4 files changed, 127 insertions, 53 deletions
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env b/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env
index cde43f95b7..84a42d6436 100644
--- a/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env
+++ b/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env
@@ -14,4 +14,4 @@
 
 # Environment settings for starting a container
 DMAAPBC_WAIT_TO_EXIT=Y
-
+DMAAPBC_KSTOREFILE=/opt/app/osaaf/local/org.onap.dmaap-bc.jks
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties b/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties
index e43182daa3..59f64bd99c 100644
--- a/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties
+++ b/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties
@@ -12,43 +12,47 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-#####################################################
-#
-# ONAP Casablanca oom configurable deployment params:
-#
-#####################################################
-
 
 #####################################################
 #
 # Hooks for specific environment configurations
 #
 #####################################################
-# Indicator for whether to use AAF
+# Indicator for whether to use AAF for authentication
 UseAAF: {{ .Values.global.aafEnabled }}
 
-# csit: stubs out some southbound APIs for csit
-csit: No
+# Stub out southbound calls for Unit Test cases to run.  e.g. not timeout
+# Comment out in other environments to get default (No)
+#UnitTest: Yes
 
-# name of this DMaaP instance (deprecated)
-#DmaapName: demo
 
 #####################################################
 #
 # Settings for Southbound API: Datarouter
 #
 #####################################################
-# FQDN of DR Prov Server (deprecated)
-#DR.provhost: dcae-drps.domain.not.set
 
 # URI to retrieve dynamic DR configuration
 ProvisioningURI:  /internal/prov
 
 # indicator for handling feed delete:
 #  DeleteOnDR - means use the DR API to DELETE a feed.  (default for backwards compatibility)
-#  SimulateDelete - means preserve the feed on DR (after cleaning it up), and mark as DELETED in DBCL.  Better for cfy environments.
+#  SimulateDelete - means preserve the feed on DR (after cleaning it up), and mark as DELETED in DBCL.  Better for cloudify environments.
 Feed.deleteHandling: SimulateDelete
 
+###########################################################
+# The following properties default to match ONAP DR instance.
+# However, there are some non-ONAP DR instances that require other values.
+# Sets the X-DR-ON-BEHALF-OF HTTP Header value
+#DR.onBehalfHeader:
+# Value for the Content-Type Header in DR Feed API
+#DR.feedContentType:
+# Value for the Content-Type Header in DR Subscription API
+#DR.subContentType:
+#
+# END OF properties helpful for non-ONAP DR instance.
+############################################################
+
 #####################################################
 #
 # Settings for Soutbound API: Postgresql
@@ -86,6 +90,9 @@ MR.multisite: false
 # In a multi-site, MR cluster deployment, use the CNAME DNS entry which resolves to the primary central MR
 MR.CentralCname: {{ .Values.dmaapMessageRouterService }}
 
+# Indicator for whether we want hostname verification on SSL connection to MR
+MR.hostnameVerify: false
+
 # MR Client Delete Level thoroughness:
 #  0 = don't delete
 #  1 = delete from persistent store
@@ -104,6 +111,12 @@ MR.projectID:  mr
 # Use Basic Authentication when provisioning topics
 MR.authentication: basicAuth
 
+# MR topic name style (default is FQTN_LEGACY_FORMAT)
+#MR.topicStyle: FQTN_LEGACY_FORMAT
+#
+# end of MR Related Properties
+################################################################################
+
 
 #####################################################
 #
@@ -136,14 +149,20 @@ aaf.AdminPassword: {{ .Values.adminPwd }}
 # Identity that is owner of any created namespaces for topics
 aaf.NsOwnerIdentity: {{ .Values.adminUser }}
 
-# location of the codec keyfile used to decrypt passwords in this properties file before they are passed to AAF
-CredentialCodeKeyfile: etc/LocalKey
 
 # this overrides the Class used for Decryption.
 # This allows for a plugin encryption/decryption method if needed.
 # Call this Class for decryption at runtime.
 #AafDecryption.Class: com.company.proprietaryDecryptor
 
+# location of the codec keyfile used to decrypt passwords in this properties file before they are passed to AAF
+# Not used in ONAP, but possibly used with Decryption override class.
+#CredentialCodeKeyfile: etc/LocalKey
+
+#
+# endof AAF Properties
+####################################################
+
 
 #####################################################
 #
@@ -172,11 +191,53 @@ MM.ProvUserMechId: dmaap-bc-mm-prov@dmaap-bc-mm-prov.onap.org
 # pwd for Identity used to publish MM prov cmds
 MM.ProvUserPwd: demo123456!
 
-# AAF Role of MirrorMaker agent subscribed to prov cmds
+# AAF Role of MirrorMaker agent subscribed to prov cmds.
 MM.AgentRole: org.onal.dmaap-bc-mm-prov.agent
 
 #####################################################
 #
+# Certificate Management
+#
+#####################################################
+
+# Indicates how we are expecting certificates to be provided:
+#  cadi - a set of artifacts will be downloaded from AAF at deployment time, and details will be in a cadi properties file
+#  legacy (default) - artifacts will be installed manually or some other way and details will be in this file
+CertificateManagement: cadi
+
+# When CertificateManagement is cadi, then this is where all the cadi properties will be.
+# Note that the cadi properties include where the cert is, and the encrypted passwords to read.
+cadi.properties: /opt/app/osaaf/local/org.onap.dmaap-bc.props
+
+###########################################################################################
+# When CertificateManagement is legacy, we need to provide more details about cert handling:
+#CertificateManagement: legacy
+# the type of keystore for https (for legacy CertificateManagment only)
+#KeyStoreType: jks
+
+# path to the keystore file (for legacy CertificateManagment only)
+#KeyStoreFile: etc/keystore
+
+# password for the https keystore (for legacy CertificateManagment only)
+#KeyStorePassword:  Y@Y5f&gm?PAz,CVQL,lk[VAF
+# password for the private key in the https keystore (for legacy CertificateManagment only)
+#KeyPassword: changeit
+
+# type of truststore for https (for legacy CertificateManagment only)
+#TrustStoreType: jks
+
+# path to the truststore for https (for legacy CertificateManagment only)
+#TrustStoreFile: etc/org.onap.dmaap-bc.trust.jks
+
+# password for the https truststore (for legacy CertificateManagment only)
+#TrustStorePassword: changeit
+#
+# END OF legacy CertificateManagement properties
+###########################################################################################
+
+
+#####################################################
+#
 # HTTP Server Configuration
 #
 #####################################################
@@ -191,30 +252,24 @@ IntHttpPort: 8080
 # set to 0 if no certificates are available.
 IntHttpsPort: 8443
 
-# external port number for https taking port mapping into account
-ExtHttpsPort: 443
-
-# the type of keystore for https
-KeyStoreType: jks
-
-# path to the keystore file
-KeyStoreFile: etc/keystore
-
-# password for the https keystore
-KeyStorePassword:  Y@Y5f&gm?PAz,CVQL,lk[VAF
-# password for the private key in the https keystore
-KeyPassword: Y@Y5f&gm?PAz,CVQL,lk[VAF
 
-# type of truststore for https
-TrustStoreType: jks
-
-# path to the truststore for https
-TrustStoreFile: etc/org.onap.dmaap-bc.trust.jks
-
-# password for the https truststore
-TrustStorePassword: 8b&R5%l$l:@jSWz@FCs;rhY*
-
-# path to the file used to trigger an orderly shutdown
-QuiesceFile: etc/SHUTDOWN
 
 inHttpsPort: 0
+
+#####################################################
+#
+# Deprecated
+#
+#####################################################
+# csit: stubs out some southbound APIs for csit  (deprecated)
+#csit: No
+# name of this DMaaP instance (deprecated)
+#DmaapName: demo
+# external port number for https taking port mapping into account  (deprecated)
+#ExtHttpsPort: 443
+# path to the file used to trigger an orderly shutdown (deprecated)
+#QuiesceFile: etc/SHUTDOWN
+# FQDN of DR Prov Server (deprecated)
+#DR.provhost: dcae-drps.domain.not.set
+# root of topic namespace (decrecated)
+#topicNsRoot: org.onap.dcae.dmaap
diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml
index 3e08185a20..ea2720f9ce 100644
--- a/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml
+++ b/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml
@@ -48,7 +48,7 @@ spec:
         command: ["bash","-c","exec /opt/app/aaf_config/bin/agent.sh"]
         volumeMounts:
         - mountPath: {{ .Values.persistence.aafCredsPath }}
-          name: {{ include "common.name" . }}-aaf-config
+          name: {{ include "common.name" . }}-aaf-config-vol
         env:
         - name: APP_FQI
           value: "{{ .Values.aafConfig.fqi }}"
@@ -75,6 +75,26 @@ spec:
           value: "{{ .Values.aafConfig.cadiLongitude }}"
         - name: cadi_latitude
           value: "{{ .Values.aafConfig.cadiLatitude }}"
+      - name: {{ include "common.name" . }}-permission-fixer
+        image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        volumeMounts:
+        - mountPath: {{ .Values.persistence.aafCredsPath }}
+          name: {{ include "common.name" . }}-aaf-config-vol
+        command: ["chown","-Rf","1000:1001", "/opt/app/"]
+#       See AAF-425 for explanation of why this is needed.
+#       This artifact is provisioned in AAF for both pks12 and jks format and apparently
+#       the cadi library is not using the jks password on the jks keystore.
+#       So, this attempts to "fix" the credential property file until this is fixed properly.
+      - name: {{ include "common.name" . }}-cred-fixer
+        image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        volumeMounts:
+        - mountPath: {{ .Values.persistence.aafCredsPath }}
+          name: {{ include "common.name" . }}-aaf-config-vol
+        command: ["/bin/sh"]
+        args: [ "-c", "sed -i -e '/cadi_keystore_password=/d' -e '/cadi_keystore_password_jks/p' -e 's/cadi_keystore_password_jks/cadi_keystore_password/' -e 's/dmaap-bc.p12/dmaap-bc.jks/' /opt/app/osaaf/local/org.onap.dmaap-bc.cred.props" ]
+
 {{- end }}
 {{- if .Values.PG.enabled }}
       - name: {{ include "common.name" . }}-postgres-readiness
@@ -95,7 +115,7 @@ spec:
 {{- end }}
       containers:
         - name: {{ include "common.name" . }}
-          image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+          image: "{{ .Values.repository }}/{{ .Values.image }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           ports: {{ include "common.containerPorts" . | nindent 10  }}
           {{ if eq .Values.liveness.enabled true -}}
@@ -118,13 +138,12 @@ spec:
           - mountPath: /etc/localtime
             name: localtime
             readOnly: true
+          - mountPath: {{ .Values.persistence.aafCredsPath }}
+            name: {{ include "common.name" . }}-aaf-config-vol
 # NOTE: on the following several configMaps, careful to include / at end
 #       since there may be more than one file in each mountPath
           - name: {{ include "common.name" . }}-config
             mountPath: /opt/app/config/conf/
-          - name: {{ include "common.name" . }}-aaf-config
-            mountPath: /opt/app/dmaapbc/etc/org.onap.dmaap-bc.props
-            subPath: org.onap.dmaap-bc.props
           resources: {{ include "common.resources" . | nindent 12 }}
         {{- if .Values.nodeSelector }}
         nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }}
@@ -139,8 +158,7 @@ spec:
         - name: {{ include "common.name" . }}-config
           configMap:
             name: {{ include "common.fullname" . }}-config
-        - name: {{ include "common.name" . }}-aaf-config
-          configMap:
-            name: {{ include "common.fullname" . }}-aaf-config
+        - name: {{ include "common.name" . }}-aaf-config-vol
+          emptyDir: {}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/dmaap/components/dmaap-bc/values.yaml b/kubernetes/dmaap/components/dmaap-bc/values.yaml
index 28c77eb54c..3a18787826 100644
--- a/kubernetes/dmaap/components/dmaap-bc/values.yaml
+++ b/kubernetes/dmaap/components/dmaap-bc/values.yaml
@@ -30,7 +30,8 @@ pullPolicy: Always
 
 # application images
 repository: nexus3.onap.org:10001
-image: onap/dmaap/dmaap-bc:2.0.3
+#repository:  10.12.7.57:5000
+image: onap/dmaap/dmaap-bc:2.0.4
 
 
 # application configuration
@@ -49,7 +50,7 @@ adminPwd: demo123456!
 
 #AAF local config
 aafConfig:
-  aafDeployFqi: dmaap-bc@dmaap-bc.onap.org
+  aafDeployFqi: deployer@people.osaaf.org
   aafDeployPass: demo123456!
   fqdn: dmaap-bc
   fqi: dmaap-bc@dmaap-bc.onap.org
@@ -58,7 +59,7 @@ aafConfig:
   cadiLongitude: 0.0
 
 persistence:
-  aafCredsPath: /opt/app/osaaf/local
+  aafCredsPath: /opt/app/osaaf/local/
 
 # for Casablanca default deployment, leave this true to
 # get a topic namespace that matches MR.  When set to false,