ secrets:
type: password
externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}'
password: '{{ .Values.credentials.cmp.ra.rv }}'
+
+# Certificates definitions
+certificates:
+ - name: selfsigned-cert
+ secretName: *caKeyPairSecret
+ isCA: true
+ commonName: root.com
+ subject:
+ organization: Root Company
+ country: PL
+ locality: Wroclaw
+ province: Dolny Slask
+ organizationalUnit: Root Org
+ issuer:
+ name: *selfSigningIssuer
+ kind: Issuer
+ - name: cert-service-server-cert
+ secretName: *serverSecret
+ commonName: oom-cert-service
+ dnsNames:
+ - oom-cert-service
+ - localhost
+ subject:
+ organization: certServiceServer org
+ country: PL
+ locality: Wroclaw
+ province: Dolny Slask
+ organizationalUnit: certServiceServer company
+ usages:
+ - server auth
+ - client auth
+ keystore:
+ outputType:
+ - jks
+ - p12
+ passwordSecretRef:
+ name: *certificatesPasswordSecretName
+ key: password
+ issuer:
+ name: *caIssuer
+ kind: Issuer
+ - name: cert-service-client-cert
+ secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}'
+ commonName: certServiceClient.com
+ subject:
+ organization: certServiceClient org
+ country: PL
+ locality: Wroclaw
+ province: Dolny Slask
+ organizationalUnit: certServiceClient company
+ usages:
+ - server auth
+ - client auth
+ keystore:
+ outputType:
+ - jks
+ passwordSecretRef:
+ name: *certificatesPasswordSecretName
+ key: password
+ issuer:
+ name: *caIssuer
+ kind: Issuer
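Review bot: Both `cert-service-server-cert` and `cert-service-client-cert` request `usages` of `server auth` and `client auth`, so each certificate is valid in the opposite role as well. If Cert-Service accepts any client certificate that chains to `cmpv2-ca-issuer`, the server's own keystore would also pass client authentication, and the shared client keystore carries a server-capable certificate. Unless a component really acts in both roles, I would narrow these to `- server auth` on the server entry and `- client auth` on the client entry. The `selfsigned-cert` CA entry sets no lifetime or renewal fields in this hunk; if the chart's certificate template supports them, stating them explicitly would document when the root in `cmpv2-ca-key-pair` rotates.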