Diffstat (limited to 'kubernetes/common')
-rw-r--r--kubernetes/common/cmpv2Config/values.yaml4
-rw-r--r--kubernetes/common/common/templates/_certificate.tpl192
2 files changed, 194 insertions, 2 deletions
diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml
index c22f9731b5..19b87b1afa 100644
--- a/kubernetes/common/cmpv2Config/values.yaml
+++ b/kubernetes/common/cmpv2Config/values.yaml
@@ -14,7 +14,7 @@
global:
platform:
certServiceClient:
- image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.1
+ image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.2
secretName: oom-cert-service-client-tls-secret
envVariables:
# Certificate related
@@ -29,5 +29,5 @@ global:
keystorePassword: "secret"
truststorePassword: "secret"
certPostProcessor:
- image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.1
+ image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.2
diff --git a/kubernetes/common/common/templates/_certificate.tpl b/kubernetes/common/common/templates/_certificate.tpl
new file mode 100644
index 0000000000..74f81af901
--- /dev/null
+++ b/kubernetes/common/common/templates/_certificate.tpl
@@ -0,0 +1,192 @@
+{{/*#
+# Copyright © 2020, Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.*/}}
+
+{{/*
+# This is a template for requesting a certificate from the cert-manager (https://cert-manager.io).
+#
+# To request a certificate following steps are to be done:
+# - create an object 'certificates' in the values.yaml
+# - create a file templates/certificates.yaml and invoke the function "commom.certificate".
+#
+# Here is an example of the certificate request for a component:
+#
+# Directory structure:
+# component
+# templates
+# certifictes.yaml
+# values.yaml
+#
+# To be added in the file certificates.yamll
+#
+# To be added in the file values.yaml
+# 1. Minimal version (certificates only in PEM format)
+# certificates:
+# - name: onap-component-certificate
+# secretName: onap-component-certificate
+# commonName: component.onap.org
+# 2. Extended version (with defined own issuer and additional certificate format):
+# certificates:
+# - name: onap-component-certificate
+# secretName: onap-component-certificate
+# commonName: component.onap.org
+# dnsNames:
+# - component.onap.org
+# issuer:
+# group: certmanager.onap.org
+# kind: CMPv2Issuer
+# name: cmpv2-issuer-for-the-component
+# p12Keystore:
+# create: true
+# passwordSecretRef:
+# name: secret-name
+# key: secret-key
+# jksKeystore:
+# create: true
+# passwordSecretRef:
+# name: secret-name
+# key: secret-key
+#
+# Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined.
+# Other mandatory fields for the certificate definition do not have to be defined directly,
+# in that case they will be taken from default values.
+#
+# Default values are defined in file onap/values.yaml (see-> global.certificate.default)
+# and can be overriden during onap installation process.
+#
+*/}}
+
+{{- define "common.certificate" -}}
+{{- $dot := default . .dot -}}
+{{- $certificates := $dot.Values.certificates -}}
+
+{{ range $certificate := $certificates }}
+{{/*# General certifiacate attributes #*/}}
+{{- $name := $certificate.name -}}
+{{- $secretName := $certificate.secretName -}}
+{{- $commonName := default $dot.Values.global.certificate.default.commonName $certificate.commonName -}}
+{{- $renewBefore := default $dot.Values.global.certificate.default.renewBefore $certificate.renewBefore -}}
+{{- $duration := $certificate.duration -}}
+{{- $namespace := default $dot.Release.Namespace $dot.Values.global.certificate.default.namespace -}}
+{{- if $certificate.namespace -}}
+{{- $namespace = default $namespace $certificate.namespace -}}
+{{- end -}}
+{{/*# SAN's #*/}}
+{{- $dnsNames := default $dot.Values.global.certificate.default.dnsNames $certificate.dnsNames -}}
+{{- $ipAddresses := default $dot.Values.global.certificate.default.ipAddresses $certificate.ipAddresses -}}
+{{- $uris := default $dot.Values.global.certificate.default.uris $certificate.uris -}}
+{{- $emailAddresses := default $dot.Values.global.certificate.default.emailAddresses $certificate.emailAddresses -}}
+{{/*# Subject #*/}}
+{{- $subject := $dot.Values.global.certificate.default.subject -}}
+{{- if $certificate.subject -}}
+{{- $subject = mergeOverwrite $subject $certificate.subject -}}
+{{- end -}}
+{{/*# Issuer #*/}}
+{{- $issuer := $dot.Values.global.certificate.default.issuer -}}
+{{- if $certificate.issuer -}}
+{{- $issuer = mergeOverwrite $issuer $certificate.issuer -}}
+{{- end -}}
+{{/*# Keystores #*/}}
+{{- $createJksKeystore := $dot.Values.global.certificate.default.jksKeystore.create -}}
+{{- $jksKeystorePasswordSecretName := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.name -}}
+{{- $jksKeystorePasswordSecreKey := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.key -}}
+{{- $createP12Keystore := $dot.Values.global.certificate.default.p12Keystore.create -}}
+{{- $p12KeystorePasswordSecretName := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.name -}}
+{{- $p12KeystorePasswordSecreKey := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.key -}}
+{{- if $certificate.jksKeystore -}}
+{{- $createJksKeystore = default $createJksKeystore $certificate.jksKeystore.create -}}
+{{- if $certificate.jksKeystore.passwordSecretRef -}}
+{{- $jksKeystorePasswordSecretName = default $jksKeystorePasswordSecretName $certificate.jksKeystore.passwordSecretRef.name -}}
+{{- $jksKeystorePasswordSecreKey = default $jksKeystorePasswordSecreKey $certificate.jksKeystore.passwordSecretRef.key -}}
+{{- end -}}
+{{- end -}}
+{{- if $certificate.p12Keystore -}}
+{{- $createP12Keystore = default $createP12Keystore $certificate.p12Keystore.create -}}
+{{- if $certificate.p12Keystore.passwordSecretRef -}}
+{{- $p12KeystorePasswordSecretName = default $p12KeystorePasswordSecretName $certificate.p12Keystore.passwordSecretRef.name -}}
+{{- $p12KeystorePasswordSecreKey = default $p12KeystorePasswordSecreKey $certificate.p12Keystore.passwordSecretRef.key -}}
+{{- end -}}
+{{- end -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ $name }}
+ namespace: {{ $namespace }}
+spec:
+ secretName: {{ $secretName }}
+ commonName: {{ $commonName }}
+ renewBefore: {{ $renewBefore }}
+ {{- if $duration }}
+ duration: {{ $duration }}
+ {{- end }}
+ subject:
+ organizations:
+ - {{ $subject.organization }}
+ countries:
+ - {{ $subject.country }}
+ localities:
+ - {{ $subject.locality }}
+ provinces:
+ - {{ $subject.province }}
+ organizationalUnits:
+ - {{ $subject.organizationalUnit }}
+ {{- if $dnsNames }}
+ dnsNames:
+ {{- range $dnsName := $dnsNames }}
+ - {{ $dnsName }}
+ {{- end }}
+ {{- end }}
+ {{- if $ipAddresses }}
+ ipAddresses:
+ {{- range $ipAddress := $ipAddresses }}
+ - {{ $ipAddress }}
+ {{- end }}
+ {{- end }}
+ {{- if $uris }}
+ uris:
+ {{- range $uri := $uris }}
+ - {{ $uri }}
+ {{- end }}
+ {{- end }}
+ {{- if $emailAddresses }}
+ emailAddresses:
+ {{- range $emailAddress := $emailAddresses }}
+ - {{ $emailAddress }}
+ {{- end }}
+ {{- end }}
+ issuerRef:
+ group: {{ $issuer.group }}
+ kind: {{ $issuer.kind }}
+ name: {{ $issuer.name }}
+ {{- if or $createJksKeystore $createP12Keystore }}
+ keystores:
+ {{- if $createJksKeystore }}
+ jks:
+ create: {{ $createJksKeystore }}
+ passwordSecretRef:
+ name: {{ $jksKeystorePasswordSecretName }}
+ key: {{ $jksKeystorePasswordSecreKey }}
+ {{- end }}
+ {{- if $createP12Keystore }}
+ pkcs12:
+ create: {{ $createP12Keystore }}
+ passwordSecretRef:
+ name: {{ $p12KeystorePasswordSecretName }}
+ key: {{ $p12KeystorePasswordSecreKey }}
+ {{- end }}
+ {{- end }}
+{{ end }}
+
+{{- end -}}
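Review bot: In the Subject and Issuer sections `mergeOverwrite` merges into its first argument in place, and `$subject`/`$issuer` are references to the shared `global.certificate.default` maps, so a per-certificate `subject` or `issuer` override leaks into every later certificate of the same `range` (one component's CMPv2 `issuerRef` would silently be applied to the next certificate in the list). Merge into a fresh map instead: `{{- $subject = mergeOverwrite (dict) $subject $certificate.subject -}}` and likewise `{{- $issuer = mergeOverwrite (dict) $issuer $certificate.issuer -}}`. The rendered scalars are also unquoted, so `countries:` with `NO` becomes the boolean `false` and an all-digit organizational unit becomes an int; pipe templated values through `quote`, e.g. `- {{ $subject.country | quote }}` and `name: {{ $name | quote }}`. In the Keystores section `default $createJksKeystore $certificate.jksKeystore.create` treats `false` as empty, so a certificate cannot opt out of a globally enabled keystore; test the presence of the key with `hasKey $certificate.jksKeystore "create"` before falling back to the global default (same for `p12Keystore`). The usage comment's `commom.certificate` should read `common.certificate` to match the `define` name.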