diff options
49 files changed, 99 insertions, 323 deletions
diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml index 83d00a7545..e3f88b1c37 100644 --- a/kubernetes/appc/values.yaml +++ b/kubernetes/appc/values.yaml @@ -143,7 +143,8 @@ dgbuilder: dbServiceName: *appc-db service: name: appc-dgbuilder - + serviceAccount: + nameOverride: appc-dgbuilder ingress: enabled: false service: diff --git a/kubernetes/common/cmpv2Certificate/Chart.yaml b/kubernetes/common/cmpv2Certificate/Chart.yaml deleted file mode 100644 index 6641ec6954..0000000000 --- a/kubernetes/common/cmpv2Certificate/Chart.yaml +++ /dev/null @@ -1,18 +0,0 @@ -# Copyright © 2021 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: v1 -description: Template used to add cmpv2 certificates to components -name: cmpv2Certificate -version: 8.0.0 diff --git a/kubernetes/common/cmpv2Certificate/requirements.yaml b/kubernetes/common/cmpv2Certificate/requirements.yaml deleted file mode 100644 index b10896d2ce..0000000000 --- a/kubernetes/common/cmpv2Certificate/requirements.yaml +++ /dev/null @@ -1,24 +0,0 @@ -# Copyright © 2021 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -dependencies: - - name: common - version: ~8.x-0 - repository: 'file://../common' - - name: repositoryGenerator - version: ~8.x-0 - repository: 'file://../repositoryGenerator' - - name: cmpv2Config - version: ~8.x-0 - repository: 'file://../cmpv2Config' diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl deleted file mode 100644 index f80b06b4d3..0000000000 --- a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl +++ /dev/null @@ -1,189 +0,0 @@ -{{/* -# Copyright © 2021 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} - -{{/* -In order to use certServiceClient it is needed do define certificates array in target component values.yaml. Each -certificate will be requested from separate init container - -Minimum example of array in target component values.yaml: -certificates: - - mountPath: /var/custom-certs - commonName: common-name - -Full example (other fields are ignored): -certificates: - - mountPath: /var/custom-certs - caName: RA - keystore: - outputType: - - jks - commonName: common-name - dnsNames: - - dns-name-1 - - dns-name-2 - ipAddresses: - - 192.168.0.1 - - 192.168.0.2 - emailAddresses: - - email-1@onap.org - - email-2@onap.org - uris: - - http://uri-1.onap.org - - http://uri-2.onap.org - subject: - organization: Linux-Foundation - country: US - locality: San Francisco - province: California - organizationalUnit: ONAP - -There also need to be some includes used in a target component deployment (indent values may need to be adjusted): - 1. In initContainers section: - {{ include "common.certServiceClient.initContainer" . | indent 6 }} - 2. In volumeMounts section of container using certificates: - {{ include "common.certServiceClient.volumeMounts" . | indent 10 }} - 3. In volumes section: - {{ include "common.certServiceClient.volumes" . | indent 8 }} - -*/}} - -{{- define "common.certServiceClient.initContainer" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} -{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} -{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} -{{- range $index, $certificate := $dot.Values.certificates -}} -{{/*# General certifiacate attributes #*/}} -{{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}} -{{/*# SAN's #*/}} -{{- $dnsNames := default (list) $certificate.dnsNames -}} -{{- $ipAddresses := default (list) $certificate.ipAddresses -}} -{{- $uris := default (list) $certificate.uris -}} -{{- $emailAddresses := default (list) $certificate.emailAddresses -}} -{{- $sansList := concat $dnsNames $ipAddresses $uris $emailAddresses -}} -{{- $sans := join "," $sansList }} -{{/*# Subject #*/}} -{{- $organization := $subchartGlobal.certificate.default.subject.organization -}} -{{- $country := $subchartGlobal.certificate.default.subject.country -}} -{{- $locality := $subchartGlobal.certificate.default.subject.locality -}} -{{- $province := $subchartGlobal.certificate.default.subject.province -}} -{{- $orgUnit := $subchartGlobal.certificate.default.subject.organizationalUnit -}} -{{- if $certificate.subject -}} -{{- $organization := $certificate.subject.organization -}} -{{- $country := $certificate.subject.country -}} -{{- $locality := $certificate.subject.locality -}} -{{- $province := $certificate.subject.province -}} -{{- $orgUnit := $certificate.subject.organizationalUnit -}} -{{- end -}} -{{- $caName := default $subchartGlobal.platform.certServiceClient.envVariables.caName $certificate.caName -}} -{{- $outputType := $subchartGlobal.platform.certServiceClient.envVariables.outputType -}} -{{- if $certificate.keystore -}} -{{- $outputTypeList := (required "'outputType' in 'keystore' section is required." $certificate.keystore.outputType) -}} -{{- $outputType = mustFirst ($outputTypeList) | upper -}} -{{- end -}} -{{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}} -{{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}} -{{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}} -{{- $certificatesSecret:= $subchartGlobal.platform.certServiceClient.clientSecretName -}} -{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath -}} -{{- $keystorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.keystoreKeyRef ) -}} -{{- $keystorePasswordSecret := $subchartGlobal.platform.certificates.keystorePasswordSecretName -}} -{{- $keystorePasswordSecretKey := $subchartGlobal.platform.certificates.keystorePasswordSecretKey -}} -{{- $truststorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.truststoreKeyRef ) -}} -{{- $truststorePasswordSecret := $subchartGlobal.platform.certificates.truststorePasswordSecretName -}} -{{- $truststorePasswordSecretKey := $subchartGlobal.platform.certificates.truststorePasswordSecretKey -}} -- name: certs-init-{{ $index }} - image: {{ include "repositoryGenerator.image.certserviceclient" $dot }} - imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} - env: - - name: REQUEST_URL - value: {{ $requestUrl | quote }} - - name: REQUEST_TIMEOUT - value: {{ $requestTimeout | quote }} - - name: OUTPUT_PATH - value: {{ $certPath | quote }} - - name: OUTPUT_TYPE - value: {{ $outputType | quote }} - - name: CA_NAME - value: {{ $caName | quote }} - - name: COMMON_NAME - value: {{ $commonName | quote }} - - name: SANS - value: {{ $sans | quote }} - - name: ORGANIZATION - value: {{ $organization | quote }} - - name: ORGANIZATION_UNIT - value: {{ $orgUnit | quote }} - - name: LOCATION - value: {{ $locality | quote }} - - name: STATE - value: {{ $province | quote }} - - name: COUNTRY - value: {{ $country | quote }} - - name: KEYSTORE_PATH - value: {{ $keystorePath | quote }} - - name: KEYSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ $keystorePasswordSecret | quote}} - key: {{ $keystorePasswordSecretKey | quote}} - - name: TRUSTSTORE_PATH - value: {{ $truststorePath | quote }} - - name: TRUSTSTORE_PASSWORD - valueFrom: - secretKeyRef: - name: {{ $truststorePasswordSecret | quote}} - key: {{ $truststorePasswordSecretKey | quote}} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: {{ $certPath }} - name: cmpv2-certs-volume-{{ $index }} - - mountPath: {{ $certificatesSecretMountPath }} - name: certservice-tls-volume -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "common.certServiceClient.volumes" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} -{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} -{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} -{{- $certificatesSecretName := $subchartGlobal.platform.certificates.clientSecretName -}} -- name: certservice-tls-volume - secret: - secretName: {{ $certificatesSecretName }} -{{ range $index, $certificate := $dot.Values.certificates -}} -- name: cmpv2-certs-volume-{{ $index }} - emptyDir: - medium: Memory -{{- end -}} -{{- end -}} -{{- end -}} - -{{- define "common.certServiceClient.volumeMounts" -}} -{{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} -{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} -{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} -{{- range $index, $certificate := $dot.Values.certificates -}} -{{- $mountPath := $certificate.mountPath -}} -- mountPath: {{ $mountPath }} - name: cmpv2-certs-volume-{{ $index }} -{{ end -}} -{{- end -}} -{{- end -}} diff --git a/kubernetes/common/cmpv2Certificate/values.yaml b/kubernetes/common/cmpv2Certificate/values.yaml deleted file mode 100644 index 504947525d..0000000000 --- a/kubernetes/common/cmpv2Certificate/values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -# Copyright © 2021 Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index 695e40616c..02595b348d 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml @@ -15,7 +15,6 @@ global: # Enabling CMPv2 cmpv2Enabled: true - CMPv2CertManagerIntegration: false certificate: default: @@ -35,17 +34,6 @@ global: keystorePasswordSecretKey: password truststorePasswordSecretName: oom-cert-service-truststore-password truststorePasswordSecretKey: password - certServiceClient: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 - certificatesSecretMountPath: /etc/onap/oom/certservice/certs/ - envVariables: - certPath: "/var/custom-certs" - # Certificate related - caName: "RA" - # Client configuration related - requestURL: "https://oom-cert-service:8443/v1/certificate/" - requestTimeout: "30000" - outputType: "P12" certPostProcessor: image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 diff --git a/kubernetes/common/dgbuilder/requirements.yaml b/kubernetes/common/dgbuilder/requirements.yaml index 0157b7063e..1bbab11af4 100644 --- a/kubernetes/common/dgbuilder/requirements.yaml +++ b/kubernetes/common/dgbuilder/requirements.yaml @@ -22,3 +22,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: 'file://../repositoryGenerator' + - name: serviceAccount + version: ~8.x-0 + repository: 'file://../serviceAccount' diff --git a/kubernetes/common/dgbuilder/templates/deployment.yaml b/kubernetes/common/dgbuilder/templates/deployment.yaml index ad3e4cf128..6538ad0836 100644 --- a/kubernetes/common/dgbuilder/templates/deployment.yaml +++ b/kubernetes/common/dgbuilder/templates/deployment.yaml @@ -128,6 +128,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: localtime diff --git a/kubernetes/common/dgbuilder/values.yaml b/kubernetes/common/dgbuilder/values.yaml index ae1d85795d..0f91bbd882 100644 --- a/kubernetes/common/dgbuilder/values.yaml +++ b/kubernetes/common/dgbuilder/values.yaml @@ -186,3 +186,8 @@ resources: memory: 4Gi unlimited: {} +#Pods Service Account +serviceAccount: + nameOverride: dgbuilder + roles: + - read diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index 91f21ab0c9..87dd5c29e9 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl @@ -83,10 +83,6 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "curlImage") .) }} {{- end -}} -{{- define "repositoryGenerator.image.certserviceclient" -}} - {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }} -{{- end -}} - {{- define "repositoryGenerator.image.dcaepolicysync" -}} {{- include "repositoryGenerator.image._helper" (merge (dict "image" "dcaePolicySyncImage") .) }} {{- end -}} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index 8a68f6dd9c..bf21e2da08 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml @@ -23,7 +23,6 @@ global: # common global images busyboxImage: busybox:1.32 curlImage: curlimages/curl:7.69.1 - certServiceClientImage: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 envsubstImage: dibi/envsubst:1 # there's only latest image for htpasswd htpasswdImage: xmartlabs/htpasswd:latest @@ -56,7 +55,6 @@ global: imageRepoMapping: busyboxImage: dockerHubRepository curlImage: dockerHubRepository - certServiceClientImage: repository envsubstImage: dockerHubRepository htpasswdImage: dockerHubRepository jreImage: repository diff --git a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl index 310d9ae662..328a4c625f 100644 --- a/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl +++ b/kubernetes/dcaegen2-services/common/dcaegen2-services-common/templates/_deployment.tpl @@ -495,7 +495,7 @@ spec: */}} {{- define "dcaegen2-services-common.shouldUseCmpv2Certificates" -}} {{- $certDir := default "" .Values.certDirectory . -}} - {{- if (and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration .Values.useCmpv2Certificates) -}} + {{- if (and $certDir .Values.certificates .Values.global.cmpv2Enabled .Values.useCmpv2Certificates) -}} true {{- end -}} {{- end -}} diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml index 223789a75f..64e4ba9b43 100644 --- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml @@ -68,7 +68,6 @@ secrets: # It is used only when: # - certDirectory is set # - global cmpv2Enabled flag is set to true -# - global CertManagerIntegration flag is set to true # - flag useCmpv2Certificates is set to true # Disabled by default useCmpv2Certificates: false diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml index 9e08ea1a69..982d770595 100644 --- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml +++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml @@ -61,7 +61,6 @@ tlsServer: true # It is used only when: # - certDirectory is set # - global cmpv2Enabled flag is set to true -# - global CertManagerIntegration flag is set to true # - flag useCmpv2Certificates is set to true # Disabled by default useCmpv2Certificates: false diff --git a/kubernetes/dcaegen2-services/templates/configmap.yaml b/kubernetes/dcaegen2-services/templates/configmap.yaml index 32451cdee7..92662a251e 100644 --- a/kubernetes/dcaegen2-services/templates/configmap.yaml +++ b/kubernetes/dcaegen2-services/templates/configmap.yaml @@ -40,4 +40,4 @@ metadata: name: {{ include "common.release" . }}-dcae-external-repo-configmap-sa91-rel16 namespace: {{ include "common.namespace" . }} data: -{{ (.Files.Glob "resources/external/schema/sa91-rel16/*").AsConfig | indent 2 }}
\ No newline at end of file +{{ (.Files.Glob "resources/external/schemas/sa91-rel16/*").AsConfig | indent 2 }}
\ No newline at end of file diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json b/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json index 3c769fca5f..fb1a40edfd 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json @@ -41,9 +41,6 @@ "ca_cert_configmap": "{{ include "common.fullname" . }}-dcae-cacert" }, "external_cert": { - "image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certServiceClient.image }}", - "request_url": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.requestURL }}", - "timeout": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.requestTimeout }}", "country": "{{ .Values.cmpv2Config.global.certificate.default.subject.country }}", "organization": "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}", "state": "{{ .Values.cmpv2Config.global.certificate.default.subject.province }}", @@ -61,7 +58,7 @@ "image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certPostProcessor.image }}" }, "cmpv2_issuer": { - "enabled": "{{ .Values.global.CMPv2CertManagerIntegration }}", + "enabled": "true", "name": "{{ .Values.cmpv2issuer.name }}" } } diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml index fcc8f6d4b0..313ac9b34d 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml @@ -28,8 +28,6 @@ global: repositoryCred: user: docker password: docker - # Enabling CMPv2 with CertManager - CMPv2CertManagerIntegration: false cmpv2issuer: name: cmpv2-issuer-onap diff --git a/kubernetes/onap/resources/overrides/onap-all.yaml b/kubernetes/onap/resources/overrides/onap-all.yaml index d6c447240d..521cf2ff8b 100644 --- a/kubernetes/onap/resources/overrides/onap-all.yaml +++ b/kubernetes/onap/resources/overrides/onap-all.yaml @@ -20,7 +20,6 @@ global: addTestingComponents: &testing true centralizedLoggingEnabled: ¢ralizedLogging false - CMPv2CertManagerIntegration: false cassandra: enabled: true mariadb-galera: diff --git a/kubernetes/onap/resources/overrides/oom-cert-service-environment.yaml b/kubernetes/onap/resources/overrides/oom-cert-service-environment.yaml index 643d3065c1..7b3603c041 100644 --- a/kubernetes/onap/resources/overrides/oom-cert-service-environment.yaml +++ b/kubernetes/onap/resources/overrides/oom-cert-service-environment.yaml @@ -1,5 +1,5 @@ # Copyright © 2020 Nordix Foundation -# Modifications Copyright © 2020 Nokia +# Modifications Copyright © 2020-2021 Nokia # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -35,15 +35,17 @@ ################################################################# global: cmpv2Enabled: true - CMPv2CertManagerIntegration: true - platform: - certServiceClient: - envVariables: - # Certificate related - cmpv2Organization: "Linux-Foundation" - cmpv2OrganizationalUnit: "ONAP" - cmpv2Location: "San-Francisco" - cmpv2State: "California" - cmpv2Country: "US" - # Client configuration related - caName: "RA" + certificate: + default: + renewBefore: 720h #30 days + duration: 8760h #365 days + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + issuer: + group: certmanager.onap.org + kind: CMPv2Issuer + name: cmpv2-issuer-onap diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index d91284a6c3..0e2b13b473 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -194,7 +194,6 @@ global: # Enabling CMPv2 cmpv2Enabled: true - CMPv2CertManagerIntegration: false platform: certificates: clientSecretName: oom-cert-service-client-tls-secret @@ -204,17 +203,6 @@ global: keystorePasswordSecretKey: password truststorePasswordSecretName: oom-cert-service-certificates-password truststorePasswordSecretKey: password - certServiceClient: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 - certificatesSecretMountPath: /etc/onap/oom/certservice/certs/ - envVariables: - certPath: "/var/custom-certs" - # Certificate related - caName: "RA" - # Client configuration related - requestURL: "https://oom-cert-service:8443/v1/certificate/" - requestTimeout: "30000" - outputType: "P12" # Indicates offline deployment build # Set to true if you are rendering helm charts for offline deployment diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml index 9ba61a5f57..ae4ae81f02 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml @@ -1,4 +1,4 @@ -{{ if .Values.global.CMPv2CertManagerIntegration }} +{{ if .Values.global.cmpv2Enabled }} # ============LICENSE_START======================================================= # Copyright (c) 2020 Nokia diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml index 3a993734e4..8bcbc1f7d0 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml @@ -1,4 +1,4 @@ -{{ if .Values.global.CMPv2CertManagerIntegration }} +{{ if .Values.global.cmpv2Enabled }} # ============LICENSE_START======================================================= # Copyright (c) 2020 Nokia diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml index add5622f41..f976a80268 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml @@ -1,4 +1,4 @@ -{{ if .Values.global.CMPv2CertManagerIntegration }} +{{ if .Values.global.cmpv2Enabled }} # ============LICENSE_START======================================================= # Copyright (c) 2020 Nokia diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml index 152bd68ba6..bc689cc68f 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml @@ -1,4 +1,4 @@ -{{ if .Values.global.CMPv2CertManagerIntegration }} +{{ if .Values.global.cmpv2Enabled }} # ============LICENSE_START======================================================= # Copyright (c) 2020 Nokia diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index fd34b1ef28..55c4d0beac 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -21,7 +21,6 @@ global: busyboxRepository: registry.hub.docker.com busyboxImage: library/busybox:latest repository: "nexus3.onap.org:10001" - CMPv2CertManagerIntegration: false namespace: onap diff --git a/kubernetes/platform/values.yaml b/kubernetes/platform/values.yaml index d21fb791e2..a30dabbcc2 100644 --- a/kubernetes/platform/values.yaml +++ b/kubernetes/platform/values.yaml @@ -28,11 +28,6 @@ global: cmpv2Enabled: true addTestingComponents: false - certService: - certServiceClient: - secret: - name: oom-cert-service-client-tls-secret - ################################################################# # Application configuration defaults. ################################################################# diff --git a/kubernetes/sdc/components/sdc-be/requirements.yaml b/kubernetes/sdc/components/sdc-be/requirements.yaml index b36d051041..b684a0e11f 100644 --- a/kubernetes/sdc/components/sdc-be/requirements.yaml +++ b/kubernetes/sdc/components/sdc-be/requirements.yaml @@ -24,3 +24,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/sdc/components/sdc-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-be/templates/deployment.yaml index 346534ce57..d731a56c5c 100644 --- a/kubernetes/sdc/components/sdc-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-be/templates/deployment.yaml @@ -197,6 +197,7 @@ spec: requests: cpu: 3m memory: 20Mi + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - name: {{ include "common.fullname" . }}-localtime hostPath: diff --git a/kubernetes/sdc/components/sdc-be/values.yaml b/kubernetes/sdc/components/sdc-be/values.yaml index 3e5c58b0bc..070583bfc2 100644 --- a/kubernetes/sdc/components/sdc-be/values.yaml +++ b/kubernetes/sdc/components/sdc-be/values.yaml @@ -161,3 +161,9 @@ resources: cpu: 200m memory: 2Gi unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: sdc-be + roles: + - read diff --git a/kubernetes/sdc/components/sdc-cs/requirements.yaml b/kubernetes/sdc/components/sdc-cs/requirements.yaml index 8febe6fac4..7d9ea04952 100644 --- a/kubernetes/sdc/components/sdc-cs/requirements.yaml +++ b/kubernetes/sdc/components/sdc-cs/requirements.yaml @@ -24,3 +24,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/sdc/components/sdc-cs/templates/job.yaml b/kubernetes/sdc/components/sdc-cs/templates/job.yaml index bb218bbfae..fb849b9f25 100644 --- a/kubernetes/sdc/components/sdc-cs/templates/job.yaml +++ b/kubernetes/sdc/components/sdc-cs/templates/job.yaml @@ -96,6 +96,7 @@ spec: requests: cpu: 200m memory: 300Mi + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: {{ include "common.fullname" . }}-environments configMap: diff --git a/kubernetes/sdc/components/sdc-cs/values.yaml b/kubernetes/sdc/components/sdc-cs/values.yaml index 2308f95fb2..fed4769202 100644 --- a/kubernetes/sdc/components/sdc-cs/values.yaml +++ b/kubernetes/sdc/components/sdc-cs/values.yaml @@ -103,3 +103,9 @@ persistence: ingress: enabled: false + +#Pods Service Account +serviceAccount: + nameOverride: sdc-cs + roles: + - read diff --git a/kubernetes/sdc/components/sdc-fe/requirements.yaml b/kubernetes/sdc/components/sdc-fe/requirements.yaml index b36d051041..b684a0e11f 100644 --- a/kubernetes/sdc/components/sdc-fe/requirements.yaml +++ b/kubernetes/sdc/components/sdc-fe/requirements.yaml @@ -24,3 +24,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml b/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml index 407d61c904..dcb17d0ba2 100644 --- a/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-fe/templates/deployment.yaml @@ -189,6 +189,7 @@ spec: requests: cpu: 3m memory: 20Mi + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: {{ include "common.fullname" . }}-localtime hostPath: diff --git a/kubernetes/sdc/components/sdc-fe/values.yaml b/kubernetes/sdc/components/sdc-fe/values.yaml index 82afc4d3db..e9b2eee8db 100644 --- a/kubernetes/sdc/components/sdc-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-fe/values.yaml @@ -143,3 +143,9 @@ resources: cpu: 80m memory: 2Gi unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: sdc-fe + roles: + - read diff --git a/kubernetes/sdc/components/sdc-onboarding-be/requirements.yaml b/kubernetes/sdc/components/sdc-onboarding-be/requirements.yaml index b36d051041..b684a0e11f 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/requirements.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/requirements.yaml @@ -24,3 +24,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml index 257f8b79a5..2bd53ff91b 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/templates/deployment.yaml @@ -213,6 +213,7 @@ spec: requests: cpu: 3m memory: 20Mi + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }} - name: {{ include "common.fullname" . }}-localtime hostPath: diff --git a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml index f09958e811..aa7d535db3 100644 --- a/kubernetes/sdc/components/sdc-onboarding-be/values.yaml +++ b/kubernetes/sdc/components/sdc-onboarding-be/values.yaml @@ -175,3 +175,9 @@ resources: cpu: 80m memory: 2Gi unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: sdc-onboarding-be + roles: + - read diff --git a/kubernetes/sdc/components/sdc-wfd-be/requirements.yaml b/kubernetes/sdc/components/sdc-wfd-be/requirements.yaml index b36d051041..b684a0e11f 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/requirements.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/requirements.yaml @@ -24,3 +24,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml index de75092f8a..343bda8ff9 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/templates/deployment.yaml @@ -144,6 +144,7 @@ spec: value: "{{ .Values.config.serverSSLTrustStoreType }}" volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} resources: {{ include "common.resources" . | nindent 12 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/sdc/components/sdc-wfd-be/values.yaml b/kubernetes/sdc/components/sdc-wfd-be/values.yaml index d4414f1986..8b61567114 100644 --- a/kubernetes/sdc/components/sdc-wfd-be/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-be/values.yaml @@ -160,3 +160,9 @@ resources: cpu: 80m memory: 2Gi unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: sdc-wfd-be + roles: + - read diff --git a/kubernetes/sdc/components/sdc-wfd-fe/requirements.yaml b/kubernetes/sdc/components/sdc-wfd-fe/requirements.yaml index b36d051041..b684a0e11f 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/requirements.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/requirements.yaml @@ -24,3 +24,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml b/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml index b8073d723d..d221c07612 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/templates/deployment.yaml @@ -178,6 +178,7 @@ spec: requests: cpu: 3m memory: 20Mi + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: {{ include "common.fullname" . }}-localtime hostPath: diff --git a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml index 3cc9b9542f..d8ee5c8285 100644 --- a/kubernetes/sdc/components/sdc-wfd-fe/values.yaml +++ b/kubernetes/sdc/components/sdc-wfd-fe/values.yaml @@ -139,3 +139,9 @@ resources: cpu: 80m memory: 2Gi unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: sdc-wfd-fe + roles: + - read diff --git a/kubernetes/sdnc/requirements.yaml b/kubernetes/sdnc/requirements.yaml index 0c82f9581d..ac0e6ed868 100644 --- a/kubernetes/sdnc/requirements.yaml +++ b/kubernetes/sdnc/requirements.yaml @@ -21,9 +21,6 @@ dependencies: - name: certInitializer version: ~8.x-0 repository: '@local' - - name: cmpv2Certificate - version: ~8.x-0 - repository: '@local' - name: certManagerCertificate version: ~8.x-0 repository: '@local' diff --git a/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties b/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties index 57a16bd488..303e504aa9 100644 --- a/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties +++ b/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties @@ -23,7 +23,6 @@ topic=unauthenticated.SEC_FAULT_OUTPUT contenttype=application/json group=myG id=C1 -timeout=50000 limit=10000 [pnfRegistration] @@ -41,5 +40,4 @@ topic=unauthenticated.VES_PNFREG_OUTPUT contenttype=application/json group=myG id=C1 -timeout=50000 limit=10000 diff --git a/kubernetes/sdnc/templates/certificates.yaml b/kubernetes/sdnc/templates/certificates.yaml index c4eca61e35..acf9012099 100644 --- a/kubernetes/sdnc/templates/certificates.yaml +++ b/kubernetes/sdnc/templates/certificates.yaml @@ -14,6 +14,6 @@ # limitations under the License. */}} -{{ if and .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} +{{ if .Values.global.cmpv2Enabled }} {{ include "certManagerCertificate.certificate" . }} {{ end }} diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml index 8a7259ba0d..f0ee8a9456 100644 --- a/kubernetes/sdnc/templates/statefulset.yaml +++ b/kubernetes/sdnc/templates/statefulset.yaml @@ -155,7 +155,6 @@ spec: name: {{ include "common.name" . }}-readiness {{ end -}} {{ include "common.certInitializer.initContainer" . | indent 6 }} -{{ include "common.certServiceClient.initContainer" . | indent 6 }} - name: {{ include "common.name" . }}-chown image: {{ include "repositoryGenerator.image.busybox" . }} command: @@ -178,7 +177,7 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - {{- if and .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} + {{- if .Values.global.cmpv2Enabled }} {{- $linkCommand := include "common.certManager.linkVolumeMounts" . }} lifecycle: postStart: @@ -312,8 +311,7 @@ spec: value: "{{ .Values.config.sdnr.netconfCallHome.enabled | default "false" }}" volumeMounts: {{ include "common.certInitializer.volumeMount" . | indent 10 }} -{{ include "common.certServiceClient.volumeMounts" . | indent 10 }} -{{- if and .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} +{{- if .Values.global.cmpv2Enabled }} {{ include "common.certManager.volumeMounts" . | indent 10 }} {{- end }} - mountPath: /etc/localtime @@ -437,8 +435,7 @@ spec: emptyDir: {} {{ else }} {{ include "common.certInitializer.volumes" . | nindent 8 }} -{{ include "common.certServiceClient.volumes" . | nindent 8 }} -{{- if and .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} +{{- if .Values.global.cmpv2Enabled }} {{ include "common.certManager.volumes" . | nindent 8 }} {{- end }} volumeClaimTemplates: diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index b22b6758d2..6ab96adde7 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -30,8 +30,6 @@ global: service: mariadb-galera internalPort: 3306 nameOverride: mariadb-galera - # Enabling CMPv2 with CertManager - CMPv2CertManagerIntegration: false ################################################################# # Secrets metaconfig @@ -461,6 +459,8 @@ dgbuilder: dbServiceName: mariadb-galera # This should be revisited and changed to plain text dgUserPassword: cc03e747a6afbbcbf8be7668acfebee5 + serviceAccount: + nameOverride: sdnc-dgbuilder mariadb-galera: service: name: sdnc-dgbuilder |