From 2954823e469dc10ec45f8170dac5a8041ab3fd44 Mon Sep 17 00:00:00 2001 From: Sylvain Desbureaux Date: Wed, 21 Oct 2020 18:15:08 +0200 Subject: [SO] Import various CAs in truststore Per default, SO truststore has only one CA, the ONAP one. But we also need MSB root CA. The process to onboard was broken and this patch solves it We also needs "common root CAs" in order to discuss with other components such as the underneath OpenStack. In this patch we also import all "known" root CA from truststoreONAPall. Issue-ID: OOM-2606 Issue-ID: OOM-2607 Signed-off-by: Sylvain Desbureaux Change-Id: Ia67bd4aec7a0b122fb9fda11e1e48c4e6e55430c --- .../so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml | 1 + kubernetes/so/components/soHelpers/templates/_certificates.tpl | 6 +++++- kubernetes/so/components/soHelpers/values.yaml | 7 ++++--- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml index 45668eda98..2327e19b67 100644 --- a/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml +++ b/kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml @@ -39,6 +39,7 @@ spec: {{- if .Values.global.aafEnabled }} export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0) export TRUSTSTORE_PASSWORD="${cadi_truststore_password}" + export TRUSTSTORE="file:/${TRUSTSTORE}" {{- if .Values.global.security.aaf.enabled }} export KEYSTORE_PASSWORD="${cadi_keystore_password}" {{- end }} diff --git a/kubernetes/so/components/soHelpers/templates/_certificates.tpl b/kubernetes/so/components/soHelpers/templates/_certificates.tpl index fa25ba5177..ef3b0768f5 100644 --- a/kubernetes/so/components/soHelpers/templates/_certificates.tpl +++ b/kubernetes/so/components/soHelpers/templates/_certificates.tpl @@ -16,7 +16,11 @@ keytool -import -trustcacerts -alias msb_root -file \ /certificates/msb-ca.crt -keystore \ "{{ $subchartDot.Values.certInitializer.credsPath }}/{{ $subchartDot.Values.aaf.trustore }}" \ - -keypass $cadi_truststore_password -noprompt + -storepass $cadi_truststore_password -noprompt + keytool -importkeystore -srckeystore "{{ $subchartDot.Values.certInitializer.credsPath }}/truststoreONAPall.jks" \ + -srcstorepass {{ $subchartDot.Values.certInitializer.trustStoreAllPass }} \ + -destkeystore "{{ $subchartDot.Values.certInitializer.credsPath }}/{{ $subchartDot.Values.aaf.trustore }}" \ + -deststorepass $cadi_truststore_password -noprompt volumeMounts: {{ include "common.certInitializer.volumeMount" $subchartDot | indent 2 | trim }} - name: {{ include "common.name" $dot }}-msb-certificate diff --git a/kubernetes/so/components/soHelpers/values.yaml b/kubernetes/so/components/soHelpers/values.yaml index 5dbe46cf9e..391938199e 100755 --- a/kubernetes/so/components/soHelpers/values.yaml +++ b/kubernetes/so/components/soHelpers/values.yaml @@ -37,7 +37,7 @@ global: # Secrets metaconfig ################################################################# secrets: - - uid: "so-onap-certs" + - uid: 'so-onap-certs' name: '{{ include "common.release" . }}-so-certs' externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' type: generic @@ -54,10 +54,11 @@ certInitializer: fqdn: so fqi: so@so.onap.org public_fqdn: so.onap.org - cadi_longitude: "0.0" - cadi_latitude: "0.0" + cadi_longitude: '0.0' + cadi_latitude: '0.0' app_ns: org.osaaf.aaf credsPath: /opt/app/osaaf/local + trustStoreAllPass: changeit aaf_add_config: > /opt/app/aaf_config/bin/agent.sh local showpass {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop -- cgit 1.2.3-korg