diff options
Diffstat (limited to 'kubernetes')
44 files changed, 472 insertions, 385 deletions
diff --git a/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties b/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties index 4f480cb5d7..774e8bd5ca 100644 --- a/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties +++ b/kubernetes/aai/components/aai-resources/resources/config/application-keycloak.properties @@ -3,10 +3,10 @@ spring.autoconfigure.exclude=\ org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\ org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration -multi.tenancy.enabled=true +multi.tenancy.enabled={{ .Values.config.keycloak.multiTenancy.enabled }} keycloak.auth-server-url=http://{{ .Values.config.keycloak.host }}:{{ .Values.config.keycloak.port }}/auth -keycloak.realm=aai-resources -keycloak.resource=aai-resources-app +keycloak.realm={{ .Values.config.keycloak.realm }} +keycloak.resource={{ .Values.config.keycloak.resource }} keycloak.public-client=true keycloak.principal-attribute=preferred_username diff --git a/kubernetes/aai/components/aai-resources/values.yaml b/kubernetes/aai/components/aai-resources/values.yaml index b84139161e..f30b067b2e 100644 --- a/kubernetes/aai/components/aai-resources/values.yaml +++ b/kubernetes/aai/components/aai-resources/values.yaml @@ -49,7 +49,7 @@ global: # global defaults # Active spring profiles for the resources microservice profiles: - active: production,dmaap,aaf-auth + active: production,dmaap,aaf-auth #,keycloak # Notification event specific properties notification: @@ -164,9 +164,19 @@ replicaCount: 1 # Configuration for the resources deployment config: + # configure keycloak according to your environment. + # don't forget to add keycloak in active profiles above (global.config.profiles) keycloak: - host: localhost + host: keycloak.your.domain port: 8180 + # Specifies a set of users, credentials, roles, and groups + realm: aai-resources + # Used by any client application for enabling fine-grained authorization for their protected resources + resource: aai-resources-app + # If set to true, additional criteria will be added that match the data-owner property with the given role + # to the user in keycloak + multiTenancy: + enabled: true # Specifies crud related operation timeouts and overrides crud: diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/health_check.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/health_check.sh index 6e35ca894c..f2675b0404 100755 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/health_check.sh +++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/health_check.sh @@ -18,7 +18,7 @@ waiting_bundles=$(/opt/opendaylight/current/bin/client bundle:list | grep Waiting | wc -l) run_level=$(/opt/opendaylight/current/bin/client system:start-level) - if [ "$run_level" == "Level 100" ] && [ "$waiting_bundles" -lt "1" ] + if [ "$run_level" = "Level 100" ] && [ "$waiting_bundles" -lt "1" ] then echo APPC is healthy. else diff --git a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh index c78daee558..2fd6db1360 100755 --- a/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh +++ b/kubernetes/appc/resources/config/appc/opt/onap/appc/bin/startODL.sh @@ -83,7 +83,7 @@ then show databases like 'sdnctl'; END ) - if [ "x${sdnc_db_exists}" == "x" ] + if [ "x${sdnc_db_exists}" = "x" ] then echo "Installing SDNC database" ${SDNC_HOME}/bin/installSdncDb.sh @@ -92,7 +92,7 @@ END show databases like 'appcctl'; END ) - if [ "x${appc_db_exists}" == "x" ] + if [ "x${appc_db_exists}" = "x" ] then echo "Installing APPC database" ${APPC_HOME}/bin/installAppcDb.sh diff --git a/kubernetes/common/cassandra/resources/restore.sh b/kubernetes/common/cassandra/resources/restore.sh index b56c0fac70..a8105345f7 100644 --- a/kubernetes/common/cassandra/resources/restore.sh +++ b/kubernetes/common/cassandra/resources/restore.sh @@ -75,7 +75,7 @@ esac done # Validate inputs -if [ "$base_db_dir" == "" ] || [ "$ss_dir" == "" ] || [ "$keyspace_name" == "" ] +if [ "$base_db_dir" = "" ] || [ "$ss_dir" = "" ] || [ "$keyspace_name" = "" ] then echo "" echo ">>>>>>>>>>Not all inputs provided, please check usage >>>>>>>>>>" diff --git a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh index 87e584c78e..d955ecdf3c 100755 --- a/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh +++ b/kubernetes/common/cert-wrapper/resources/import-custom-certs.sh @@ -28,18 +28,18 @@ mkdir -p $WORK_DIR for f in $CERTS_DIR/*; do export canonical_name_nob64=$(echo $f | sed 's/.*\/\([^\/]*\)/\1/') export canonical_name_b64=$(echo $f | sed 's/.*\/\([^\/]*\)\(\.b64\)/\1/') - if [ "$AAF_ENABLED" == "false" ] && [ "$canonical_name_b64" == "$ONAP_TRUSTSTORE" ]; then + if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_b64" = "$ONAP_TRUSTSTORE" ]; then # Dont use onap truststore when aaf is disabled continue fi - if [ "$AAF_ENABLED" == "false" ] && [ "$canonical_name_nob64" == "$ONAP_TRUSTSTORE" ]; then + if [ "$AAF_ENABLED" = "false" ] && [ "$canonical_name_nob64" = "$ONAP_TRUSTSTORE" ]; then # Dont use onap truststore when aaf is disabled continue fi - if [ ${f: -3} == ".sh" ]; then + if [ ${f: -3} = ".sh" ]; then continue fi - if [ ${f: -4} == ".b64" ] + if [ ${f: -4} = ".b64" ] then base64 -d $f > $WORK_DIR/`basename $f .b64` else @@ -48,7 +48,7 @@ for f in $CERTS_DIR/*; do done # Prepare truststore output file -if [ "$AAF_ENABLED" == "true" ] +if [ "$AAF_ENABLED" = "true" ] then mv $WORK_DIR/$ONAP_TRUSTSTORE $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME else @@ -58,7 +58,7 @@ fi # Import Custom Certificates for f in $WORK_DIR/*; do - if [ ${f: -4} == ".pem" ]; then + if [ ${f: -4} = ".pem" ]; then echo "importing certificate: $f" keytool -import -file $f -alias `basename $f` -keystore $WORK_DIR/$TRUSTSTORE_OUTPUT_FILENAME -storepass $TRUSTSTORE_PASSWORD -noprompt if [ $? != 0 ]; then diff --git a/kubernetes/common/certManagerCertificate/requirements.yaml b/kubernetes/common/certManagerCertificate/requirements.yaml index 210a02c65c..83becb0a33 100644 --- a/kubernetes/common/certManagerCertificate/requirements.yaml +++ b/kubernetes/common/certManagerCertificate/requirements.yaml @@ -16,3 +16,6 @@ dependencies: - name: common version: ~8.x-0 repository: 'file://../common' + - name: cmpv2Config + version: ~8.x-0 + repository: 'file://../cmpv2Config' diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl index f820c30ca9..108873b31d 100644 --- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl +++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl @@ -18,7 +18,7 @@ # # To request a certificate following steps are to be done: # - create an object 'certificates' in the values.yaml -# - create a file templates/certificates.yaml and invoke the function "certManagerCertificate.certificate". +# - create a file templates/certificate.yaml and invoke the function "certManagerCertificate.certificate". # # Here is an example of the certificate request for a component: # @@ -53,6 +53,7 @@ # passwordSecretRef: # name: secret-name # key: secret-key +# create: true # # Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined. # Other mandatory fields for the certificate definition do not have to be defined directly, @@ -74,7 +75,7 @@ {{/*# General certifiacate attributes #*/}} {{- $name := include "common.fullname" $dot -}} {{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}} -{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +{{- $secretName := default (printf "%s-secret-%d" $name $i) (tpl (default "" $certificate.secretName) $ ) -}} {{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}} {{- $renewBefore := default $subchartGlobal.certificate.default.renewBefore $certificate.renewBefore -}} {{- $duration := default $subchartGlobal.certificate.default.duration $certificate.duration -}} @@ -94,10 +95,11 @@ {{- if $certificate.issuer -}} {{- $issuer = $certificate.issuer -}} {{- end -}} ---- -{{- if $certificate.keystore }} +{{/*# Secret #*/}} +{{ if $certificate.keystore -}} {{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}} - {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote }} + {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote -}} + {{- if $passwordSecretRef.create }} apiVersion: v1 kind: Secret metadata: @@ -106,7 +108,8 @@ metadata: type: Opaque stringData: {{ $passwordSecretRef.key }}: {{ $password }} -{{- end }} + {{- end }} +{{ end -}} --- apiVersion: cert-manager.io/v1 kind: Certificate @@ -120,6 +123,15 @@ spec: {{- if $duration }} duration: {{ $duration }} {{- end }} + {{- if $certificate.isCA }} + isCA: {{ $certificate.isCA }} + {{- end }} + {{- if $certificate.usages }} + usages: + {{- range $usage := $certificate.usages }} + - {{ $usage }} + {{- end }} + {{- end }} subject: organizations: - {{ $subject.organization }} @@ -156,7 +168,9 @@ spec: {{- end }} {{- end }} issuerRef: + {{- if not (eq $issuer.kind "Issuer" ) }} group: {{ $issuer.group }} + {{- end }} kind: {{ $issuer.kind }} name: {{ $issuer.name }} {{- if $certificate.keystore }} @@ -168,7 +182,7 @@ spec: {{ $outputType }}: create: true passwordSecretRef: - name: {{ $certificate.keystore.passwordSecretRef.name }} + name: {{ tpl (default "" $certificate.keystore.passwordSecretRef.name) $ }} key: {{ $certificate.keystore.passwordSecretRef.key }} {{- end }} {{- end }} @@ -234,4 +248,4 @@ spec: {{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}} {{- end -}} {{ $certsLinkCommand }} -{{- end -}} +{{- end -}}
\ No newline at end of file diff --git a/kubernetes/common/cmpv2Certificate/requirements.yaml b/kubernetes/common/cmpv2Certificate/requirements.yaml index 87509d11bc..b10896d2ce 100644 --- a/kubernetes/common/cmpv2Certificate/requirements.yaml +++ b/kubernetes/common/cmpv2Certificate/requirements.yaml @@ -19,3 +19,6 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: 'file://../repositoryGenerator' + - name: cmpv2Config + version: ~8.x-0 + repository: 'file://../cmpv2Config' diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl index 58cc9c7249..f80b06b4d3 100644 --- a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl +++ b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl @@ -62,7 +62,7 @@ There also need to be some includes used in a target component deployment (inden {{- define "common.certServiceClient.initContainer" -}} {{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} {{- range $index, $certificate := $dot.Values.certificates -}} @@ -97,11 +97,14 @@ There also need to be some includes used in a target component deployment (inden {{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}} {{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}} {{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}} -{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.secret.mountPath -}} -{{- $keystorePath := $subchartGlobal.platform.certServiceClient.envVariables.keystorePath -}} -{{- $keystorePassword := $subchartGlobal.platform.certServiceClient.envVariables.keystorePassword -}} -{{- $truststorePath := $subchartGlobal.platform.certServiceClient.envVariables.truststorePath -}} -{{- $truststorePassword := $subchartGlobal.platform.certServiceClient.envVariables.truststorePassword -}} +{{- $certificatesSecret:= $subchartGlobal.platform.certServiceClient.clientSecretName -}} +{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath -}} +{{- $keystorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.keystoreKeyRef ) -}} +{{- $keystorePasswordSecret := $subchartGlobal.platform.certificates.keystorePasswordSecretName -}} +{{- $keystorePasswordSecretKey := $subchartGlobal.platform.certificates.keystorePasswordSecretKey -}} +{{- $truststorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.truststoreKeyRef ) -}} +{{- $truststorePasswordSecret := $subchartGlobal.platform.certificates.truststorePasswordSecretName -}} +{{- $truststorePasswordSecretKey := $subchartGlobal.platform.certificates.truststorePasswordSecretKey -}} - name: certs-init-{{ $index }} image: {{ include "repositoryGenerator.image.certserviceclient" $dot }} imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} @@ -133,11 +136,17 @@ There also need to be some includes used in a target component deployment (inden - name: KEYSTORE_PATH value: {{ $keystorePath | quote }} - name: KEYSTORE_PASSWORD - value: {{ $keystorePassword | quote }} + valueFrom: + secretKeyRef: + name: {{ $keystorePasswordSecret | quote}} + key: {{ $keystorePasswordSecretKey | quote}} - name: TRUSTSTORE_PATH value: {{ $truststorePath | quote }} - name: TRUSTSTORE_PASSWORD - value: {{ $truststorePassword | quote }} + valueFrom: + secretKeyRef: + name: {{ $truststorePasswordSecret | quote}} + key: {{ $truststorePasswordSecretKey | quote}} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: @@ -151,10 +160,10 @@ There also need to be some includes used in a target component deployment (inden {{- define "common.certServiceClient.volumes" -}} {{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} -{{- $certificatesSecretName := $subchartGlobal.platform.certServiceClient.secret.name -}} +{{- $certificatesSecretName := $subchartGlobal.platform.certificates.clientSecretName -}} - name: certservice-tls-volume secret: secretName: {{ $certificatesSecretName }} @@ -168,7 +177,7 @@ There also need to be some includes used in a target component deployment (inden {{- define "common.certServiceClient.volumeMounts" -}} {{- $dot := default . .dot -}} -{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} +{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}} {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} {{- range $index, $certificate := $dot.Values.certificates -}} diff --git a/kubernetes/common/cmpv2Certificate/values.yaml b/kubernetes/common/cmpv2Certificate/values.yaml index b7531431c4..504947525d 100644 --- a/kubernetes/common/cmpv2Certificate/values.yaml +++ b/kubernetes/common/cmpv2Certificate/values.yaml @@ -11,38 +11,3 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - -################################################################# -# Global configuration default values that can be inherited by -# all subcharts. -################################################################# -global: - # Enabling CMPv2 - cmpv2Enabled: true - CMPv2CertManagerIntegration: false - - certificate: - default: - subject: - organization: "Linux-Foundation" - country: "US" - locality: "San-Francisco" - province: "California" - organizationalUnit: "ONAP" - - platform: - certServiceClient: - secret: - name: oom-cert-service-client-tls-secret - mountPath: /etc/onap/oom/certservice/certs/ - envVariables: - certPath: "/var/custom-certs" - # Client configuration related - caName: "RA" - requestURL: "https://oom-cert-service:8443/v1/certificate/" - requestTimeout: "30000" - keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks" - outputType: "P12" - keystorePassword: "secret" - truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks" - truststorePassword: "secret" diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml index b6ee064302..695e40616c 100644 --- a/kubernetes/common/cmpv2Config/values.yaml +++ b/kubernetes/common/cmpv2Config/values.yaml @@ -12,22 +12,40 @@ # See the License for the specific language governing permissions and # limitations under the License. global: + + # Enabling CMPv2 + cmpv2Enabled: true + CMPv2CertManagerIntegration: false + + certificate: + default: + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + platform: + certificates: + clientSecretName: oom-cert-service-client-tls-secret + keystoreKeyRef: keystore.jks + truststoreKeyRef: truststore.jks + keystorePasswordSecretName: oom-cert-service-keystore-password + keystorePasswordSecretKey: password + truststorePasswordSecretName: oom-cert-service-truststore-password + truststorePasswordSecretKey: password certServiceClient: image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 - secretName: oom-cert-service-client-tls-secret + certificatesSecretMountPath: /etc/onap/oom/certservice/certs/ envVariables: + certPath: "/var/custom-certs" # Certificate related - cmpv2Organization: "Linux-Foundation" - cmpv2OrganizationalUnit: "ONAP" - cmpv2Location: "San-Francisco" - cmpv2State: "California" - cmpv2Country: "US" + caName: "RA" # Client configuration related requestURL: "https://oom-cert-service:8443/v1/certificate/" requestTimeout: "30000" - keystorePassword: "secret" - truststorePassword: "secret" + outputType: "P12" certPostProcessor: image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3 diff --git a/kubernetes/common/music/resources/config/startup.sh b/kubernetes/common/music/resources/config/startup.sh index 37bb84de8b..e3cee36f1f 100755 --- a/kubernetes/common/music/resources/config/startup.sh +++ b/kubernetes/common/music/resources/config/startup.sh @@ -32,8 +32,8 @@ DEBUG_PROP= # Debug Setup. Uses env variables # DEBUG and DEBUG_PORT # DEBUG=true/false | DEBUG_PORT=<Port valie must be integer> -if [ "${DEBUG}" == "true" ]; then - if [ "${DEBUG_PORT}" == "" ]; then +if [ "${DEBUG}" = "true" ]; then + if [ "${DEBUG_PORT}" = "" ]; then DEBUG_PORT=8000 fi echo "Debug mode on" diff --git a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh index 657b5f9448..1a75bd7a85 100755 --- a/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh +++ b/kubernetes/contrib/dns-server-for-vhost-ingress-testing/deploy_dns.sh @@ -86,9 +86,9 @@ deploy() { target_machine_notice_info } -if [[ $# -eq 1 ]] && [[ $1 == "-h" || $1 == "--help" ]]; then +if [[ $# -eq 1 ]] && [[ $1 = "-h" || $1 = "--help" ]]; then usage -elif [[ $# -eq 1 ]] && [[ $1 == "--info" ]]; then +elif [[ $# -eq 1 ]] && [[ $1 = "--info" ]]; then target_machine_notice_info else deploy $@ diff --git a/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh b/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh index 6e412a3688..44fe79a0c6 100755 --- a/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh +++ b/kubernetes/contrib/metallb-loadbalancer-inst/install-metallb-on-cluster.sh @@ -76,7 +76,7 @@ manual_configuration() { generate_config_map $@ } -if [[ $# -eq 1 ]] && [[ $1 == "-h" || $1 == "--help" ]]; then +if [[ $# -eq 1 ]] && [[ $1 = "-h" || $1 = "--help" ]]; then usage elif [[ $# -eq 0 ]]; then automatic_configuration diff --git a/kubernetes/contrib/tools/check-for-staging-images.sh b/kubernetes/contrib/tools/check-for-staging-images.sh index ce51b30b58..8c01312fa2 100755 --- a/kubernetes/contrib/tools/check-for-staging-images.sh +++ b/kubernetes/contrib/tools/check-for-staging-images.sh @@ -16,7 +16,7 @@ BASE_URL="https://nexus3.onap.org/repository/docker.release" -if [ "$GERRIT_BRANCH" == "staging" ]; then +if [ "$GERRIT_BRANCH" = "staging" ]; then exit 0 fi diff --git a/kubernetes/contrib/tools/rke/rke_setup.sh b/kubernetes/contrib/tools/rke/rke_setup.sh index cde7d4caa0..7950e0cc88 100755 --- a/kubernetes/contrib/tools/rke/rke_setup.sh +++ b/kubernetes/contrib/tools/rke/rke_setup.sh @@ -258,14 +258,14 @@ EOF helm init --service-account tiller kubectl -n kube-system rollout status deploy/tiller-deploy echo "upgrade server side of helm in kubernetes" - if [ "$USERNAME" == "root" ]; then + if [ "$USERNAME" = "root" ]; then helm version else sudo helm version fi echo "sleep 30" sleep 30 - if [ "$USERNAME" == "root" ]; then + if [ "$USERNAME" = "root" ]; then helm init --upgrade else sudo helm init --upgrade @@ -273,13 +273,13 @@ EOF echo "sleep 30" sleep 30 echo "verify both versions are the same below" - if [ "$USERNAME" == "root" ]; then + if [ "$USERNAME" = "root" ]; then helm version else sudo helm version fi echo "start helm server" - if [ "$USERNAME" == "root" ]; then + if [ "$USERNAME" = "root" ]; then helm serve & else sudo helm serve & @@ -287,7 +287,7 @@ EOF echo "sleep 30" sleep 30 echo "add local helm repo" - if [ "$USERNAME" == "root" ]; then + if [ "$USERNAME" = "root" ]; then helm repo add local http://127.0.0.1:8879 helm repo list else diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json b/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json index 6018abe309..3c769fca5f 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/resources/config/plugins/k8s-plugin.json @@ -44,14 +44,18 @@ "image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certServiceClient.image }}", "request_url": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.requestURL }}", "timeout": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.requestTimeout }}", - "country": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Country }}", - "organization": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Organization }}", - "state": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2State }}", - "organizational_unit": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2OrganizationalUnit }}", - "location": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Location }}", - "cert_secret_name": "{{ .Values.cmpv2Config.global.platform.certServiceClient.secretName }}", - "keystore_password": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.keystorePassword }}", - "truststore_password": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.truststorePassword }}" + "country": "{{ .Values.cmpv2Config.global.certificate.default.subject.country }}", + "organization": "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}", + "state": "{{ .Values.cmpv2Config.global.certificate.default.subject.province }}", + "organizational_unit": "{{ .Values.cmpv2Config.global.certificate.default.subject.organizationalUnit }}", + "location": "{{ .Values.cmpv2Config.global.certificate.default.subject.locality }}", + "cert_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName }}", + "keystore_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.keystoreKeyRef }}", + "truststore_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.truststoreKeyRef }}", + "keystore_password_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}", + "keystore_password_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretKey }}", + "truststore_password_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.truststorePasswordSecretName }}", + "truststore_password_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.truststorePasswordSecretKey }}" }, "cert_post_processor": { "image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certPostProcessor.image }}" diff --git a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml index 1135c053d9..fcc8f6d4b0 100644 --- a/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml +++ b/kubernetes/dcaegen2/components/dcae-cloudify-manager/values.yaml @@ -55,7 +55,7 @@ config: # Application configuration defaults. ################################################################# # application image -image: onap/org.onap.dcaegen2.deployments.cm-container:4.4.2 +image: onap/org.onap.dcaegen2.deployments.cm-container:4.5.0 pullPolicy: Always # name of shared ConfigMap with kubeconfig for multiple clusters diff --git a/kubernetes/helm/plugins/deploy/deploy.sh b/kubernetes/helm/plugins/deploy/deploy.sh index 3bcb404032..6267a35312 100755 --- a/kubernetes/helm/plugins/deploy/deploy.sh +++ b/kubernetes/helm/plugins/deploy/deploy.sh @@ -49,7 +49,7 @@ generate_overrides() { for index in "${!SUBCHART_NAMES[@]}"; do START=${SUBCHART_NAMES[index]} END=${SUBCHART_NAMES[index+1]} - if [[ $START == "global:" ]]; then + if [[ $START = "global:" ]]; then echo "global:" > $GLOBAL_OVERRIDES cat $COMPUTED_OVERRIDES | sed '/common:/,/consul:/d' \ | sed -n '/^'"$START"'/,/'log:'/p' | sed '1d;$d' >> $GLOBAL_OVERRIDES @@ -72,11 +72,11 @@ resolve_deploy_flags() { n=${#flags[*]} for (( i = 0; i < n; i++ )); do PARAM=${flags[i]} - if [[ $PARAM == "-f" || \ - $PARAM == "--values" || \ - $PARAM == "--set" || \ - $PARAM == "--set-string" || \ - $PARAM == "--version" ]]; then + if [[ $PARAM = "-f" || \ + $PARAM = "--values" || \ + $PARAM = "--set" || \ + $PARAM = "--set-string" || \ + $PARAM = "--version" ]]; then # skip param and its value i=$((i + 1)) else @@ -98,7 +98,7 @@ deploy() { FLAGS=${@:3} CHART_REPO="$(cut -d'/' -f1 <<<"$CHART_URL")" CHART_NAME="$(cut -d'/' -f2 <<<"$CHART_URL")" - if [[ $HELM_VER == "v3."* ]]; then + if [[ $HELM_VER = "v3."* ]]; then CACHE_DIR=~/.local/share/helm/plugins/deploy/cache else CACHE_DIR=~/.helm/plugins/deploy/cache @@ -149,7 +149,7 @@ deploy() { SUBCHART_RELEASE="$(cut -d'-' -f2 <<<"$RELEASE")" # update specified subchart without parent RELEASE="$(cut -d'-' -f1 <<<"$RELEASE")" - if [[ $SUBCHART_RELEASE == $RELEASE ]]; then + if [[ $SUBCHART_RELEASE = $RELEASE ]]; then SUBCHART_RELEASE= fi @@ -201,13 +201,13 @@ deploy() { helm upgrade -i $RELEASE $CHART_DIR $DEPLOY_FLAGS -f $COMPUTED_OVERRIDES \ > $LOG_FILE.log 2>&1 - if [[ $VERBOSE == "true" ]]; then + if [[ $VERBOSE = "true" ]]; then cat $LOG_FILE else echo "release \"$RELEASE\" deployed" fi # Add annotation last-applied-configuration if set-last-applied flag is set - if [[ $SET_LAST_APPLIED == "true" ]]; then + if [[ $SET_LAST_APPLIED = "true" ]]; then helm get manifest ${RELEASE} \ | kubectl apply set-last-applied --create-annotation -n onap -f - \ > $LOG_FILE.log 2>&1 @@ -228,7 +228,7 @@ deploy() { fi if [[ $SUBCHART_ENABLED -eq 1 ]]; then - if [[ -z "$SUBCHART_RELEASE" || $SUBCHART_RELEASE == "$subchart" ]]; then + if [[ -z "$SUBCHART_RELEASE" || $SUBCHART_RELEASE = "$subchart" ]]; then LOG_FILE=$LOG_DIR/"${RELEASE}-${subchart}".log :> $LOG_FILE @@ -236,19 +236,19 @@ deploy() { $DEPLOY_FLAGS -f $GLOBAL_OVERRIDES -f $SUBCHART_OVERRIDES \ > $LOG_FILE 2>&1 - if [[ $VERBOSE == "true" ]]; then + if [[ $VERBOSE = "true" ]]; then cat $LOG_FILE else echo "release \"${RELEASE}-${subchart}\" deployed" fi # Add annotation last-applied-configuration if set-last-applied flag is set - if [[ $SET_LAST_APPLIED == "true" ]]; then + if [[ $SET_LAST_APPLIED = "true" ]]; then helm get manifest "${RELEASE}-${subchart}" \ | kubectl apply set-last-applied --create-annotation -n onap -f - \ > $LOG_FILE.log 2>&1 fi fi - if [[ $DELAY == "true" ]]; then + if [[ $DELAY = "true" ]]; then echo sleep 3m sleep 3m fi @@ -256,7 +256,7 @@ deploy() { array=($(echo "$ALL_HELM_RELEASES" | grep "${RELEASE}-${subchart}")) n=${#array[*]} for (( i = n-1; i >= 0; i-- )); do - if [[ $HELM_VER == "v3."* ]]; then + if [[ $HELM_VER = "v3."* ]]; then helm del "${array[i]}" else helm del "${array[i]}" --purge @@ -266,7 +266,7 @@ deploy() { done # report on success/failures of installs/upgrades - if [[ $HELM_VER == "v3."* ]]; then + if [[ $HELM_VER = "v3."* ]]; then helm ls --all-namespaces | grep -i FAILED | grep $RELEASE else helm ls | grep FAILED | grep $RELEASE diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index b008acf6f3..ca9ccd48f4 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -196,28 +196,25 @@ global: cmpv2Enabled: true CMPv2CertManagerIntegration: false platform: + certificates: + clientSecretName: oom-cert-service-client-tls-secret + keystoreKeyRef: keystore.jks + truststoreKeyRef: truststore.jks + keystorePasswordSecretName: oom-cert-service-certificates-password + keystorePasswordSecretKey: password + truststorePasswordSecretName: oom-cert-service-certificates-password + truststorePasswordSecretKey: password certServiceClient: image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3 - secret: - name: oom-cert-service-client-tls-secret - mountPath: /etc/onap/oom/certservice/certs/ + certificatesSecretMountPath: /etc/onap/oom/certservice/certs/ envVariables: certPath: "/var/custom-certs" # Certificate related - cmpv2Organization: "Linux-Foundation" - cmpv2OrganizationalUnit: "ONAP" - cmpv2Location: "San-Francisco" - cmpv2State: "California" - cmpv2Country: "US" - # Client configuration related caName: "RA" + # Client configuration related requestURL: "https://oom-cert-service:8443/v1/certificate/" requestTimeout: "30000" - keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks" outputType: "P12" - keystorePassword: "secret" - truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks" - truststorePassword: "secret" # Indicates offline deployment build # Set to true if you are rendering helm charts for offline deployment diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml index 0614819930..c34ebad982 100644 --- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml +++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml @@ -73,10 +73,10 @@ cmpv2issuer: certEndpoint: v1/certificate caName: RA certSecretRef: - name: cmpv2-issuer-secret - certRef: certServiceServer-cert.pem - keyRef: certServiceServer-key.pem - cacertRef: truststore.pem + name: oom-cert-service-server-tls-secret + certRef: tls.crt + keyRef: tls.key + cacertRef: ca.crt diff --git a/kubernetes/platform/components/oom-cert-service/Makefile b/kubernetes/platform/components/oom-cert-service/Makefile deleted file mode 100644 index ea0cb8aae4..0000000000 --- a/kubernetes/platform/components/oom-cert-service/Makefile +++ /dev/null @@ -1,183 +0,0 @@ -CERTS_DIR = resources -CURRENT_DIR := ${CURDIR} -DOCKER_CONTAINER = generate-certs -DOCKER_EXEC = docker exec ${DOCKER_CONTAINER} - -all: start_docker \ - clear_all \ - root_generate_keys \ - root_create_certificate \ - root_self_sign_certificate \ - client_generate_keys \ - client_generate_csr \ - client_sign_certificate_by_root \ - client_import_root_certificate \ - client_convert_certificate_to_jks \ - server_generate_keys \ - server_generate_csr \ - server_sign_certificate_by_root \ - server_import_root_certificate \ - server_convert_certificate_to_jks \ - server_convert_certificate_to_p12 \ - convert_truststore_to_p12 \ - convert_truststore_to_pem \ - server_export_certificate_to_pem \ - server_export_key_to_pem \ - clear_unused_files \ - stop_docker - -.PHONY: all - -# Starts docker container for generating certificates - deletes first, if already running -start_docker: - @make stop_docker - $(eval REPOSITORY := $(shell cat ./values.yaml | grep -i "^[ \t]*repository" -m1 | xargs | cut -d ' ' -f2)) - $(eval JAVA_IMAGE := $(shell cat ./values.yaml | grep -i "^[ \t]*certificateGenerationImage" -m1 | xargs | cut -d ' ' -f2)) - $(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE)) - $(eval USERNAME :=$(shell id -u)) - $(eval GROUP :=$(shell id -g)) - docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/certs -w /certs --entrypoint "sh" -td $(FULL_JAVA_IMAGE) - -# Stops docker container for generating certificates. 'true' is used to return 0 status code, if container is already deleted -stop_docker: - docker rm ${DOCKER_CONTAINER} -f 1>/dev/null || true - -#Clear all files related to certificates -clear_all: - @make clear_existing_certificates - @make clear_unused_files - -#Clear certificates -clear_existing_certificates: - @echo "Clear certificates" - ${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 truststore.pem certServiceServer-cert.pem certServiceServer-key.pem - @echo "#####done#####" - -#Generate root private and public keys -root_generate_keys: - @echo "Generate root private and public keys" - ${DOCKER_EXEC} keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \ - -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \ - -storepass secret -ext BasicConstraints:critical="ca:true" - @echo "#####done#####" - -#Export public key as certificate -root_create_certificate: - @echo "(Export public key as certificate)" - ${DOCKER_EXEC} keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc - @echo "#####done#####" - -#Self-signed root (import root certificate into truststore) -root_self_sign_certificate: - @echo "(Self-signed root (import root certificate into truststore))" - ${DOCKER_EXEC} keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt - @echo "#####done#####" - -#Generate certService's client private and public keys -client_generate_keys: - @echo "Generate certService's client private and public keys" - ${DOCKER_EXEC} keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 365 \ - -keystore certServiceClient-keystore.jks -storetype JKS \ - -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \ - -keypass secret -storepass secret - @echo "####done####" - -#Generate certificate signing request for certService's client -client_generate_csr: - @echo "Generate certificate signing request for certService's client" - ${DOCKER_EXEC} keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr - @echo "####done####" - -#Sign certService's client certificate by root CA -client_sign_certificate_by_root: - @echo "Sign certService's client certificate by root CA" - ${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \ - -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" - @echo "####done####" - -#Import root certificate into client -client_import_root_certificate: - @echo "Import root certificate into intermediate" - ${DOCKER_EXEC} sh -c "cat root.crt >> certServiceClientByRoot.crt" - @echo "####done####" - -#Import signed certificate into certService's client -client_convert_certificate_to_jks: - @echo "Import signed certificate into certService's client" - ${DOCKER_EXEC} keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt - @echo "####done####" - -#Generate certService private and public keys -server_generate_keys: - @echo "Generate certService private and public keys" - ${DOCKER_EXEC} keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 365 \ - -keystore certServiceServer-keystore.jks -storetype JKS \ - -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \ - -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false" - @echo "####done####" - -#Generate certificate signing request for certService -server_generate_csr: - @echo "Generate certificate signing request for certService" - ${DOCKER_EXEC} keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr - @echo "####done####" - -#Sign certService certificate by root CA -server_sign_certificate_by_root: - @echo "Sign certService certificate by root CA" - ${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \ - -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \ - -ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost" - @echo "####done####" - -#Import root certificate into server -server_import_root_certificate: - @echo "Import root certificate into intermediate(server)" - ${DOCKER_EXEC} sh -c "cat root.crt >> certServiceServerByRoot.crt" - @echo "####done####" - -#Import signed certificate into certService -server_convert_certificate_to_jks: - @echo "Import signed certificate into certService" - ${DOCKER_EXEC} keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \ - -storepass secret -noprompt - @echo "####done####" - -#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12) -server_convert_certificate_to_p12: - @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" - ${DOCKER_EXEC} keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \ - -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret - @echo "#####done#####" - -#Convert truststore(.jks) to PCKS12 format(.p12) -convert_truststore_to_p12: - @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)" - ${DOCKER_EXEC} keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \ - -destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret - @echo "#####done#####" - -#Convert truststore(.p12) to PEM format(.pem) -convert_truststore_to_pem: - @echo "Convert certServiceServer-keystore(.p12) to PEM format(.pem)" - ${DOCKER_EXEC} openssl pkcs12 -nodes -in truststore.p12 -out truststore.pem -passin pass:secret - @echo "#####done#####" - -#Export certificates from certServiceServer-keystore(.p12) to PEM format(.pem) -server_export_certificate_to_pem: - @echo "Export certificates from certServiceClient-keystore(.p12) to PEM format(.pem)" - ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nokeys -out certServiceServer-cert.pem - @echo "#####done#####" - -#Export keys from certServiceServer-keystore(.p12) to PEM format(.pem) -server_export_key_to_pem: - @echo "Export keys from certServiceClient-keystore(.p12) to PEM format(.pem)" - ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out certServiceServer-key.pem - @echo "#####done#####" - - -#Clear unused certificates -clear_unused_files: - @echo "Clear unused certificates" - ${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr truststore.p12 - @echo "#####done#####" diff --git a/kubernetes/platform/components/oom-cert-service/requirements.yaml b/kubernetes/platform/components/oom-cert-service/requirements.yaml index e89dc58027..6177278552 100644 --- a/kubernetes/platform/components/oom-cert-service/requirements.yaml +++ b/kubernetes/platform/components/oom-cert-service/requirements.yaml @@ -19,3 +19,9 @@ dependencies: - name: repositoryGenerator version: ~8.x-0 repository: '@local' + - name: certManagerCertificate + version: ~8.x-0 + repository: '@local' + - name: cmpv2Config + version: ~8.x-0 + repository: '@local'
\ No newline at end of file diff --git a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml new file mode 100644 index 0000000000..fd317703e3 --- /dev/null +++ b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml @@ -0,0 +1,17 @@ +{{/* +# Copyright © 2020-2021 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ include "certManagerCertificate.certificate" . }} diff --git a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml index c4d7440b20..9a6abd4eb9 100644 --- a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml +++ b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml @@ -93,9 +93,9 @@ spec: - name: ROOT_CERT value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.crtName }}" - name: KEYSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 14 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }} - name: TRUSTSTORE_PASSWORD - {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 14 }} + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }} livenessProbe: exec: command: diff --git a/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml new file mode 100644 index 0000000000..9047ab73d3 --- /dev/null +++ b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml @@ -0,0 +1,32 @@ +{{/* + # Copyright © 2021, Nokia + # + # Licensed under the Apache License, Version 2.0 (the "License"); + # you may not use this file except in compliance with the License. + # You may obtain a copy of the License at + # + # http://www.apache.org/licenses/LICENSE-2.0 + # + # Unless required by applicable law or agreed to in writing, software + # distributed under the License is distributed on an "AS IS" BASIS, + # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + # See the License for the specific language governing permissions and + # limitations under the License. +*/}} + +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.tls.issuer.selfsigning.name }} + namespace: {{ include "common.namespace" . }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ .Values.tls.issuer.ca.name }} + namespace: {{ include "common.namespace" . }} +spec: + ca: + secretName: {{ .Values.tls.issuer.ca.secret.name }}
\ No newline at end of file diff --git a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml index 2d47e6f57c..5401801af5 100644 --- a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml +++ b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml @@ -28,42 +28,5 @@ data: {{ (.Files.Glob "resources/default/cmpServers.json").AsSecrets }} {{ end }} --- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.global.certService.certServiceClient.secret.name | default .Values.tls.client.secret.defaultName }} -type: Opaque -data: - certServiceClient-keystore.jks: - {{ (.Files.Glob "resources/certServiceClient-keystore.jks").AsSecrets }} - truststore.jks: - {{ (.Files.Glob "resources/truststore.jks").AsSecrets }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.tls.server.secret.name }} -type: Opaque -data: - certServiceServer-keystore.jks: - {{ (.Files.Glob "resources/certServiceServer-keystore.jks").AsSecrets }} - certServiceServer-keystore.p12: - {{ (.Files.Glob "resources/certServiceServer-keystore.p12").AsSecrets }} - truststore.jks: - {{ (.Files.Glob "resources/truststore.jks").AsSecrets }} - root.crt: - {{ (.Files.Glob "resources/root.crt").AsSecrets }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ .Values.tls.provider.secret.name }} -type: Opaque -data: - certServiceServer-key.pem: - {{ (.Files.Glob "resources/certServiceServer-key.pem").AsSecrets }} - certServiceServer-cert.pem: - {{ (.Files.Glob "resources/certServiceServer-cert.pem").AsSecrets }} - truststore.pem: - {{ (.Files.Glob "resources/truststore.pem").AsSecrets }} + {{ end -}} diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml index 537b025fb0..829d3a01d1 100644 --- a/kubernetes/platform/components/oom-cert-service/values.yaml +++ b/kubernetes/platform/components/oom-cert-service/values.yaml @@ -79,38 +79,40 @@ cmpServers: mountPath: /etc/onap/oom/certservice tls: + issuer: + selfsigning: + name: &selfSigningIssuer cmpv2-selfsigning-issuer + ca: + name: &caIssuer cmpv2-ca-issuer + secret: + name: &caKeyPairSecret cmpv2-ca-key-pair server: secret: - name: oom-cert-service-server-tls-secret + name: &serverSecret oom-cert-service-server-tls-secret volume: name: oom-cert-service-server-tls-volume mountPath: /etc/onap/oom/certservice/certs/ client: secret: defaultName: oom-cert-service-client-tls-secret - provider: - secret: - name: cmpv2-issuer-secret envs: keystore: - jksName: certServiceServer-keystore.jks - p12Name: certServiceServer-keystore.p12 - pemName: certServiceServer-keystore.pem + jksName: keystore.jks + p12Name: keystore.p12 + pemName: tls.crt truststore: jksName: truststore.jks - crtName: root.crt - pemName: truststore.pem + crtName: ca.crt + pemName: tls.crt httpsPort: 8443 # External secrets with credentials can be provided to override default credentials defined below, # by uncommenting and filling appropriate *ExternalSecret value credentials: tls: - keystorePassword: secret - truststorePassword: secret - #keystorePasswordExternalSecret: - #truststorePasswordExternalSecret: + certificatesPassword: secret + #certificatesPasswordExternalSecret: # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled cmp: # Used only if cmpv2 testing is enabled @@ -126,17 +128,11 @@ credentials: # rv: unused secrets: - - uid: keystore-password - name: '{{ include "common.release" . }}-keystore-password' - type: password - externalSecret: '{{ tpl (default "" .Values.credentials.tls.keystorePasswordExternalSecret) . }}' - password: '{{ .Values.credentials.tls.keystorePassword }}' - passwordPolicy: required - - uid: truststore-password - name: '{{ include "common.release" . }}-truststore-password' + - uid: certificates-password + name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}' type: password - externalSecret: '{{ tpl (default "" .Values.credentials.tls.truststorePasswordExternalSecret) . }}' - password: '{{ .Values.credentials.tls.truststorePassword }}' + externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}' + password: '{{ .Values.credentials.tls.certificatesPassword }}' passwordPolicy: required # Below values are relevant only if global addTestingComponents flag is enabled - uid: ejbca-server-client-iak @@ -155,3 +151,65 @@ secrets: type: password externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}' password: '{{ .Values.credentials.cmp.ra.rv }}' + +# Certificates definitions +certificates: + - name: selfsigned-cert + secretName: *caKeyPairSecret + isCA: true + commonName: root.com + subject: + organization: Root Company + country: PL + locality: Wroclaw + province: Dolny Slask + organizationalUnit: Root Org + issuer: + name: *selfSigningIssuer + kind: Issuer + - name: cert-service-server-cert + secretName: *serverSecret + commonName: oom-cert-service + dnsNames: + - oom-cert-service + - localhost + subject: + organization: certServiceServer org + country: PL + locality: Wroclaw + province: Dolny Slask + organizationalUnit: certServiceServer company + usages: + - server auth + - client auth + keystore: + outputType: + - jks + - p12 + passwordSecretRef: + name: *certificatesPasswordSecretName + key: password + issuer: + name: *caIssuer + kind: Issuer + - name: cert-service-client-cert + secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}' + commonName: certServiceClient.com + subject: + organization: certServiceClient org + country: PL + locality: Wroclaw + province: Dolny Slask + organizationalUnit: certServiceClient company + usages: + - server auth + - client auth + keystore: + outputType: + - jks + passwordSecretRef: + name: *certificatesPasswordSecretName + key: password + issuer: + name: *caIssuer + kind: Issuer diff --git a/kubernetes/robot/demo-k8s.sh b/kubernetes/robot/demo-k8s.sh index 7ab384e8d0..d48070cf24 100755 --- a/kubernetes/robot/demo-k8s.sh +++ b/kubernetes/robot/demo-k8s.sh @@ -63,7 +63,7 @@ usage () # Check if execscript flag is used and drop it from input arguments -if [[ "${!#}" == "execscript" ]]; then +if [[ "${!#}" = "execscript" ]]; then set -- "${@:1:$#-1}" execscript=true fi diff --git a/kubernetes/robot/ete-k8s.sh b/kubernetes/robot/ete-k8s.sh index 576b669cdb..97f4e4d032 100755 --- a/kubernetes/robot/ete-k8s.sh +++ b/kubernetes/robot/ete-k8s.sh @@ -18,7 +18,7 @@ # Run the testsuite for the passed tag. Valid tags are listed in usage help # Please clean up logs when you are done... # -if [ "$1" == "" ] || [ "$2" == "" ]; then +if [ "$1" = "" ] || [ "$2" = "" ]; then echo "Usage: ete-k8s.sh [namespace] [tag] [execscript]" echo "" echo " List of test case tags (filename for intent: tag)" @@ -76,7 +76,7 @@ SCRIPTDIR=scripts/etescript ETEHOME=/var/opt/ONAP -if [[ "${!#}" == "execscript" ]]; then +if [[ "${!#}" = "execscript" ]]; then for script in $(ls -1 "$DIR/$SCRIPTDIR"); do [ -f "$DIR/$SCRIPTDIR/$script" ] && [ -x "$DIR/$SCRIPTDIR/$script" ] && source "$DIR/$SCRIPTDIR/$script" done diff --git a/kubernetes/robot/eteHelm-k8s.sh b/kubernetes/robot/eteHelm-k8s.sh index b8b8708a26..2512e5f7ce 100755 --- a/kubernetes/robot/eteHelm-k8s.sh +++ b/kubernetes/robot/eteHelm-k8s.sh @@ -18,7 +18,7 @@ # Run the health-check testsuites for the tags discovered by helm list # Please clean up logs when you are done... # -if [ "$1" == "" ] ; then +if [ "$1" = "" ] ; then echo "Usage: eteHelm-k8s.sh [namespace] [execscript]" echo " list projects via helm list and runs health-check with those tags except dev and dev-consul" echo " [execscript] - optional parameter to execute user custom scripts located in scripts/helmscript directory" @@ -44,7 +44,7 @@ SCRIPTDIR=scripts/helmscript ETEHOME=/var/opt/ONAP -if [[ "${!#}" == "execscript" ]]; then +if [[ "${!#}" = "execscript" ]]; then for script in $(ls -1 "$DIR/$SCRIPTDIR"); do [ -f "$DIR/$SCRIPTDIR/$script" ] && [ -x "$DIR/$SCRIPTDIR/$script" ] && source "$DIR/$SCRIPTDIR/$script" done diff --git a/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml b/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml new file mode 100644 index 0000000000..5af3bf737b --- /dev/null +++ b/kubernetes/sdc/components/sdc-helm-validator/Chart.yaml @@ -0,0 +1,20 @@ +# ===========LICENSE_START======================================================== +# Copyright (c) 2021 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +apiVersion: v1 +description: ONAP Service Design and Creation Helm Validator +name: sdc-helm-validator +version: 8.0.0 diff --git a/kubernetes/sdc/components/sdc-helm-validator/requirements.yaml b/kubernetes/sdc/components/sdc-helm-validator/requirements.yaml new file mode 100644 index 0000000000..8e1160ad44 --- /dev/null +++ b/kubernetes/sdc/components/sdc-helm-validator/requirements.yaml @@ -0,0 +1,23 @@ +# ===========LICENSE_START======================================================== +# Copyright (c) 2021 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +dependencies: + - name: repositoryGenerator + version: ~8.x-0 + repository: '@local' + - name: common + version: ~8.x-0 + repository: '@local' diff --git a/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml b/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml new file mode 100644 index 0000000000..08228ad99c --- /dev/null +++ b/kubernetes/sdc/components/sdc-helm-validator/templates/deployment.yaml @@ -0,0 +1,44 @@ +{{/* +# ===========LICENSE_START======================================================== +# Copyright (c) 2021 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +*/}} + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + selector: {{- include "common.selectors" . | nindent 4 }} + replicas: 1 + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + containers: + - name: {{ include "common.name" . }} + image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + resources: {{ include "common.resources" . | nindent 12 }} + ports: {{ include "common.containerPorts" . | nindent 12 }} + env: + - name: LOG_LEVEL + value: {{ .Values.config.loggingLevel }} + livenessProbe: + httpGet: + path: {{ .Values.liveness.path }} + port: {{ .Values.liveness.port }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + imagePullSecrets: + - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/sdc/components/sdc-helm-validator/templates/service.yaml b/kubernetes/sdc/components/sdc-helm-validator/templates/service.yaml new file mode 100644 index 0000000000..a5837afc84 --- /dev/null +++ b/kubernetes/sdc/components/sdc-helm-validator/templates/service.yaml @@ -0,0 +1,19 @@ +{{/* +# ===========LICENSE_START======================================================== +# Copyright (c) 2021 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= +*/}} + +{{ include "common.service" . }} diff --git a/kubernetes/sdc/components/sdc-helm-validator/values.yaml b/kubernetes/sdc/components/sdc-helm-validator/values.yaml new file mode 100644 index 0000000000..9c0d90649f --- /dev/null +++ b/kubernetes/sdc/components/sdc-helm-validator/values.yaml @@ -0,0 +1,58 @@ +# ===========LICENSE_START======================================================== +# Copyright (c) 2021 Nokia. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# ============LICENSE_END========================================================= + +# Global values +global: + pullPolicy: Always + +image: onap/org.onap.sdc.sdc-helm-validator:1.2.0 +containerPort: &svc_port 8080 + +config: + loggingLevel: INFO + +service: + type: ClusterIP + ports: + - name: &port http + port: *svc_port + +liveness: + initialDelaySeconds: 30 + periodSeconds: 30 + path: /actuator/health + port: *port + # necessary to disable liveness probe when setting breakpoints + # in debugger so K8s doesn't restart unresponsive container + enabled: true + +flavor: small +resources: + small: + limits: + cpu: 1 + memory: 256Mi + requests: + cpu: 1 + memory: 256Mi + large: + limits: + cpu: 2 + memory: 1Gi + requests: + cpu: 1 + memory: 256Mi + unlimited: {} diff --git a/kubernetes/sdc/requirements.yaml b/kubernetes/sdc/requirements.yaml index 7ed88c50cc..2f2cb6c373 100644 --- a/kubernetes/sdc/requirements.yaml +++ b/kubernetes/sdc/requirements.yaml @@ -34,3 +34,7 @@ dependencies: version: ~8.x-0 repository: 'file://components/sdc-wfd-fe' condition: sdc-wfd.enabled + - name: sdc-helm-validator + version: ~8.x-0 + repository: 'file://components/sdc-helm-validator' + condition: sdc-helm-validator.enabled diff --git a/kubernetes/sdc/values.yaml b/kubernetes/sdc/values.yaml index fef7dab310..b7476a584e 100644 --- a/kubernetes/sdc/values.yaml +++ b/kubernetes/sdc/values.yaml @@ -63,3 +63,5 @@ cassandra: # dependency / sub-chart configuration sdc-wfd: enabled: true +sdc-helm-validator: + enabled: true diff --git a/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncActive.sh b/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncActive.sh index 5a53fa1ca2..feb6662196 100755 --- a/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncActive.sh +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncActive.sh @@ -17,7 +17,7 @@ */}} debugLog(){ - if [ "$enableDebugLogging" == true ]; then + if [ "$enableDebugLogging" = true ]; then if [ $# -eq 0 ]; then echo "" >> $LOGFILE else diff --git a/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncStandby.sh b/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncStandby.sh index 9c81069812..94858339e7 100755 --- a/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncStandby.sh +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/ensureSdncStandby.sh @@ -17,7 +17,7 @@ */}} debugLog(){ - if [ "$enableDebugLogging" == true ]; then + if [ "$enableDebugLogging" = true ]; then if [ $# -eq 0 ]; then echo "" >> $LOGFILE else diff --git a/kubernetes/sdnc/components/sdnc-prom/resources/bin/prom.sh b/kubernetes/sdnc/components/sdnc-prom/resources/bin/prom.sh index 7764d00cc2..fa76a9ee40 100755 --- a/kubernetes/sdnc/components/sdnc-prom/resources/bin/prom.sh +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/prom.sh @@ -24,7 +24,7 @@ fi # should PROM start as passive? state=$( bin/sdnc.cluster ) -if [ "$state" == "standby" ]; then +if [ "$state" = "standby" ]; then echo "Starting PROM in passive mode" passive="-p" fi diff --git a/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh b/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh index 8057547b59..c36d2e3e9f 100755 --- a/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh +++ b/kubernetes/sdnc/components/sdnc-prom/resources/bin/switchVoting.sh @@ -26,7 +26,7 @@ LOGFILE="/app/geo.log" enableDebugLogging=true debugLog(){ - if [ "$enableDebugLogging" == true ]; then + if [ "$enableDebugLogging" = true ]; then if [ $# -eq 0 ]; then echo "" >> $LOGFILE else diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index fc093b8637..43201fef4b 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -195,6 +195,7 @@ certificates: outputType: - jks passwordSecretRef: + create: true name: sdnc-cmpv2-keystore-password key: password issuer: |