diff options
22 files changed, 262 insertions, 101 deletions
diff --git a/docs/oom_cloud_setup_guide.rst b/docs/oom_cloud_setup_guide.rst index 8431cf794a..033ba43fe4 100644 --- a/docs/oom_cloud_setup_guide.rst +++ b/docs/oom_cloud_setup_guide.rst @@ -46,9 +46,9 @@ The versions of Kubernetes that are supported by OOM are as follows: .. table:: OOM Software Requirements - ============== =========== ======= ======== ======== - Release Kubernetes Helm kubectl Docker - ============== =========== ======= ======== ======== + ============== =========== ======= ======== ======== ============ + Release Kubernetes Helm kubectl Docker Cert-Manager + ============== =========== ======= ======== ======== ============ amsterdam 1.7.x 2.3.x 1.7.x 1.12.x beijing 1.8.10 2.8.2 1.8.10 17.03.x casablanca 1.11.5 2.9.1 1.11.5 17.03.x @@ -57,7 +57,8 @@ The versions of Kubernetes that are supported by OOM are as follows: frankfurt 1.15.9 2.16.6 1.15.11 18.09.x guilin 1.15.11 2.16.10 1.15.11 18.09.x Honolulu 1.19.9 3.5.2 1.19.9 19.03.x - ============== =========== ======= ======== ======== + Istanbul 1.2.0 + ============== =========== ======= ======== ======== ============ .. note:: Guilin version also supports Kubernetes up to version 1.19.x and should work diff --git a/docs/oom_quickstart_guide.rst b/docs/oom_quickstart_guide.rst index 2fedc091d8..d573c94bb0 100644 --- a/docs/oom_quickstart_guide.rst +++ b/docs/oom_quickstart_guide.rst @@ -33,13 +33,19 @@ where <BRANCH> can be an official release tag, such as > cp -R ~/oom/kubernetes/helm/plugins/ ~/.local/share/helm/plugins > helm plugin install https://github.com/chartmuseum/helm-push.git -**Step 3** Install Chartmuseum:: +**Step 3.** Install Chartmuseum:: > curl -LO https://s3.amazonaws.com/chartmuseum/release/latest/bin/linux/amd64/chartmuseum > chmod +x ./chartmuseum > mv ./chartmuseum /usr/local/bin -**Step 4.** Customize the Helm charts like `oom/kubernetes/onap/values.yaml` or +**Step 4.** Install Cert-Manager:: + + > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml + +More details can be found :doc:`here <oom_setup_paas>`. + +**Step 5.** Customize the Helm charts like `oom/kubernetes/onap/values.yaml` or an override file like `onap-all.yaml`, `onap-vfw.yaml` or `openstack.yaml` file to suit your deployment with items like the OpenStack tenant information. @@ -67,12 +73,6 @@ to suit your deployment with items like the OpenStack tenant information. -.. note:: - If you want to use CMPv2 certificate onboarding, Cert-Manager must be installed. - :doc:`Click here <oom_setup_paas>` to see how to install Cert-Manager. - - - a. Enabling/Disabling Components: Here is an example of the nominal entries that need to be provided. We have different values file available for different contexts. @@ -154,7 +154,7 @@ Example Keystone v3 (required for Rocky and later releases) :language: yaml -**Step 5.** To setup a local Helm server to server up the ONAP charts:: +**Step 6.** To setup a local Helm server to server up the ONAP charts:: > chartmuseum --storage local --storage-local-rootdir ~/helm3-storage -port 8879 & @@ -163,13 +163,13 @@ follows:: > helm repo add local http://127.0.0.1:8879 -**Step 6.** Verify your Helm repository setup with:: +**Step 7.** Verify your Helm repository setup with:: > helm repo list NAME URL local http://127.0.0.1:8879 -**Step 7.** Build a local Helm repository (from the kubernetes directory):: +**Step 8.** Build a local Helm repository (from the kubernetes directory):: > make SKIP_LINT=TRUE [HELM_BIN=<HELM_PATH>] all ; make SKIP_LINT=TRUE [HELM_BIN=<HELM_PATH>] onap @@ -177,7 +177,7 @@ follows:: Sets the helm binary to be used. The default value use helm from PATH -**Step 8.** Display the onap charts that available to be deployed:: +**Step 9.** Display the onap charts that available to be deployed:: > helm repo update > helm search repo onap @@ -189,7 +189,7 @@ follows:: to your deployment charts or values be sure to use ``make`` to update your local Helm repository. -**Step 9.** Once the repo is setup, installation of ONAP can be done with a +**Step 10.** Once the repo is setup, installation of ONAP can be done with a single command .. note:: @@ -237,7 +237,7 @@ needs. you want to use to deploy VNFs from ONAP and/or additional parameters for the embedded tests. -**Step 10.** Verify ONAP installation +**Step 11.** Verify ONAP installation Use the following to monitor your deployment and determine when ONAP is ready for use:: @@ -251,7 +251,7 @@ for use:: > ~/oom/kubernetes/robot/ete-k8s.sh onap health -**Step 11.** Undeploy ONAP +**Step 12.** Undeploy ONAP :: > helm undeploy dev diff --git a/docs/oom_setup_paas.rst b/docs/oom_setup_paas.rst index 258a4eeadf..845fd473e0 100644 --- a/docs/oom_setup_paas.rst +++ b/docs/oom_setup_paas.rst @@ -9,11 +9,11 @@ .. _oom_setup_paas: -ONAP PaaS set-up (optional) -########################### +ONAP PaaS set-up +################ Starting from Honolulu release, Cert-Manager and Prometheus Stack are a part -of k8s PaaS for ONAP operations and can be optionally installed to provide +of k8s PaaS for ONAP operations and can be installed to provide additional functionality for ONAP engineers. The versions of PaaS compoents that are supported by OOM are as follows: @@ -63,8 +63,8 @@ Installation can be as simple as:: > kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml -Prometheus Stack -================ +Prometheus Stack (optional) +=========================== Prometheus is an open-source systems monitoring and alerting toolkit with an active ecosystem. diff --git a/docs/oom_user_guide.rst b/docs/oom_user_guide.rst index 02f5c483b5..3a707e25ea 100644 --- a/docs/oom_user_guide.rst +++ b/docs/oom_user_guide.rst @@ -55,8 +55,8 @@ ONAP with a few simple commands. Pre-requisites -------------- -Your environment must have both the Kubernetes `kubectl` and Helm setup as a -one time activity. +Your environment must have the Kubernetes `kubectl` with Cert-Manager +and Helm setup as a one time activity. Install Kubectl ~~~~~~~~~~~~~~~ @@ -78,6 +78,11 @@ Verify that the Kubernetes config is correct:: At this point you should see Kubernetes pods running. +Install Cert-Manager +~~~~~~~~~~~~~~~~~~~~ +Details on how to install Cert-Manager can be found +:doc:`here <oom_setup_paas>`. + Install Helm ~~~~~~~~~~~~ Helm is used by OOM for package and configuration management. To install Helm, diff --git a/kubernetes/appc/components/appc-cdt/values.yaml b/kubernetes/appc/components/appc-cdt/values.yaml index 3b1ff47116..5765d3482d 100644 --- a/kubernetes/appc/components/appc-cdt/values.yaml +++ b/kubernetes/appc/components/appc-cdt/values.yaml @@ -38,27 +38,17 @@ certInitializer: cadi_longitude: "-72.0" credsPath: /opt/app/osaaf/local aaf_add_config: | - echo "*** retrieving password for keystore" - export $(/opt/app/aaf_config/bin/agent.sh local showpass \ - {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0) - if [ -z "$cadi_keystore_password_p12" ] - then - echo " /!\ certificates retrieval failed" - exit 1 - else - cd {{ .Values.credsPath }}; - mkdir -p certs; - echo "*** transform AAF certs into pem files" - mkdir -p {{ .Values.credsPath }}/certs - openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ - -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ - -passin pass:$cadi_keystore_password_p12 \ - -passout pass:$cadi_keystore_password_p12 - echo "*** copy key file" - cp {{ .Values.fqi_namespace }}.key certs/key.pem; - echo "*** change ownership of certificates to targeted user" - chown -R 1000 {{ .Values.credsPath }} - fi + echo "*** transform AAF certs into pem files" + mkdir -p {{ .Values.credsPath }}/certs + openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -nokeys -out {{ .Values.credsPath }}/certs/cert.pem \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 + echo "*** copy key file" + cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \ + {{ .Values.credsPath }}/certs/key.pem + echo "*** change ownership of certificates to targeted user" + chown -R 1000 {{ .Values.credsPath }} ################################################################# # Application configuration defaults. diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh index 2fd6db1360..85f5aac246 100755 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh +++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh @@ -65,7 +65,7 @@ DBINIT_DIR=${DBINIT_DIR:-/opt/opendaylight/current/daexim} # Wait for database to init properly # echo "Waiting for mariadbgalera" -until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql &> /dev/null +until mysql -h {{.Values.config.mariadbGaleraSVCName}}.{{.Release.Namespace}} -u root -p${MYSQL_PASSWD} mysql >/dev/null 2>&1 do printf "." sleep 1 diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index ec1ce944c9..cb4153e778 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh @@ -58,7 +58,8 @@ done # Prepare truststore output file if [ "$AAF_ENABLED" = "true" ] then - mv $WORK_DIR/$ONAP_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME + echo "AAF is enabled, use 'AAF' truststore" + export TRUSTSTORE_OUTPUT_FILENAME=${ONAP_TRUSTSTORE} else echo "AAF is disabled, using JRE truststore" cp $JRE_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl index 108873b31d..2b9461e50e 100644 --- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl +++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl @@ -189,6 +189,8 @@ spec: {{ end }} {{- end -}} +{{/*Using templates below allows read and write access to volume mounted at $mountPath*/}} + {{- define "common.certManager.volumeMounts" -}} {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} @@ -217,8 +219,14 @@ spec: sources: - secret: name: {{ $certificatesSecretName }} - {{- if $certificate.keystore }} items: + - key: tls.key + path: key.pem + - key: tls.crt + path: cert.pem + - key: ca.crt + path: cacert.pem + {{- if $certificate.keystore }} {{- range $outputType := $certificate.keystore.outputType }} - key: keystore.{{ $outputType }} path: keystore.{{ $outputType }} @@ -248,4 +256,55 @@ spec: {{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}} {{- end -}} {{ $certsLinkCommand }} -{{- end -}}
\ No newline at end of file +{{- end -}} + +{{/*Using templates below allows only read access to volume mounted at $mountPath*/}} + +{{- define "common.certManager.volumeMountsReadOnly" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} + {{- range $i, $certificate := $dot.Values.certificates -}} + {{- $mountPath := $certificate.mountPath -}} +- mountPath: {{ $mountPath }} + name: certmanager-certs-volume-{{ $i }} + {{- end -}} +{{- end -}} + +{{- define "common.certManager.volumesReadOnly" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} +{{- $certificates := $dot.Values.certificates -}} + {{- range $i, $certificate := $certificates -}} + {{- $name := include "common.fullname" $dot -}} + {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +- name: certmanager-certs-volume-{{ $i }} + projected: + sources: + - secret: + name: {{ $certificatesSecretName }} + items: + - key: tls.key + path: key.pem + - key: tls.crt + path: cert.pem + - key: ca.crt + path: cacert.pem + {{- if $certificate.keystore }} + {{- range $outputType := $certificate.keystore.outputType }} + - key: keystore.{{ $outputType }} + path: keystore.{{ $outputType }} + - key: truststore.{{ $outputType }} + path: truststore.{{ $outputType }} + {{- end }} + - secret: + name: {{ $certificate.keystore.passwordSecretRef.name }} + items: + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: keystore.pass + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: truststore.pass + {{- end }} + {{- end -}} +{{- end -}} diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index 9c9cc7074d..10a63ebbcf 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -3,6 +3,7 @@ # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. # Copyright (c) 2021 AT&T Intellectual Property. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -190,6 +191,7 @@ spec: - mountPath: /opt/app/osaaf name: tls-info {{- end }} + {{ include "dcaegen2-services-common._certPostProcessor" . | nindent 4 }} containers: - image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} @@ -197,7 +199,7 @@ spec: env: {{- if $certDir }} - name: DCAE_CA_CERTPATH - value: {{ $certDir}}/cacert.pem + value: {{ $certDir }}/cacert.pem {{- end }} - name: CONSUL_HOST value: consul-server.onap @@ -245,6 +247,9 @@ spec: {{- if $certDir }} - mountPath: {{ $certDir }} name: tls-info + {{- if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{- include "common.certManager.volumeMountsReadOnly" . | nindent 8 -}} + {{- end -}} {{- end }} {{- if $policy }} - name: policy-shared @@ -291,7 +296,7 @@ spec: name: onap-policy-xacml-pdp-api-creds key: password - name: POLICY_SYNC_PDP_URL - value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969 + value : http{{ if (include "common.needTLS" .) }}s{{ end }}://policy-xacml-pdp:6969 - name: POLICY_SYNC_OUTFILE value : "/etc/policies/policies.json" - name: POLICY_SYNC_V1_DECISION_ENDPOINT @@ -339,6 +344,9 @@ spec: {{- if $certDir }} - emptyDir: {} name: tls-info + {{ if and .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{ include "common.certManager.volumesReadOnly" . | nindent 6 }} + {{- end }} {{- end }} {{- if $policy }} - name: policy-shared @@ -347,3 +355,49 @@ spec: imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" {{ end -}} + +{{/* + For internal use + + Template to attach CertPostProcessor which merges CMPv2 truststore with AAF truststore + and swaps keystore files. +*/}} +{{- define "dcaegen2-services-common._certPostProcessor" -}} + {{- $certDir := default "" .Values.certDirectory . -}} + {{- if and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration -}} + {{- $cmpv2Certificate := (index .Values.certificates 0) -}} + {{- $cmpv2CertificateDir := $cmpv2Certificate.mountPath -}} + {{- $certType := "pem" -}} + {{- if $cmpv2Certificate.keystore -}} + {{- $certType = (index $cmpv2Certificate.keystore.outputType 0) -}} + {{- end -}} + {{- $truststoresPaths := printf "%s/%s:%s/%s" $certDir "cacert.pem" $cmpv2CertificateDir "cacert.pem" -}} + {{- $truststoresPasswordPaths := ":" -}} + {{- $keystoreSourcePaths := printf "%s/%s:%s/%s" $cmpv2CertificateDir "cert.pem" $cmpv2CertificateDir "key.pem" -}} + {{- $keystoreDestinationPaths := printf "%s/%s:%s/%s" $certDir "cert.pem" $certDir "key.pem" -}} + {{- if not (eq $certType "pem") -}} + {{- $truststoresPaths = printf "%s/%s:%s/%s.%s" $certDir "trust.jks" $cmpv2CertificateDir "truststore" $certType -}} + {{- $truststoresPasswordPaths = printf "%s/%s:%s/%s" $certDir "trust.pass" $cmpv2CertificateDir "truststore.pass" -}} + {{- $keystoreSourcePaths = printf "%s/%s.%s:%s/%s" $cmpv2CertificateDir "keystore" $certType $cmpv2CertificateDir "keystore.pass" -}} + {{- $keystoreDestinationPaths = printf "%s/%s.%s:%s/%s.pass" $certDir "cert" $certType $certDir $certType -}} + {{- end }} + - name: cert-post-processor + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.certPostProcessorImage }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: + {{- include "common.resources" . | nindent 4 }} + volumeMounts: + - mountPath: {{ $certDir }} + name: tls-info + {{- include "common.certManager.volumeMountsReadOnly" . | nindent 4 }} + env: + - name: TRUSTSTORES_PATHS + value: {{ $truststoresPaths | quote}} + - name: TRUSTSTORES_PASSWORDS_PATHS + value: {{ $truststoresPasswordPaths | quote }} + - name: KEYSTORE_SOURCE_PATHS + value: {{ $keystoreSourcePaths | quote }} + - name: KEYSTORE_DESTINATION_PATHS + value: {{ $keystoreDestinationPaths | quote }} + {{- end }} +{{- end -}} diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml index cd69da8346..cbd07dc486 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/values.yaml @@ -15,4 +15,4 @@ # limitations under the License. # ============LICENSE_END========================================================= # dcaegen2-services-common templates get any values from the scope -# they are passed. There are no locally-defined values.
\ No newline at end of file +# they are passed. There are no locally-defined values. diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml index 639fc2c740..929cdbbc5f 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/requirements.yaml @@ -1,4 +1,5 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,3 +26,6 @@ dependencies: - name: dcaegen2-services-common version: ~8.x-0 repository: 'file://../../common/dcaegen2-services-common' + - name: certManagerCertificate + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml new file mode 100644 index 0000000000..0db2138a4f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/templates/certificates.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} +{{ include "certManagerCertificate.certificate" . }} +{{ end }} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml index cec332218d..bb65f37f73 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml @@ -1,6 +1,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -34,6 +35,7 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 ################################################################# # Application configuration defaults. @@ -62,6 +64,24 @@ secrets: password: '{{ .Values.aafCreds.password }}' passwordPolicy: required +# CMPv2 certificate +# It is used only when global parameter cmpv2Enabled is true +# Disabled by default +certificates: + - mountPath: /etc/ves-hv/ssl/external + commonName: dcae-hv-ves-collector + dnsNames: + - dcae-hv-ves-collector + - hv-ves-collector + - hv-ves + keystore: + outputType: + - jks + passwordSecretRef: + name: hv-ves-cmpv2-keystore-password + key: password + create: true + # dependencies readinessCheck: wait_for: diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml index 639fc2c740..929cdbbc5f 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/requirements.yaml @@ -1,4 +1,5 @@ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -25,3 +26,6 @@ dependencies: - name: dcaegen2-services-common version: ~8.x-0 repository: 'file://../../common/dcaegen2-services-common' + - name: certManagerCertificate + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml new file mode 100644 index 0000000000..0db2138a4f --- /dev/null +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/templates/certificates.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ if and .Values.certDirectory .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} +{{ include "certManagerCertificate.certificate" . }} +{{ end }} diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml index 62c640453b..081bcdcc1a 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml @@ -1,6 +1,7 @@ #============LICENSE_START======================================================== # ================================================================================ # Copyright (c) 2021 J. F. Lucas. All rights reserved. +# Copyright (c) 2021 Nokia. All rights reserved. # ================================================================================ # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -34,6 +35,7 @@ filebeatConfig: ################################################################# tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.0 +certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 ################################################################# # Application configuration defaults. @@ -55,6 +57,24 @@ certDirectory: /opt/app/dcae-certificate # and key from AAF and mount them in certDirectory. tlsServer: true +# CMPv2 certificate +# It is used only when global parameter cmpv2Enabled is true +# Disabled by default +certificates: + - mountPath: /opt/app/dcae-certificate/external + commonName: dcae-ves-collector + dnsNames: + - dcae-ves-collector + - ves-collector + - ves + keystore: + outputType: + - jks + passwordSecretRef: + name: ves-cmpv2-keystore-password + key: password + create: true + # dependencies readinessCheck: wait_for: diff --git a/kubernetes/helm/plugins/deploy/deploy.sh b/kubernetes/helm/plugins/deploy/deploy.sh index a7e394d4ae..44e8e56aa5 100755 --- a/kubernetes/helm/plugins/deploy/deploy.sh +++ b/kubernetes/helm/plugins/deploy/deploy.sh @@ -54,7 +54,7 @@ generate_overrides() { cat $COMPUTED_OVERRIDES | sed '/common:/,/consul:/d' \ | sed -n '/^'"$START"'/,/'log:'/p' | sed '1d;$d' >> $GLOBAL_OVERRIDES else - SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(cut -d':' -f1 <<<"$START")" + SUBCHART_DIR="$CACHE_SUBCHART_DIR/$(echo "$START" |cut -d':' -f1)" if [[ -d "$SUBCHART_DIR" ]]; then if [[ -z "$END" ]]; then cat $COMPUTED_OVERRIDES | sed -n '/^'"$START"'/,/'"$END"'/p' \ @@ -96,8 +96,8 @@ deploy() { RELEASE=$1 CHART_URL=$2 FLAGS=${@:3} - CHART_REPO="$(cut -d'/' -f1 <<<"$CHART_URL")" - CHART_NAME="$(cut -d'/' -f2 <<<"$CHART_URL")" + CHART_REPO="$(echo "$CHART_URL" |cut -d'/' -f1)" + CHART_NAME="$(echo "$CHART_URL" |cut -d'/' -f2)" if [[ $HELM_VER = "v3."* ]]; then CACHE_DIR=~/.local/share/helm/plugins/deploy/cache else @@ -146,9 +146,9 @@ deploy() { DEPLOY_FLAGS=$(resolve_deploy_flags "$FLAGS") # determine if upgrading individual subchart or entire parent + subcharts - SUBCHART_RELEASE="$(cut -d'-' -f2 <<<"$RELEASE")" + SUBCHART_RELEASE="$(echo "$RELEASE" |cut -d'-' -f2)" # update specified subchart without parent - RELEASE="$(cut -d'-' -f1 <<<"$RELEASE")" + RELEASE="$(echo "$RELEASE" |cut -d'-' -f1)" if [[ $SUBCHART_RELEASE = $RELEASE ]]; then SUBCHART_RELEASE= fi diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index c34ebad982..fd34b1ef28 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -73,7 +73,7 @@ cmpv2issuer: certEndpoint: v1/certificate caName: RA certSecretRef: - name: oom-cert-service-server-tls-secret + name: oom-cert-service-client-tls-secret certRef: tls.crt keyRef: tls.key cacertRef: ca.crt diff --git a/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml b/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml deleted file mode 100644 index ba12874eb6..0000000000 --- a/kubernetes/platform/components/oom-cert-service/templates/fake_deployment.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{/* - # Copyright © 2020, Nokia - # - # Licensed under the Apache License, Version 2.0 (the "License"); - # you may not use this file except in compliance with the License. - # You may obtain a copy of the License at - # - # http://www.apache.org/licenses/LICENSE-2.0 - # - # Unless required by applicable law or agreed to in writing, software - # distributed under the License is distributed on an "AS IS" BASIS, - # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - # See the License for the specific language governing permissions and - # limitations under the License. -*/}} - -{{- if .Values.global.offlineDeploymentBuild }} -apiVersion: apps/v1 -kind: Deployment -metadata: {{- include "common.resourceMetadata" . | nindent 2 }} -spec: - replicas: {{ .Values.replicaCount }} - selector: {{- include "common.selectors" . | nindent 4 }} - template: - metadata: {{- include "common.templateMetadata" . | nindent 6 }} - spec: - containers: - - name: {{ include "common.name" . }} - image: {{ include "common.repository" . }}/{{ .Values.certificateGenerationImage }} - imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} -{{ end -}} diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index 829d3a01d1..2e149683d7 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml @@ -22,7 +22,6 @@ global: # Standard OOM pullPolicy: "Always" repository: "nexus3.onap.org:10001" - offlineDeploymentBuild: false # Service configuration @@ -33,9 +32,6 @@ service: port: 8443 port_protocol: http -# Certificates generation configuration -certificateGenerationImage: onap/integration-java11:7.2.0 - # Deployment configuration repository: "nexus3.onap.org:10001" image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3 diff --git a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh index 390241fa1d..c4a21b927f 100644 --- a/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh +++ b/kubernetes/portal/components/portal-mariadb/resources/config/mariadb/docker-entrypoint.sh @@ -107,7 +107,7 @@ docker_temp_server_start() { if [ -z "$DATABASE_ALREADY_EXISTS" ]; then extraArgs+=( '--dont-use-mysql-root-password' ) fi - if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then + if echo 'SELECT 1' |docker_process_sql "${extraArgs[@]}" --database=mysql >/dev/null 2>&1; then break fi sleep 1 @@ -263,19 +263,19 @@ docker_setup_db() { # Creates a custom database and user if specified if [ -n "$MYSQL_DATABASE" ]; then mysql_note "Creating database ${MYSQL_DATABASE}" - docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" + echo "CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;" |docker_process_sql --database=mysql fi if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then mysql_note "Creating user ${MYSQL_USER}" - docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" + echo "CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;" |docker_process_sql --database=mysql if [ -n "$MYSQL_DATABASE" ]; then mysql_note "Giving user ${MYSQL_USER} access to schema ${MYSQL_DATABASE}" - docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;" + echo "GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;" |docker_process_sql --database=mysql fi - docker_process_sql --database=mysql <<<"FLUSH PRIVILEGES ;" + echo "FLUSH PRIVILEGES ;" |docker_process_sql --database=mysql fi } diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml index 5c530fea72..af53fd6708 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml @@ -93,7 +93,7 @@ spec: memory: 20Mi {{- end }} - name: volume-permissions - image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }} + image: {{ include "repositoryGenerator.image.busybox" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} command: - sh |