--- kubernetes/common/dgbuilder/templates/deployment.yaml 2019-01-28 13:01:35.017243076 +0100 +++ kubernetes/common/dgbuilder/templates/deployment.yaml 2019-01-28 13:19:04.238712534 +0100 @@ -49,8 +49,14 @@ - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} - command: ["/bin/bash"] - args: ["-c", "cd /opt/onap/ccsdk/dgbuilder/ && ./start.sh sdnc1.0 && wait"] + command: + - /bin/bash + - -c + - > + HOSTS_FILE_RECORD >> /etc/hosts; + NPM_REGISTRY_RECORD; + cd /opt/onap/ccsdk/dgbuilder/; + ./start.sh sdnc1.0 && wait ports: - containerPort: {{ .Values.service.internalPort }} readinessProbe: --- kubernetes/sdnc/charts/sdnc-portal/templates/deployment.yaml 2019-01-28 13:01:35.087243698 +0100 +++ kubernetes/sdnc/charts/sdnc-portal/templates/deployment.yaml 2019-01-28 13:29:24.881069646 +0100 @@ -49,8 +49,13 @@ name: {{ include "common.name" . }}-readiness containers: - name: {{ include "common.name" . }} - command: ["/bin/bash"] - args: ["-c", "cd /opt/onap/sdnc/admportal/shell && ./start_portal.sh"] + command: + - /bin/bash + - -c + - > + HOSTS_FILE_RECORD >> /etc/hosts; + NPM_REGISTRY_RECORD; + cd /opt/onap/sdnc/admportal/shell && ./start_portal.sh image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} ports: --- kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml 2019-01-24 09:55:30.000000000 +0100 +++ kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml 2019-01-29 18:07:59.057804519 +0100 @@ -70,6 +70,8 @@ - mountPath: /etc/localtime name: localtime readOnly: true + - mountPath: /etc/pki/ca-trust/source/anchors + name: root-ca securityContext: privileged: True lifecycle: 
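Review bot: `HOSTS_FILE_RECORD >> /etc/hosts;` and `NPM_REGISTRY_RECORD;` in the new command are bare tokens rather than Helm expressions, so they presumably get rewritten by a step outside the chart; if that substitution does not happen, bash runs them as nonexistent commands and, with no `set -e` in the folded scalar, silently continues into start.sh. The kubelet also manages the pod's /etc/hosts and may overwrite it, so extra name records are more reliably declared as `hostAliases` in the pod spec than appended at container start. The same construction is added in the sdnc-portal hunk below. At minimum, a comment naming the tool that replaces the two placeholders would make the dependency visible.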
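Review bot: The new `/etc/pki/ca-trust/source/anchors` hostPath mount carries no `readOnly: true`, unlike the `localtime` mount directly above it, and the container runs with `privileged: True`, so anything written there lands in the node's trust-anchor directory. As far as the hook script in the next hunk shows, that directory is only consumed by `update-ca-trust extract`, so `readOnly: true` on the mount looks safe; the matching volume is declared in the `@@ -95,5 +99,8 @@` hunk. A comment on the mount noting that the container's trust store now follows whatever CAs the node administrator installs would help the next reader.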
@@ -82,6 +84,8 @@ set -ex mkdir -p /var/run/secrets/kubernetes.io/ ln -s /secret /var/run/secrets/kubernetes.io/serviceaccount + echo -e '\nREQUESTS_CA_BUNDLE="/etc/ssl/certs/ca-bundle.crt"' >> /etc/sysconfig/cloudify-restservice + update-ca-trust extract volumes: - name: {{ include "common.fullname" . }}-config configMap: @@ -95,5 +99,8 @@ - name: localtime hostPath: path: /etc/localtime + - name: root-ca + hostPath: + path: /etc/pki/ca-trust/source/anchors imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" --- kubernetes/policy/charts/brmsgw/templates/deployment.yaml 2019-01-24 09:55:33.000000000 +0100 +++ kubernetes/policy/charts/brmsgw/templates/deployment.yaml 2019-01-31 13:01:49.911044498 +0100 @@ -46,6 +46,7 @@ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness +{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }} containers: - command: - /bin/bash @@ -69,6 +70,8 @@ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: +{{ include "common.cacert-mount-ubuntu" . | indent 8 }} +{{ include "common.system-ca-store-mount-ubuntu" . | indent 8 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -95,6 +98,8 @@ {{ toYaml .Values.affinity | indent 10 }} {{- end }} volumes: +{{ include "common.cacert-volume" . | indent 8 }} +{{ include "common.system-ca-store-volume" . | indent 8 }} - name: localtime hostPath: path: /etc/localtime --- kubernetes/policy/charts/drools/templates/statefulset.yaml 2019-01-24 09:55:33.000000000 +0100 +++ kubernetes/policy/charts/drools/templates/statefulset.yaml 2019-01-31 13:04:00.848634430 +0100 
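Review bot: The `echo -e '\nREQUESTS_CA_BUNDLE="/etc/ssl/certs/ca-bundle.crt"' >> /etc/sysconfig/cloudify-restservice` line appends unconditionally, so every run of this hook (each container restart, if it is the postStart exec suggested by the `lifecycle:` key above the hunk) adds another copy of the setting. Guard it, e.g. `grep -q '^REQUESTS_CA_BUNDLE=' /etc/sysconfig/cloudify-restservice || echo -e '\nREQUESTS_CA_BUNDLE="/etc/ssl/certs/ca-bundle.crt"' >> /etc/sysconfig/cloudify-restservice`. The script body begins before this hunk; `set -ex` is its first visible line.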
@@ -52,6 +52,8 @@ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness +{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }} +{{ include "policy.update-policy-keystore" . | indent 6 }} containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" @@ -79,6 +81,9 @@ - name: REPLICAS value: "{{ .Values.replicaCount }}" volumeMounts: +{{ include "common.cacert-mount-ubuntu" . | indent 10 }} +{{ include "common.system-ca-store-mount-ubuntu" . | indent 10 }} +{{ include "policy.keystore-mount" . | indent 10 }} - mountPath: /etc/localtime name: localtime readOnly: true @@ -137,6 +142,9 @@ {{ toYaml .Values.affinity | indent 10 }} {{- end }} volumes: +{{ include "common.cacert-volume" . | indent 8 }} +{{ include "common.system-ca-store-volume" . | indent 8 }} +{{ include "policy.keystore-storage-volume" . | indent 8 }} - name: localtime hostPath: path: /etc/localtime --- kubernetes/policy/charts/pdp/templates/statefulset.yaml 2019-01-24 09:55:33.000000000 +0100 +++ kubernetes/policy/charts/pdp/templates/statefulset.yaml 2019-01-31 13:07:16.161006088 +0100 @@ -50,6 +50,7 @@ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} name: {{ include "common.name" . }}-readiness +{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }} containers: - command: - /bin/bash @@ -75,6 +76,8 @@ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} periodSeconds: {{ .Values.readiness.periodSeconds }} volumeMounts: +{{ include "common.cacert-mount-ubuntu" . | indent 8 }} +{{ include "common.system-ca-store-mount-ubuntu" . | indent 8 }} - mountPath: /etc/localtime name: localtime readOnly: true 
@@ -114,6 +117,8 @@ - mountPath: /usr/share/filebeat/data name: policy-data-filebeat volumes: +{{ include "common.cacert-volume" . | indent 6 }} +{{ include "common.system-ca-store-volume" . | indent 6 }} - name: localtime hostPath: path: /etc/localtime --- kubernetes/common/common/templates/_cacert.tpl 2019-01-31 13:09:54.170924801 +0100 +++ kubernetes/common/common/templates/_cacert.tpl 2019-01-31 13:10:54.650659206 +0100 
@@ -0,0 +1,80 @@
+# COPYRIGHT NOTICE STARTS HERE
+#
+# Copyright 2018 © Samsung Electronics Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# COPYRIGHT NOTICE ENDS HERE
+
+#This template adds volume for access to ca certificate.
+#Template is ignored when cacert not set.
+{{- define "common.cacert-volume" }}
+{{- if .Values.global.cacert }}
+- name: cacert
+ configMap:
+ name: {{ include "common.namespace" . }}-root-ca-cert
+{{- end }}
+{{- end }}
+
+#This template mounts the CA certificate in an ubuntu compatible way.
+#It is mounted to /usr/local/share/ca-certificates/cacert.crt.
+#Template is ignored if cacert not set.
+{{- define "common.cacert-mount-ubuntu" }}
+{{- if .Values.global.cacert }}
+- mountPath: "/usr/local/share/ca-certificates/cacert.crt"
+ name: cacert
+ subPath: certificate
+{{- end }}
+{{- end }}
+
+#This template creates an empty volume used to store system certificates (includes java keystore).
+{{- define "common.system-ca-store-volume" }}
+{{- if .Values.global.cacert }}
+- name: system-ca-store
+ emptyDir:
+{{- end }}
+{{- end }}
+
+#This template mounts system ca store volume to /etc/ssl/certs (ubuntu specific).
+#Template is ignored in case cacert is not given.
+{{- define "common.system-ca-store-mount-ubuntu" }}
+{{- if .Values.global.cacert }}
+- mountPath: "/etc/ssl/certs"
+ name: system-ca-store
+{{- end }}
+{{- end }}
+
+#This template is a template for an init container.
+#This init container can be declared to update system's ca store for ubuntu containers.
+#It runs as root using the same image as the main one.
+#It expects /etc/ssl/certs to be mounted as a volume.
+#It has to be shared with the main container.
+#This template is ignored if cacert is not given as helm value.
+{{- define "common.update-system-ca-store-ubuntu" }}
+{{- if .Values.global.cacert }}
+- command:
+ - "/bin/bash"
+ - "-c"
+ - |
+ mkdir -p /etc/ssl/certs/java
+ update-ca-certificates
+ name: update-system-ca-store
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ image: {{ include "common.repository" . }}/{{ .Values.image }}
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+{{ include "common.cacert-mount-ubuntu" . | indent 2 }}
+{{ include "common.system-ca-store-mount-ubuntu" . | indent 2 }}
+{{- end }}
+{{- end }}
--- kubernetes/onap/templates/configmap.yaml 2019-01-31 13:09:54.170924801 +0100
+++ kubernetes/onap/templates/configmap.yaml 2019-01-31 13:11:24.628023219 +0100
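Review bot: `common.cacert-mount-ubuntu` mounts the ConfigMap with `subPath: certificate`, and subPath mounts do not pick up later ConfigMap changes, so a rotated `global.cacert` only takes effect once the pod is recreated; the `update-system-ca-store` init container likewise rebuilds /etc/ssl/certs exactly once at pod start. None of the helper comments say this; suggest adding `#Changing global.cacert requires recreating the pod: the subPath mount is static and the CA store is only rebuilt by the init container.` above the define. Smaller points: the comments use `#Text` with no space after the hash, `emptyDir:` is a bare null where `emptyDir: {}` is the conventional spelling, and the init container's `image:` is unquoted while the charts quote the same expression.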
@@ -0,0 +1,33 @@
+# COPYRIGHT NOTICE STARTS HERE
+#
+# Copyright 2018 © Samsung Electronics Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# COPYRIGHT NOTICE ENDS HERE
+
+{{ if .Values.global.cacert -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "common.namespace" . }}-root-ca-cert
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+ certificate: |
+{{ .Values.global.cacert | indent 4 }}
+{{- end }}
--- kubernetes/policy/charts/policy-common/templates/_keystore.tpl 2019-01-31 13:09:54.170924801 +0100
+++ kubernetes/policy/charts/policy-common/templates/_keystore.tpl 2019-01-31 13:11:49.122320657 +0100
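Review bot: The ConfigMap name `{{ include "common.namespace" . }}-root-ca-cert` has to match the literal used by `common.cacert-volume` in `kubernetes/common/common/templates/_cacert.tpl`, and the key `certificate` has to match the `subPath: certificate` in `common.cacert-mount-ubuntu`, but nothing in either file records that coupling. A comment above `metadata:` such as `# Name and the "certificate" key are referenced by common.cacert-volume / common.cacert-mount-ubuntu in common/templates/_cacert.tpl; keep in sync.` would prevent a silent break on rename. A ConfigMap is the appropriate object here, since a CA certificate is public material.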
@@ -0,0 +1,61 @@
+# COPYRIGHT NOTICE STARTS HERE
+#
+# Copyright 2018 © Samsung Electronics Co., Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# COPYRIGHT NOTICE ENDS HERE
+
+#This template creates a volume for storing policy-keystore with imported ca.
+#It is ignored if cacert was not given.
+{{- define "policy.keystore-storage-volume" }}
+{{- if .Values.global.cacert }}
+- name: keystore-storage
+ emptyDir:
+{{- end }}
+{{- end }}
+
+#This template mounts policy-keystore in appropriate place for policy components to take it.
+#It is ignored if cacert is not given.
+{{- define "policy.keystore-mount" }}
+{{- if .Values.global.cacert }}
+- mountPath: "/tmp/policy-install/config/policy-keystore"
+ name: keystore-storage
+ subPath: policy-keystore
+{{- end }}
+{{- end }}
+
+#This will extract a policy keystore and then import
+#the root cacert of offline nexus into it.
+#This template expects a volume named keystore-storage where policy-keystore will be put.
+#It also expects volume named cacert where the file "certificate" will contain the cert to import.
+#Template is ignored if ca certificate not given.
+{{- define "policy.update-policy-keystore" }}
+{{- if .Values.global.cacert }}
+- command:
+ - "/bin/bash"
+ - "-c"
+ - |
+ set -e
+ tar -xzf base-*.tar.gz etc/ssl/policy-keystore
+ cp etc/ssl/policy-keystore keystore-storage/
+ keytool -import -keystore keystore-storage/policy-keystore -storepass "Pol1cy_0nap" -noprompt -file /usr/local/share/ca-certificates/cacert.crt
+ name: update-policy-keystore
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ image: {{ include "common.repository" . }}/{{ .Values.image }}
+ volumeMounts:
+ - mountPath: "/tmp/policy-install/keystore-storage"
+ name: keystore-storage
+{{ include "common.cacert-mount-ubuntu" . | indent 2 }}
+{{- end }}
+{{- end }}
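Review bot: `-storepass "Pol1cy_0nap"` hard-codes the keystore password in the chart, and because the script is the init container's `command`, the password is rendered into the pod spec where anyone with read access to pods can retrieve it, in addition to appearing briefly in the container's process list. Sourcing it from a Secret-backed environment variable and writing `-storepass "$KEYSTORE_PASS"` (variable name constructed here for illustration) keeps it out of the rendered manifest. Separately, `tar -xzf base-*.tar.gz` and `cp ... keystore-storage/` use paths relative to the image's working directory, which the `/tmp/policy-install/keystore-storage` mountPath suggests is `/tmp/policy-install`; that assumption deserves a comment such as `# assumes the image WORKDIR is /tmp/policy-install, where base-*.tar.gz lives`.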