diff options
Diffstat (limited to 'kubernetes/contrib')
6 files changed, 155 insertions, 7 deletions
diff --git a/kubernetes/contrib/components/ejbca/requirements.yaml b/kubernetes/contrib/components/ejbca/requirements.yaml index 31db08aa3a..8762d969f9 100644 --- a/kubernetes/contrib/components/ejbca/requirements.yaml +++ b/kubernetes/contrib/components/ejbca/requirements.yaml @@ -26,3 +26,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: cmpv2Config + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh index ad10240b94..2c672e2f07 100755 --- a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh +++ b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh @@ -8,16 +8,31 @@ waitForEjbcaToStart() { } configureEjbca() { + ejbca.sh ca init \ + --caname ManagementCA \ + --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \ + --tokenType soft \ + --keyspec 3072 \ + --keytype RSA \ + -v 3652 \ + --policy null \ + -s SHA256WithRSA \ + -type "x509" ejbca.sh config cmp addalias --alias cmpRA ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK} - ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe + ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate' + ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA' + ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true #Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth) ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles #Profile name taken from certprofile filename (certprofile_<profile-name>-<id>.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER #ID taken from entityprofile filename (entityprofile_<profile-name>-<id>.xml) ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849 + caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p') + ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject" ejbca.sh config cmp dumpalias --alias cmpRA ejbca.sh config cmp addalias --alias cmp ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true @@ -27,6 +42,13 @@ configureEjbca() { ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN ejbca.sh config cmp dumpalias --alias cmp ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem + #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation) + ejbca.sh roles addrole "Certificate Update Admin" + ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT + ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT + ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}" } diff --git a/kubernetes/contrib/components/ejbca/templates/deployment.yaml b/kubernetes/contrib/components/ejbca/templates/deployment.yaml index a10b0592de..fc163ee2e2 100644 --- a/kubernetes/contrib/components/ejbca/templates/deployment.yaml +++ b/kubernetes/contrib/components/ejbca/templates/deployment.yaml @@ -23,6 +23,8 @@ spec: template: metadata: {{- include "common.templateMetadata" . | nindent 6 }} spec: + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" initContainers: - name: {{ include "common.name" . }}-db-readiness command: @@ -59,6 +61,8 @@ spec: env: - name: INITIAL_ADMIN value: ";PublicAccessAuthenticationToken:TRANSPORT_ANY;" + - name: NO_CREATE_CA + value: "true" - name: DATABASE_JDBC_URL value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ .Values.mysqlDatabase }} - name: DATABASE_USER diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh index 67bbfd6c6f..460c046632 100755 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh +++ b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh @@ -1,5 +1,5 @@ #!/bin/bash -e -# + # Copyright 2020 Samsung Electronics Co., Ltd. # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -70,7 +70,8 @@ ingress_controller_ip() { deploy() { local ingress_ip=$(ingress_controller_ip) - pushd "$SPATH/bind9dns" > /dev/null + initdir = $(pwd) + cd $SPATH/bind9dns if [ $# -eq 0 ]; then local cl_domain="simpledemo.onap.org" else @@ -82,13 +83,13 @@ deploy() { shift fi helm install . --set dnsconf.wildcard="$cl_domain=$ingress_ip" $@ - popd > /dev/null + cd $initdir target_machine_notice_info } if [ $# -eq 1 ] && [ "$1" = "-h" ]; then usage -elif [ $# -eq 1 ] && [ "$1" = "--help" ]; then +elif [ $# -eq 1 ] && [ "$1" = "--help" ]; then usage elif [ $# -eq 1 ] && [ "$1" = "--info" ]; then target_machine_notice_info diff --git a/kubernetes/contrib/tools/check-for-staging-images.sh b/kubernetes/contrib/tools/check-for-staging-images.sh index 8c01312fa2..543e918cfa 100755 --- a/kubernetes/contrib/tools/check-for-staging-images.sh +++ b/kubernetes/contrib/tools/check-for-staging-images.sh @@ -40,7 +40,7 @@ printf "\n" if [ -n "$NOT_AVAILABLE_IMAGES" ]; then echo "[ERROR] Only release images are allowed in helm charts." echo "[ERROR] Images not found in release repo:" - echo -e "$NOT_AVAILABLE_IMAGES" + printf "%b$NOT_AVAILABLE_IMAGES\n" exit 1 fi -exit 0
\ No newline at end of file +exit 0 diff --git a/kubernetes/contrib/tools/registry-initialize.sh b/kubernetes/contrib/tools/registry-initialize.sh new file mode 100755 index 0000000000..75b36bbc52 --- /dev/null +++ b/kubernetes/contrib/tools/registry-initialize.sh @@ -0,0 +1,118 @@ +#!/bin/sh -x + +# Copyright (c) 2021 AT&T. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Pre-requisite +# 1. Chart packages available under local directory provided as input/argument +# 2. helm client installed with push plugin +# 3. ONAP chartmuseum service deployed + +usage() +{ + echo "Chart Base directory must be provided as input!!" + echo "Usage: registry-initialize.sh -d chartdirectory \ +<-n namespace override> <-r helmrelease override>" + exit 1 +} + +if [ $# -eq 0 ]; then + usage +fi + +# defaults +NAMESPACE=onap +RLS_NAME=onap +LOGIN="" +PASSWORD="" + +while getopts ":d:n:r:" opt; do + case $opt in + d) BASEDIR="$OPTARG" + ;; + n) NAMESPACE="$OPTARG" + ;; + r) RLS_NAME="$OPTARG" + ;; + \?) echo "Invalid option -$OPTARG" >&2 + usage + ;; + esac +done + +if [ -z "$BASEDIR" ]; then + exit "Chart base directory provided $BASEDIR is empty" +fi + +if [ "$(find $BASEDIR -maxdepth 1 -name '*tgz' -print -quit)" ]; then + echo "$BASEDIR valid" +else + exit "No chart package on $BASEDIR provided" +fi + +LOGIN=$(kubectl -n "$NAMESPACE" get secret \ + "${RLS_NAME}-chartmuseum-registrycred" \ + -o jsonpath='{.data.login}' | base64 -d) + +PASSWORD=$(kubectl -n "$NAMESPACE" get secret \ + "${RLS_NAME}-chartmuseum-registrycred" \ + -o jsonpath='{.data.password}' | base64 -d) + +if [ -z "$LOGIN" ] || [ -z "$PASSWORD" ]; then + echo "Login/Password credential for target registry cannot be retrieved" + exit 1 +fi + +# Expose cluster port via port-forwarding +kubectl -n $NAMESPACE port-forward service/chart-museum 27017:80 & +if [ $? -ne 0 ]; then + echo "Error in portforwarding; registry cannot be added!!" + exit 1 +fi + +sleep 5 + +# Add chartmuseum repo as helm repo +# Credentials should match config defined in +# oom\kubernetes\platform\components\chartmuseum\values.yaml +helm repo add k8s-registry http://127.0.0.1:27017 --username "$LOGIN" \ + --password "$PASSWORD" +if [ $? -ne 0 ]; then + echo "registry cannot be added!!" + pkill -f "port-forward service/chart-museum" + exit 1 +fi + +# Initial scope is pushing only dcae charts +# can be expanded to include all onap charts if required +for file in $BASEDIR/dcae*tgz; do + # use helm plugin to push charts + helm push $file k8s-registry + if [ $? -eq 0 ]; then + echo "$file uploaded to registry successfully" + else + echo "registry upload failed!!" + pkill -f "port-forward service/chart-museum" + helm repo remove k8s-registry + exit 1 + fi +done + +echo "All Helm charts successfully uploaded into internal repository" + +# Remove the port-forwarding process +pkill -f "port-forward service/chart-museum" + +# Remove helm registry from local +helm repo remove k8s-registry |