From bca68e048a74ac3754e76ed738090402f7cbfd13 Mon Sep 17 00:00:00 2001
From: EmmettCox <emmett.cox@est.tech>
Date: Thu, 27 Feb 2020 14:20:52 +0000
Subject: [AAF] Add CMPv2 Cert Service

This new micro service allow retrieval of certificates using CMPv2
protocol and relay the requests to CA server (such as EJBCA provided in
contrib folder).

Issue-ID: AAF-1083
Change-Id: Ib3acba3d071533ad933d043f067147e8406d8fa8
Signed-off-by: EmmettCox <emmett.cox@est.tech>
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
---
 kubernetes/aaf/charts/aaf-cert-service/values.yaml | 141 +++++++++++++++++++++
 1 file changed, 141 insertions(+)
 create mode 100644 kubernetes/aaf/charts/aaf-cert-service/values.yaml

(limited to 'kubernetes/aaf/charts/aaf-cert-service/values.yaml')

diff --git a/kubernetes/aaf/charts/aaf-cert-service/values.yaml b/kubernetes/aaf/charts/aaf-cert-service/values.yaml
new file mode 100644
index 0000000000..c2bbecd81a
--- /dev/null
+++ b/kubernetes/aaf/charts/aaf-cert-service/values.yaml
@@ -0,0 +1,141 @@
+# Copyright © 2020, Nokia
+# Modifications Copyright  © 2020, Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Global
+global:
+  envsubstImage: dibi/envsubst
+
+# Service configuration
+service:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 8443
+      port_protocol: http
+
+
+# Deployment configuration
+repository: nexus3.onap.org:10001
+image: onap/org.onap.aaf.certservice.aaf-certservice-api:1.0.0
+pullPolicy: Always
+replicaCount: 1
+
+liveness:
+  initialDelaySeconds: 60
+  periodSeconds: 10
+  command: curl https://localhost:$HTTPS_PORT/actuator/health --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
+readiness:
+  initialDelaySeconds: 30
+  periodSeconds: 10
+  command: curl https://localhost:$HTTPS_PORT/ready --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
+
+flavor: small
+resources:
+  small:
+    limits:
+      cpu: 0.5
+      memory: 1Gi
+    requests:
+      cpu: 0.2
+      memory: 512Mi
+  large:
+    limits:
+      cpu: 1
+      memory: 2Gi
+    requests:
+      cpu: 0.4
+      memory: 1Gi
+  unlimited: {}
+
+
+# Application configuration
+cmpServers:
+  secret:
+    name: aaf-cert-service-secret
+  volume:
+    name: aaf-cert-service-volume
+    mountPath: /etc/onap/aaf/certservice
+
+tls:
+  server:
+    secret:
+      name: aaf-cert-service-server-tls-secret
+    volume:
+      name: aaf-cert-service-server-tls-volume
+      mountPath: /etc/onap/aaf/certservice/certs/
+  client:
+    secret:
+      defaultName: aaf-cert-service-client-tls-secret
+
+envs:
+  keystore:
+    jksName: certServiceServer-keystore.jks
+    p12Name: certServiceServer-keystore.p12
+  truststore:
+    jksName: truststore.jks
+    crtName: root.crt
+  httpsPort: 8443
+
+# External secrets with credentials can be provided to override default credentials defined below,
+# by uncommenting and filling appropriate *ExternalSecret value
+credentials:
+  tls:
+    keystorePassword: secret
+    truststorePassword: secret
+    #keystorePasswordExternalSecret:
+    #truststorePasswordExternalSecret:
+  # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled
+  cmp:
+    #clientIakExternalSecret:
+    #clientRvExternalSecret:
+    #raIakExternalSecret:
+    #raRvExternalSecret:
+    client: {}
+      # iak: mypassword
+      # rv: unused
+    ra: {}
+      # iak: mypassword
+      # rv: unused
+
+secrets:
+  - uid: keystore-password
+    name: '{{ include "common.release" . }}-keystore-password'
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.credentials.tls.keystorePasswordExternalSecret) . }}'
+    password: '{{ .Values.credentials.tls.keystorePassword }}'
+    passwordPolicy: required
+  - uid: truststore-password
+    name: '{{ include "common.release" . }}-truststore-password'
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.credentials.tls.truststorePasswordExternalSecret) . }}'
+    password: '{{ .Values.credentials.tls.truststorePassword }}'
+    passwordPolicy: required
+  # Below values are relevant only if global addTestingComponents flag is enabled
+  - uid: ejbca-server-client-iak
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientIakExternalSecret) . }}'
+    password: '{{ .Values.credentials.cmp.client.iak }}'
+  - uid: cmp-config-client-rv
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientRvExternalSecret) . }}'
+    password: '{{ .Values.credentials.cmp.client.rv }}'
+  - uid: ejbca-server-ra-iak
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raIakExternalSecret) . }}'
+    password: '{{ .Values.credentials.cmp.ra.iak }}'
+  - uid: cmp-config-ra-rv
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}'
+    password: '{{ .Values.credentials.cmp.ra.rv }}'
-- 
cgit 1.2.3-korg