From 27578339f9152a1a1ea24f01cdd3b83e95287685 Mon Sep 17 00:00:00 2001
From: egernug
Date: Thu, 26 Mar 2020 10:27:55 +0000
Subject: [SDNC] Deploy external TLC cert in ODL
Changes for 111973
Issue-ID: SDNC-1136
Signed-off-by: esobmar
Change-Id: If185ee3658b8f51a969bb3505f8bfb163cfea2a3
Signed-off-by: egernug
Signed-off-by: Sylvain Desbureaux [Access EJBCA secret from cert service]
Signed-off-by: Krzysztof Opasiak
---
 kubernetes/onap/values.yaml | 18 ++++----
 .../components/oom-cert-service/values.yaml | 1 +
 kubernetes/sdnc/resources/config/bin/startODL.sh | 1 +
 kubernetes/sdnc/templates/statefulset.yaml | 52 +++++++++++++++++++++-
 kubernetes/sdnc/values.yaml | 41 +++++++++++++++++
 5 files changed, 103 insertions(+), 10 deletions(-)
(limited to 'kubernetes')
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index e699581727..5f4495498c 100755
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -106,8 +106,8 @@ global:
 ingress:
 enabled: false
 virtualhost:
- enabled: true
- baseurl: "simpledemo.onap.org"
+ enabled: true
+ baseurl: "simpledemo.onap.org"
 # Global Service Mesh configuration
 # POC Mode, don't use it in production
@@ -141,6 +141,7 @@ global:
 requestURL: "https://oom-cert-service:8443/v1/certificate/"
 requestTimeout: "30000"
 keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
+ outputType: "P12"
 keystorePassword: "secret"
 truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
 truststorePassword: "secret"
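Review bot: `outputType: "P12"` is added to the global certServiceClient.envVariables block in the @@ -141 hunk, but nothing in this commit reads it: the certs-init container in kubernetes/sdnc/templates/statefulset.yaml maps every other envVariables key to an upper-snake env entry and has no OUTPUT_TYPE entry, so the client falls back to its default output format whatever this key says. Either wire it through (`- name: OUTPUT_TYPE` / `value: {{ .Values.global.platform.certServiceClient.envVariables.outputType | quote }}`, assuming the client reads that variable like the others) or leave the key out until a consumer exists. The same block, this key included, is duplicated under `global:` in kubernetes/sdnc/values.yaml; in an umbrella deployment the parent chart's globals take precedence, so the two copies will diverge silently unless one is documented as authoritative.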
@@ -156,13 +157,12 @@ global:
 # default centralizedLoggingEnabled: ¢ralizedLogging false
-
-# Example of specific for the components where you want to disable TLS only for
-# it:
-# if set this element will force or not tls even if global.serviceMesh.tls and
-# global.tlsEnabled is set otherwise.
-# robot:
-# tlsOverride: false
+ # Example of specific for the components where you want to disable TLS only for
+ # it:
+ # if set this element will force or not tls even if global.serviceMesh.tls and
+ # global.tlsEnabled is set otherwise.
+ # robot:
+ # tlsOverride: false
 # Global storage configuration
 # Set to "-" for default, or with the name of the storage class
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index 4a3a289484..64ed1a387b 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml
@@ -117,6 +117,7 @@ credentials:
 #truststorePasswordExternalSecret:
 # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled
 cmp:
+ # Used only if cmpv2 testing is enabled
 clientIakExternalSecret: '{{ include "common.release" . }}-ejbca-client-iak'
 #clientRvExternalSecret:
 raIakExternalSecret: '{{ include "common.release" . }}-ejbca-ra-iak'
diff --git a/kubernetes/sdnc/resources/config/bin/startODL.sh b/kubernetes/sdnc/resources/config/bin/startODL.sh
index 6aa796a163..a83fc92890 100755
--- a/kubernetes/sdnc/resources/config/bin/startODL.sh
+++ b/kubernetes/sdnc/resources/config/bin/startODL.sh
@@ -162,6 +162,7 @@ then
 fi
 cp /opt/opendaylight/current/certs/* /tmp
+cp /var/custom-certs/* /tmp
 nohup python ${SDNC_BIN}/installCerts.py &
diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml
index b1da64a748..454e3aa2eb 100644
--- a/kubernetes/sdnc/templates/statefulset.yaml
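Review bot: `cp /var/custom-certs/* /tmp` in the startODL.sh hunk runs unconditionally, but the certs-init container that fills that directory only exists when `global.cmpv2Enabled` is true, while the `certs` emptyDir it is mounted from is always present and then empty; an unmatched glob stays literal, cp fails with "cannot stat", and if the script runs under `set -e` (not visible here) ODL never starts on the cmpv2-disabled path. Guard it, e.g. `if ls /var/custom-certs/* >/dev/null 2>&1; then cp /var/custom-certs/* /tmp; fi`. The path is also hard-coded here while the chart exposes it as `certServiceClient.envVariables.cert_path`, so a comment such as `# must match global.platform.certServiceClient.envVariables.cert_path` (or passing the path in via env) would stop the two from drifting apart. The surrounding script, including whatever consumes /tmp afterwards, is outside the hunk.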
+++ b/kubernetes/sdnc/templates/statefulset.yaml
@@ -1,5 +1,5 @@
 {{/*
-# Copyright © 2020 Samsung Electronics, highstreet technologies GmbH
+# Copyright © 2020 Samsung Electronics
 # Copyright © 2017 Amdocs, Bell Canada
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -94,6 +94,48 @@ spec:
 {{ end -}}
 {{ include "common.certInitializer.initContainer" . | indent 6 }}
+ {{ if .Values.global.cmpv2Enabled }}
+ - name: certs-init
+ image: "{{ .Values.global.repository }}/{{ .Values.global.platform.certServiceClient.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ env:
+ - name: REQUEST_URL
+ value: {{ .Values.global.platform.certServiceClient.envVariables.requestURL }}
+ - name: REQUEST_TIMEOUT
+ value: "30000"
+ - name: OUTPUT_PATH
+ value: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
+ - name: CA_NAME
+ value: {{ .Values.global.platform.certServiceClient.envVariables.caName }}
+ - name: COMMON_NAME
+ value: {{ .Values.global.platform.certServiceClient.envVariables.common_name }}
+ - name: ORGANIZATION
+ value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Organization }}
+ - name: ORGANIZATION_UNIT
+ value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2OrganizationalUnit }}
+ - name: LOCATION
+ value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Location }}
+ - name: STATE
+ value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2State }}
+ - name: COUNTRY
+ value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Country }}
+ - name: KEYSTORE_PATH
+ value: {{ .Values.global.platform.certServiceClient.envVariables.keystorePath }}
+ - name: KEYSTORE_PASSWORD
+ value: {{ .Values.global.platform.certServiceClient.envVariables.keystorePassword }}
+ - name: TRUSTSTORE_PATH
+ value: {{ .Values.global.platform.certServiceClient.envVariables.truststorePath }}
+ - name: TRUSTSTORE_PASSWORD
+ value: {{ .Values.global.platform.certServiceClient.envVariables.truststorePassword }}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
+ name: certs
+ - mountPath: {{ 
.Values.global.platform.certServiceClient.secret.mountPath }}
+ name: certservice-tls-volume
+ {{ end }}
+
 - name: {{ include "common.name" . }}-chown
 image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }}
 command:
@@ -238,6 +280,8 @@ spec:
 - mountPath: {{ .Values.config.odl.etcDir }}/mountpoint-state-provider.properties
 name: properties
 subPath: mountpoint-state-provider.properties
+ - mountPath: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
+ name: certs
 resources:
 {{ include "common.resources" . | indent 12 }}
 {{- if .Values.nodeSelector }}
@@ -288,6 +332,12 @@ spec:
 - name: properties
 emptyDir:
 medium: Memory
+ - name: certs
+ emptyDir:
+ medium: Memory
+ - name: certservice-tls-volume
+ secret:
+ secretName: {{ .Values.global.platform.certServiceClient.secret.name }}
 {{ if not .Values.persistence.enabled }}
 - name: {{ include "common.fullname" . }}-data
 emptyDir: {}
diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml
index 244a7d5d9a..8745c0a1dc 100644
--- a/kubernetes/sdnc/values.yaml
+++ b/kubernetes/sdnc/values.yaml
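Review bot: In the certs-init container (@@ -94 hunk, which begins on the previous source line) KEYSTORE_PASSWORD and TRUSTSTORE_PASSWORD are injected as plain `value:` entries straight from values.yaml, so the cert-service client credentials are readable in the rendered pod spec (`kubectl get pod -o yaml`, describe output, audit logs) instead of coming from a Secret via `valueFrom.secretKeyRef`, which is what the `# Secrets metaconfig` section in kubernetes/sdnc/values.yaml exists for. The template also reads `envVariables.cmpv2State`, which the new block in kubernetes/sdnc/values.yaml never defines (only Organization, OrganizationalUnit, Location and Country), so STATE renders as an empty `value:` in a standalone deployment unless the umbrella values supply it; and REQUEST_TIMEOUT is hard-coded to `"30000"` while `envVariables.requestTimeout` exists for exactly that. Every templated `value:` line is unquoted, so a numeric-looking or empty value renders as an int or null and is rejected by the API server; `value: {{ ... | quote }}` on each is the safer form. The enclosing initContainers list starts and ends outside the hunk.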
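Review bot: The `certservice-tls-volume` Secret volume and the `certs` emptyDir in the @@ -288 hunk, like the `certs` mount on the main container in the @@ -238 hunk, sit outside the `{{ if .Values.global.cmpv2Enabled }}` guard that wraps the certs-init container, so a deployment with cmpv2 disabled still references `global.platform.certServiceClient.secret.name`; as far as I recall the kubelet sets up every volume listed in the pod spec whether or not a container mounts it, so a missing client TLS secret would leave the pod stuck in ContainerCreating. Wrapping the three additions in the same `{{ if }}` / `{{ end }}` pair, or adding `optional: true` under `secret:`, keeps the disabled path working. Using `medium: Memory` for the `certs` emptyDir is a good choice for the issued key material, since it never reaches node disk.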
@@ -35,6 +35,31 @@ global:
 service: mariadb-galera
 internalPort: 3306
 nameOverride: mariadb-galera
+ # Enabling CMPv2
+ cmpv2Enabled: true
+ platform:
+ certServiceClient:
+ image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.0.0
+ secret:
+ name: oom-cert-service-client-tls-secret
+ mountPath: /etc/onap/oom/certservice/certs/
+ envVariables:
+ # Certificate related
+ cert_path: /var/custom-certs
+ cmpv2Organization: "Linux-Foundation"
+ cmpv2OrganizationalUnit: "ONAP"
+ cmpv2Location: "San-Francisco"
+ cmpv2Country: "US"
+ # Client configuration related
+ caName: "RA"
+ common_name: "sdnc.simpledemo.onap.org"
+ requestURL: "https://oom-cert-service:8443/v1/certificate/"
+ requestTimeout: "30000"
+ keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
+ outputType: "P12"
+ keystorePassword: "secret"
+ truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
+ truststorePassword: "secret"
 #################################################################
 # Secrets metaconfig
@@ -406,6 +431,22 @@ persistence:
 mountSubPath: sdnc/mdsal
 mdsalPath: /opt/opendaylight/current/daexim
+certpersistence:
+ enabled: true
+
+ ## A manually managed Persistent Volume and Claim
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ # existingClaim:
+
+ volumeReclaimPolicy: Retain
+ accessMode: ReadWriteOnce
+ size: 50Mi
+ mountPath: /dockerdata-nfs
+ mountSubPath: sdnc/certs
+ certPath: /opt/app/osaaf
+ ##storageClass: "manual"
+
 ingress:
 enabled: false
 service:
-- cgit 1.2.3-korg
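Review bot: `cmpv2Enabled: true` under the subchart's `global:` in the @@ -35 hunk turns CMPv2 enrolment, and with it a hard dependency on oom-cert-service and its client TLS secret, on by default for a standalone sdnc install, while the identical block in kubernetes/onap/values.yaml is the one that wins in an umbrella deployment because parent globals override subchart globals; this copy is therefore both a divergent duplicate and a changed default, and a comment naming the authoritative copy (or a `false` default here with the umbrella chart enabling it) would make that explicit. `keystorePassword: "secret"` and `truststorePassword: "secret"` are plaintext defaults placed directly above the `# Secrets metaconfig` stanza the chart uses for credentials; routing them through it keeps them out of the values file and of the rendered pod environment. `cert_path` and `common_name` also break the camelCase every neighbouring key uses.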
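Review bot: The new `certpersistence:` block in the @@ -406 hunk (`enabled: true`, PV sizing, `certPath: /opt/app/osaaf`) is not consumed by any template in this commit; statefulset.yaml serves the issued certificates from an in-memory emptyDir rather than a PVC, so as far as this diff shows the block is dead configuration that nonetheless advertises persistent storage for certificates. If a PV/PVC template reads it elsewhere, a comment naming that template would help; otherwise drop it or default it to `enabled: false` until the volume exists. The comment `## Requires persistence.enabled: true` also refers to the separate `persistence` stanza, and `##storageClass: "manual"` uses a double `##` prefix unlike the rest of the file.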