diff options
Diffstat (limited to 'kubernetes/common')
27 files changed, 623 insertions, 237 deletions
diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index 7e2fa91363..87e584c78e 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh @@ -26,14 +26,20 @@ mkdir -p $WORK_DIR # Decrypt and move relevant files to WORK_DIR for f in $CERTS_DIR/*; do - if [[ $AAF_ENABLED == false ]] && [[ $f == *$ONAP_TRUSTSTORE* ]]; then + export canonical_name_nob64=$(echo $f | sed 's/.*\/\([^\/]*\)/\1/') + export canonical_name_b64=$(echo $f | sed 's/.*\/\([^\/]*\)\(\.b64\)/\1/') + if [ "$AAF_ENABLED" == "false" ] && [ "$canonical_name_b64" == "$ONAP_TRUSTSTORE" ]; then # Dont use onap truststore when aaf is disabled continue fi - if [[ $f == *.sh ]]; then + if [ "$AAF_ENABLED" == "false" ] && [ "$canonical_name_nob64" == "$ONAP_TRUSTSTORE" ]; then + # Dont use onap truststore when aaf is disabled + continue + fi + if [ ${f: -3} == ".sh" ]; then continue fi - if [[ $f == *.b64 ]] + if [ ${f: -4} == ".b64" ] then base64 -d $f > $WORK_DIR/`basename $f .b64` else @@ -42,7 +48,7 @@ for f in $CERTS_DIR/*; do done # Prepare truststore output file -if [[ $AAF_ENABLED == true ]] +if [ "$AAF_ENABLED" == "true" ] then mv $WORK_DIR/$ONAP_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME else @@ -52,10 +58,10 @@ fi # Import Custom Certificates for f in $WORK_DIR/*; do - if [[ $f == *.pem ]]; then + if [ ${f: -4} == ".pem" ]; then echo "importing certificate: $f" keytool -import -file $f -alias `basename $f` -keystore $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -storepass $TRUSTSTORE_PASSWORD -noprompt - if [[ $? != 0 ]]; then + if [ $? != 0 ]; then echo "failed importing certificate: $f" exit 1 fi diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml index c1459bf438..5a8e84cd8c 100644 --- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -121,7 +121,7 @@ securityContext: runAsUser: 0 command: - - /bin/bash + - /bin/sh - -c - /root/import-custom-certs.sh env: diff --git a/kubernetes/common/certManagerCertificate/Chart.yaml b/kubernetes/common/certManagerCertificate/Chart.yaml new file mode 100644 index 0000000000..305d25251d --- /dev/null +++ b/kubernetes/common/certManagerCertificate/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +name: certManagerCertificate +description: A Helm chart for Cert-Manager Certificate CRD template +version: 7.0.0 diff --git a/kubernetes/common/certManagerCertificate/requirements.yaml b/kubernetes/common/certManagerCertificate/requirements.yaml new file mode 100644 index 0000000000..6bcaed05a8 --- /dev/null +++ b/kubernetes/common/certManagerCertificate/requirements.yaml @@ -0,0 +1,18 @@ +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: common + version: ~7.x-0 + repository: 'file://../common' diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl new file mode 100644 index 0000000000..4e43f621de --- /dev/null +++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl @@ -0,0 +1,219 @@ +{{/*# +# Copyright © 2020-2021, Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.*/}} + +{{/* +# This is a template for requesting a certificate from the cert-manager (https://cert-manager.io). +# +# To request a certificate following steps are to be done: +# - create an object 'certificates' in the values.yaml +# - create a file templates/certificates.yaml and invoke the function "certManagerCertificate.certificate". +# +# Here is an example of the certificate request for a component: +# +# Directory structure: +# component +# templates +# certifictes.yaml +# values.yaml +# +# To be added in the file certificates.yamll +# +# To be added in the file values.yaml +# 1. Minimal version (certificates only in PEM format) +# certificates: +# - commonName: component.onap.org +# +# 2. Extended version (with defined own issuer and additional certificate format): +# certificates: +# - name: onap-component-certificate +# secretName: onap-component-certificate +# commonName: component.onap.org +# dnsNames: +# - component.onap.org +# issuer: +# group: certmanager.onap.org +# kind: CMPv2Issuer +# name: cmpv2-issuer-for-the-component +# keystore: +# outputType: +# - p12 +# - jks +# passwordSecretRef: +# name: secret-name +# key: secret-key +# +# Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined. +# Other mandatory fields for the certificate definition do not have to be defined directly, +# in that case they will be taken from default values. +# +# Default values are defined in file onap/values.yaml (see-> global.certificate.default) +# and can be overriden during onap installation process. +# +*/}} + +{{- define "certManagerCertificate.certificate" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} + +{{- $certificates := $dot.Values.certificates -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global }} + +{{ range $i, $certificate := $certificates }} +{{/*# General certifiacate attributes #*/}} +{{- $name := include "common.fullname" $dot -}} +{{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}} +{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +{{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}} +{{- $renewBefore := default $subchartGlobal.certificate.default.renewBefore $certificate.renewBefore -}} +{{- $duration := default $subchartGlobal.certificate.default.duration $certificate.duration -}} +{{- $namespace := $dot.Release.Namespace -}} +{{/*# SAN's #*/}} +{{- $dnsNames := $certificate.dnsNames -}} +{{- $ipAddresses := $certificate.ipAddresses -}} +{{- $uris := $certificate.uris -}} +{{- $emailAddresses := $certificate.emailAddresses -}} +{{/*# Subject #*/}} +{{- $subject := $subchartGlobal.certificate.default.subject -}} +{{- if $certificate.subject -}} +{{- $subject = $certificate.subject -}} +{{- end -}} +{{/*# Issuer #*/}} +{{- $issuer := $subchartGlobal.certificate.default.issuer -}} +{{- if $certificate.issuer -}} +{{- $issuer = $certificate.issuer -}} +{{- end -}} +--- +{{- if $certificate.keystore }} + {{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}} + {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $passwordSecretRef.name }} + namespace: {{ $namespace }} +type: Opaque +stringData: + {{ $passwordSecretRef.key }}: {{ $password }} +{{- end }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ $certName }} + namespace: {{ $namespace }} +spec: + secretName: {{ $secretName }} + commonName: {{ $commonName }} + renewBefore: {{ $renewBefore }} + {{- if $duration }} + duration: {{ $duration }} + {{- end }} + subject: + organizations: + - {{ $subject.organization }} + countries: + - {{ $subject.country }} + localities: + - {{ $subject.locality }} + provinces: + - {{ $subject.province }} + organizationalUnits: + - {{ $subject.organizationalUnit }} + {{- if $dnsNames }} + dnsNames: + {{- range $dnsName := $dnsNames }} + - {{ $dnsName }} + {{- end }} + {{- end }} + {{- if $ipAddresses }} + ipAddresses: + {{- range $ipAddress := $ipAddresses }} + - {{ $ipAddress }} + {{- end }} + {{- end }} + {{- if $uris }} + uris: + {{- range $uri := $uris }} + - {{ $uri }} + {{- end }} + {{- end }} + {{- if $emailAddresses }} + emailAddresses: + {{- range $emailAddress := $emailAddresses }} + - {{ $emailAddress }} + {{- end }} + {{- end }} + issuerRef: + group: {{ $issuer.group }} + kind: {{ $issuer.kind }} + name: {{ $issuer.name }} + {{- if $certificate.keystore }} + keystores: + {{- range $outputType := $certificate.keystore.outputType }} + {{- if eq $outputType "p12" }} + {{- $outputType = "pkcs12" }} + {{- end }} + {{ $outputType }}: + create: true + passwordSecretRef: + name: {{ $certificate.keystore.passwordSecretRef.name }} + key: {{ $certificate.keystore.passwordSecretRef.key }} + {{- end }} + {{- end }} +{{ end }} +{{- end -}} + +{{- define "common.certManager.volumeMounts" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} + {{- range $i, $certificate := $dot.Values.certificates -}} + {{- $mountPath := $certificate.mountPath -}} +- mountPath: {{ $mountPath }} + name: certmanager-certs-volume-{{ $i }} + {{- end -}} +{{- end -}} + +{{- define "common.certManager.volumes" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} +{{- $certificates := $dot.Values.certificates -}} + {{- range $i, $certificate := $certificates -}} + {{- $name := include "common.fullname" $dot -}} + {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +- name: certmanager-certs-volume-{{ $i }} + projected: + sources: + - secret: + name: {{ $certificatesSecretName }} + {{- if $certificate.keystore }} + items: + {{- range $outputType := $certificate.keystore.outputType }} + - key: keystore.{{ $outputType }} + path: keystore.{{ $outputType }} + - key: truststore.{{ $outputType }} + path: truststore.{{ $outputType }} + {{- end }} + - secret: + name: {{ $certificate.keystore.passwordSecretRef.name }} + items: + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: keystore.pass + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: truststore.pass + {{- end }} + {{- end -}} +{{- end -}} diff --git a/kubernetes/common/certManagerCertificate/values.yaml b/kubernetes/common/certManagerCertificate/values.yaml new file mode 100644 index 0000000000..d60cdf6cbe --- /dev/null +++ b/kubernetes/common/certManagerCertificate/values.yaml @@ -0,0 +1,29 @@ +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +global: +# default values for certificates + certificate: + default: + renewBefore: 720h #30 days + duration: 8760h #365 days + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + issuer: + group: certmanager.onap.org + kind: CMPv2Issuer + name: cmpv2-issuer-onap diff --git a/kubernetes/common/cmpv2Certificate/Chart.yaml b/kubernetes/common/cmpv2Certificate/Chart.yaml new file mode 100644 index 0000000000..e50de72605 --- /dev/null +++ b/kubernetes/common/cmpv2Certificate/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: Template used to add cmpv2 certificates to components +name: cmpv2Certificate +version: 7.0.0 diff --git a/kubernetes/common/cmpv2Certificate/requirements.yaml b/kubernetes/common/cmpv2Certificate/requirements.yaml new file mode 100644 index 0000000000..367d879450 --- /dev/null +++ b/kubernetes/common/cmpv2Certificate/requirements.yaml @@ -0,0 +1,21 @@ +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: common + version: ~7.x-0 + repository: 'file://../common' + - name: repositoryGenerator + version: ~7.x-0 + repository: 'file://../repositoryGenerator' diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl new file mode 100644 index 0000000000..57e6c69b1f --- /dev/null +++ b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl @@ -0,0 +1,174 @@ +{{/* +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{/* +In order to use certServiceClient it is needed do define certificates array in target component values.yaml. Each +certificate will be requested from separate init container + +Minimum example of array in target component values.yaml: +certificates: + - mountPath: /var/custom-certs + commonName: common-name + +Full example (other fields are ignored): +certificates: + - mountPath: /var/custom-certs + caName: RA + outputType: JKS + commonName: common-name + dnsNames: + - dns-name-1 + - dns-name-2 + ipAddresses: + - 192.168.0.1 + - 192.168.0.2 + emailAddresses: + - email-1@onap.org + - email-2@onap.org + uris: + - http://uri-1.onap.org + - http://uri-2.onap.org + subject: + organization: Linux-Foundation + country: US + locality: San Francisco + province: California + organizationalUnit: ONAP + +There also need to be some includes used in a target component deployment (indent values may need to be adjusted): + 1. In initContainers section: + {{ include "common.certServiceClient.initContainer" . | indent 6 }} + 2. In volumeMounts section of container using certificates: + {{ include "common.certServiceClient.volumeMounts" . | indent 10 }} + 3. In volumes section: + {{ include "common.certServiceClient.volumes" . | indent 8 }} + +*/}} + +{{- define "common.certServiceClient.initContainer" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} +{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} +{{- range $index, $certificate := $dot.Values.certificates -}} +{{/*# General certifiacate attributes #*/}} +{{- $commonName := $certificate.commonName -}} +{{/*# SAN's #*/}} +{{- $dnsNames := default (list) $certificate.dnsNames -}} +{{- $ipAddresses := default (list) $certificate.ipAddresses -}} +{{- $uris := default (list) $certificate.uris -}} +{{- $emailAddresses := default (list) $certificate.emailAddresses -}} +{{- $sansList := concat $dnsNames $ipAddresses $uris $emailAddresses -}} +{{- $sans := join "," $sansList }} +{{/*# Subject #*/}} +{{- $organization := $subchartGlobal.certificate.default.subject.organization -}} +{{- $country := $subchartGlobal.certificate.default.subject.country -}} +{{- $locality := $subchartGlobal.certificate.default.subject.locality -}} +{{- $province := $subchartGlobal.certificate.default.subject.province -}} +{{- $orgUnit := $subchartGlobal.certificate.default.subject.organizationalUnit -}} +{{- if $certificate.subject -}} +{{- $organization := $certificate.subject.organization -}} +{{- $country := $certificate.subject.country -}} +{{- $locality := $certificate.subject.locality -}} +{{- $province := $certificate.subject.province -}} +{{- $orgUnit := $certificate.subject.organizationalUnit -}} +{{- end -}} +{{- $caName := default $subchartGlobal.platform.certServiceClient.envVariables.caName $certificate.caName -}} +{{- $outputType := default $subchartGlobal.platform.certServiceClient.envVariables.outputType $certificate.outputType -}} +{{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}} +{{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}} +{{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}} +{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.secret.mountPath -}} +{{- $keystorePath := $subchartGlobal.platform.certServiceClient.envVariables.keystorePath -}} +{{- $keystorePassword := $subchartGlobal.platform.certServiceClient.envVariables.keystorePassword -}} +{{- $truststorePath := $subchartGlobal.platform.certServiceClient.envVariables.truststorePath -}} +{{- $truststorePassword := $subchartGlobal.platform.certServiceClient.envVariables.truststorePassword -}} +- name: certs-init-{{ $index }} + image: {{ include "repositoryGenerator.image.certserviceclient" $dot }} + imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} + env: + - name: REQUEST_URL + value: {{ $requestUrl | quote }} + - name: REQUEST_TIMEOUT + value: {{ $requestTimeout | quote }} + - name: OUTPUT_PATH + value: {{ $certPath | quote }} + - name: OUTPUT_TYPE + value: {{ $outputType | quote }} + - name: CA_NAME + value: {{ $caName | quote }} + - name: COMMON_NAME + value: {{ $commonName | quote }} + - name: SANS + value: {{ $sans | quote }} + - name: ORGANIZATION + value: {{ $organization | quote }} + - name: ORGANIZATION_UNIT + value: {{ $orgUnit | quote }} + - name: LOCATION + value: {{ $locality | quote }} + - name: STATE + value: {{ $province | quote }} + - name: COUNTRY + value: {{ $country | quote }} + - name: KEYSTORE_PATH + value: {{ $keystorePath | quote }} + - name: KEYSTORE_PASSWORD + value: {{ $keystorePassword | quote }} + - name: TRUSTSTORE_PATH + value: {{ $truststorePath | quote }} + - name: TRUSTSTORE_PASSWORD + value: {{ $truststorePassword | quote }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: {{ $certPath }} + name: cmpv2-certs-volume-{{ $index }} + - mountPath: {{ $certificatesSecretMountPath }} + name: certservice-tls-volume +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "common.certServiceClient.volumes" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} +{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} +{{- $certificatesSecretName := $subchartGlobal.platform.certServiceClient.secret.name -}} +- name: certservice-tls-volume + secret: + secretName: {{ $certificatesSecretName }} +{{ range $index, $certificate := $dot.Values.certificates -}} +- name: cmpv2-certs-volume-{{ $index }} + emptyDir: + medium: Memory +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "common.certServiceClient.volumeMounts" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} +{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} +{{- range $index, $certificate := $dot.Values.certificates -}} +{{- $mountPath := $certificate.mountPath -}} +- mountPath: {{ $mountPath }} + name: cmpv2-certs-volume-{{ $index }} +{{ end -}} +{{- end -}} +{{- end -}} diff --git a/kubernetes/common/cmpv2Certificate/values.yaml b/kubernetes/common/cmpv2Certificate/values.yaml new file mode 100644 index 0000000000..b7531431c4 --- /dev/null +++ b/kubernetes/common/cmpv2Certificate/values.yaml @@ -0,0 +1,48 @@ +# Copyright © 2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# Global configuration default values that can be inherited by +# all subcharts. +################################################################# +global: + # Enabling CMPv2 + cmpv2Enabled: true + CMPv2CertManagerIntegration: false + + certificate: + default: + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + + platform: + certServiceClient: + secret: + name: oom-cert-service-client-tls-secret + mountPath: /etc/onap/oom/certservice/certs/ + envVariables: + certPath: "/var/custom-certs" + # Client configuration related + caName: "RA" + requestURL: "https://oom-cert-service:8443/v1/certificate/" + requestTimeout: "30000" + keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks" + outputType: "P12" + keystorePassword: "secret" + truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks" + truststorePassword: "secret" diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index 19b87b1afa..b6ee064302 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml @@ -1,4 +1,4 @@ -# Copyright © 2020 Nokia +# Copyright © 2020-2021 Nokia # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,7 +14,7 @@ global: platform: certServiceClient: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.2 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 secretName: oom-cert-service-client-tls-secret envVariables: # Certificate related @@ -29,5 +29,5 @@ global: keystorePassword: "secret" truststorePassword: "secret" certPostProcessor: - image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.2 + image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 diff --git a/kubernetes/common/common/templates/_aafconfig.tpl b/kubernetes/common/common/templates/_aafconfig.tpl index b1021ab9d7..930959337a 100644 --- a/kubernetes/common/common/templates/_aafconfig.tpl +++ b/kubernetes/common/common/templates/_aafconfig.tpl @@ -59,7 +59,7 @@ {{- $aafRoot := default $dot.Values.aafConfig .aafRoot -}} {{- if $dot.Values.global.aafEnabled -}} - name: {{ include "common.name" $dot }}-aaf-readiness - image: "{{ include "common.repository" $dot }}/{{ $dot.Values.global.readinessImage }}" + image: {{ include "common.repository" $dot }}/{{ $dot.Values.global.readinessImage }} imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} command: - /app/ready.py diff --git a/kubernetes/common/common/templates/_certificate.tpl b/kubernetes/common/common/templates/_certificate.tpl deleted file mode 100644 index d3313b2bc1..0000000000 --- a/kubernetes/common/common/templates/_certificate.tpl +++ /dev/null @@ -1,192 +0,0 @@ -{{/*# -# Copyright © 2020, Nokia -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License.*/}} - -{{/* -# This is a template for requesting a certificate from the cert-manager (https://cert-manager.io). -# -# To request a certificate following steps are to be done: -# - create an object 'certificates' in the values.yaml -# - create a file templates/certificates.yaml and invoke the function "commom.certificate". -# -# Here is an example of the certificate request for a component: -# -# Directory structure: -# component -# templates -# certifictes.yaml -# values.yaml -# -# To be added in the file certificates.yamll -# -# To be added in the file values.yaml -# 1. Minimal version (certificates only in PEM format) -# certificates: -# - commonName: component.onap.org -# -# 2. Extended version (with defined own issuer and additional certificate format): -# certificates: -# - name: onap-component-certificate -# secretName: onap-component-certificate -# commonName: component.onap.org -# dnsNames: -# - component.onap.org -# issuer: -# group: certmanager.onap.org -# kind: CMPv2Issuer -# name: cmpv2-issuer-for-the-component -# p12Keystore: -# create: true -# passwordSecretRef: -# name: secret-name -# key: secret-key -# jksKeystore: -# create: true -# passwordSecretRef: -# name: secret-name -# key: secret-key -# -# Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined. -# Other mandatory fields for the certificate definition do not have to be defined directly, -# in that case they will be taken from default values. -# -# Default values are defined in file onap/values.yaml (see-> global.certificate.default) -# and can be overriden during onap installation process. -# -*/}} - -{{- define "common.certificate" -}} -{{- $dot := default . .dot -}} -{{- $certificates := $dot.Values.certificates -}} - -{{ range $i, $certificate := $certificates }} -{{/*# General certifiacate attributes #*/}} -{{- $name := include "common.fullname" $dot -}} -{{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}} -{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} -{{- $commonName := default $dot.Values.global.certificate.default.commonName $certificate.commonName -}} -{{- $renewBefore := default $dot.Values.global.certificate.default.renewBefore $certificate.renewBefore -}} -{{- $duration := $certificate.duration -}} -{{- $namespace := default $dot.Release.Namespace $dot.Values.global.certificate.default.namespace -}} -{{- if $certificate.namespace -}} -{{- $namespace = default $namespace $certificate.namespace -}} -{{- end -}} -{{/*# SAN's #*/}} -{{- $dnsNames := default $dot.Values.global.certificate.default.dnsNames $certificate.dnsNames -}} -{{- $ipAddresses := default $dot.Values.global.certificate.default.ipAddresses $certificate.ipAddresses -}} -{{- $uris := default $dot.Values.global.certificate.default.uris $certificate.uris -}} -{{- $emailAddresses := default $dot.Values.global.certificate.default.emailAddresses $certificate.emailAddresses -}} -{{/*# Subject #*/}} -{{- $subject := $dot.Values.global.certificate.default.subject -}} -{{- if $certificate.subject -}} -{{- $subject = mergeOverwrite $subject $certificate.subject -}} -{{- end -}} -{{/*# Issuer #*/}} -{{- $issuer := $dot.Values.global.certificate.default.issuer -}} -{{- if $certificate.issuer -}} -{{- $issuer = mergeOverwrite $issuer $certificate.issuer -}} -{{- end -}} -{{/*# Keystores #*/}} -{{- $createJksKeystore := $dot.Values.global.certificate.default.jksKeystore.create -}} -{{- $jksKeystorePasswordSecretName := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.name -}} -{{- $jksKeystorePasswordSecreKey := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.key -}} -{{- $createP12Keystore := $dot.Values.global.certificate.default.p12Keystore.create -}} -{{- $p12KeystorePasswordSecretName := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.name -}} -{{- $p12KeystorePasswordSecreKey := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.key -}} -{{- if $certificate.jksKeystore -}} -{{- $createJksKeystore = default $createJksKeystore $certificate.jksKeystore.create -}} -{{- if $certificate.jksKeystore.passwordSecretRef -}} -{{- $jksKeystorePasswordSecretName = default $jksKeystorePasswordSecretName $certificate.jksKeystore.passwordSecretRef.name -}} -{{- $jksKeystorePasswordSecreKey = default $jksKeystorePasswordSecreKey $certificate.jksKeystore.passwordSecretRef.key -}} -{{- end -}} -{{- end -}} -{{- if $certificate.p12Keystore -}} -{{- $createP12Keystore = default $createP12Keystore $certificate.p12Keystore.create -}} -{{- if $certificate.p12Keystore.passwordSecretRef -}} -{{- $p12KeystorePasswordSecretName = default $p12KeystorePasswordSecretName $certificate.p12Keystore.passwordSecretRef.name -}} -{{- $p12KeystorePasswordSecreKey = default $p12KeystorePasswordSecreKey $certificate.p12Keystore.passwordSecretRef.key -}} -{{- end -}} -{{- end -}} ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ $certName }} - namespace: {{ $namespace }} -spec: - secretName: {{ $secretName }} - commonName: {{ $commonName }} - renewBefore: {{ $renewBefore }} - {{- if $duration }} - duration: {{ $duration }} - {{- end }} - subject: - organizations: - - {{ $subject.organization }} - countries: - - {{ $subject.country }} - localities: - - {{ $subject.locality }} - provinces: - - {{ $subject.province }} - organizationalUnits: - - {{ $subject.organizationalUnit }} - {{- if $dnsNames }} - dnsNames: - {{- range $dnsName := $dnsNames }} - - {{ $dnsName }} - {{- end }} - {{- end }} - {{- if $ipAddresses }} - ipAddresses: - {{- range $ipAddress := $ipAddresses }} - - {{ $ipAddress }} - {{- end }} - {{- end }} - {{- if $uris }} - uris: - {{- range $uri := $uris }} - - {{ $uri }} - {{- end }} - {{- end }} - {{- if $emailAddresses }} - emailAddresses: - {{- range $emailAddress := $emailAddresses }} - - {{ $emailAddress }} - {{- end }} - {{- end }} - issuerRef: - group: {{ $issuer.group }} - kind: {{ $issuer.kind }} - name: {{ $issuer.name }} - {{- if or $createJksKeystore $createP12Keystore }} - keystores: - {{- if $createJksKeystore }} - jks: - create: {{ $createJksKeystore }} - passwordSecretRef: - name: {{ $jksKeystorePasswordSecretName }} - key: {{ $jksKeystorePasswordSecreKey }} - {{- end }} - {{- if $createP12Keystore }} - pkcs12: - create: {{ $createP12Keystore }} - passwordSecretRef: - name: {{ $p12KeystorePasswordSecretName }} - key: {{ $p12KeystorePasswordSecreKey }} - {{- end }} - {{- end }} -{{ end }} - -{{- end -}} diff --git a/kubernetes/common/common/templates/_ingress.tpl b/kubernetes/common/common/templates/_ingress.tpl index 18f9bb1ba5..7fee67a7a4 100644 --- a/kubernetes/common/common/templates/_ingress.tpl +++ b/kubernetes/common/common/templates/_ingress.tpl @@ -1,9 +1,15 @@ -{{- define "ingress.config.port" -}} +{{- define "ingress.config.host" -}} {{- $dot := default . .dot -}} +{{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) -}} {{- $burl := (required "'baseurl' param, set to the generic part of the fqdn, is required." $dot.Values.global.ingress.virtualhost.baseurl) -}} +{{ printf "%s.%s" $baseaddr $burl }} +{{- end -}} + +{{- define "ingress.config.port" -}} +{{- $dot := default . .dot -}} {{ range .Values.ingress.service }} {{- $baseaddr := (required "'baseaddr' param, set to the specific part of the fqdn, is required." .baseaddr) }} - - host: {{ printf "%s.%s" $baseaddr $burl }} + - host: {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} http: paths: - backend: @@ -83,12 +89,12 @@ spec: {{- end -}} {{- if .Values.ingress.config -}} {{- if .Values.ingress.config.tls -}} -{{- $dot := default . .dot -}} +{{- $dot := default . .dot }} tls: - - hosts: - {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} - - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} - {{- end }} + - hosts: + {{- range .Values.ingress.service }}{{ $baseaddr := required "baseaddr" .baseaddr }} + - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $baseaddr) }} + {{- end }} secretName: {{ required "secret" (tpl (default "" .Values.ingress.config.tls.secret) $dot) }} {{- end -}} {{- end -}} diff --git a/kubernetes/common/common/templates/_log.tpl b/kubernetes/common/common/templates/_log.tpl index 3ae536aff3..dc714aecc4 100644 --- a/kubernetes/common/common/templates/_log.tpl +++ b/kubernetes/common/common/templates/_log.tpl @@ -17,7 +17,7 @@ {{- define "common.log.sidecar" -}} {{- if .Values.global.centralizedLoggingEnabled }} - name: {{ include "common.name" . }}-filebeat - image: "{{ .Values.global.loggingRepository }}/{{ .Values.global.loggingImage }}" + image: {{ include "repositoryGenerator.image.logging" . }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} volumeMounts: - name: filebeat-conf diff --git a/kubernetes/common/common/templates/_service.tpl b/kubernetes/common/common/templates/_service.tpl index dddd63491d..9c3010c209 100644 --- a/kubernetes/common/common/templates/_service.tpl +++ b/kubernetes/common/common/templates/_service.tpl @@ -128,7 +128,7 @@ labels: {{- include "common.labels" (dict "labels" $labels "dot" $dot) | nindent name: {{ $port.name }} {{- end }} {{- if (eq $serviceType "NodePort") }} - nodePort: {{ include "common.nodePortPrefix" (dict "dot" $dot "portNodePortExt" $port.useNodePortExt) }}{{ $port.nodePort }} + nodePort: {{ include "common.nodePortPrefix" (dict "dot" $dot "useNodePortExt" $port.useNodePortExt) }}{{ $port.nodePort }} {{- end }} {{- else }} - port: {{ default $port.port $port.plain_port }} diff --git a/kubernetes/common/common/values.yaml b/kubernetes/common/common/values.yaml index 852f15c810..0de859a3ba 100644 --- a/kubernetes/common/common/values.yaml +++ b/kubernetes/common/common/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2017 Amdocs, Bell Canada +# Copyright © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/kubernetes/common/etcd/templates/statefulset.yaml b/kubernetes/common/etcd/templates/statefulset.yaml index f5592bd252..e39b8c4ca2 100644 --- a/kubernetes/common/etcd/templates/statefulset.yaml +++ b/kubernetes/common/etcd/templates/statefulset.yaml @@ -133,6 +133,10 @@ spec: # we should wait for other pods to be up before trying to join # otherwise we got "no such host" errors when trying to resolve other members for i in $(seq 0 $((${INITIAL_CLUSTER_SIZE} - 1))); do + if [ "${SET_NAME}-${i}" == "${HOSTNAME}" ]; then + echo "Skipping self-checking" + continue + fi while true; do echo "Waiting for ${SET_NAME}-${i}.${SERVICE_NAME} to come up" ping -W 1 -c 1 ${SET_NAME}-${i}.${SERVICE_NAME} > /dev/null && break diff --git a/kubernetes/common/mariadb-galera/templates/statefulset.yaml b/kubernetes/common/mariadb-galera/templates/statefulset.yaml index caa506225d..bde971ffe7 100644 --- a/kubernetes/common/mariadb-galera/templates/statefulset.yaml +++ b/kubernetes/common/mariadb-galera/templates/statefulset.yaml @@ -100,6 +100,12 @@ spec: value: {{ .Values.galera.name | quote }} - name: MARIADB_GALERA_CLUSTER_ADDRESS value: "gcomm://{{ template "common.name" . }}-headless.{{ include "common.namespace" . }}.svc.{{ .Values.global.clusterDomain }}" + # Bitnami init script don't behave well in dual stack env. + # set it here as long as https://github.com/bitnami/charts/issues/4077 is not solved. + - name: MARIADB_GALERA_NODE_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP - name: MARIADB_ROOT_USER value: {{ .Values.rootUser.user | quote }} - name: MARIADB_ROOT_PASSWORD diff --git a/kubernetes/common/music/requirements.yaml b/kubernetes/common/music/requirements.yaml index a9566c1811..0a3c9315ab 100644 --- a/kubernetes/common/music/requirements.yaml +++ b/kubernetes/common/music/requirements.yaml @@ -22,3 +22,6 @@ dependencies: - name: repositoryGenerator version: ~7.x-0 repository: 'file://../repositoryGenerator' + - name: certInitializer + version: ~7.x-0 + repository: 'file://../certInitializer'
\ No newline at end of file diff --git a/kubernetes/common/music/resources/config/music-sb.properties b/kubernetes/common/music/resources/config/music-sb.properties index 751a351737..7a13f10d8e 100755 --- a/kubernetes/common/music/resources/config/music-sb.properties +++ b/kubernetes/common/music/resources/config/music-sb.properties @@ -6,7 +6,7 @@ server.tomcat.max-threads=100 #logging.file=/opt/app/music/logs/MUSIC/music-app.log #logging.config=file:/opt/app/music/etc/logback.xml security.require-ssl=true -server.ssl.key-store=/opt/app/aafcertman/org.onap.music.jks +server.ssl.key-store=/opt/app/aafcertman/local/org.onap.music.jks server.ssl.key-store-password=${KEYSTORE_PASSWORD} server.ssl.key-store-provider=SUN server.ssl.key-store-type=JKS diff --git a/kubernetes/common/music/resources/keys/org.onap.music.jks b/kubernetes/common/music/resources/keys/org.onap.music.jks Binary files differdeleted file mode 100644 index 35d27c3ef7..0000000000 --- a/kubernetes/common/music/resources/keys/org.onap.music.jks +++ /dev/null diff --git a/kubernetes/common/music/resources/keys/truststoreONAPall.jks b/kubernetes/common/music/resources/keys/truststoreONAPall.jks Binary files differdeleted file mode 100644 index ff844b109d..0000000000 --- a/kubernetes/common/music/resources/keys/truststoreONAPall.jks +++ /dev/null diff --git a/kubernetes/common/music/templates/deployment.yaml b/kubernetes/common/music/templates/deployment.yaml index cf0ce8f899..1e5d3c5377 100644 --- a/kubernetes/common/music/templates/deployment.yaml +++ b/kubernetes/common/music/templates/deployment.yaml @@ -38,19 +38,18 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.namespace + {{ include "common.certInitializer.initContainer" . | indent 8 | trim }} - command: - sh args: - -c - - "cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" + - "export KEYSTORE_PASSWORD=$(cat /opt/app/aafcertman/local/.pass); cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done" env: - - name: KEYSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "music-keystore-pw" "key" "password") | indent 12}} - name: CASSA_USER {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cassa-secret" "key" "login") | indent 12 }} - name: CASSA_PASSWORD {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cassa-secret" "key" "password") | indent 12 }} - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - mountPath: /config-input name: properties-music-scrubbed - mountPath: /config @@ -87,7 +86,7 @@ spec: value: "{{ .Values.javaOpts }}" - name: DEBUG value: "{{ .Values.debug }}" - volumeMounts: + volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }} - name: localtime mountPath: /etc/localtime readOnly: true @@ -100,9 +99,7 @@ spec: - name: properties-music-scrubbed mountPath: /opt/app/music/etc/logback.xml subPath: logback.xml - - name: certs-aaf - mountPath: /opt/app/aafcertman/ - volumes: + volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }} - name: shared-data emptyDir: {} - name: certificate-vol @@ -116,6 +113,3 @@ spec: - name: properties-music emptyDir: medium: Memory - - name: certs-aaf - secret: - secretName: {{ include "common.secret.getSecretNameFast" (dict "global" . "uid" "music-certs") }} diff --git a/kubernetes/common/music/values.yaml b/kubernetes/common/music/values.yaml index 31df352de7..25cab910a9 100644 --- a/kubernetes/common/music/values.yaml +++ b/kubernetes/common/music/values.yaml @@ -25,16 +25,6 @@ global: # Secrets metaconfig ################################################################# secrets: - - uid: music-certs - name: keystore.jks - type: generic - filePaths: - - resources/keys/org.onap.music.jks - - uid: music-keystore-pw - name: keystore-pw - type: password - password: '{{ .Values.keystorePassword }}' - passwordPolicy: required - uid: cassa-secret type: basicAuth login: '{{ .Values.properties.cassandraUser }}' @@ -115,8 +105,6 @@ debug: false ingress: enabled: false -keystorePassword: "ysF9CVS+xvuXr0vf&fRa5lew" - properties: lockUsing: "cassandra" # Comma dilimited list of hosts @@ -159,4 +147,22 @@ logback: metricsLogLevel: info auditLogLevel: info # Values must be uppercase: INFO, WARN, CRITICAL,DEBUG etc.. - rootLogLevel: INFO
\ No newline at end of file + rootLogLevel: INFO + +#sub-charts configuration +certInitializer: + nameOverride: music-cert-initializer + fqdn: "music.onap" + app_ns: "org.osaaf.aaf" + fqi: "music@music.onap.org" + fqi_namespace: org.onap.music + public_fqdn: "music.onap.org" + aafDeployFqi: "deployer@people.osaaf.org" + aafDeployPass: demo123456! + cadi_latitude: "0.0" + cadi_longitude: "0.0" + credsPath: /opt/app/osaaf/local + appMountPath: /opt/app/aafcertman + aaf_add_config: > + cd {{ .Values.credsPath }}; + /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} | grep cadi_keystore_password_jks= | cut -d= -f 2 > {{ .Values.credsPath }}/.pass 2>&1; diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl index ba22bfbd60..a6b434f43a 100644 --- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl +++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl @@ -82,6 +82,10 @@ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "curlImage") .) }} {{- end -}} +{{- define "repositoryGenerator.image.certserviceclient" -}} + {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }} +{{- end -}} + {{- define "repositoryGenerator.image.envsubst" -}} {{- include "repositoryGenerator.image._helper" (merge (dict "image" "envsubstImage") .) }} {{- end -}} diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml index def7381e46..559675689f 100644 --- a/kubernetes/common/repositoryGenerator/values.yaml +++ b/kubernetes/common/repositoryGenerator/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2020 Orange +# Copyright © 2021 Nokia # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -22,6 +23,7 @@ global: # common global images busyboxImage: busybox:1.32 curlImage: curlimages/curl:7.69.1 + certServiceClientImage: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 envsubstImage: dibi/envsubst:1 # there's only latest image for htpasswd htpasswdImage: xmartlabs/htpasswd:latest @@ -53,6 +55,7 @@ global: imageRepoMapping: busyboxImage: dockerHubRepository curlImage: dockerHubRepository + certServiceClientImage: repository envsubstImage: dockerHubRepository htpasswdImage: dockerHubRepository jreImage: repository |