author | Jan Malkiewicz <jan.malkiewicz@nokia.com> | 2020-11-18 11:31:06 +0100 |
---|---|---|
committer | Jan Malkiewicz <jan.malkiewicz@nokia.com> | 2020-12-03 05:56:27 +0000 |
commit | 741fb0b880f98e2859dc996c17394a7352ba3cfd (patch) | |
tree | 6bb03f05752ac4018408f4cdfb0d24030f67c320 /kubernetes/platform/components/oom-cert-service | |
parent | c6b46889bd9a72f85a06b8ce29b854ac1f922ca7 (diff) |
[CMPv2-CERT-PROVIDER] Add helm chart for K8s external provider
Cert Service K8s external provider is a part of the certificate distribution infrastructure in ONAP.
The main functionality of the provider is to forward Certificate Signing Requests (CSRs) created by cert-manager (https://cert-manager.io) to CertServiceAPI.
More information can be found on a dedicated page: https://wiki.onap.org/display/DW/CertService+and+K8s+Cert-Manager+integration.
Issue-ID: OOM-2560
Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com>
Change-Id: Ibc94d5db5cac9649d47143406b47ce179beddd14
Diffstat (limited to 'kubernetes/platform/components/oom-cert-service')
6 files changed, 60 insertions, 6 deletions
diff --git a/kubernetes/platform/components/oom-cert-service/.gitignore b/kubernetes/platform/components/oom-cert-service/.gitignore
new file mode 100644
index 0000000000..d5e121c17d
--- /dev/null
+++ b/kubernetes/platform/components/oom-cert-service/.gitignore
@@ -0,0 +1,5 @@
+resources/*.jks
+resources/*.pem
+resources/*.p12
+resources/*.crt
+resources/*.csr
diff --git a/kubernetes/platform/components/oom-cert-service/.helmignore b/kubernetes/platform/components/oom-cert-service/.helmignore
index 50af031725..5d9272cd5d 100644
--- a/kubernetes/platform/components/oom-cert-service/.helmignore
+++ b/kubernetes/platform/components/oom-cert-service/.helmignore
@@ -20,3 +20,4 @@
 .idea/
 *.tmproj
 .vscode/
+
diff --git a/kubernetes/platform/components/oom-cert-service/Makefile b/kubernetes/platform/components/oom-cert-service/Makefile
index 736a19fbd4..ea0cb8aae4 100644
--- a/kubernetes/platform/components/oom-cert-service/Makefile
+++ b/kubernetes/platform/components/oom-cert-service/Makefile
@@ -19,6 +19,10 @@ all: start_docker \
 server_import_root_certificate \
 server_convert_certificate_to_jks \
 server_convert_certificate_to_p12 \
+ convert_truststore_to_p12 \
+ convert_truststore_to_pem \
+ server_export_certificate_to_pem \
+ server_export_key_to_pem \
 clear_unused_files \
 stop_docker
 
@@ -32,7 +36,7 @@ start_docker:
 $(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE))
 $(eval USERNAME :=$(shell id -u))
 $(eval GROUP :=$(shell id -g))
- docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/app -w /app --entrypoint "sh" -td $(FULL_JAVA_IMAGE)
+ docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/certs -w /certs --entrypoint "sh" -td $(FULL_JAVA_IMAGE)
 
 # Stops docker container for generating certificates. 'true' is used to return 0 status code, if container is already deleted
 stop_docker:
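Review bot: The four prerequisites added to the `all:` list are ordered only by their position in that list — `convert_truststore_to_pem` consumes the `truststore.p12` written by `convert_truststore_to_p12`, both export targets read the `certServiceServer-keystore.p12` produced by `server_convert_certificate_to_p12`, and `clear_unused_files` later deletes `truststore.p12` — and GNU make does not honour list order under `-j`. Declaring the edges explicitly, e.g. `convert_truststore_to_pem: convert_truststore_to_p12` and `server_export_certificate_to_pem server_export_key_to_pem: server_convert_certificate_to_p12`, makes the chain safe; since every step runs inside the one shared container, a single `.NOTPARALLEL:` is the smaller change and also covers the pre-existing steps that share the same assumption. The `all:` rule header is the hunk's context line, and its recipe-less body continues past the visible prerequisites.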
@@ -46,7 +50,7 @@ clear_all:
 #Clear certificates
 clear_existing_certificates:
 @echo "Clear certificates"
- ${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12
+ ${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 truststore.pem certServiceServer-cert.pem certServiceServer-key.pem
 @echo "#####done#####"
 
 #Generate root private and public keys
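Review bot: `clear_existing_certificates` now removes the three generated PEM files but still leaves the intermediate `truststore.p12` to `clear_unused_files` (in a later hunk), so a run that aborted between `convert_truststore_to_p12` and `clear_unused_files` leaves a stale `truststore.p12` behind, and `keytool -importkeystore` may then prompt before overwriting an existing alias in the destination keystore and stall the non-interactive `docker exec`. Adding `truststore.p12` to this `rm -f` list, or passing `-noprompt` to that keytool call, avoids the hang. The fixed list of names on this line must also be kept in sync with the `.gitignore` patterns added in this commit; `rm -f *.pem *.p12` inside the certs directory would cover the same files with less to maintain, if nothing else in that directory must survive.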
@@ -146,8 +150,34 @@ server_convert_certificate_to_p12:
 -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
 @echo "#####done#####"
 
+#Convert truststore(.jks) to PCKS12 format(.p12)
+convert_truststore_to_p12:
+ @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
+ ${DOCKER_EXEC} keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \
+ -destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret
+ @echo "#####done#####"
+
+#Convert truststore(.p12) to PEM format(.pem)
+convert_truststore_to_pem:
+ @echo "Convert certServiceServer-keystore(.p12) to PEM format(.pem)"
+ ${DOCKER_EXEC} openssl pkcs12 -nodes -in truststore.p12 -out truststore.pem -passin pass:secret
+ @echo "#####done#####"
+
+#Export certificates from certServiceServer-keystore(.p12) to PEM format(.pem)
+server_export_certificate_to_pem:
+ @echo "Export certificates from certServiceClient-keystore(.p12) to PEM format(.pem)"
+ ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nokeys -out certServiceServer-cert.pem
+ @echo "#####done#####"
+
+#Export keys from certServiceServer-keystore(.p12) to PEM format(.pem)
+server_export_key_to_pem:
+ @echo "Export keys from certServiceClient-keystore(.p12) to PEM format(.pem)"
+ ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out certServiceServer-key.pem
+ @echo "#####done#####"
+
+
 #Clear unused certificates
 clear_unused_files:
 @echo "Clear unused certificates"
- ${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr
+ ${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr truststore.p12
 @echo "#####done#####"
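Review bot: The echo messages in the four new targets do not name the files they operate on: `convert_truststore_to_p12` and `convert_truststore_to_pem` announce `certServiceServer-keystore` although they convert `truststore.jks`/`truststore.p12`, and `server_export_certificate_to_pem`/`server_export_key_to_pem` announce `certServiceClient-keystore` although they read `certServiceServer-keystore.p12`, which will mislead whoever debugs a failed run. Suggested wording: `@echo "Convert truststore(.jks) to PKCS12 format(.p12)"`, `@echo "Convert truststore(.p12) to PEM format(.pem)"`, and `@echo "Export keys from certServiceServer-keystore(.p12) to PEM format(.pem)"` (likewise for the certificate export). Separately, `server_export_key_to_pem` uses `-nodes`, so `certServiceServer-key.pem` is written unencrypted into the bind-mounted certs directory with whatever umask the container user has; a trailing `${DOCKER_EXEC} chmod 600 certServiceServer-key.pem` would keep it readable only by the generating user. The recipe lines' leading tabs are not visible in this collapsed rendering, so their indentation cannot be checked here.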
diff --git a/kubernetes/platform/components/oom-cert-service/resources/default/cmpServers.json b/kubernetes/platform/components/oom-cert-service/resources/default/cmpServers.json
index 358f2a82c7..c6d76c1f57 100644
--- a/kubernetes/platform/components/oom-cert-service/resources/default/cmpServers.json
+++ b/kubernetes/platform/components/oom-cert-service/resources/default/cmpServers.json
@@ -1,3 +1,3 @@
 {
 "cmpv2Servers": []
-}
\ No newline at end of file
+}
diff --git a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
index 280922a014..2d47e6f57c 100644
--- a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
+++ b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
@@ -53,4 +53,17 @@ data:
 {{ (.Files.Glob "resources/truststore.jks").AsSecrets }}
 root.crt:
 {{ (.Files.Glob "resources/root.crt").AsSecrets }}
-{{ end -}}
\ No newline at end of file
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.tls.provider.secret.name }}
+type: Opaque
+data:
+ certServiceServer-key.pem:
+ {{ (.Files.Glob "resources/certServiceServer-key.pem").AsSecrets }}
+ certServiceServer-cert.pem:
+ {{ (.Files.Glob "resources/certServiceServer-cert.pem").AsSecrets }}
+ truststore.pem:
+ {{ (.Files.Glob "resources/truststore.pem").AsSecrets }}
+{{ end -}}
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index ee51ec7a7d..5e2a1be4e4 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml
@@ -34,7 +34,7 @@ service:
 port_protocol: http
 
 # Certificates generation configuration
-certificateGenerationImage: onap/integration-java11:7.1.0
+certificateGenerationImage: onap/integration-java11:7.2.0
 
 # Deployment configuration
 repository: "nexus3.onap.org:10001"
@@ -88,14 +88,19 @@ tls:
 client:
 secret:
 defaultName: oom-cert-service-client-tls-secret
+ provider:
+ secret:
+ name: cmpv2-issuer-secret
 envs:
 keystore:
 jksName: certServiceServer-keystore.jks
 p12Name: certServiceServer-keystore.p12
+ pemName: certServiceServer-keystore.pem
 truststore:
 jksName: truststore.jks
 crtName: root.crt
+ pemName: truststore.pem
 httpsPort: 8443
 
 # External secrets with credentials can be provided to override default credentials defined below, |
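Review bot: The new Secret packages `resources/certServiceServer-key.pem` — an unencrypted private key, since the Makefile in this commit exports it with `openssl pkcs12 -nodes` — into the chart archive through `.Files.Glob`, so anyone who can pull or unpack the packaged chart also holds the key; this mirrors how the existing jks entries are handled but without even a store password, and is acceptable only for the self-generated default material, which a real deployment presumably replaces by pointing `tls.provider.secret.name` at a secret created out of band. `.AsSecrets` already renders a `<filename>: <base64>` pair, so the bare `certServiceServer-key.pem:` line placed before it appears to yield either a nested mapping or a duplicate key depending on indentation that this collapsed rendering does not show; worth confirming with `helm template` that the three new `data` entries come out as plain strings. The `{{ if }}` closed by the re-added `{{ end -}}` starts outside the hunk, so the new Secret inherits that condition.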
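Review bot: `tls.envs.keystore.pemName: certServiceServer-keystore.pem` names a file that nothing in this commit produces: the Makefile's new export targets write `certServiceServer-cert.pem` and `certServiceServer-key.pem`, and the new Secret in `templates/secret.yaml` uses exactly those two names, so any consumer of this value would look for a file that does not exist. If a consumer exists outside this diff, splitting the value to match, e.g. `certPemName: certServiceServer-cert.pem` and `keyPemName: certServiceServer-key.pem`, keeps values, Makefile and template in agreement; otherwise the key is dead configuration and should go. `truststore.pemName: truststore.pem` does match the generated file. The default `cmpv2-issuer-secret` is a fixed, release-independent Secret name, which works for one release per namespace but collides if the chart is installed twice there.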