-rw-r--r-- | .gitignore | 3 | ||||
-rw-r--r-- | kubernetes/aaf/.gitignore | 1 | ||||
-rwxr-xr-x | kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml | 5 | ||||
-rwxr-xr-x | kubernetes/cds/components/cds-blueprints-processor/values.yaml | 2 | ||||
-rw-r--r-- | kubernetes/common/cmpv2Config/values.yaml | 4 | ||||
-rw-r--r-- | kubernetes/common/common/templates/_certificate.tpl | 192 | ||||
-rw-r--r-- | kubernetes/contrib/.gitignore | 1 | ||||
-rw-r--r-- | kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml | 2 | ||||
-rw-r--r-- | kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml | 2 | ||||
-rwxr-xr-x | kubernetes/onap/values.yaml | 28 | ||||
-rw-r--r-- | kubernetes/platform/components/cmpv2-cert-provider/values.yaml | 2 | ||||
-rw-r--r-- | kubernetes/platform/components/oom-cert-service/values.yaml | 2 | ||||
-rw-r--r-- | kubernetes/sdnc/templates/certificates.yaml | 19 | ||||
-rw-r--r-- | kubernetes/sdnc/values.yaml | 26 |
14 files changed, 275 insertions, 14 deletions
diff --git a/.gitignore b/.gitignore index 11c7e801d7..cb4cb34579 100644 --- a/.gitignore +++ b/.gitignore @@ -31,3 +31,6 @@ requirements.lock # Mac OS *DS_Store* + +# dist +dist diff --git a/kubernetes/aaf/.gitignore b/kubernetes/aaf/.gitignore index 3a4f8ba352..71fbb5cbb9 100644 --- a/kubernetes/aaf/.gitignore +++ b/kubernetes/aaf/.gitignore @@ -1 +1,2 @@ /sms/ +components/dist diff --git a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml index f321e54fd1..9645b20cd2 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/templates/deployment.yaml @@ -109,11 +109,8 @@ spec: env: - name: APP_CONFIG_HOME value: {{ .Values.config.appConfigDir }} - - name: USE_SCRIPT_COMPILE_CACHE - value: {{ .Values.config.useScriptCompileCache | quote }} - # Cluster should only be enabled when replicaCount is more than 2 and useScriptCompileCache is set to false otherwise it won't work properly - name: CLUSTER_ENABLED - value: {{ if and (gt (int (.Values.replicaCount)) 2) (not .Values.config.useScriptCompileCache) }} {{ .Values.cluster.enabled | quote }} {{ else }} "false" {{ end }} + value: {{ if (gt (int (.Values.replicaCount)) 2) }} {{ .Values.cluster.enabled | quote }} {{ else }} "false" {{ end }} - name: CLUSTER_ID value: {{ .Values.cluster.clusterName }} - name: CLUSTER_NODE_ID diff --git a/kubernetes/cds/components/cds-blueprints-processor/values.yaml b/kubernetes/cds/components/cds-blueprints-processor/values.yaml index 629b8252cc..1b456983f7 100755 --- a/kubernetes/cds/components/cds-blueprints-processor/values.yaml +++ b/kubernetes/cds/components/cds-blueprints-processor/values.yaml @@ -60,7 +60,6 @@ debugEnabled: false # application configuration config: appConfigDir: /opt/app/onap/config - useScriptCompileCache: false sdncDB: dbService: mariadb-galera dbPort: 3306 
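Review bot: The new `CLUSTER_ENABLED` line renders with stray spaces around the value (roughly `value:  "true" `) because none of the `{{ if }}`/`{{ else }}`/`{{ end }}` actions trim whitespace; `value: {{ if gt (int .Values.replicaCount) 2 }}{{ .Values.cluster.enabled | quote }}{{ else }}"false"{{ end }}` yields a clean scalar and drops the redundant parentheses. The simplified condition now matches the values.yaml comment `Cannot have cluster enabled if the replicaCount is not at least 3`, so that comment needs no further change beyond the line this commit already removes. The container's env list starts before and continues after the hunk.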
@@ -130,7 +129,6 @@ persistence: cluster: # Cannot have cluster enabled if the replicaCount is not at least 3 - # AND config value useScriptCompileCache is not set to false enabled: true clusterName: cds-cluster diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index c22f9731b5..19b87b1afa 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml @@ -14,7 +14,7 @@ global: platform: certServiceClient: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.1 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.2 secretName: oom-cert-service-client-tls-secret envVariables: # Certificate related @@ -29,5 +29,5 @@ global: keystorePassword: "secret" truststorePassword: "secret" certPostProcessor: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.1 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.2 diff --git a/kubernetes/common/common/templates/_certificate.tpl b/kubernetes/common/common/templates/_certificate.tpl new file mode 100644 index 0000000000..74f81af901 --- /dev/null +++ b/kubernetes/common/common/templates/_certificate.tpl 
@@ -0,0 +1,192 @@
+{{/*#
+# Copyright © 2020, Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.*/}}
+
+{{/*
+# This is a template for requesting a certificate from the cert-manager (https://cert-manager.io).
+#
+# To request a certificate following steps are to be done:
+# - create an object 'certificates' in the values.yaml
+# - create a file templates/certificates.yaml and invoke the function "commom.certificate".
+#
+# Here is an example of the certificate request for a component:
+#
+# Directory structure:
+# component
+# templates
+# certifictes.yaml
+# values.yaml
+#
+# To be added in the file certificates.yamll
+#
+# To be added in the file values.yaml
+# 1. Minimal version (certificates only in PEM format)
+# certificates:
+# - name: onap-component-certificate
+# secretName: onap-component-certificate
+# commonName: component.onap.org
+# 2. Extended version (with defined own issuer and additional certificate format):
+# certificates:
+# - name: onap-component-certificate
+# secretName: onap-component-certificate
+# commonName: component.onap.org
+# dnsNames:
+# - component.onap.org
+# issuer:
+# group: certmanager.onap.org
+# kind: CMPv2Issuer
+# name: cmpv2-issuer-for-the-component
+# p12Keystore:
+# create: true
+# passwordSecretRef:
+# name: secret-name
+# key: secret-key
+# jksKeystore:
+# create: true
+# passwordSecretRef:
+# name: secret-name
+# key: secret-key
+#
+# Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined.
+# Other mandatory fields for the certificate definition do not have to be defined directly,
+# in that case they will be taken from default values.
+#
+# Default values are defined in file onap/values.yaml (see-> global.certificate.default)
+# and can be overriden during onap installation process.
+#
+*/}}
+
+{{- define "common.certificate" -}}
+{{- $dot := default . .dot -}}
+{{- $certificates := $dot.Values.certificates -}}
+
+{{ range $certificate := $certificates }}
+{{/*# General certifiacate attributes #*/}}
+{{- $name := $certificate.name -}}
+{{- $secretName := $certificate.secretName -}}
+{{- $commonName := default $dot.Values.global.certificate.default.commonName $certificate.commonName -}}
+{{- $renewBefore := default $dot.Values.global.certificate.default.renewBefore $certificate.renewBefore -}}
+{{- $duration := $certificate.duration -}}
+{{- $namespace := default $dot.Release.Namespace $dot.Values.global.certificate.default.namespace -}}
+{{- if $certificate.namespace -}}
+{{- $namespace = default $namespace $certificate.namespace -}}
+{{- end -}}
+{{/*# SAN's #*/}}
+{{- $dnsNames := default $dot.Values.global.certificate.default.dnsNames $certificate.dnsNames -}}
+{{- $ipAddresses := default $dot.Values.global.certificate.default.ipAddresses $certificate.ipAddresses -}}
+{{- $uris := default $dot.Values.global.certificate.default.uris $certificate.uris -}}
+{{- $emailAddresses := default $dot.Values.global.certificate.default.emailAddresses $certificate.emailAddresses -}}
+{{/*# Subject #*/}}
+{{- $subject := $dot.Values.global.certificate.default.subject -}}
+{{- if $certificate.subject -}}
+{{- $subject = mergeOverwrite $subject $certificate.subject -}}
+{{- end -}}
+{{/*# Issuer #*/}}
+{{- $issuer := $dot.Values.global.certificate.default.issuer -}}
+{{- if $certificate.issuer -}}
+{{- $issuer = mergeOverwrite $issuer $certificate.issuer -}}
+{{- end -}}
+{{/*# Keystores #*/}}
+{{- $createJksKeystore := $dot.Values.global.certificate.default.jksKeystore.create -}}
+{{- $jksKeystorePasswordSecretName := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.name -}}
+{{- $jksKeystorePasswordSecreKey := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.key -}}
+{{- $createP12Keystore := $dot.Values.global.certificate.default.p12Keystore.create -}}
+{{- $p12KeystorePasswordSecretName := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.name -}}
+{{- $p12KeystorePasswordSecreKey := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.key -}}
+{{- if $certificate.jksKeystore -}}
+{{- $createJksKeystore = default $createJksKeystore $certificate.jksKeystore.create -}}
+{{- if $certificate.jksKeystore.passwordSecretRef -}}
+{{- $jksKeystorePasswordSecretName = default $jksKeystorePasswordSecretName $certificate.jksKeystore.passwordSecretRef.name -}}
+{{- $jksKeystorePasswordSecreKey = default $jksKeystorePasswordSecreKey $certificate.jksKeystore.passwordSecretRef.key -}}
+{{- end -}}
+{{- end -}}
+{{- if $certificate.p12Keystore -}}
+{{- $createP12Keystore = default $createP12Keystore $certificate.p12Keystore.create -}}
+{{- if $certificate.p12Keystore.passwordSecretRef -}}
+{{- $p12KeystorePasswordSecretName = default $p12KeystorePasswordSecretName $certificate.p12Keystore.passwordSecretRef.name -}}
+{{- $p12KeystorePasswordSecreKey = default $p12KeystorePasswordSecreKey $certificate.p12Keystore.passwordSecretRef.key -}}
+{{- end -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ $name }}
+ namespace: {{ $namespace }}
+spec:
+ secretName: {{ $secretName }}
+ commonName: {{ $commonName }}
+ renewBefore: {{ $renewBefore }}
+ {{- if $duration }}
+ duration: {{ $duration }}
+ {{- end }}
+ subject:
+ organizations:
+ - {{ $subject.organization }}
+ countries:
+ - {{ $subject.country }}
+ localities:
+ - {{ $subject.locality }}
+ provinces:
+ - {{ $subject.province }}
+ organizationalUnits:
+ - {{ $subject.organizationalUnit }}
+ {{- if $dnsNames }}
+ dnsNames:
+ {{- range $dnsName := $dnsNames }}
+ - {{ $dnsName }}
+ {{- end }}
+ {{- end }}
+ {{- if $ipAddresses }}
+ ipAddresses:
+ {{- range $ipAddress := $ipAddresses }}
+ - {{ $ipAddress }}
+ {{- end }}
+ {{- end }}
+ {{- if $uris }}
+ uris:
+ {{- range $uri := $uris }}
+ - {{ $uri }}
+ {{- end }}
+ {{- end }}
+ {{- if $emailAddresses }}
+ emailAddresses:
+ {{- range $emailAddress := $emailAddresses }}
+ - {{ $emailAddress }}
+ {{- end }}
+ {{- end }}
+ issuerRef:
+ group: {{ $issuer.group }}
+ kind: {{ $issuer.kind }}
+ name: {{ $issuer.name }}
+ {{- if or $createJksKeystore $createP12Keystore }}
+ keystores:
+ {{- if $createJksKeystore }}
+ jks:
+ create: {{ $createJksKeystore }}
+ passwordSecretRef:
+ name: {{ $jksKeystorePasswordSecretName }}
+ key: {{ $jksKeystorePasswordSecreKey }}
+ {{- end }}
+ {{- if $createP12Keystore }}
+ pkcs12:
+ create: {{ $createP12Keystore }}
+ passwordSecretRef:
+ name: {{ $p12KeystorePasswordSecretName }}
+ key: {{ $p12KeystorePasswordSecreKey }}
+ {{- end }}
+ {{- end }}
+{{ end }}
+
+{{- end -}}
diff --git a/kubernetes/contrib/.gitignore b/kubernetes/contrib/.gitignore
new file mode 100644
index 0000000000..7020381894
--- /dev/null
+++ b/kubernetes/contrib/.gitignore
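Review bot: `{{- $subject = mergeOverwrite $subject $certificate.subject -}}` and the matching `$issuer` line mutate the shared `global.certificate.default.subject` and `.issuer` maps in place, because `$subject := $dot.Values.global.certificate.default.subject` only copies a reference; inside the `range` the first certificate's overrides therefore become the defaults for every later certificate and for any chart rendered afterwards, so one component's custom `issuerRef` can silently end up on unrelated Certificate objects. Initialise the locals from a copy instead: `{{- $subject := deepCopy $dot.Values.global.certificate.default.subject -}}` and `{{- $issuer := deepCopy $dot.Values.global.certificate.default.issuer -}}`. The usage comment documents `name`, `secretName` and `commonName` as mandatory but nothing enforces it, so a missing value renders an empty field; `{{- $name := required "certificates[].name is mandatory" $certificate.name -}}` (and the same for `secretName`) fails at render time instead. The header comment also carries typos worth fixing (`commom.certificate`, `certifictes.yaml`, `certificates.yamll`, `certifiacate`), and `commom.certificate` in particular would mislead anyone copying the include name.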
@@ -0,0 +1 @@ +components/dist diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml index a3bff07fb2..bbc06113d3 100644 --- a/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-bootstrap/values.yaml @@ -103,7 +103,7 @@ mongo: disableNfsProvisioner: true # application image -image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:2.2.1 +image: onap/org.onap.dcaegen2.deployments.k8s-bootstrap-container:2.2.3 default_k8s_location: central # DCAE component images to be deployed via Cloudify Manager diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml index c13d3cebe6..e187e119dc 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml @@ -49,7 +49,7 @@ config: # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.deployments.cm-container:3.4.1 +image: onap/org.onap.dcaegen2.deployments.cm-container:3.4.2 pullPolicy: Always # name of shared ConfigMap with kubeconfig for multiple clusters diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index 1998539726..5376940938 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml 
@@ -172,11 +172,37 @@ global: aafEnabled: true aafAgentImage: onap/aaf/aaf_agent:2.1.20 + # default values for certificates + certificate: + default: + renewBefore: 8h + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + issuer: + group: certmanager.onap.org + kind: CMPv2Issuer + name: cmpv2-issuer-onap + p12Keystore: + create: false + passwordSecretRef: + name: "" + key: "" + jksKeystore: + create: false + passwordSecretRef: + name: "" + key: "" + # Enabling CMPv2 cmpv2Enabled: true + CMPv2CertManagerIntegration: false platform: certServiceClient: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.1 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.2 secret: name: oom-cert-service-client-tls-secret mountPath: /etc/onap/oom/certservice/certs/ diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index 990c36d7a3..0614819930 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -38,7 +38,7 @@ service: # Deployment configuration deployment: name: oom-certservice-cmpv2issuer - image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.3.0 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.3.2 proxyImage: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0 # fol local development use IfNotPresent pullPolicy: Always diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index bd415c06b1..8f31124e41 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml 
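Review bot: `CMPv2CertManagerIntegration: false` breaks the camelCase convention of its neighbours under `global` (`cmpv2Enabled`, `aafEnabled`); `cmpv2CertManagerIntegration: false` keeps the file consistent, and because this commit also introduces the key in `kubernetes/sdnc/values.yaml` and reads it in `kubernetes/sdnc/templates/certificates.yaml`, all three sites would change together. The new `certificate.default` block would also benefit from a short comment per subsection, e.g. `# subject fields used when a component does not set its own` above `subject:` and `# keystores are off by default; a component that enables them must supply its own passwordSecretRef` above `p12Keystore:`, since the helper consuming these values lives in `common/templates/_certificate.tpl` and is not visible from this file. The `global` mapping starts before the hunk.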
@@ -38,7 +38,7 @@ certificateGenerationImage: onap/integration-java11:7.2.0 # Deployment configuration repository: "nexus3.onap.org:10001" -image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.1 +image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.2 pullPolicy: Always replicaCount: 1 diff --git a/kubernetes/sdnc/templates/certificates.yaml b/kubernetes/sdnc/templates/certificates.yaml new file mode 100644 index 0000000000..dda16176a5 --- /dev/null +++ b/kubernetes/sdnc/templates/certificates.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2020 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ if .Values.global.CMPv2CertManagerIntegration }} +{{ include "common.certificate" . }} +{{ end }} diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index f4f09107bb..1d2fa266ea 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -32,9 +32,10 @@ global: service: mariadb-galera # Enabling CMPv2 cmpv2Enabled: true + CMPv2CertManagerIntegration: false platform: certServiceClient: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.1 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.2 secret: name: oom-cert-service-client-tls-secret mountPath: /etc/onap/oom/certservice/certs/ 
@@ -132,6 +133,29 @@ secrets: login: '{{ .Values.config.scaleoutUser }}' password: '{{ .Values.config.scaleoutPassword }}' passwordPolicy: required + - uid: keystore-password + type: password + password: secret + passwordPolicy: required +################################################################# +# Certificates +################################################################# +certificates: + - name: onap-sdnc-certificate + secretName: onap-sdnc-certificate + commonName: sdnc.simpledemo.onap.org + dnsNames: + - sdnc.simpledemo.onap.org + p12Keystore: + create: true + passwordSecretRef: + name: keystore-password + key: password + jksKeystore: + create: true + passwordSecretRef: + name: keystore-password + key: password ################################################################# # Application configuration defaults. ################################################################# |
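Review bot: The new `keystore-password` secret hard-codes `password: secret` in a committed values file while the neighbouring entries take their passwords from `.Values.config.*`; with `passwordPolicy: required` that literal becomes the real keystore password of every default deployment, so either source it the same way as the `scaleout` entry (`password: '{{ .Values.config.keystorePassword }}'`, with a matching config key to be added — name constructed here) or use `passwordPolicy: generate` so the common secret template creates a random one. The `certificates` block then sets `passwordSecretRef.name: keystore-password`, which `common.certificate` writes into the Certificate verbatim; if `common.secret` prefixes its Secret names with the release and chart name as it does elsewhere in OOM, no Secret with that bare name exists and cert-manager cannot build the PKCS12/JKS keystores, so the rendered Secret name should be verified before merging. The `secrets` list begins before the hunk.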