summaryrefslogtreecommitdiffstats
path: root/kubernetes/platform/components/oom-cert-service
diff options
context:
space:
mode:
Diffstat (limited to 'kubernetes/platform/components/oom-cert-service')
-rw-r--r--kubernetes/platform/components/oom-cert-service/templates/certificate.yaml53
-rw-r--r--kubernetes/platform/components/oom-cert-service/templates/issuer.yaml24
-rw-r--r--kubernetes/platform/components/oom-cert-service/values.yaml18
3 files changed, 94 insertions, 1 deletions
diff --git a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
index fd317703e3..8f49424b54 100644
--- a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
+++ b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
@@ -14,4 +14,57 @@
# limitations under the License.
*/}}
+{{- if .Values.global.cmpv2Enabled }}
{{ include "certManagerCertificate.certificate" . }}
+{{- end -}}
+
+{{- if (include "common.onServiceMesh" .) }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ingress-ca-certificate
+ namespace: {{ .Values.tls.issuer.ingressCa.namespace }}
+spec:
+ isCA: true
+ commonName: "{{ .Values.global.ingress.virtualhost.baseurl }}" #not important as it is self signed
+ secretName: {{ .Values.tls.issuer.ingressCa.secret.name }}
+ usages:
+ - server auth
+ - client auth
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: {{ .Values.tls.issuer.ingressSelfsigned.name }}
+ kind: Issuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ingress-selfsigned-certificate
+ namespace: {{ .Values.tls.issuer.ingressSelfsigned.namespace }}
+spec:
+ secretName: ingress-tls-secret
+ privateKey:
+ rotationPolicy: Always
+ algorithm: RSA
+ encoding: PKCS1
+ size: 4096
+ duration: 9000h0m0s # 1 Year
+ renewBefore: 4000h0m0s #9 months
+ commonName: "*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+# usages:
+# - server auth
+# - client auth
+ dnsNames:
+ - {{ .Values.global.ingress.virtualhost.baseurl }}
+ - "*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+ - "*.*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+ - "*.*.*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+ issuerRef:
+ name: {{ .Values.tls.issuer.ingressCa.name }}
+ kind: Issuer
+ group: cert-manager.io
+{{- end -}}
diff --git a/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml
index 9047ab73d3..1220ad35a9 100644
--- a/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml
+++ b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml
@@ -14,6 +14,7 @@
# limitations under the License.
*/}}
+{{- if .Values.global.cmpv2Enabled }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
@@ -29,4 +30,25 @@ metadata:
namespace: {{ include "common.namespace" . }}
spec:
ca:
- secretName: {{ .Values.tls.issuer.ca.secret.name }} \ No newline at end of file
+ secretName: {{ .Values.tls.issuer.ca.secret.name }}
+{{- end -}}
+
+{{- if (include "common.onServiceMesh" .) }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ .Values.tls.issuer.ingressSelfsigned.name }}
+ namespace: {{ .Values.tls.issuer.ingressSelfsigned.namespace }}
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ .Values.tls.issuer.ingressCa.name }}
+ namespace: {{ .Values.tls.issuer.ingressCa.namespace }}
+spec:
+ ca:
+ secretName: {{ .Values.tls.issuer.ingressCa.secret.name }}
+{{- end -}} \ No newline at end of file
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index c74fe9b2c0..7778c03e34 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml
@@ -22,6 +22,16 @@ global:
# Standard OOM
pullPolicy: "Always"
repository: "nexus3.onap.org:10001"
+ ingress:
+ enabled: true
+ # All http requests via ingress will be redirected
+ config:
+ ssl: "redirect"
+ # you can set an own Secret containing a certificate
+ # tls:
+ # secret: 'my-ingress-cert'
+ # optional: Namespace of the Istio IngressGateway
+ namespace: &ingressNamespace istio-ingress
# Service configuration
@@ -82,6 +92,14 @@ tls:
name: &caIssuer cmpv2-issuer-onap
secret:
name: &caKeyPairSecret cmpv2-ca-key-pair
+ ingressSelfsigned:
+ name: ingress-selfsigned-issuer
+ namespace: *ingressNamespace
+ ingressCa:
+ name: ingress-ca-issuer
+ namespace: *ingressNamespace
+ secret:
+ name: ingress-ca-key-pair
server:
secret:
name: &serverSecret oom-cert-service-server-tls-secret