From 5336a4ad074c54e392c8b0ec128ce4e450111c9c Mon Sep 17 00:00:00 2001 From: Sylvain Desbureaux Date: Fri, 5 Jun 2020 15:40:52 +0200 Subject: [AAF SMS] Override outdated certificates Certificates in AAF SMS are outdated Replacing by new ones Issue-ID: AAF-1159 Signed-off-by: Sylvain Desbureaux Change-Id: I47c459e6f9ca002bf7ed946a7de80426b04e959a --- .../charts/aaf-sms/resources/certs/aaf_root_ca.cer | 31 +++++++++++++ .../aaf-sms/resources/certs/org.onap.aaf-sms.crt | 52 ++++++++++++++++++++++ .../aaf-sms/resources/certs/org.onap.aaf-sms.key | 28 ++++++++++++ .../aaf/charts/aaf-sms/templates/deployment.yaml | 6 +++ kubernetes/aaf/charts/aaf-sms/templates/job.yaml | 6 +++ .../aaf/charts/aaf-sms/templates/secret.yaml | 28 ++++++++++++ kubernetes/aaf/charts/aaf-sms/values.yaml | 4 +- 7 files changed, 153 insertions(+), 2 deletions(-) create mode 100644 kubernetes/aaf/charts/aaf-sms/resources/certs/aaf_root_ca.cer create mode 100644 kubernetes/aaf/charts/aaf-sms/resources/certs/org.onap.aaf-sms.crt create mode 100644 kubernetes/aaf/charts/aaf-sms/resources/certs/org.onap.aaf-sms.key create mode 100644 kubernetes/aaf/charts/aaf-sms/templates/secret.yaml diff --git a/kubernetes/aaf/charts/aaf-sms/resources/certs/aaf_root_ca.cer b/kubernetes/aaf/charts/aaf-sms/resources/certs/aaf_root_ca.cer new file mode 100644 index 0000000000..e9a50d7ea0 --- /dev/null +++ b/kubernetes/aaf/charts/aaf-sms/resources/certs/aaf_root_ca.cer 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFPjCCAyagAwIBAgIJAJ6u7cCnzrWdMA0GCSqGSIb3DQEBCwUAMCwxDjAMBgNV +BAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJVUzAeFw0xODA0MDUx +NDE1MjhaFw0zODAzMzExNDE1MjhaMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQK +DARPTkFQMQswCQYDVQQGEwJVUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC +ggIBAMA5pkgRs7NhGG4ew5JouhyYakgYUyFaG121+/h8qbSdt0hVQv56+EA41Yq7 +XGie7RYDQK9NmAFF3gruE+6X7wvJiChp+Cyd7sFMnb65uWhxEdxWTM2BJFrgfzUn +H8ZCxgaCo3XH4PzlKRy2LQQJEJECwl/RZmRCXijMt5e9h8XoZY/fKkKcZZUsWNCM +pTo266wjvA9MXLmdgReRj0+vrCjrNqy+htwJDztoiHWiYPqT6o8EvGcgjNqjlZx7 +NUNf8MfLDByqKF6+wRbHv1GKjn3/Vijd45Fv8riyRYROiFanvbV6jIfBkv8PZbXg +2VDWsYsgp8NAvMxK+iV8cO+Ck3lBI2GOPZbCEqpPVTYbLUz6sczAlCXwQoPzDIZY +wYa3eR/gYLY1gP2iEVHORag3bLPap9ZX5E8DZkzTNTjovvLk8KaCmfcaUMJsBtDd +ApcUitz10cnRyZc1sX3gE1f3DpzQM6t9C5sOVyRhDcSrKqqwb9m0Ss04XAS9FsqM +P3UWYQyqDXSxlUAYaX892u8mV1hxnt2gjb22RloXMM6TovM3sSrJS0wH+l1nznd6 +aFXftS/G4ZVIVZ/LfT1is4StoyPWZCwwwly1z8qJQ/zhip5NgZTxQw4mi7ww35DY +PdAQOCoajfSvFjqslQ/cPRi/MRCu079heVb5fQnnzVtnpFQRAgMBAAGjYzBhMB0G +A1UdDgQWBBRTVTPyS+vQUbHBeJrBKDF77+rtSTAfBgNVHSMEGDAWgBRTVTPyS+vQ +UbHBeJrBKDF77+rtSTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAN +BgkqhkiG9w0BAQsFAAOCAgEAPx/IaK94n02wPxpnYTy+LVLIxwdq/kawNd6IbiMz +L87zmNMDmHcGbfoRCj8OkhuggX9Lx1/CkhpXimuYsZOFQi5blr/u+v4mIbsgbmi9 +7j+cUHDP0zLycvSvxKHty51LwmaX9a4wkJl5zBU4O1sd/H9tWcEmwJ39ltKoBKBx +c94Zc3iMm5ytRWGj+0rKzLDAXEWpoZ5bE5PLJauA6UDCxDLfs3FwhbS7uDggxYvf +jySF5FCNET94oJ+m8s7VeHvoa8iPGKvXrIqdd7XDHnqJJlVKr7m9S0fMbyEB8ci2 +RtOXDt93ifY1uhoEtEykn4dqBSp8ezvNMnwoXdYPDvTd9uCAFeWFLVreBAWxd25h +PsBTkZA5hpa/rA+mKv6Af4VBViYr8cz4dZCsFChuioVebe9ighrfjB//qKepFjPF +CyjzKN1u0JKm/2x/ORqxkTONG8p3uDwoIOyimUcTtTMv42bfYD88RKakqSFXE9G+ +Z0LlaKABqfjK49o/tsAp+c5LoNlYllKhnetO3QAdraHwdmC36BhoghzR1jpX751A +cZn2VH3Q4XKyp01cJNCJIrua+A+bx6zh3RyW6zIIkbRCbET+UD+4mr8WIcSE3mtR +ZVlnhUDO4z9//WKMVzwS9Rh8/kuszrGFI1KQozXCHLrce3YP6RYZfOed79LXaRwX +dYY= +-----END CERTIFICATE----- 
diff --git a/kubernetes/aaf/charts/aaf-sms/resources/certs/org.onap.aaf-sms.crt b/kubernetes/aaf/charts/aaf-sms/resources/certs/org.onap.aaf-sms.crt
new file mode 100644
index 0000000000..6a70443738
--- /dev/null
+++ b/kubernetes/aaf/charts/aaf-sms/resources/certs/org.onap.aaf-sms.crt
@@ -0,0 +1,52 @@ +-----BEGIN CERTIFICATE----- +MIIEdzCCA1+gAwIBAgIJAPjgcZm5gVWUMA0GCSqGSIb3DQEBCwUAMEcxCzAJBgNV +BAYTAlVTMQ0wCwYDVQQKDARPTkFQMQ4wDAYDVQQLDAVPU0FBRjEZMBcGA1UEAwwQ +aW50ZXJtZWRpYXRlQ0FfOTAeFw0yMDA2MDQxNjEyMDRaFw0yMTA2MDQxNjEyMDRa +MGUxEDAOBgNVBAMMB2FhZi1zbXMxJTAjBgNVBAsMHGFhZi1zbXNAYWFmLXNtcy5v +bmFwLm9yZzpERVYxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYD +VQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ8Tg54iobqT +7xqdu0fV8aIfmLfdm+BcQNkbn273UUguJpdzfdSziQIUr8NIX0K8jGFIGAZinji3 +Wqscr/eKSrMSyYmvu8aQYfV7LPXGn0l5aEp0M08q066+rJi52rhOF7ALyBHlZFXn +7FV29cGfn9QTkQrYXxjAp6b5lQvlaDCBrK1PsOLxMxRZj+wT2xOB5VFvyxkmX1yg +jD4UIuc3KbpMThJTOt2aZuMPBfuIGk1WeHj+T1RrB/nLTVYJesuIY3QzOJXLpDJ5 +TOkEc+c+kWc6A6hppDRxS2q65WMV3GVmToQvJrO07xj+B2bhRdSzBa2Xjb/JsA9e +zUzTga4WMLkCAwEAAaOCAUYwggFCMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgXg +MCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBUBgNVHSMETTBLgBSB +95lbELnIjN7zUl7qTmmgQz6s3aEwpC4wLDEOMAwGA1UECwwFT1NBQUYxDTALBgNV +BAoMBE9OQVAxCzAJBgNVBAYTAlVTggEHMB0GA1UdDgQWBBRl51401mvaC9u0KMY1 +L6u6OX0EaTCBjQYDVR0RBIGFMIGCgRphYWZfYWRtaW5AcGVvcGxlLm9zYWFmLmNv +bYIHYWFmLXNtc4IPYWFmLXNtcy1kYi5vbmFwgh9hYWYtc21zLmFwaS5zaW1wbGVk +ZW1vLm9uYXAub3JnggxhYWYtc21zLm9uYXCCG2FhZi1zbXMuc2ltcGxlZGVtby5v +bmFwLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEAnZ6HkKDg3TEtYQ3PELdXTZ95URTQ +otwGjemSg1GNgF8GEhQG7aTE02/bjffywxXzM42g/oImKP0HoHx5Z6wmtRSJHjfG +eEjeqCB3yBaURcsVG5RBEMqmHp9bm68ZNm3HrpmWpbrIPKpjzxTkONn6RKL5wh1Y +5R0frfPdETJJ6sCnf6mIr/E763+erLt/+cSnAggKMAUesjGs18HrD9tqkyqVWM4h +VAf/PG9eooZMXpFsIrpOUqwdun9W+0WVkhqxMn/giOVOfwWrc4AnzZujLaGvrBB2 +iSlsv7w5igUjRtHTnIfIbG5gwmv0AW/Ay+WqXV5zB7gzTqYYPcBpGX4uTg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIEdTCCAl2gAwIBAgIBBzANBgkqhkiG9w0BAQsFADAsMQ4wDAYDVQQLDAVPU0FB +RjENMAsGA1UECgwET05BUDELMAkGA1UEBhMCVVMwHhcNMTgwODE3MTg1MTM3WhcN +MjMwODE3MTg1MTM3WjBHMQswCQYDVQQGEwJVUzENMAsGA1UECgwET05BUDEOMAwG +A1UECwwFT1NBQUYxGTAXBgNVBAMMEGludGVybWVkaWF0ZUNBXzkwggEiMA0GCSqG 
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv0HHUkba3uNtNI3jPKimUcd6RNwmhSCJL +neMWpnjqp5/A+HCKyNsEaT4y177hNLmCm/aMm1u2JIfikc+8wEqLCSBBPz+P0h+d +o+sZ7U+4oeQizdYYpEdzHJ2SieHHa8vtu80rU3nO2NEIkuYC20HcKSEtl8fFKsk3 +nqlhY+tGfYJPTXcDOQAO40BTcgat3C3uIJHkWJJ4RivunE4LEuRv9QyKgAw7rkJV +v+f7guqpZlXy6dzAkuU7XULWcgo55MkZlssoiErMvEZJad5aWKvRY3g7qUjaQ6wO +15wOAUoRBW96eeZZbytgn8kybcBy++Ue49gPtgm1MF/KlAsp0MD5AgMBAAGjgYYw +gYMwHQYDVR0OBBYEFIH3mVsQuciM3vNSXupOaaBDPqzdMB8GA1UdIwQYMBaAFFNV +M/JL69BRscF4msEoMXvv6u1JMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/ +BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B +AQsFAAOCAgEADxNymiCNr2e37iLReoaxKmZvwox0cTiNAaj7iafRzmwIoY3VXO8Q +ix5IYcp4FaQ7fV1jyp/AmaSnyHf6Osl0sx8PxsQkO7ALttxKUrjfbvNSVUA2C/vl +u5m7UVJLIUtFDZBWanzUSmkTsYLHpiANFQKd2c/cU1qXcyzgJVFEFVyyHNkF7Is+ ++pjG9M1hwQHOoTnEuU013P7X1mHek+RXEfhJWwe7UsZnBKZaZKbQZu7hEtqKWYp/ +QsHgnjoLYXsh0WD5rz/mBxdTdDLGpFqWDzDqb8rsYnqBzoowvsasV8X8OSkov0Ht +8Yka0ckFH9yf8j1Cwmbl6ttuonOhky3N/gwLEozuhy7TPcZGVyzevF70kXy7g1CX +kpFGJyEHXoprlNi8FR4I+NFzbDe6a2cFow1JN19AJ9Z5Rk5m7M0mQPaQ4RcikjB3 +aoLsASCJTm1OpOFHfxEKiBW4Lsp3Uc5/Rb9ZNbfLrwqWZRM7buW1e3ekLqntgbky +uKKISHqVJuw/vXHl1jNibEo9+JuQ88VNuAcm7WpGUogeCa2iAlPTckPZei+MwZ8w +tpvxTyYlZEC8DWzY1VC29+W2N5cvh01e2E3Ql08W1zL63dqrgdEZ3VWjzooYi4ep +BmMXTvouW+Flyvcw/0oTcfN0biDIt0mCkZ5CQVjfGL9DTOYteR5hw+k= +-----END CERTIFICATE----- diff --git a/kubernetes/aaf/charts/aaf-sms/resources/certs/org.onap.aaf-sms.key b/kubernetes/aaf/charts/aaf-sms/resources/certs/org.onap.aaf-sms.key new file mode 100644 index 0000000000..649387ba04 --- /dev/null +++ b/kubernetes/aaf/charts/aaf-sms/resources/certs/org.onap.aaf-sms.key 
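Review bot: The leaf certificate added in org.onap.aaf-sms.crt looks short-lived, so this replacement will probably have to be repeated. Its validity field appears to decode to 4 June 2020 through 4 June 2021, and that of the bundled intermediateCA_9 to August 2023; confirm with `openssl x509 -noout -dates`. The commit message says the previous certificates were outdated, so a comment next to `servercert` in values.yaml, such as `# static demo certificate shipped in the chart; check its expiry before each release`, would make the expiry visible to operators. Issuing the certificate at deploy time instead of storing it in the chart would remove the recurring failure.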
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCfE4OeIqG6k+8a +nbtH1fGiH5i33ZvgXEDZG59u91FILiaXc33Us4kCFK/DSF9CvIxhSBgGYp44t1qr +HK/3ikqzEsmJr7vGkGH1eyz1xp9JeWhKdDNPKtOuvqyYudq4ThewC8gR5WRV5+xV +dvXBn5/UE5EK2F8YwKem+ZUL5WgwgaytT7Di8TMUWY/sE9sTgeVRb8sZJl9coIw+ +FCLnNym6TE4SUzrdmmbjDwX7iBpNVnh4/k9Uawf5y01WCXrLiGN0MziVy6QyeUzp +BHPnPpFnOgOoaaQ0cUtquuVjFdxlZk6ELyaztO8Y/gdm4UXUswWtl42/ybAPXs1M +04GuFjC5AgMBAAECggEBAIITPduP6/kZwDleYuZxndz4wzMNxcknBmvBN5RQLSm9 +exb6fBjyGYUXD0W6pxJ2BMADaInIGCK+YyhqE8VxUnWtVhj9FqleJIvLhc8O8+7r +lIjVDaOdnGxWQ+G6j4uHZ70vVRC1J19Lfqe/12LVOKb8vOxGUzR1TGGv0d1hX9nQ +0d3YYIwlstHPPZktZ3Owk/5KkO3MYYH46N6bOtu07COvDxG/IXPv95ppe3FbDGwT +KIS/ntJRMFqRLobzsTVrl6SjZpCtRkC/8mU+s4Al47+93Vnbq1pp3aJFT4Wv55zl +wvE3koURsYCBignfuC4vBoh5aq3ScDE4/xSqLRr9ppECgYEA6ImU5+6AmE6vtjN6 +s/sR6SD1NF7DMMdoyQbMq06qiwl04hq10J3tcsfg+VqrhqpueYhfqP9a/GjHUxxO +YXFkYsquF3vJhszrhWHZxbo7ZtBtisX6Cw2pjNfVRm6Yk9A+CV8XARN7EQe7fZgk +BXCu96Mmj9euLR+T1n8vMJBVpN0CgYEAryBv4glxj2ZzaKBDgYBqaC+WcC9IFbTz +OeylZGz6eYz7z2Jn8HEhgx8FL8xTfAvjyM5nzRbU0zZR2nAkFuCFeqAOb78iXsHB +c92ggj3XGR2+fAKTf0TNo57qmYJX5EiaPPY6gBduyktHEHyDH57IYXOK5u61d8AW +eqEEiwc4P40CgYBNRNJPE0h108e9YnPGdIoqDkKMaWSww8JE8lZ2Igi3dKf7Leb2 +cFPjjRlroj5W3DEjfzZSQK/qKaL6MfC1nmk+Dp00vnRjr5ofUzl643wzmNSdhVWl +8J9DZsC+y6c1jr/ee1N4jxGYwhoCDNkDWcM6FGOO7ps48UI9xztWBs/+nQKBgQCu +qWhNBWQoRGLoP6b0OvJlVMjyvIVleOJ4rAfMoFAz+KOQk7HcgciNsNuIb334Ixec +yBeI2bOLsAp1FRE5a9ZUlduwIe4SmaXqfGlAXJLyLtMzdZJMBYAfJzkNv40PVkXW +dTGlXTmXMvr+e2B/oepyHz2y0vNUKtWAmqUgUCQOZQKBgDEjqlU91hQka8gFEjEn +c0uEhxdhBv7qB54BpG4Ea1o8g0/ZVR1ANqyEDUoF+JvdnL+UZGUs2ghvDPJAPERW +MmClS/n1EebB7slh/B2C4hlvb7YFlY3+YMLLq4ofU9shDcTXrrOq4DMZ7oxJ+Ufv +z6MfQL0GTwvu0rc6yriTMetO +-----END PRIVATE KEY----- diff --git a/kubernetes/aaf/charts/aaf-sms/templates/deployment.yaml b/kubernetes/aaf/charts/aaf-sms/templates/deployment.yaml index ca35fdc55a..b8886e2332 100644 --- a/kubernetes/aaf/charts/aaf-sms/templates/deployment.yaml 
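Review bot: org.onap.aaf-sms.key adds an unencrypted private key (`-----BEGIN PRIVATE KEY-----`) to the chart source, so every deployment of this chart shares a key that anyone with read access to the repository or the packaged chart also holds. A holder of that key can impersonate aaf-sms to clients that trust the AAF root CA, and the key cannot be withdrawn from version-control history once merged. Keep the file out of the repository and have the Secret take the key from an operator-supplied value or an existing Secret, or issue it at install time. The key in this commit should be treated as suitable for demo environments only.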
+++ b/kubernetes/aaf/charts/aaf-sms/templates/deployment.yaml @@ -80,6 +80,9 @@ spec: subPath: smsconfig.json - mountPath: /sms/auth name: {{ include "common.fullname" . }}-auth + - mountPath: /sms/certs + name: {{ include "common.fullname" . }}-certs + readOnly: true resources: {{ include "common.resources" . | indent 10 }} {{- if .Values.nodeSelector }} @@ -100,5 +103,8 @@ spec: - name: {{ include "common.fullname" . }}-auth persistentVolumeClaim: claimName: {{ include "common.fullname" . }} + - name: {{ include "common.fullname" . }}-certs + secret: + secretName: {{ include "common.fullname" . }}-certs imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/charts/aaf-sms/templates/job.yaml b/kubernetes/aaf/charts/aaf-sms/templates/job.yaml index a5446ab20e..a3b1fa9818 100644 --- a/kubernetes/aaf/charts/aaf-sms/templates/job.yaml +++ b/kubernetes/aaf/charts/aaf-sms/templates/job.yaml @@ -70,6 +70,9 @@ spec: readOnly: true - mountPath: /preload/config name: {{ include "common.name" . }}-preload + - mountPath: /sms/certs + name: {{ include "common.fullname" . }}-certs + readOnly: true resources: {{ include "common.resources" . | indent 10 }} {{- if .Values.nodeSelector }} @@ -87,6 +90,9 @@ spec: - name : {{ include "common.name" . }}-preload configMap: name: {{ include "common.fullname" . }}-preload + - name: {{ include "common.fullname" . }}-certs + secret: + secretName: {{ include "common.fullname" . }}-certs restartPolicy: OnFailure imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/aaf/charts/aaf-sms/templates/secret.yaml b/kubernetes/aaf/charts/aaf-sms/templates/secret.yaml new file mode 100644 index 0000000000..1ee1fa6c12 --- /dev/null +++ b/kubernetes/aaf/charts/aaf-sms/templates/secret.yaml 
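Review bot: The `secret:` volume added under `volumes:` in the second deployment.yaml hunk sets no `defaultMode`, so the projected files, including org.onap.aaf-sms.key, get the Kubernetes default of 0644 and are readable by every user in the container. Adding `defaultMode: 0400` below `secretName:` restricts the key to the file owner. If the container runs as a non-root user this may need `0440` together with an `fsGroup`, which cannot be checked from the hunk. The same applies to the identical volume added in job.yaml, and the pod spec continues outside both hunks.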
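Review bot: The job.yaml hunks mount the whole `-certs` Secret, server private key included, into the preload job at /sms/certs. If the job only needs to verify the SMS server, which is an assumption because its command is outside the hunk, the volume can project just the CA file with `items: [{key: aaf_root_ca.cer, path: aaf_root_ca.cer}]` under `secret:`. That exposes the private key to one workload instead of two.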
@@ -0,0 +1,28 @@ +{{/* +# Copyright 2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.fullname" . }}-certs + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: +{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/aaf/charts/aaf-sms/values.yaml b/kubernetes/aaf/charts/aaf-sms/values.yaml index de005ed366..06833c8d28 100644 --- a/kubernetes/aaf/charts/aaf-sms/values.yaml +++ b/kubernetes/aaf/charts/aaf-sms/values.yaml @@ -39,8 +39,8 @@ debugEnabled: false config: smsdbaddress: "http://aaf-sms-db:8200" cafile: "/sms/certs/aaf_root_ca.cer" - servercert: "/sms/certs/aaf-sms.pub" - serverkey: "/sms/certs/aaf-sms.pr" + servercert: "/sms/certs/org.onap.aaf-sms.crt" + serverkey: "/sms/certs/org.onap.aaf-sms.key" password: "c2VjcmV0bWFuYWdlbWVudHNlcnZpY2VzZWNyZXRwYXNzd29yZA==" # subchart configuration -- cgit 1.2.3-korg
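Review bot: The `data:` line in secret.yaml fills the Secret with every file matching `resources/certs/*`, so anything later dropped into that directory is published to the cluster. It also leaves an operator no way to supply their own certificate and key without editing the chart. Listing the three expected files explicitly, or guarding the block with a value that names an existing Secret, would make the contents deliberate. Separately, `tpl` is applied to the output of `AsSecrets`, which is already base64-encoded and so holds no template actions; `{{ (.Files.Glob "resources/certs/*").AsSecrets | indent 2 }}` should render the same result.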