diff options
Diffstat (limited to 'kubernetes/common')
| -rw-r--r-- | kubernetes/common/certManagerCertificate/Chart.yaml | 18 | ||||
| -rw-r--r-- | kubernetes/common/certManagerCertificate/requirements.yaml | 18 | ||||
| -rw-r--r-- | kubernetes/common/certManagerCertificate/templates/_certificate.tpl | 219 | ||||
| -rw-r--r-- | kubernetes/common/certManagerCertificate/values.yaml | 29 | ||||
| -rw-r--r-- | kubernetes/common/common/templates/_certificate.tpl | 192 | ||||
| -rw-r--r-- | kubernetes/common/common/templates/_ingress.tpl | 20 | ||||
| -rw-r--r-- | kubernetes/common/etcd/templates/statefulset.yaml | 4 | ||||
| -rw-r--r-- | kubernetes/common/music/requirements.yaml | 3 | ||||
| -rwxr-xr-x | kubernetes/common/music/resources/config/music-sb.properties | 2 | ||||
| -rw-r--r-- | kubernetes/common/music/resources/keys/org.onap.music.jks | bin | 3635 -> 0 bytes | |||
| -rw-r--r-- | kubernetes/common/music/resources/keys/truststoreONAPall.jks | bin | 117990 -> 0 bytes | |||
| -rw-r--r-- | kubernetes/common/music/templates/deployment.yaml | 16 | ||||
| -rw-r--r-- | kubernetes/common/music/values.yaml | 32 |
13 files changed, 329 insertions, 224 deletions
diff --git a/kubernetes/common/certManagerCertificate/Chart.yaml b/kubernetes/common/certManagerCertificate/Chart.yaml new file mode 100644 index 0000000000..305d25251d --- /dev/null +++ b/kubernetes/common/certManagerCertificate/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +name: certManagerCertificate +description: A Helm chart for Cert-Manager Certificate CRD template +version: 7.0.0 diff --git a/kubernetes/common/certManagerCertificate/requirements.yaml b/kubernetes/common/certManagerCertificate/requirements.yaml new file mode 100644 index 0000000000..6bcaed05a8 --- /dev/null +++ b/kubernetes/common/certManagerCertificate/requirements.yaml @@ -0,0 +1,18 @@ +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: common + version: ~7.x-0 + repository: 'file://../common' diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl new file mode 100644 index 0000000000..4e43f621de --- /dev/null +++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl @@ -0,0 +1,219 @@ +{{/*# +# Copyright © 2020-2021, Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.*/}} + +{{/* +# This is a template for requesting a certificate from the cert-manager (https://cert-manager.io). +# +# To request a certificate following steps are to be done: +# - create an object 'certificates' in the values.yaml +# - create a file templates/certificates.yaml and invoke the function "certManagerCertificate.certificate". +# +# Here is an example of the certificate request for a component: +# +# Directory structure: +# component +# templates +# certifictes.yaml +# values.yaml +# +# To be added in the file certificates.yamll +# +# To be added in the file values.yaml +# 1. Minimal version (certificates only in PEM format) +# certificates: +# - commonName: component.onap.org +# +# 2. Extended version (with defined own issuer and additional certificate format): +# certificates: +# - name: onap-component-certificate +# secretName: onap-component-certificate +# commonName: component.onap.org +# dnsNames: +# - component.onap.org +# issuer: +# group: certmanager.onap.org +# kind: CMPv2Issuer +# name: cmpv2-issuer-for-the-component +# keystore: +# outputType: +# - p12 +# - jks +# passwordSecretRef: +# name: secret-name +# key: secret-key +# +# Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined. +# Other mandatory fields for the certificate definition do not have to be defined directly, +# in that case they will be taken from default values. +# +# Default values are defined in file onap/values.yaml (see-> global.certificate.default) +# and can be overriden during onap installation process. +# +*/}} + +{{- define "certManagerCertificate.certificate" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} + +{{- $certificates := $dot.Values.certificates -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global }} + +{{ range $i, $certificate := $certificates }} +{{/*# General certifiacate attributes #*/}} +{{- $name := include "common.fullname" $dot -}} +{{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}} +{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +{{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}} +{{- $renewBefore := default $subchartGlobal.certificate.default.renewBefore $certificate.renewBefore -}} +{{- $duration := default $subchartGlobal.certificate.default.duration $certificate.duration -}} +{{- $namespace := $dot.Release.Namespace -}} +{{/*# SAN's #*/}} +{{- $dnsNames := $certificate.dnsNames -}} +{{- $ipAddresses := $certificate.ipAddresses -}} +{{- $uris := $certificate.uris -}} +{{- $emailAddresses := $certificate.emailAddresses -}} +{{/*# Subject #*/}} +{{- $subject := $subchartGlobal.certificate.default.subject -}} +{{- if $certificate.subject -}} +{{- $subject = $certificate.subject -}} +{{- end -}} +{{/*# Issuer #*/}} +{{- $issuer := $subchartGlobal.certificate.default.issuer -}} +{{- if $certificate.issuer -}} +{{- $issuer = $certificate.issuer -}} +{{- end -}} +--- +{{- if $certificate.keystore }} + {{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}} + {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $passwordSecretRef.name }} + namespace: {{ $namespace }} +type: Opaque +stringData: + {{ $passwordSecretRef.key }}: {{ $password }} +{{- end }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ $certName }} + namespace: {{ $namespace }} +spec: + secretName: {{ $secretName }} + commonName: {{ $commonName }} + renewBefore: {{ $renewBefore }} + {{- if $duration }} + duration: {{ $duration }} + {{- end }} + subject: + organizations: + - {{ $subject.organization }} + countries: + - {{ $subject.country }} + localities: + - {{ $subject.locality }} + provinces: + - {{ $subject.province }} + organizationalUnits: + - {{ $subject.organizationalUnit }} + {{- if $dnsNames }} + dnsNames: + {{- range $dnsName := $dnsNames }} + - {{ $dnsName }} + {{- end }} + {{- end }} + {{- if $ipAddresses }} + ipAddresses: + {{- range $ipAddress := $ipAddresses }} + - {{ $ipAddress }} + {{- end }} + {{- end }} + {{- if $uris }} + uris: + {{- range $uri := $uris }} + - {{ $uri }} + {{- end }} + {{- end }} + {{- if $emailAddresses }} + emailAddresses: + {{- range $emailAddress := $emailAddresses }} + - {{ $emailAddress }} + {{- end }} + {{- end }} + issuerRef: + group: {{ $issuer.group }} + kind: {{ $issuer.kind }} + name: {{ $issuer.name }} + {{- if $certificate.keystore }} + keystores: + {{- range $outputType := $certificate.keystore.outputType }} + {{- if eq $outputType "p12" }} + {{- $outputType = "pkcs12" }} + {{- end }} + {{ $outputType }}: + create: true + passwordSecretRef: + name: {{ $certificate.keystore.passwordSecretRef.name }} + key: {{ $certificate.keystore.passwordSecretRef.key }} + {{- end }} + {{- end }} +{{ end }} +{{- end -}} + +{{- define "common.certManager.volumeMounts" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} + {{- range $i, $certificate := $dot.Values.certificates -}} + {{- $mountPath := $certificate.mountPath -}} +- mountPath: {{ $mountPath }} + name: certmanager-certs-volume-{{ $i }} + {{- end -}} +{{- end -}} + +{{- define "common.certManager.volumes" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} +{{- $certificates := $dot.Values.certificates -}} + {{- range $i, $certificate := $certificates -}} + {{- $name := include "common.fullname" $dot -}} + {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +- name: certmanager-certs-volume-{{ $i }} + projected: + sources: + - secret: + name: {{ $certificatesSecretName }} + {{- if $certificate.keystore }} + items: + {{- range $outputType := $certificate.keystore.outputType }} + - key: keystore.{{ $outputType }} + path: keystore.{{ $outputType }} + - key: truststore.{{ $outputType }} + path: truststore.{{ $outputType }} + {{- end }} + - secret: + name: {{ $certificate.keystore.passwordSecretRef.name }} + items: + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: keystore.pass + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: truststore.pass + {{- end }} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/certManagerCertificate/values.yaml b/kubernetes/common/certManagerCertificate/values.yaml new file mode 100644 index 0000000000..d60cdf6cbe --- /dev/null +++ b/kubernetes/common/certManagerCertificate/values.yaml @@ -0,0 +1,29 @@ +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +global: +# default values for certificates + certificate: + default: + renewBefore: 720h #30 days + duration: 8760h #365 days + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + issuer: + group: certmanager.onap.org + kind: CMPv2Issuer + name: cmpv2-issuer-onap diff --git a/kubernetes/common/common/templates/_certificate.tpl b/kubernetes/common/common/templates/_certificate.tpl deleted file mode 100644 index d3313b2bc1..0000000000 --- a/kubernetes/common/common/templates/_certificate.tpl +++ /dev/null @@ -1,192 +0,0 @@ -{{/*# -# Copyright © 2020, Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License.*/}} - -{{/* -# This is a template for requesting a certificate from the cert-manager (https://cert-manager.io). -# -# To request a certificate following steps are to be done: -# - create an object 'certificates' in the values.yaml -# - create a file templates/certificates.yaml and invoke the function "commom.certificate". -# -# Here is an example of the certificate request for a component: -# -# Directory structure: -# component -# templates -# certifictes.yaml -# values.yaml -# -# To be added in the file certificates.yamll -# -# To be added in the file values.yaml -# 1. Minimal version (certificates only in PEM format) -# certificates: -# - commonName: component.onap.org -# -# 2. Extended version (with defined own issuer and additional certificate format): -# certificates: -# - name: onap-component-certificate -# secretName: onap-component-certificate -# commonName: component.onap.org -# dnsNames: -# - component.onap.org -# issuer: -# group: certmanager.onap.org -# kind: CMPv2Issuer -# name: cmpv2-issuer-for-the-component -# p12Keystore: -# create: true -# passwordSecretRef: -# name: secret-name -# key: secret-key -# jksKeystore: -# create: true -# passwordSecretRef: -# name: secret-name -# key: secret-key -# -# Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined. -# Other mandatory fields for the certificate definition do not have to be defined directly, -# in that case they will be taken from default values. -# -# Default values are defined in file onap/values.yaml (see-> global.certificate.default) -# and can be overriden during onap installation process. -# -*/}} - -{{- define "common.certificate" -}} -{{- $dot := default . .dot -}} -{{- $certificates := $dot.Values.certificates -}} - -{{ range $i, $certificate := $certificates }} -{{/*# General certifiacate attributes #*/}} -{{- $name := include "common.fullname" $dot -}} -{{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}} -{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} -{{- $commonName := default $dot.Values.global.certificate.default.commonName $certificate.commonName -}} -{{- $renewBefore := default $dot.Values.global.certificate.default.renewBefore $certificate.renewBefore -}} -{{- $duration := $certificate.duration -}} -{{- $namespace := default $dot.Release.Namespace $dot.Values.global.certificate.default.namespace -}} -{{- if $certificate.namespace -}} -{{- $namespace = default $namespace $certificate.namespace -}} -{{- end -}} -{{/*# SAN's #*/}} -{{- $dnsNames := default $dot.Values.global.certificate.default.dnsNames $certificate.dnsNames -}} -{{- $ipAddresses := default $dot.Values.global.certificate.default.ipAddresses $certificate.ipAddresses -}} -{{- $uris := default $dot.Values.global.certificate.default.uris $certificate.uris -}} -{{- $emailAddresses := default $dot.Values.global.certificate.default.emailAddresses $certificate.emailAddresses -}} -{{/*# Subject #*/}} -{{- $subject := $dot.Values.global.certificate.default.subject -}} -{{- if $certificate.subject -}} -{{- $subject = mergeOverwrite $subject $certificate.subject -}} -{{- end -}} -{{/*# Issuer #*/}} -{{- $issuer := $dot.Values.global.certificate.default.issuer -}} -{{- if $certificate.issuer -}} -{{- $issuer = mergeOverwrite $issuer $certificate.issuer -}} -{{- end -}} -{{/*# Keystores #*/}} -{{- $createJksKeystore := $dot.Values.global.certificate.default.jksKeystore.create -}} -{{- $jksKeystorePasswordSecretName := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.name -}} -{{- $jksKeystorePasswordSecreKey := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.key -}} -{{- $createP12Keystore := $dot.Values.global.certificate.default.p12Keystore.create -}} -{{- $p12KeystorePasswordSecretName := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.name -}} -{{- $p12KeystorePasswordSecreKey := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.key -}} -{{- if $certificate.jksKeystore -}} -{{- $createJksKeystore = default $createJksKeystore $certificate.jksKeystore.create -}} -{{- if $certificate.jksKeystore.passwordSecretRef -}} -{{- $jksKeystorePasswordSecretName = default $jksKeystorePasswordSecretName $certificate.jksKeystore.passwordSecretRef.name -}} -{{- $jksKeystorePasswordSecreKey = default $jksKeystorePasswordSecreKey $certificate.jksKeystore.passwordSecretRef.key -}} -{{- end -}} -{{- end -}} -{{- if $certificate.p12Keystore -}} -{{- $createP12Keystore = default $createP12Keystore $certificate.p12Keystore.create -}} -{{- if $certificate.p12Keystore.passwordSecretRef -}} -{{- $p12KeystorePasswordSecretName = default $p12KeystorePasswordSecretName $certificate.p12Keystore.passwordSecretRef.name -}} -{{- $p12KeystorePasswordSecreKey = default $p12KeystorePasswordSecreKey $certificate.p12Keystore.passwordSecretRef.key -}} -{{- end -}} -{{- end -}} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ $certName }} - namespace: {{ $namespace }} -spec: - secretName: {{ $secretName }} - commonName: {{ $commonName }} - renewBefore: {{ $renewBefore }} - {{- if $duration }} - duration: {{ $duration }} - {{- end }} - subject: - organizations: - - {{ $subject.organization }} - countries: - - {{ $subject.country }} - localities: - - {{ $subject.locality }} - provinces: - - {{ $subject.province }} - organizationalUnits: - - {{ $subject.organizationalUnit }} - {{- if $dnsNames }} - dnsNames: - {{- range $dnsName := $dnsNames }} - - {{ $dnsName }} - {{- end }} - {{- end }} - {{- if $ipAddresses }} - ipAddresses: - {{- range $ipAddress := $ipAddresses }} - - {{ $ipAddress }} - {{- end }} - {{- end }} - {{- if $uris }} - uris: - {{- range $uri := $uris }} - - {{ $uri }} - {{- end }} - {{- end }} - {{- if $emailAddresses }} - emailAddresses: - {{- range $emailAddress := $emailAddresses }} - - {{ $emailAddress }} - {{- end }} - {{- end }} - issuerRef: - group: {{ $issuer.group }} - kind: {{ $issuer.kind }} - name: {{ $issuer.name }} - {{- if or $createJksKeystore $createP12Keystore }} - keystores: - {{- if $createJksKeystore }} - jks: - create: {{ $createJksKeystore }} - passwordSecretRef: - name: {{ $jksKeystorePasswordSecretName }} - key: {{ $jksKeystorePasswordSecreKey }} - {{- end }} - {{- if $createP12Keystore }} - pkcs12: - create: {{ $createP12Keystore }} - passwordSecretRef: - name: {{ $p12KeystorePasswordSecretName }} - key: {{ $p12KeystorePasswordSecreKey }} - {{- end }} - {{- end }} -{{ end }} - -{{- end -}} diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl index 18f9bb1ba5..7fee67a7a4 100644 --- a/kubernetes/common/common/templates/_ingress.tpl +++ b/kubernetes/common/common/templates/_ingress.tpl @@ -1,9 +1,15 @@ -{{- define "ingress.config.port" -}} +{{- define "ingress.config.host" -}} {{- $dot := default . .dot -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} {{- $burl := (required "'baseurl' param, set to the generic part of the fqdn, is required." $dot.Values.global.ingress.virtualhost.baseurl) -}} +{{ printf "%s.%s" $baseaddr $burl }} +{{- end -}} + +{{- define "ingress.config.port" -}} +{{- $dot := default . .dot -}} {{ range .Values.ingress.service }} {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} - - host: {{ printf "%s.%s" $baseaddr $burl }} + - host: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} http: paths: - backend: @@ -83,12 +89,12 @@ spec: {{- end -}} {{- if .Values.ingress.config -}} {{- if .Values.ingress.config.tls -}} -{{- $dot := default . .dot -}} +{{- $dot := default . .dot }} tls: - - hosts: - {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} - - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} - {{- end }} + - hosts: + {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + {{- end }} secretName: {{ required "secret" (tpl (default "" .Values.ingress.config.tls.secret) $dot) }} {{- end -}} {{- end -}} diff --git a/kubernetes/common/etcd/templates/statefulset.yaml b/kubernetes/common/etcd/templates/statefulset.yaml index f5592bd252..e39b8c4ca2 100644 --- a/kubernetes/common/etcd/templates/statefulset.yaml +++ b/kubernetes/common/etcd/templates/statefulset.yaml @@ -133,6 +133,10 @@ spec: # we should wait for other pods to be up before trying to join # otherwise we got "no such host" errors when trying to resolve other members for i in $(seq 0 $((${INITIAL_CLUSTER_SIZE} - 1))); do + if [ "${SET_NAME}-${i}" == "${HOSTNAME}" ]; then + echo "Skipping self-checking" + continue + fi while true; do echo "Waiting for ${SET_NAME}-${i}.${SERVICE_NAME} to come up" ping -W 1 -c 1 ${SET_NAME}-${i}.${SERVICE_NAME} > /dev/null && break diff --git a/kubernetes/common/music/requirements.yaml b/kubernetes/common/music/requirements.yaml index a9566c1811..0a3c9315ab 100644 --- a/kubernetes/common/music/requirements.yaml +++ b/kubernetes/common/music/requirements.yaml @@ -22,3 +22,6 @@ dependencies: - name: repositoryGenerator version: ~7.x-0 repository: 'file://../repositoryGenerator' + - name: certInitializer + version: ~7.x-0 + repository: 'file://../certInitializer'
\ No newline at end of file diff --git a/kubernetes/common/music/resources/config/music-sb.properties b/kubernetes/common/music/resources/config/music-sb.properties index 751a351737..7a13f10d8e 100755 --- a/kubernetes/common/music/resources/config/music-sb.properties +++ b/kubernetes/common/music/resources/config/music-sb.properties @@ -6,7 +6,7 @@ server.tomcat.max-threads=100 #logging.file=/opt/app/music/logs/MUSIC/music-app.log #logging.config=file:/opt/app/music/etc/logback.xml security.require-ssl=true -server.ssl.key-store=/opt/app/aafcertman/org.onap.music.jks +server.ssl.key-store=/opt/app/aafcertman/local/org.onap.music.jks server.ssl.key-store-password=${KEYSTORE_PASSWORD} server.ssl.key-store-provider=SUN server.ssl.key-store-type=JKS diff --git a/kubernetes/common/music/resources/keys/org.onap.music.jks b/kubernetes/common/music/resources/keys/org.onap.music.jks Binary files differdeleted file mode 100644 index 35d27c3ef7..0000000000 --- a/kubernetes/common/music/resources/keys/org.onap.music.jks +++ /dev/null diff --git a/kubernetes/common/music/resources/keys/truststoreONAPall.jks b/kubernetes/common/music/resources/keys/truststoreONAPall.jks Binary files differdeleted file mode 100644 index ff844b109d..0000000000 --- a/kubernetes/common/music/resources/keys/truststoreONAPall.jks +++ /dev/null diff --git a/kubernetes/common/music/templates/deployment.yaml b/kubernetes/common/music/templates/deployment.yaml index cf0ce8f899..1e5d3c5377 100644 --- a/kubernetes/common/music/templates/deployment.yaml +++ b/kubernetes/common/music/templates/deployment.yaml @@ -38,19 +38,18 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + {{ include "common.certInitializer.initContainer" . | indent 8 | trim }} - command: - sh args: - -c - - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + - "export KEYSTORE_PASSWORD=$(cat /opt/app/aafcertman/local/.pass); cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" env: - - name: KEYSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "music-keystore-pw" "key" "password") | indent 12}} - name: CASSA_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cassa-secret" "key" "login") | indent 12 }} - name: CASSA_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cassa-secret" "key" "password") | indent 12 }} - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - mountPath: /config-input name: properties-music-scrubbed - mountPath: /config @@ -87,7 +86,7 @@ spec: value: "{{ .Values.javaOpts }}" - name: DEBUG value: "{{ .Values.debug }}" - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - name: localtime mountPath: /etc/localtime readOnly: true @@ -100,9 +99,7 @@ spec: - name: properties-music-scrubbed mountPath: /opt/app/music/etc/logback.xml subPath: logback.xml - - name: certs-aaf - mountPath: /opt/app/aafcertman/ - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: shared-data emptyDir: {} - name: certificate-vol @@ -116,6 +113,3 @@ spec: - name: properties-music emptyDir: medium: Memory - - name: certs-aaf - secret: - secretName: {{ include "common.secret.getSecretNameFast" (dict "global" . "uid" "music-certs") }} diff --git a/kubernetes/common/music/values.yaml b/kubernetes/common/music/values.yaml index 31df352de7..25cab910a9 100644 --- a/kubernetes/common/music/values.yaml +++ b/kubernetes/common/music/values.yaml @@ -25,16 +25,6 @@ global: # Secrets metaconfig ################################################################# secrets: - - uid: music-certs - name: keystore.jks - type: generic - filePaths: - - resources/keys/org.onap.music.jks - - uid: music-keystore-pw - name: keystore-pw - type: password - password: '{{ .Values.keystorePassword }}' - passwordPolicy: required - uid: cassa-secret type: basicAuth login: '{{ .Values.properties.cassandraUser }}' @@ -115,8 +105,6 @@ debug: false ingress: enabled: false -keystorePassword: "ysF9CVS+xvuXr0vf&fRa5lew" - properties: lockUsing: "cassandra" # Comma dilimited list of hosts @@ -159,4 +147,22 @@ logback: metricsLogLevel: info auditLogLevel: info # Values must be uppercase: INFO, WARN, CRITICAL,DEBUG etc.. - rootLogLevel: INFO
\ No newline at end of file + rootLogLevel: INFO + +#sub-charts configuration +certInitializer: + nameOverride: music-cert-initializer + fqdn: "music.onap" + app_ns: "org.osaaf.aaf" + fqi: "music@music.onap.org" + fqi_namespace: org.onap.music + public_fqdn: "music.onap.org" + aafDeployFqi: "deployer@people.osaaf.org" + aafDeployPass: demo123456! + cadi_latitude: "0.0" + cadi_longitude: "0.0" + credsPath: /opt/app/osaaf/local + appMountPath: /opt/app/aafcertman + aaf_add_config: > + cd {{ .Values.credsPath }}; + /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} | grep cadi_keystore_password_jks= | cut -d= -f 2 > {{ .Values.credsPath }}/.pass 2>&1; |