From c57b58ddca8fa19fad93b3aea70e556ad6f045d8 Mon Sep 17 00:00:00 2001 From: Sylvain Desbureaux Date: Tue, 23 Feb 2021 18:07:34 +0100 Subject: [AAI][SCHEMA] Remove Hardcoded certificates Use Certinitializer in order to retrieve needed certificates. It'll also do the retrieval for graphadmin as both microservices are working together. Issue-ID: OOM-2691 Signed-off-by: Sylvain Desbureaux Change-Id: Iad790cc14361cf15d5a6bf4fcad6fd9f4048a1a7 --- .../aai/components/aai-schema-service/values.yaml | 53 ++++++++++++++++------ 1 file changed, 39 insertions(+), 14 deletions(-) (limited to 'kubernetes/aai/components/aai-schema-service/values.yaml') diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml index 121809e89e..7989bcc63d 100644 --- a/kubernetes/aai/components/aai-schema-service/values.yaml +++ b/kubernetes/aai/components/aai-schema-service/values.yaml @@ -58,20 +58,40 @@ global: # global defaults edge: label: v12 - # Keystore configuration password and filename - keystore: - filename: aai_keystore - passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit - - # Truststore configuration password and filename - truststore: - filename: aai_keystore - passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit - - # Specifies a list of files to be included in auth volume - auth: - files: - - aai_keystore +################################################################# +# Certificate configuration +################################################################# +certInitializer: + nameOverride: aai-schema-service-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: aai-schema-service + fqi: aai-schema-service@aai-schema-service.onap.org + public_fqdn: aai-schema-service.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + fqi_namespace: org.onap.aai-schema-service + user_id: &user_id 1000 + group_id: &group_id 1000 + aaf_add_config: | + echo "*** changing them into shell safe ones" + export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1) + cd {{ .Values.credsPath }} + keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \ + -storepass "${cadi_keystore_password_p12}" \ + -keystore {{ .Values.fqi_namespace }}.p12 + keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \ + -storepass "${cadi_truststore_password}" \ + -keystore {{ .Values.fqi_namespace }}.trust.jks + echo "*** writing passwords into prop file" + echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop + echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop + echo "*** change ownership of certificates to targeted user" + chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }} # application image image: onap/aai-schema-service:1.9.2 @@ -147,6 +167,11 @@ serviceAccount: roles: - read +# Not fully used for now +securityContext: + user_id: *user_id + group_id: *group_id + #Log configuration log: path: /var/log/onap -- cgit 1.2.3-korg