From d1ca1ee8e3816ca94621f4f9c619ee7c9d52b353 Mon Sep 17 00:00:00 2001 From: Sylvain Desbureaux Date: Tue, 7 Apr 2020 14:52:20 +0200 Subject: [Contrib] Add EJBCA Server EJBCA Server is used to test that CMPv2 Certificate handling is well done in ONAP. Issue-ID: AAF-1083 Signed-off-by: Sylvain Desbureaux Change-Id: I5e2d25b68b5cd80d3c7bf282ce871dd81e711ff6 --- kubernetes/contrib/components/ejbca/Chart.yaml | 18 ++++ .../contrib/components/ejbca/requirements.yaml | 25 +++++ .../components/ejbca/resources/ejbca-config.sh | 28 ++++++ .../components/ejbca/templates/configmap.yaml | 20 ++++ .../components/ejbca/templates/deployment.yaml | 92 ++++++++++++++++++ .../contrib/components/ejbca/templates/secret.yaml | 15 +++ .../components/ejbca/templates/service.yaml | 15 +++ kubernetes/contrib/components/ejbca/values.yaml | 105 +++++++++++++++++++++ 8 files changed, 318 insertions(+) create mode 100644 kubernetes/contrib/components/ejbca/Chart.yaml create mode 100644 kubernetes/contrib/components/ejbca/requirements.yaml create mode 100755 kubernetes/contrib/components/ejbca/resources/ejbca-config.sh create mode 100644 kubernetes/contrib/components/ejbca/templates/configmap.yaml create mode 100644 kubernetes/contrib/components/ejbca/templates/deployment.yaml create mode 100644 kubernetes/contrib/components/ejbca/templates/secret.yaml create mode 100644 kubernetes/contrib/components/ejbca/templates/service.yaml create mode 100644 kubernetes/contrib/components/ejbca/values.yaml (limited to 'kubernetes/contrib/components/ejbca') diff --git a/kubernetes/contrib/components/ejbca/Chart.yaml b/kubernetes/contrib/components/ejbca/Chart.yaml new file mode 100644 index 0000000000..4de6930f0c --- /dev/null +++ b/kubernetes/contrib/components/ejbca/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright © 2020 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: ONAP EJBCA test server +name: ejbca +version: 6.0.0 diff --git a/kubernetes/contrib/components/ejbca/requirements.yaml b/kubernetes/contrib/components/ejbca/requirements.yaml new file mode 100644 index 0000000000..e87bc08da3 --- /dev/null +++ b/kubernetes/contrib/components/ejbca/requirements.yaml @@ -0,0 +1,25 @@ +# Copyright © 2020 Orange, Ericsson +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +dependencies: + - name: common + version: ~6.x-0 + repository: '@local' + - name: mariadb-galera + version: ~6.x-0 + repository: '@local' + condition: global.mariadbGalera.localCluster + - name: mariadb-init + version: ~6.x-0 + repository: '@local' + condition: not global.mariadbGalera.localCluster diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh new file mode 100755 index 0000000000..f1bd07e158 --- /dev/null +++ b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +waitForEjbcaToStart() { + until $(curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth --output /dev/null --silent --head --fail) + do + sleep 5 + done +} + +configureEjbca() { + ejbca.sh config cmp addalias --alias cmpRA + ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra + ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK} + ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe + ejbca.sh config cmp dumpalias --alias cmpRA + ejbca.sh config cmp addalias --alias cmp + ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true + ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe + ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password ${CLIENT_IAK} --type 1 --token USERGENERATED + ejbca.sh ra setclearpwd --username Node123 --password ${CLIENT_IAK} + ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN + ejbca.sh config cmp dumpalias --alias cmp + ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem +} + + +waitForEjbcaToStart +configureEjbca diff --git a/kubernetes/contrib/components/ejbca/templates/configmap.yaml b/kubernetes/contrib/components/ejbca/templates/configmap.yaml new file mode 100644 index 0000000000..d336bc9a94 --- /dev/null +++ b/kubernetes/contrib/components/ejbca/templates/configmap.yaml @@ -0,0 +1,20 @@ +# Copyright © 2020, Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ConfigMap +metadata: + name: "{{ include "common.fullname" . }}-config-script" +data: +{{ tpl (.Files.Glob "resources/ejbca-config.sh").AsConfig . | indent 2 }} diff --git a/kubernetes/contrib/components/ejbca/templates/deployment.yaml b/kubernetes/contrib/components/ejbca/templates/deployment.yaml new file mode 100644 index 0000000000..c6981e5fc4 --- /dev/null +++ b/kubernetes/contrib/components/ejbca/templates/deployment.yaml @@ -0,0 +1,92 @@ +# Copyright © 2020, Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + initContainers: + - name: {{ include "common.name" . }}-db-readiness + command: + - /root/ready.py + args: + - --container-name + {{- if .Values.global.mariadbGalera.localCluster }} + - ejbca-galera + {{- else }} + - ejbca-config + {{- end }} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + containers: + - name: {{ include "common.name" . }}-ejbca + image: {{ .Values.ejbca.image }} + imagePullPolicy: {{ .Values.pullPolicy }} + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "/opt/primekey/scripts/ejbca-config.sh"] + volumeMounts: + - name: "{{ include "common.fullname" . }}-volume" + mountPath: /opt/primekey/scripts/ + ports: {{ include "common.containerPorts" . | nindent 10 }} + env: + - name: INITIAL_ADMIN + value: ";PublicAccessAuthenticationToken:TRANSPORT_ANY;" + - name: DATABASE_JDBC_URL + value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ .Values.mysqlDatabase }} + - name: DATABASE_USER + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-db-secret" "key" "login") | indent 10 }} + - name: DATABASE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-db-secret" "key" "password") | indent 10 }} + - name: RA_IAK + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-server-ra-iak" "key" "password") | indent 10 }} + - name: CLIENT_IAK + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-server-client-iak" "key" "password") | indent 10 }} + livenessProbe: + httpGet: + port: {{ .Values.liveness.port }} + path: {{ .Values.liveness.path }} + scheme: HTTPS + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + readinessProbe: + httpGet: + port: {{ .Values.readiness.port }} + path: {{ .Values.readiness.path }} + scheme: HTTPS + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + {{- if .Values.nodeSelector }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} + {{- end -}} + {{- if .Values.affinity }} + affinity: {{ toYaml .Values.affinity | nindent 10 }} + {{- end }} + volumes: + - configMap: + name: "{{ include "common.fullname" . }}-config-script" + defaultMode: 0755 + name: "{{ include "common.fullname" . }}-volume" diff --git a/kubernetes/contrib/components/ejbca/templates/secret.yaml b/kubernetes/contrib/components/ejbca/templates/secret.yaml new file mode 100644 index 0000000000..ecb51ae4d3 --- /dev/null +++ b/kubernetes/contrib/components/ejbca/templates/secret.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020, Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.secretFast" . }} diff --git a/kubernetes/contrib/components/ejbca/templates/service.yaml b/kubernetes/contrib/components/ejbca/templates/service.yaml new file mode 100644 index 0000000000..01680ee78e --- /dev/null +++ b/kubernetes/contrib/components/ejbca/templates/service.yaml @@ -0,0 +1,15 @@ +# Copyright © 2020, Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{ include "common.service" . }} diff --git a/kubernetes/contrib/components/ejbca/values.yaml b/kubernetes/contrib/components/ejbca/values.yaml new file mode 100644 index 0000000000..0db7ca14be --- /dev/null +++ b/kubernetes/contrib/components/ejbca/values.yaml @@ -0,0 +1,105 @@ +# Copyright © 2020, Nordix Foundation, Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +global: + readinessRepository: oomk8s + readinessImage: readiness-check:2.0.1 + mariadbGalera: &mariadbGalera + #This flag allows EJBCA to instantiate its own mariadb-galera cluster + localCluster: false + service: mariadb-galera + internalPort: 3306 + nameOverride: mariadb-galera + +secrets: + - uid: ejbca-db-secret + name: &ejbca-db-secret '{{ include "common.release" . }}-ejbca-db-secret' + type: basicAuth + externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}' + login: '{{ .Values.config.db.userName }}' + password: '{{ .Values.config.db.userPassword }}' + - uid: ejbca-server-ra-iak + name: '{{ include "common.release" . }}-ejbca-ra-iak' + type: password + password: '{{ .Values.config.ejbca.raIak }}' + - uid: ejbca-server-client-iak + name: '{{ include "common.release" . }}-ejbca-client-iak' + type: password + password: '{{ .Values.config.ejbca.clientIak }}' + +# application configuration +config: + db: + userName: ejbca + # userPassword: password + # userCredentialsExternalSecret: some-secret + ejbca: {} + # raIak: mypassword + # clientIak: mypassword + +mysqlDatabase: &dbName ejbca + +################################################################# +# Application configuration defaults. +################################################################# +# application configuration +replicaCount: 1 + +ejbca: + image: primekey/ejbca-ce:6.15.2.5 +pullPolicy: Always + +mariadb-galera: + # '&mariadbConfig' means we "store" the values for later use in the file + # with '*mariadbConfig' pointer. + config: &mariadbConfig + userCredentialsExternalSecret: *ejbca-db-secret + mysqlDatabase: *dbName + nameOverride: ejbca-galera + service: + name: ejbca-galera + portName: ejbca-galera + internalPort: 3306 + replicaCount: 1 + persistence: + enabled: true + mountSubPath: ejbca/maria/data + +mariadb-init: + config: *mariadbConfig + nameOverride: ejbca-config + +nodeSelector: {} + +affinity: {} + +# probe configuration parameters +liveness: + path: /ejbca/publicweb/healthcheck/ejbcahealth + port: api + initialDelaySeconds: 30 + periodSeconds: 30 + +readiness: + path: /ejbca/publicweb/healthcheck/ejbcahealth + port: api + initialDelaySeconds: 30 + periodSeconds: 30 + +service: + type: ClusterIP + ports: + - name: api + port: 8443 + plain_port: 8080 + port_protocol: http -- cgit 1.2.3-korg