diff options
Diffstat (limited to 'kubernetes/contrib/components')
20 files changed, 91 insertions, 5 deletions
diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/requirements.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/requirements.yaml index d6f5f56197..b7c4d1e7f8 100755 --- a/kubernetes/contrib/components/awx/components/awx-postgres/requirements.yaml +++ b/kubernetes/contrib/components/awx/components/awx-postgres/requirements.yaml @@ -19,3 +19,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/templates/deployment.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/templates/deployment.yaml index c0c6b914fb..3b4dad55ec 100755 --- a/kubernetes/contrib/components/awx/components/awx-postgres/templates/deployment.yaml +++ b/kubernetes/contrib/components/awx/components/awx-postgres/templates/deployment.yaml @@ -74,6 +74,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/contrib/components/awx/components/awx-postgres/values.yaml b/kubernetes/contrib/components/awx/components/awx-postgres/values.yaml index a7234caceb..4cf03b2482 100755 --- a/kubernetes/contrib/components/awx/components/awx-postgres/values.yaml +++ b/kubernetes/contrib/components/awx/components/awx-postgres/values.yaml @@ -80,3 +80,9 @@ service: externalPort: 5432 resources: {} + +#Pods Service Account +serviceAccount: + nameOverride: awx-postgres + roles: + - read diff --git a/kubernetes/contrib/components/awx/requirements.yaml b/kubernetes/contrib/components/awx/requirements.yaml index b015bd1216..222db3890e 100755 --- a/kubernetes/contrib/components/awx/requirements.yaml +++ b/kubernetes/contrib/components/awx/requirements.yaml @@ -22,3 +22,6 @@ dependencies: - name: awx-postgres version: ~8.x-0 repository: 'file://components/awx-postgres' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/contrib/components/awx/templates/statefulset.yaml b/kubernetes/contrib/components/awx/templates/statefulset.yaml index 1f2c093742..9910aa4634 100644 --- a/kubernetes/contrib/components/awx/templates/statefulset.yaml +++ b/kubernetes/contrib/components/awx/templates/statefulset.yaml @@ -180,7 +180,7 @@ spec: cpu: 500m memory: 1Gi serviceAccount: {{ include "common.fullname" . }} - serviceAccountName: {{ include "common.fullname" . }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - configMap: defaultMode: 420 diff --git a/kubernetes/contrib/components/awx/values.yaml b/kubernetes/contrib/components/awx/values.yaml index 02642fd3fd..0a247c5743 100755 --- a/kubernetes/contrib/components/awx/values.yaml +++ b/kubernetes/contrib/components/awx/values.yaml @@ -109,3 +109,9 @@ service: externalPort: 5672 resources: {} + +#Pods Service Account +serviceAccount: + nameOverride: awx + roles: + - read diff --git a/kubernetes/contrib/components/ejbca/requirements.yaml b/kubernetes/contrib/components/ejbca/requirements.yaml index 31db08aa3a..284108c256 100644 --- a/kubernetes/contrib/components/ejbca/requirements.yaml +++ b/kubernetes/contrib/components/ejbca/requirements.yaml @@ -26,3 +26,9 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: cmpv2Config + version: ~8.x-0 + repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh index ad10240b94..94c95d6c30 100755 --- a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh +++ b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh waitForEjbcaToStart() { until $(curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth --output /dev/null --silent --head --fail) @@ -8,16 +8,31 @@ waitForEjbcaToStart() { } configureEjbca() { + ejbca.sh ca init \ + --caname ManagementCA \ + --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \ + --tokenType soft \ + --keyspec 3072 \ + --keytype RSA \ + -v 3652 \ + --policy null \ + -s SHA256WithRSA \ + -type "x509" ejbca.sh config cmp addalias --alias cmpRA ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK} - ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe + ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate' + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA' + ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true #Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth) ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles #Profile name taken from certprofile filename (certprofile_<profile-name>-<id>.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER #ID taken from entityprofile filename (entityprofile_<profile-name>-<id>.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849 + caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p') + ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject" ejbca.sh config cmp dumpalias --alias cmpRA ejbca.sh config cmp addalias --alias cmp ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true @@ -27,6 +42,13 @@ configureEjbca() { ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN ejbca.sh config cmp dumpalias --alias cmp ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem + #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation) + ejbca.sh roles addrole "Certificate Update Admin" + ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT + ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}" } diff --git a/kubernetes/contrib/components/ejbca/templates/deployment.yaml b/kubernetes/contrib/components/ejbca/templates/deployment.yaml index 46f7d3521c..6bd5b259ea 100644 --- a/kubernetes/contrib/components/ejbca/templates/deployment.yaml +++ b/kubernetes/contrib/components/ejbca/templates/deployment.yaml @@ -61,6 +61,8 @@ spec: env: - name: INITIAL_ADMIN value: ";PublicAccessAuthenticationToken:TRANSPORT_ANY;" + - name: NO_CREATE_CA + value: "true" - name: DATABASE_JDBC_URL value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ .Values.mysqlDatabase }} - name: DATABASE_USER @@ -92,6 +94,7 @@ spec: affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} resources: {{ include "common.resources" . | nindent 10 }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - configMap: name: "{{ include "common.fullname" . }}-config-script" diff --git a/kubernetes/contrib/components/ejbca/values.yaml b/kubernetes/contrib/components/ejbca/values.yaml index 57d1e7848e..52e0e750a0 100644 --- a/kubernetes/contrib/components/ejbca/values.yaml +++ b/kubernetes/contrib/components/ejbca/values.yaml @@ -124,3 +124,9 @@ resources: cpu: 20m memory: 1Gi unlimited: {} + +#Pods Service Account +serviceAccount: + nameOverride: ejbca + roles: + - read diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/requirements.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/requirements.yaml index 50ff87c18b..1b6f2d7c93 100755 --- a/kubernetes/contrib/components/netbox/components/netbox-app/requirements.yaml +++ b/kubernetes/contrib/components/netbox/components/netbox-app/requirements.yaml @@ -19,3 +19,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/custom_fields.yml b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/custom_fields.yml index c23e29a11d..05bbfc7738 100755 --- a/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/custom_fields.yml +++ b/kubernetes/contrib/components/netbox/components/netbox-app/resources/config/initializers/custom_fields.yml @@ -1,8 +1,8 @@ -external-key: +external-key: description: "The external-key uniquely identify the resources to a service within ONAP." filterable: true label: ONAP external key - on_objects: + on_objects: - ipam.models.IPAddress required: true type: text diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/templates/deployment.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/templates/deployment.yaml index f1209cdb56..302166fcd6 100755 --- a/kubernetes/contrib/components/netbox/components/netbox-app/templates/deployment.yaml +++ b/kubernetes/contrib/components/netbox/components/netbox-app/templates/deployment.yaml @@ -138,6 +138,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/contrib/components/netbox/components/netbox-app/values.yaml b/kubernetes/contrib/components/netbox/components/netbox-app/values.yaml index 92f97c2620..27cd811ec1 100755 --- a/kubernetes/contrib/components/netbox/components/netbox-app/values.yaml +++ b/kubernetes/contrib/components/netbox/components/netbox-app/values.yaml @@ -112,3 +112,9 @@ readiness: periodSeconds: 10 resources: {} + +#Pods Service Account +serviceAccount: + nameOverride: netbox-app + roles: + - read diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/requirements.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/requirements.yaml index 50ff87c18b..1b6f2d7c93 100755 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/requirements.yaml +++ b/kubernetes/contrib/components/netbox/components/netbox-nginx/requirements.yaml @@ -19,3 +19,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/deployment.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/deployment.yaml index 7bdf46f252..2d115f74bf 100755 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/deployment.yaml +++ b/kubernetes/contrib/components/netbox/components/netbox-nginx/templates/deployment.yaml @@ -61,6 +61,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/contrib/components/netbox/components/netbox-nginx/values.yaml b/kubernetes/contrib/components/netbox/components/netbox-nginx/values.yaml index de131d30d0..a7d0dadbf1 100755 --- a/kubernetes/contrib/components/netbox/components/netbox-nginx/values.yaml +++ b/kubernetes/contrib/components/netbox/components/netbox-nginx/values.yaml @@ -81,3 +81,9 @@ service: nodePort: 20 resources: {} + +#Pods Service Account +serviceAccount: + nameOverride: netbox-nginx + roles: + - read diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/requirements.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/requirements.yaml index 50ff87c18b..1b6f2d7c93 100755 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/requirements.yaml +++ b/kubernetes/contrib/components/netbox/components/netbox-postgres/requirements.yaml @@ -19,3 +19,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: serviceAccount + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/deployment.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/deployment.yaml index 2caddeba49..8e05524fd1 100755 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/deployment.yaml +++ b/kubernetes/contrib/components/netbox/components/netbox-postgres/templates/deployment.yaml @@ -64,6 +64,7 @@ spec: affinity: {{ toYaml .Values.affinity | indent 10 }} {{- end }} + serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}} volumes: - name: localtime hostPath: diff --git a/kubernetes/contrib/components/netbox/components/netbox-postgres/values.yaml b/kubernetes/contrib/components/netbox/components/netbox-postgres/values.yaml index 572e23d53c..7e0a324aa1 100755 --- a/kubernetes/contrib/components/netbox/components/netbox-postgres/values.yaml +++ b/kubernetes/contrib/components/netbox/components/netbox-postgres/values.yaml @@ -80,3 +80,9 @@ service: externalPort: 5432 resources: {} + +#Pods Service Account +serviceAccount: + nameOverride: netbox-postgres + roles: + - read |