summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--docs/release-notes.rst45
-rw-r--r--kubernetes/common/cassandra/templates/statefulset.yaml11
-rw-r--r--kubernetes/common/cassandra/values.yaml15
-rwxr-xr-xkubernetes/common/cert-wrapper/resources/import-custom-certs.sh8
-rw-r--r--kubernetes/common/certInitializer/resources/ingress/onboard.sh35
-rw-r--r--kubernetes/common/certInitializer/resources/retrieval/retrieval_check.sh (renamed from kubernetes/common/certInitializer/resources/retrieval_check.sh)3
-rw-r--r--kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh32
-rw-r--r--kubernetes/common/certInitializer/templates/_certInitializer.yaml26
-rw-r--r--kubernetes/common/certInitializer/templates/configmap.yaml15
-rw-r--r--kubernetes/common/certInitializer/templates/job.yaml44
-rw-r--r--kubernetes/common/certInitializer/values.yaml11
-rw-r--r--kubernetes/common/music/values.yaml3
-rw-r--r--kubernetes/msb/components/msb-eag/values.yaml33
-rw-r--r--kubernetes/msb/components/msb-iag/values.yaml33
-rwxr-xr-xkubernetes/policy/components/policy-apex-pdp/values.yaml3
-rwxr-xr-xkubernetes/policy/components/policy-api/values.yaml4
-rwxr-xr-xkubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh2
-rw-r--r--kubernetes/policy/components/policy-clamp-be/values.yaml9
-rw-r--r--kubernetes/policy/components/policy-clamp-fe/values.yaml2
-rwxr-xr-xkubernetes/policy/components/policy-distribution/values.yaml3
-rwxr-xr-xkubernetes/policy/components/policy-drools-pdp/values.yaml3
-rwxr-xr-xkubernetes/policy/components/policy-pap/values.yaml4
-rwxr-xr-xkubernetes/policy/components/policy-xacml-pdp/values.yaml4
-rw-r--r--kubernetes/portal/components/portal-app/values.yaml7
-rw-r--r--kubernetes/portal/components/portal-sdk/values.yaml7
25 files changed, 269 insertions, 93 deletions
diff --git a/docs/release-notes.rst b/docs/release-notes.rst
index d8e529a347..ae0ea457f5 100644
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -42,7 +42,7 @@ Release Data
| **Release designation** | Honolulu |
| | |
+--------------------------------------+--------------------------------------+
-| **Release date** | 2020/12/03 |
+| **Release date** | 2021/04/29 |
| | |
+--------------------------------------+--------------------------------------+
@@ -52,18 +52,53 @@ New features
* Kubernetes support for version up to 1.20
* Helm support for version up to 3.5
* Limits are set for most of the components
+* Portal-Cassandra image updated to Bitnami, supporting IPv4/IPv6 Dual Stack
+* CMPv2 external issuer implemented which extends Cert-Manager with ability to
+ enroll X.509 certificates from CMPv2 servers
+* New version for mariadb galera using Bitnami image, supporting IPv4/IPv6 Dual
+ Stack
+* Bump version of common PostgreSQL and ElasticSearch
+* Move to automatic certificates retrieval for 80% of the components
+* Consistent retrieval of docker images, with ability to configure proxy for
+ the 4 repositories used by ONAP
**Bug fixes**
A list of issues resolved in this release can be found here:
-https://jira.onap.org/projects/OOM/versions/10826
+https://jira.onap.org/projects/OOM/versions/11073
-**Known Issues**
+major issues solved:
-- `<https://github.com/bitnami/bitnami-docker-mariadb-galera/issues/35>`_
- bitnami mariadb galera image doesn't support single quote in password.
+* Better handling of persistence on PostgreSQL
+* Better Ingress templating
+* Better Service templating
+**Known Issues**
+- `OOM-2554 <https://jira.onap.org/browse/OOM-2554>`_ Common pods have java 8
+- `OOM-2435 <https://jira.onap.org/browse/OOM-2435>`_ SDNC karaf shell:
+ log:list: Error executing command: Unrecognized configuration
+- `OOM-2629 <https://jira.onap.org/browse/OOM-2629>`_ NetBox demo entry setup
+ not complete
+- `OOM-2706 <https://jira.onap.org/browse/OOM-2706>`_ CDS Blueprint Processor
+ does not work with local DB
+- `OOM-2713 <https://jira.onap.org/browse/OOM-2713>`_ Problem on onboarding
+ custom cert to SDNC ONAP during deployment
+- `OOM-2698 <https://jira.onap.org/browse/OOM-2698>`_ SO helm override fails in
+ for value with multi-level replacement
+- `OOM-2697 <https://jira.onap.org/browse/OOM-2697>`_ SO with local MariaDB
+ deployment fails
+- `OOM-2538 <https://jira.onap.org/browse/OOM-2538>`_ strange error with
+ CertInitializer template
+- `OOM-2547 <https://jira.onap.org/browse/OOM-2547>`_ Health Check failures
+ seen after bringing down/up control plane & worker node VM instances on which
+ ONAP hosted
+- `OOM-2699 <https://jira.onap.org/browse/OOM-2699>`_ SO so-mariadb
+ readinessCheck fails for local MariaDB instance
+- `OOM-2705 <https://jira.onap.org/browse/OOM-2705>`_ SDNC DB installation fails
+ on local MariaDB instance
+- `OOM-2603 <https://jira.onap.org/browse/OOM-2603>`_ [SDNC] allign password for
+ scaleoutUser/restconfUser/odlUser
Deliverables
------------
diff --git a/kubernetes/common/cassandra/templates/statefulset.yaml b/kubernetes/common/cassandra/templates/statefulset.yaml
index 953c89d24d..3553cd4069 100644
--- a/kubernetes/common/cassandra/templates/statefulset.yaml
+++ b/kubernetes/common/cassandra/templates/statefulset.yaml
@@ -71,6 +71,17 @@ spec:
timeoutSeconds: {{ .Values.readiness.timeoutSeconds }}
successThreshold: {{ .Values.readiness.successThreshold }}
failureThreshold: {{ .Values.readiness.failureThreshold }}
+ startupProbe:
+ exec:
+ command:
+ - /bin/bash
+ - -c
+ - nodetool status | grep $POD_IP | awk '$1!="UN" { exit 1; }'
+ initialDelaySeconds: {{ .Values.startup.initialDelaySeconds }}
+ periodSeconds: {{ .Values.startup.periodSeconds }}
+ timeoutSeconds: {{ .Values.startup.timeoutSeconds }}
+ successThreshold: {{ .Values.startup.successThreshold }}
+ failureThreshold: {{ .Values.startup.failureThreshold }}
env:
{{- $seed_size := default 1 .Values.replicaCount | int -}}
{{- $global := . }}
diff --git a/kubernetes/common/cassandra/values.yaml b/kubernetes/common/cassandra/values.yaml
index c3d22cedc0..5a50d8e9e8 100644
--- a/kubernetes/common/cassandra/values.yaml
+++ b/kubernetes/common/cassandra/values.yaml
@@ -54,8 +54,8 @@ affinity: {}
# probe configuration parameters
liveness:
- initialDelaySeconds: 60
- periodSeconds: 20
+ initialDelaySeconds: 1
+ periodSeconds: 10
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
@@ -64,12 +64,19 @@ liveness:
enabled: true
readiness:
- initialDelaySeconds: 120
- periodSeconds: 20
+ initialDelaySeconds: 1
+ periodSeconds: 10
timeoutSeconds: 10
successThreshold: 1
failureThreshold: 3
+startup:
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 10
+ successThreshold: 1
+ failureThreshold: 90
+
service:
name: cassandra
headless:
diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh
index d955ecdf3c..ec1ce944c9 100755
--- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh
+++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh
@@ -17,6 +17,7 @@
*/}}
CERTS_DIR=${CERTS_DIR:-/certs}
+MORE_CERTS_DIR=${MORE_CERTS_DIR:-/more_certs}
WORK_DIR=${WORK_DIR:-/updatedTruststore}
ONAP_TRUSTSTORE=${ONAP_TRUSTSTORE:-truststoreONAPall.jks}
JRE_TRUSTSTORE=${JRE_TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts}
@@ -47,6 +48,13 @@ for f in $CERTS_DIR/*; do
fi
done
+for f in $MORE_CERTS_DIR/*; do
+ if [ ${f: -4} == ".pem" ]
+ then
+ cp $f $WORK_DIR/.
+ fi
+done
+
# Prepare truststore output file
if [ "$AAF_ENABLED" = "true" ]
then
diff --git a/kubernetes/common/certInitializer/resources/ingress/onboard.sh b/kubernetes/common/certInitializer/resources/ingress/onboard.sh
new file mode 100644
index 0000000000..9cc5ec580e
--- /dev/null
+++ b/kubernetes/common/certInitializer/resources/ingress/onboard.sh
@@ -0,0 +1,35 @@
+#!/bin/sh
+
+{{/*
+# Copyright © 2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/ -}}
+
+echo "*** retrieving certificates and keys"
+export CRT=$(cat {{ .Values.credsPath }}/certs/tls.crt | base64 -w 0)
+export KEY=$(cat {{ .Values.credsPath }}/certs/tls.key | base64 -w 0)
+export CACERT=$(cat {{ .Values.credsPath }}/certs/cacert.pem | base64 -w 0)
+echo "*** creating tls secret"
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ tpl .Values.ingressTlsSecret . }}
+ namespace: {{ include "common.namespace" . }}
+data:
+ ca.crt: "${CACERT}"
+ tls.crt: "${CRT}"
+ tls.key: '${KEY}'
+type: kubernetes.io/tls
+EOF
diff --git a/kubernetes/common/certInitializer/resources/retrieval_check.sh b/kubernetes/common/certInitializer/resources/retrieval/retrieval_check.sh
index 25e47693de..76f384502f 100644
--- a/kubernetes/common/certInitializer/resources/retrieval_check.sh
+++ b/kubernetes/common/certInitializer/resources/retrieval/retrieval_check.sh
@@ -14,7 +14,8 @@
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-*/}}
+*/ -}}
+
echo "*** retrieving passwords for certificates"
export $(/opt/app/aaf_config/bin/agent.sh local showpass \
{{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0)
diff --git a/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh b/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh
new file mode 100644
index 0000000000..f201eadd0a
--- /dev/null
+++ b/kubernetes/common/certInitializer/resources/retrieval/tls_certs_configure.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+{{/*
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/ -}}
+
+echo "--- Cert transformation for use with Ingress"
+echo "*** transform AAF certs into pem files"
+mkdir -p {{ .Values.credsPath }}/certs
+keytool -exportcert -rfc -file {{ .Values.credsPath }}/certs/cacert.pem \
+ -keystore {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.trust.jks \
+ -alias ca_local_0 \
+ -storepass $cadi_truststore_password
+openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -out {{ .Values.credsPath }}/certs/tls.crt -nokeys \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key \
+ {{ .Values.credsPath }}/certs/tls.key
+echo "--- Done"
diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml
index 414192e2bc..f3ba8a24e0 100644
--- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml
+++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2020 Bell Canada, Samsung Electronics
+# Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -58,6 +59,11 @@
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
mountPath: /opt/app/aaf_config/bin/retrieval_check.sh
subPath: retrieval_check.sh
+{{- if hasKey $initRoot "ingressTlsSecret" }}
+ - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
+ mountPath: /opt/app/aaf_config/bin/tls_certs_configure.sh
+ subPath: tls_certs_configure.sh
+{{- end }}
{{- if $initRoot.aaf_add_config }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh
@@ -69,6 +75,9 @@
- |
/opt/app/aaf_config/bin/agent.sh
. /opt/app/aaf_config/bin/retrieval_check.sh
+{{- if hasKey $initRoot "ingressTlsSecret" }}
+ /opt/app/aaf_config/bin/tls_certs_configure.sh
+{{- end -}}
{{- if $initRoot.aaf_add_config }}
/opt/app/aaf_config/bin/aaf-add-config.sh
{{- end }}
@@ -137,6 +146,8 @@
volumeMounts:
- mountPath: /certs
name: aaf-agent-certs
+ - mountPath: /more_certs
+ name: provided-custom-certs
- mountPath: /root/import-custom-certs.sh
name: aaf-agent-certs
subPath: import-custom-certs.sh
@@ -177,6 +188,21 @@
configMap:
name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }}
defaultMode: 0700
+{{- if $dot.Values.global.importCustomCertsEnabled }}
+- name: provided-custom-certs
+{{- if $dot.Values.global.customCertsSecret }}
+ secret:
+ secretName: {{ $dot.Values.global.customCertsSecret }}
+{{- else }}
+{{- if $dot.Values.global.customCertsConfigMap }}
+ configMap:
+ name: {{ $dot.Values.global.customCertsConfigMap }}
+{{- else }}
+ emptyDir:
+ medium: Memory
+{{- end }}
+{{- end }}
+{{- end }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
configMap:
name: {{ include "common.fullname" $subchartDot }}-add-config
diff --git a/kubernetes/common/certInitializer/templates/configmap.yaml b/kubernetes/common/certInitializer/templates/configmap.yaml
index 1e9254abef..abd1575774 100644
--- a/kubernetes/common/certInitializer/templates/configmap.yaml
+++ b/kubernetes/common/certInitializer/templates/configmap.yaml
@@ -1,5 +1,6 @@
{{/*
# Copyright © 2020 Samsung Electronics
+# Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -19,8 +20,20 @@ kind: ConfigMap
{{- $suffix := "add-config" }}
metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
data:
-{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}
+{{ tpl (.Files.Glob "resources/retrieval/retrieval_check.sh").AsConfig . | indent 2 }}
+{{- if hasKey .Values "ingressTlsSecret" }}
+{{ tpl (.Files.Glob "resources/retrieval/tls_certs_configure.sh").AsConfig . | indent 2 }}
+{{- end }}
{{ if .Values.aaf_add_config }}
aaf-add-config.sh: |
{{ tpl .Values.aaf_add_config . | indent 4 | trim }}
{{- end }}
+{{- if hasKey .Values "ingressTlsSecret" }}
+---
+apiVersion: v1
+kind: ConfigMap
+{{- $suffix := "ingress" }}
+metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
+data:
+{{ tpl (.Files.Glob "resources/ingress/onboard.sh").AsConfig . | indent 2 }}
+{{- end }}
diff --git a/kubernetes/common/certInitializer/templates/job.yaml b/kubernetes/common/certInitializer/templates/job.yaml
new file mode 100644
index 0000000000..331a58c310
--- /dev/null
+++ b/kubernetes/common/certInitializer/templates/job.yaml
@@ -0,0 +1,44 @@
+{{/*
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- if hasKey .Values "ingressTlsSecret" }}
+apiVersion: batch/v1
+kind: Job
+{{- $suffix := "set-tls-secret" }}
+metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
+spec:
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ initContainers: {{ include "common.certInitializer.initContainer" (dict "dot" . "initRoot" .Values) | nindent 6 }}
+ containers:
+ - name: create tls secret
+ command:
+ - /ingress/onboard.sh
+ image: {{ include "repositoryGenerator.image.kubectl" . }}
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ volumeMounts: {{ include "common.certInitializer.volumeMount" (dict "dot" . "initRoot" .Values) | nindent 8 }}
+ - name: ingress-scripts
+ mountPath: /ingress
+ volumes: {{ include "common.certInitializer.volumes" (dict "dot" . "initRoot" .Values) | nindent 6 }}
+ - name: localtime
+ hostPath:
+ path: /etc/localtime
+ - name: ingress-scripts
+ configMap:
+ name: {{ include "common.fullname" . }}-ingress
+ defaultMode: 0777
+{{- end}}
diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml
index 52b2765329..747c94f4d1 100644
--- a/kubernetes/common/certInitializer/values.yaml
+++ b/kubernetes/common/certInitializer/values.yaml
@@ -15,6 +15,15 @@
global:
aafAgentImage: onap/aaf/aaf_agent:2.1.20
aafEnabled: true
+ # Give the name of a config map where certInitializer will onboard all certs
+ # given (certs must be in pem format)
+ customCertsConfigMap:
+ # Give the name of a secret where certInitializer will onboard all certs given
+ # (certs must be in pem format)
+ # this one superseedes previous one (so if both are given, only certs from
+ # secret will be onboarded).
+ customCertsSecret:
+
pullPolicy: Always
@@ -37,7 +46,6 @@ readinessCheck:
- aaf-cm
- aaf-service
-aafDeployFqi: "changeme"
fqdn: ""
app_ns: "org.osaaf.aaf"
fqi: ""
@@ -55,6 +63,7 @@ truststoreMountpath: ""
truststoreOutputFileName: truststore.jks
truststorePassword: changeit
envVarToCheck: cadi_keystore_password_p12
+# ingressTlsSecret:
# This introduces implicit dependency on cert-wrapper
# if you are using cert initializer cert-wrapper has to be also deployed.
diff --git a/kubernetes/common/music/values.yaml b/kubernetes/common/music/values.yaml
index 25cab910a9..f578949196 100644
--- a/kubernetes/common/music/values.yaml
+++ b/kubernetes/common/music/values.yaml
@@ -164,5 +164,4 @@ certInitializer:
credsPath: /opt/app/osaaf/local
appMountPath: /opt/app/aafcertman
aaf_add_config: >
- cd {{ .Values.credsPath }};
- /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} | grep cadi_keystore_password_jks= | cut -d= -f 2 > {{ .Values.credsPath }}/.pass 2>&1;
+ echo "$cadi_keystore_password_jks" > {{ .Values.credsPath }}/.pass;
diff --git a/kubernetes/msb/components/msb-eag/values.yaml b/kubernetes/msb/components/msb-eag/values.yaml
index ff158b592c..3629eb43ec 100644
--- a/kubernetes/msb/components/msb-eag/values.yaml
+++ b/kubernetes/msb/components/msb-eag/values.yaml
@@ -35,27 +35,18 @@ certInitializer:
app_ns: org.osaaf.aaf
credsPath: /opt/app/osaaf/local
aaf_add_config: |
- echo "*** retrieving passwords for certificates"
- export $(/opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c')
- if [ -z "$cadi_keystore_password_p12" ]
- then
- echo " /!\ certificates retrieval failed"
- exit 1
- else
- mkdir -p {{ .Values.credsPath }}/certs
- echo "*** retrieve certificate from pkcs12"
- openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
- -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
- -passin pass:$cadi_keystore_password_p12 \
- -passout pass:$cadi_keystore_password_p12
- echo "*** copy key to relevant place"
- cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
- echo "*** change ownership and read/write attributes"
- chown -R 1000 {{ .Values.credsPath }}/certs
- chmod 600 {{ .Values.credsPath }}/certs/cert.crt
- chmod 600 {{ .Values.credsPath }}/certs/cert.key
- fi
+ mkdir -p {{ .Values.credsPath }}/certs
+ echo "*** retrieve certificate from pkcs12"
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** copy key to relevant place"
+ cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
+ echo "*** change ownership and read/write attributes"
+ chown -R 1000 {{ .Values.credsPath }}/certs
+ chmod 600 {{ .Values.credsPath }}/certs/cert.crt
+ chmod 600 {{ .Values.credsPath }}/certs/cert.key
#################################################################
# Application configuration defaults.
diff --git a/kubernetes/msb/components/msb-iag/values.yaml b/kubernetes/msb/components/msb-iag/values.yaml
index 51e78e1de3..b95a11914d 100644
--- a/kubernetes/msb/components/msb-iag/values.yaml
+++ b/kubernetes/msb/components/msb-iag/values.yaml
@@ -35,27 +35,18 @@ certInitializer:
app_ns: org.osaaf.aaf
credsPath: /opt/app/osaaf/local
aaf_add_config: |
- echo "*** retrieving passwords for certificates"
- export $(/opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c')
- if [ -z "$cadi_keystore_password_p12" ]
- then
- echo " /!\ certificates retrieval failed"
- exit 1
- else
- mkdir -p {{ .Values.credsPath }}/certs
- echo "*** retrieve certificate from pkcs12"
- openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
- -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
- -passin pass:$cadi_keystore_password_p12 \
- -passout pass:$cadi_keystore_password_p12
- echo "*** copy key to relevant place"
- cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
- echo "*** change ownership and read/write attributes"
- chown -R 1000 {{ .Values.credsPath }}/certs
- chmod 600 {{ .Values.credsPath }}/certs/cert.crt
- chmod 600 {{ .Values.credsPath }}/certs/cert.key
- fi
+ mkdir -p {{ .Values.credsPath }}/certs
+ echo "*** retrieve certificate from pkcs12"
+ openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+ -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
+ -passin pass:$cadi_keystore_password_p12 \
+ -passout pass:$cadi_keystore_password_p12
+ echo "*** copy key to relevant place"
+ cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
+ echo "*** change ownership and read/write attributes"
+ chown -R 1000 {{ .Values.credsPath }}/certs
+ chmod 600 {{ .Values.credsPath }}/certs/cert.crt
+ chmod 600 {{ .Values.credsPath }}/certs/cert.key
#################################################################
# Application configuration defaults.
diff --git a/kubernetes/policy/components/policy-apex-pdp/values.yaml b/kubernetes/policy/components/policy-apex-pdp/values.yaml
index 22edcff601..aa1daf703f 100755
--- a/kubernetes/policy/components/policy-apex-pdp/values.yaml
+++ b/kubernetes/policy/components/policy-apex-pdp/values.yaml
@@ -80,9 +80,6 @@ certInitializer:
uid: 101
gid: 102
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWORD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
diff --git a/kubernetes/policy/components/policy-api/values.yaml b/kubernetes/policy/components/policy-api/values.yaml
index 0b2ea9f20c..da983e5b5b 100755
--- a/kubernetes/policy/components/policy-api/values.yaml
+++ b/kubernetes/policy/components/policy-api/values.yaml
@@ -69,9 +69,6 @@ certInitializer:
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
@@ -146,4 +143,3 @@ resources:
cpu: 200m
memory: 2Gi
unlimited: {}
-
diff --git a/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh b/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh
index 329479fad2..ad9984c26c 100755
--- a/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh
+++ b/kubernetes/policy/components/policy-clamp-be/resources/config/create-db-tables.sh
@@ -16,4 +16,4 @@
# limitations under the License.
*/}}
-mysql -h"${MYSQL_HOST}" -P"${MYSQL_PORT}" -u"${MYSQL_USER}" -p"${MYSQL_PASSWORD}" policyclamp < /dbcmd-config/policy-clamp-create-tables.sql
+mysql -h"${MYSQL_HOST}" -P"${MYSQL_PORT}" -u"${MYSQL_USER}" -p"${MYSQL_PASSWORD}" -f policyclamp < /dbcmd-config/policy-clamp-create-tables.sql
diff --git a/kubernetes/policy/components/policy-clamp-be/values.yaml b/kubernetes/policy/components/policy-clamp-be/values.yaml
index 50ec8fafea..ef0ea7ae4e 100644
--- a/kubernetes/policy/components/policy-clamp-be/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-be/values.yaml
@@ -44,11 +44,10 @@ certInitializer:
app_ns: org.osaaf.aaf
credsPath: /opt/app/osaaf/local
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop;
- grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_truststore_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_truststore_password.pwd;
- grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_key_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_key_password.pwd;
- grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_keystore_password=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_keystore_password.pwd;
- grep '^cadi' {{ .Values.credsPath }}/mycreds.prop | awk -v FS="cadi_keystore_password_p12=" 'NF>1{print $2}' > {{ .Values.credsPath }}/cadi_keystore_password_p12.pwd;
+ echo "$cadi_truststore_password" > {{ .Values.credsPath }}/cadi_truststore_password.pwd;
+ echo "$cadi_key_password" > {{ .Values.credsPath }}/cadi_key_password.pwd;
+ echo "$cadi_keystore_password" > {{ .Values.credsPath }}/cadi_keystore_password.pwd;
+ echo "$cadi_keystore_password_p12" > {{ .Values.credsPath }}/cadi_keystore_password_p12.pwd;
cd {{ .Values.credsPath }};
chmod a+rx *;
diff --git a/kubernetes/policy/components/policy-clamp-fe/values.yaml b/kubernetes/policy/components/policy-clamp-fe/values.yaml
index c2f4d157c8..c824965955 100644
--- a/kubernetes/policy/components/policy-clamp-fe/values.yaml
+++ b/kubernetes/policy/components/policy-clamp-fe/values.yaml
@@ -48,8 +48,6 @@ certInitializer:
app_ns: org.osaaf.aaf
credsPath: /opt/app/osaaf/local
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass | grep '^c' | xargs -0);
cd {{ .Values.credsPath }};
openssl pkcs12 -in {{ .Values.keystoreFile }} -nocerts -nodes -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_key }};
openssl pkcs12 -in {{ .Values.keystoreFile }} -clcerts -nokeys -passin pass:$cadi_keystore_password_p12 > {{ .Values.clamp_pem }};
diff --git a/kubernetes/policy/components/policy-distribution/values.yaml b/kubernetes/policy/components/policy-distribution/values.yaml
index 09805bd496..6788613ceb 100755
--- a/kubernetes/policy/components/policy-distribution/values.yaml
+++ b/kubernetes/policy/components/policy-distribution/values.yaml
@@ -105,9 +105,6 @@ certInitializer:
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
diff --git a/kubernetes/policy/components/policy-drools-pdp/values.yaml b/kubernetes/policy/components/policy-drools-pdp/values.yaml
index 658fa65a31..4eb37c6106 100755
--- a/kubernetes/policy/components/policy-drools-pdp/values.yaml
+++ b/kubernetes/policy/components/policy-drools-pdp/values.yaml
@@ -89,9 +89,6 @@ certInitializer:
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" >> {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
echo "export CADI_KEYFILE='{{ .Values.credsPath }}/org.onap.policy.keyfile'" >> {{ .Values.credsPath }}/.ci;
diff --git a/kubernetes/policy/components/policy-pap/values.yaml b/kubernetes/policy/components/policy-pap/values.yaml
index ec177d82c1..18e0e3e171 100755
--- a/kubernetes/policy/components/policy-pap/values.yaml
+++ b/kubernetes/policy/components/policy-pap/values.yaml
@@ -83,9 +83,6 @@ certInitializer:
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
@@ -172,4 +169,3 @@ resources:
cpu: 200m
memory: 2Gi
unlimited: {}
-
diff --git a/kubernetes/policy/components/policy-xacml-pdp/values.yaml b/kubernetes/policy/components/policy-xacml-pdp/values.yaml
index 76b0f3a42a..64c00e9bed 100755
--- a/kubernetes/policy/components/policy-xacml-pdp/values.yaml
+++ b/kubernetes/policy/components/policy-xacml-pdp/values.yaml
@@ -74,9 +74,6 @@ certInitializer:
uid: 100
gid: 101
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- export $(/opt/app/aaf_config/bin/agent.sh local showpass
- {{ .Values.fqi }} {{ .Values.fqdn }} | grep "^cadi_keystore_password_p12");
echo "export KEYSTORE='{{ .Values.credsPath }}/org.onap.policy.p12'" > {{ .Values.credsPath }}/.ci;
echo "export KEYSTORE_PASSWD='${cadi_keystore_password_p12}'" >> {{ .Values.credsPath }}/.ci;
chown -R {{ .Values.uid }}:{{ .Values.gid }} $(dirname {{ .Values.credsPath }});
@@ -155,4 +152,3 @@ resources:
cpu: 200m
memory: 2Gi
unlimited: {}
-
diff --git a/kubernetes/portal/components/portal-app/values.yaml b/kubernetes/portal/components/portal-app/values.yaml
index 0a818102c6..b46876ced9 100644
--- a/kubernetes/portal/components/portal-app/values.yaml
+++ b/kubernetes/portal/components/portal-app/values.yaml
@@ -77,10 +77,9 @@ certInitializer:
permission_group: 999
keystoreFile: "org.onap.portal.p12"
truststoreFile: "org.onap.portal.trust.jks"
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- /opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop
# default number of instances
replicaCount: 1
diff --git a/kubernetes/portal/components/portal-sdk/values.yaml b/kubernetes/portal/components/portal-sdk/values.yaml
index 11ce5a6e42..7631c3a482 100644
--- a/kubernetes/portal/components/portal-sdk/values.yaml
+++ b/kubernetes/portal/components/portal-sdk/values.yaml
@@ -78,10 +78,9 @@ certInitializer:
permission_group: 999
keystoreFile: "org.onap.portal.p12"
truststoreFile: "org.onap.portal.trust.jks"
- aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- /opt/app/aaf_config/bin/agent.sh local showpass \
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ aaf_add_config: |
+ echo "cadi_truststore_password=$cadi_truststore_password" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" >> {{ .Values.credsPath }}/mycreds.prop
# flag to enable debugging - application support required
debugEnabled: false