Add security context to pods within DMAAP
Change-Id: I86f7bd79e77dec33879f4ee3b599799705d40a24
Issue-ID: OOM-2913
Signed-off-by: rope252 <gareth.roper@est.tech>
|
|
Added missing definition to use secret for repository access
Issue-ID: OOM-2907
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
Change-Id: If0886b2a59df7786c3655851610e1a6b3aca73ff
|
|
|
|
Helm 3.7.0 introduced a new .Chart variable named IsRoot.
At the same time they refactored the representation of .Chart and it
is no longer a dictionary but a structure which confuses
mergeOverride.
In order to keep our tricks working we need to skip .Chart while doing
a deepCopy of our current context.
Issue-ID: OOM-1
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I230e2ba460ddf09377d8de6c1366d4fd82f764cd
|
|
Make the namespace parameter configurable for
CertInitializer and ReadinessCheck Chart
Issue-ID: OOM-2888
Signed-off-by: xuegao <xue.gao@intl.att.com>
Change-Id: I5bb4e86be935921af1d852d6d7666fb5c8eaf725
|
|
|
|
Instead of terminating TLS on SO POD, let's terminate it on its Ingress.
This patch uses certInitializer to create the right certificates and put them in
a secret.
This secret is then referenced on SO Ingress.
Issue-ID: SO-3078
Issue-ID: SO-3237
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: Icdc8cf6fc84cb3b3c337b4f4e5320980eee06337
|
|
Add update for /etc/ssl/cacerts/ca-certificates.crt
Issue-ID: CCSDK-3356
Change-Id: I797aea054bb80db805f4791a288e89b102e1d662
Signed-off-by: Abdelmuhaimen Seaudi <abdelmuhaimen.seaudi@orange.com>
|
|
|
|
Instead of mandating to provide custom certificates before creation of
helm packages, let's propose to include certificates from a known
secret or configmap.
The current implementation will first search for a secret and, if not
provided, will look for a configmap.
Issue-ID: OOM-2731
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: If2f90adc18efe59c0516db9409964a236bd17a66
|
|
Some components are http based but want to be usable from the outside world.
Instead of dealing with TLS part on the component itself, let's use
certInitializer to generate a secret with the certs which will be usable
by Ingress
Issue-ID: SO-3078
Issue-ID: SO-3237
Issue-ID: CPS-281
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: If166716d159586b1eb94c111e9d3d82a54c2fd6e
|
|
The built-in command source is a bashism.
Profiles script must be dotted and not sourced when possible.
Issue-ID: OOM-2688 OOM-2158
Signed-off-by: Guillaume Lambert <guillaume.lambert@orange.com>
Change-Id: Id7cad0d499129fa3b7ea020e906748243b1b3ace
|
|
The current script that retrieves certificates can fail but the exit code will be
0. We then add a check in the script in order to avoid such an issue.
Issue-ID: OOM-2688
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: Ib41c66a4de46db8752f68ef35a2bfb67ca575246
|
|
Today, onboarding custom certificates relies on `bash`. But the image used
for that doesn't have bash.
Therefore, we need to use `sh` in order to onboard the certs.
Issue-ID: OOM-2666
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: Ia8087bd9484a013ac76044681059f634a4e45eb8
|
|
This commit makes the CertInitializer template use the new generator for
repositories and images.
Issue-ID: OOM-2364
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: I5efa37225bfe05e2c7be7b8d2420ccaeb10afe62
|
|
Use the trim function in order to remove the first 4 spaces that break
configuration when aaf add config is a multiline (a.k.a. uses `|`) YAML
entry.
Issue-ID: OOM-2611
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: Ib53a8a87f896a66ba613d542cfca833804ef1d7a
|
|
certInitializer is included multiple times in a number of different
projects. If it contains the truststore then even if it is not used
it increases the size of the chart itself so that our final ONAP
chart does not fit into the default 20 Mb chartmuseum limit.
Let's resolve this by moving the configmap and its content to the
cert-wrapper which is included only once per onap instance.
Issue-ID: AAF-1134
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I654d9158e7b776c012653dbef2c8091a393635f0
|
|
Truststore is quite heavy. If it is included several times in the
component it can easily cross the helm chart size limit.
To fix this issue let's make sure that the truststore is created only
once and then shared among all certInitializer instances.
Issue-ID: AAF-1134
Change-Id: I546a88fea3fe869748194682e7dcf3ad566282ab
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
|
|
Add new mount path value in values.yaml to
specify app mount path
Issue-ID: OPTFRA-803
Signed-off-by: krishnaa96 <krishna.moorthy6@wipro.com>
Change-Id: I70771e0ab6ec16f7f4cfadcb8448ecfdfb6e8f4b
|
|
certInitializer
ONAP deployments may require the use of custom certificates. Instead of
manually adding certificates to the truststore file, users can now add
their .pem certificates under certInitializer/resources and have them
imported automatically by an init container. The updated truststore can
then be mounted to a component by providing a truststoreMountpath.
Issue-ID: OOM-2509
Signed-off-by: Jozsef Csongvai <jozsef.csongvai@bell.ca>
Change-Id: I896c729143346738e91fa57f895ba48043b253c1
|
|
Instead of manually creating a readiness init container let's use our
dedicated template for this.
Issue-ID: OOM-2511
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Idb112e864b7899e7a1e76d139c6cc6a94851a090
|
|
Not all components declare a repository in the global section which may
lead to some error when processing just a single component instead of
the whole onap. To avoid this let's make sure that certInitializer sets
repository url internally.
Issue-ID: OOM-2416
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I4fd2a235b188c7ee09d0173dbaa873141187a077
|
|
Create a template in order to have the same readiness check everywhere.
Issue-ID: OOM-1971
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: If3297184564a8e763110a79ff89eb07dfbc9e630
|
|
One of the reasons why certInitializer is a proper chart that you need to
put in your requirements.yaml is to avoid copy-pasting the same global
values among different charts. As it turned out in tests we've been
not "mangling" global values properly while creating
$subchartDot. This patch fixes the issue.
Issue-ID: AAF-1134
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I630154c4eedd7192ebb1881e5899c8df495d988b
|
|
By mistake the aaf-agent-certs volume was created only if the aaf_add_config
option was set. This is incorrect as it should be created always.
Issue-ID: AAF-1134
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I6172d2cbb781db4a26e09b7c4c324e985978b31e
|
|
aaf_agent image currently contains hardcoded truststores in order to
be able to connect to certman to retrieve certificate for given
component.
The goal is to remove the hardcoded truststore from the aaf_agent image but
first we need to be sure that all its users are able to provide the
truststore to the pod as a configmap.
Issue-ID: AAF-1134
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: Ibe9de6ad7264c05aeca2af858918fc2b4d3a772b
|
|
Add a new template that can be used by a component to obtain a
certificate. Also make a PoC with NBI.
Strongly based on aaf-config template.
Issue-ID: AAF-1134
Change-Id: I10cb2a7b36a8dc436be337518cc15431aabbbc5d
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
|