From 55af648d55ec228006bd44928e812bbdd52fb1cf Mon Sep 17 00:00:00 2001 From: Sylvain Desbureaux Date: Mon, 2 Nov 2020 18:21:11 +0100 Subject: [MSB] Use certInitializer for MSB MSB is currently using an hardcoded certificate. In order to follow SECOMMON requirements, let's use a freshly generated certificate instead Issue-ID: MSB-521 Signed-off-by: Sylvain Desbureaux Change-Id: I157e44a6e30391c36c0142acfa08604c37b79cc4 --- .../aaf-cass/resources/cass-init-dats/artifact.dat | 2 ++ .../aaf-cass/resources/cass-init-dats/cred.dat | 2 ++ .../aaf-cass/resources/cass-init-dats/ns.dat | 2 ++ .../aaf-cass/resources/cass-init-dats/perm.dat | 6 ++++ .../aaf-cass/resources/cass-init-dats/role.dat | 8 ++++- .../resources/cass-init-dats/user_role.dat | 10 ++++++ kubernetes/aaf/resources/data/identities.dat | 2 ++ .../msb/components/msb-eag/requirements.yaml | 6 +++- .../msb-eag/resources/config/log/logback.xml | 40 ---------------------- .../msb-eag/resources/config/nginx/msbhttps.conf | 28 +++++++++++++++ .../components/msb-eag/templates/configmap.yaml | 9 +++++ .../components/msb-eag/templates/deployment.yaml | 21 ++++++------ kubernetes/msb/components/msb-eag/values.yaml | 40 ++++++++++++++++++++++ .../msb/components/msb-iag/requirements.yaml | 4 +++ .../msb-iag/resources/config/log/logback.xml | 40 ---------------------- .../msb-iag/resources/config/nginx/msbhttps.conf | 28 +++++++++++++++ .../components/msb-iag/templates/configmap.yaml | 9 +++++ .../components/msb-iag/templates/deployment.yaml | 21 ++++++------ kubernetes/msb/components/msb-iag/values.yaml | 40 ++++++++++++++++++++++ kubernetes/msb/requirements.yaml | 1 + .../msb/resources/config/certificates/ca.crt | 22 ------------ .../msb/resources/config/certificates/cert.crt | 23 ------------- kubernetes/msb/templates/secrets.yaml | 26 -------------- kubernetes/msb/templates/serviceaccount.yaml | 39 +++++++++++++++++++++ kubernetes/msb/templates/serviceaccout.yaml | 39 --------------------- kubernetes/msb/values.yaml | 1 - 26 files changed, 254 insertions(+), 215 deletions(-) delete mode 100644 kubernetes/msb/components/msb-eag/resources/config/log/logback.xml create mode 100644 kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf delete mode 100644 kubernetes/msb/components/msb-iag/resources/config/log/logback.xml create mode 100644 kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf delete mode 100644 kubernetes/msb/resources/config/certificates/ca.crt delete mode 100644 kubernetes/msb/resources/config/certificates/cert.crt delete mode 100644 kubernetes/msb/templates/secrets.yaml create mode 100644 kubernetes/msb/templates/serviceaccount.yaml delete mode 100644 kubernetes/msb/templates/serviceaccout.yaml (limited to 'kubernetes') diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat index 6fc63e47d7..61ddfb2988 100644 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat +++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat @@ -29,6 +29,8 @@ dmaap.mr@mr.dmaap.onap.org|dmaap.mr|local|/opt/app/osaaf/local||mailto:|org.onap dmaap.mr@mr.dmaap.onap.org|dmaapmr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'} dmaap.mr@mr.dmaap.onap.org|dmaap-mr|local|/opt/app/osaaf/local||mailto:|org.onap.dmaap.mr|root|30|{'message-router mr.api.simpledemo.onap.org message-router.onap dmaapmr dmaap.mr dmaap-mr dmaap.mr.onap dmaap-mr.onap dmaap-mr dmaapmr.onap'}|@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} holmes@holmes.onap.org|holmes|local|/opt/app/osaaf/local||mailto:|org.onap.holmes|root|30|{'holmes.api.simpledemo.onap.org', 'holmes.onap'}|aaf_admin@osaaf.org|{'pkcs12'} +msb-eag@msb-eag.onap.org|msb-eag|local|/opt/app/osaaf/local||mailto:|org.onap.msb-eag|root|30|{'msb-eag', 'msb-eag.api.simpledemo.onap.org', 'msb-eag.onap'}|mmanager@osaaf.org|{'file', 'pkcs12'} +msb-iag@msb-iag.onap.org|msb-iag|local|/opt/app/osaaf/local||mailto:|org.onap.msb-iag|root|30|{'msb-iag', 'msb-iag.api.simpledemo.onap.org', 'msb-iag.onap'}|mmanager@osaaf.org|{'file', 'pkcs12'} music@music.onap.org|music|aaf|/opt/app/aaf/local||mailto:|org.onap.music|root|30|{'music.api.simpledemo.onap.org', 'music.onap'}|mmanager@osaaf.org|{'pkcs12', 'script'} music@music.onap.org|music.onap|local|/opt/app/osaaf/local||mailto:|org.onap.music|root|30|{'music-api', 'music-api.onap', 'music-onap', 'music.api.simpledemo.onap.org', 'music.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'} nbi@nbi.onap.org|nbi|local|/opt/app/osaaf/local||mailto:|org.onap.nbi|root|30|{'nbi', 'nbi.api.simpledemo.onap.org', 'nbi.onap'}|aaf_admin@osaaf.org|{'file', 'pkcs12'} diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat index ff5caacf47..35c78c643c 100644 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat +++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/cred.dat @@ -16,6 +16,8 @@ policy@policy.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04d pomba@pomba.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.pomba|53344|| holmes@holmes.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.holmes|53344|| nbi@nbi.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.nbi|53344|| +msb-eag@msb-eag.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.msb-eag|53344|| +msb-iag@msb-iag.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.msb-iag|53344|| music@music.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.music|53344|| vid@vid.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.vid|53344|| vid1@vid1.onap.org|2|2020-11-26 12:31:54.000+0000|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.onap.vid1|53344|| diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat index 9b8149dc6a..f4a63267d9 100644 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat +++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/ns.dat @@ -52,6 +52,8 @@ org.onap.dmaap.mr.topic-002||org.onap.dmaap.mr||3 org.onap.dmaap||org.onap||3 org.onap.holmes||org.onap||3 org.onap.music||org.onap||3 +org.onap.msb-eag||org.onap||3 +org.onap.msb-iag||org.onap||3 org.onap.nbi||org.onap||3 org.onap|ONAP|org|2|2 org.onap.oof||org.onap||3 diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat index 23b1d1d690..f283282fd6 100644 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat +++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/perm.dat @@ -289,6 +289,12 @@ org.onap.dmaap.mr|topic|*|view||"{'org.onap.dmaap-bc|service', 'org.onap.dmaap.m org.onap.dmaap.mr|viewtest|*|view||"{'org.onap.dmaap.mr|viewtest'}" org.onap.holmes|access|*|*|AAF Namespace Write Access|"{'org.onap.holmes|admin'}" org.onap.holmes|access|*|read|AAF Namespace Read Access|"{'org.onap.holmes|owner'}" +org.onap.msb-eag|access|*|*|AAF Namespace Write Access|"{'org.onap.msb-eag|admin', 'org.onap.msb-eag|service'}" +org.onap.msb-eag|access|*|read|AAF Namespace Read Access|"{'org.onap.msb-eag|owner'}" +org.onap.msb-eag|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" +org.onap.msb-iag|access|*|*|AAF Namespace Write Access|"{'org.onap.msb-iag|admin', 'org.onap.msb-iag|service'}" +org.onap.msb-iag|access|*|read|AAF Namespace Read Access|"{'org.onap.msb-iag|owner'}" +org.onap.msb-iag|certman|local|request,ignoreIPs,showpass||"{'org.osaaf.aaf|deploy'}" org.onap.music|access|*|*|AAF Namespace Write Access|"{'org.onap.music|admin'}" org.onap.music|access|*|read|AAF Namespace Read Access|"{'org.onap.music|owner'}" org.onap.music|certman|local|request,ignoreIPs,showpass||"{'org.onap.music|admin', 'org.osaaf.aaf|deploy'}" diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat index 240373e5c9..7384e5eebd 100644 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat +++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/role.dat @@ -215,6 +215,12 @@ org.onap.dmaap|owner|AAF Namespace Owners|"{'org.onap.dmaap|access|*|read'}" org.onap.holmes|admin|AAF Namespace Administrators|"{'org.onap.holmes|access|*|*'}" org.onap.holmes|owner|AAF Namespace Owners|"{'org.onap.holmes|access|*|read'}" org.onap.holmes|service|| +org.onap.msb-eag|admin|AAF Namespace Administrators|"{'org.onap.msb-eag|access|*|*'}" +org.onap.msb-eag|owner|AAF Namespace Owners|"{'org.onap.msb-eag|access|*|read'}" +org.onap.msb-eag|service||"{'org.onap.msb-eag|access|*|*'}" +org.onap.msb-iag|admin|AAF Namespace Administrators|"{'org.onap.msb-iag|access|*|*'}" +org.onap.msb-iag|owner|AAF Namespace Owners|"{'org.onap.msb-iag|access|*|read'}" +org.onap.msb-iag|service||"{'org.onap.msb-iag|access|*|*'}" org.onap.music|admin|AAF Namespace Administrators|"{'org.onap.music|access|*|*', 'org.onap.music|certman|local|request,ignoreIPs,showpass'}" org.onap.music|owner|AAF Namespace Owners|"{'org.onap.music|access|*|read'}" org.onap.music|service|| @@ -302,7 +308,7 @@ org.openecomp.dmaapBC|admin|AAF Admins|"{'org.openecomp.dmaapBC.access|*|*', 'or org.openecomp.dmaapBC|owner|AAF Owners|"{'org.openecomp.dmaapBC.access|*|read'}" org.openecomp|owner|OpenEcomp Owners|"{'org.openecomp.access|*|read'}" org.osaaf.aaf|admin|AAF Admins|"{'org.osaaf.aaf.access|*|*', 'org.osaaf.aaf|cache|all|clear', 'org.osaaf.aaf|cache|role|clear', 'org.osaaf.aaf|password|*|create,reset'}" -org.osaaf.aaf|deploy|ONAP Deployment Role|"{'org.onap.aaf-sms|certman|local|request,ignoreIPs,showpass', 'org.onap.aai|certman|local|request,ignoreIPs,showpass', 'org.onap.appc|certman|local|request,ignoreIPs,showpass', 'org.onap.clamp|certman|local|request,ignoreIPs,showpass', 'org.onap.dcae|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-mm-prov|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-topic-mgr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-mr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap.mr|certman|local|request,ignoreIPs,showpass', 'org.onap.music|certman|local|request,ignoreIPs,showpass', 'org.onap.nbi|certman|local|request,ignoreIPs,showpass', 'org.onap.oof|certman|local|request,ignoreIPs,showpass', 'org.onap.policy|certman|local|request,ignoreIPs,showpass', 'org.onap.pomba|certman|local|request,ignoreIPs,showpass', 'org.onap.portal|certman|local|request,ignoreIPs,showpass', 'org.onap.sdc|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc-cds|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc|certman|local|request,ignoreIPs,showpass', 'org.onap.so|certman|local|request,ignoreIPs,showpass', 'org.onap.vfc|certman|local|request,ignoreIPs,showpass', 'org.onap.vid1|certman|local|request,ignoreIPs,showpass', 'org.onap.vid2|certman|local|request,ignoreIPs,showpass', 'org.onap.vid|certman|local|request,ignoreIPs,showpass', 'org.osaaf.aaf|certman|local|request,ignoreIPs,showpass'}" +org.osaaf.aaf|deploy|ONAP Deployment Role|"{'org.onap.aaf-sms|certman|local|request,ignoreIPs,showpass', 'org.onap.aai|certman|local|request,ignoreIPs,showpass', 'org.onap.appc|certman|local|request,ignoreIPs,showpass', 'org.onap.clamp|certman|local|request,ignoreIPs,showpass', 'org.onap.dcae|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-mm-prov|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc-topic-mgr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-bc|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-dr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap-mr|certman|local|request,ignoreIPs,showpass', 'org.onap.dmaap.mr|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-eag|certman|local|request,ignoreIPs,showpass', 'org.onap.msb-iag|certman|local|request,ignoreIPs,showpass', 'org.onap.music|certman|local|request,ignoreIPs,showpass', 'org.onap.nbi|certman|local|request,ignoreIPs,showpass', 'org.onap.oof|certman|local|request,ignoreIPs,showpass', 'org.onap.policy|certman|local|request,ignoreIPs,showpass', 'org.onap.pomba|certman|local|request,ignoreIPs,showpass', 'org.onap.portal|certman|local|request,ignoreIPs,showpass', 'org.onap.sdc|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc-cds|certman|local|request,ignoreIPs,showpass', 'org.onap.sdnc|certman|local|request,ignoreIPs,showpass', 'org.onap.so|certman|local|request,ignoreIPs,showpass', 'org.onap.vfc|certman|local|request,ignoreIPs,showpass', 'org.onap.vid1|certman|local|request,ignoreIPs,showpass', 'org.onap.vid2|certman|local|request,ignoreIPs,showpass', 'org.onap.vid|certman|local|request,ignoreIPs,showpass', 'org.osaaf.aaf|certman|local|request,ignoreIPs,showpass'}" org.osaaf.aaf|owner|AAF Owners|"{'org.osaaf.aaf.access|*|read,approve'}" org.osaaf.aaf|service||"{'org.osaaf.aaf|cache|*|clear'}" org.osaaf|admin|OSAAF Admins|"{'org.osaaf.access|*|*'}" diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat index 63190b8a5a..7882ec5727 100644 --- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat +++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/user_role.dat @@ -49,6 +49,10 @@ mmanager@people.osaaf.org|org.onap.dmaap-mr.sunil.owner|2020-11-26 12:31:54.000+ mmanager@people.osaaf.org|org.onap.dmaap-mr.test.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap-mr.test|owner mmanager@people.osaaf.org|org.onap.dmaap.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap|owner mmanager@people.osaaf.org|org.onap.holmes.owner|2020-11-26 12:31:54.000+0000|org.onap.holmes|owner +mmanager@people.osaaf.org|org.onap.msb-eag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|admin +mmanager@people.osaaf.org|org.onap.msb-eag.owner|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|owner +mmanager@people.osaaf.org|org.onap.msb-iag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|admin +mmanager@people.osaaf.org|org.onap.msb-iag.owner|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|owner mmanager@people.osaaf.org|org.onap.music.admin|2020-11-26 12:31:54.000+0000|org.onap.music|admin mmanager@people.osaaf.org|org.onap.music.owner|2020-11-26 12:31:54.000+0000|org.onap.music|owner mmanager@people.osaaf.org|org.onap.nbi.owner|2020-11-26 12:31:54.000+0000|org.onap.nbi|owner @@ -109,6 +113,8 @@ portal@portal.onap.org|org.onap.dmaap.mr.topic-000.owner|2020-11-26 12:31:54.000 portal@portal.onap.org|org.onap.dmaap.mr.topic-001.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-001|owner portal@portal.onap.org|org.onap.dmaap.mr.topic-002.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-002|owner portal@portal.onap.org|org.onap.holmes.admin|2020-11-26 12:31:54.000+0000|org.onap.holmes|admin +portal@portal.onap.org|org.onap.msb-eag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|admin +portal@portal.onap.org|org.onap.msb-iag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|admin portal@portal.onap.org|org.onap.music.admin|2020-11-26 12:31:54.000+0000|org.onap.music|admin portal@portal.onap.org|org.onap.music.owner|2020-11-26 12:31:54.000+0000|org.onap.music|owner portal@portal.onap.org|org.onap.nbi.admin|2020-11-26 12:31:54.000+0000|org.onap.nbi|admin @@ -208,6 +214,8 @@ aaf_admin@people.osaaf.org|org.onap.dmaap.mr.topic-000.owner|2020-11-26 12:31:54 aaf_admin@people.osaaf.org|org.onap.dmaap.mr.topic-001.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-001|owner aaf_admin@people.osaaf.org|org.onap.dmaap.mr.topic-002.owner|2020-11-26 12:31:54.000+0000|org.onap.dmaap.mr.topic-002|owner aaf_admin@people.osaaf.org|org.onap.holmes.admin|2020-11-26 12:31:54.000+0000|org.onap.holmes|admin +aaf_admin@people.osaaf.org|org.onap.msb-eag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|admin +aaf_admin@people.osaaf.org|org.onap.msb-iag.admin|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|admin aaf_admin@people.osaaf.org|org.onap.music.admin|2020-11-26 12:31:54.000+0000|org.onap.music|admin aaf_admin@people.osaaf.org|org.onap.music.owner|2020-11-26 12:31:54.000+0000|org.onap.music|owner aaf_admin@people.osaaf.org|org.onap.nbi.admin|2020-11-26 12:31:54.000+0000|org.onap.nbi|admin @@ -303,6 +311,8 @@ policy@policy.onap.org|org.onap.policy.seeCerts|2020-11-26 12:31:54.000+0000|org pomba@pomba.onap.org|org.onap.aai.resources_all|2020-11-26 12:31:54.000+0000|org.onap.aai|resources_all pomba@pomba.onap.org|org.onap.aai.traversal_advanced|2020-11-26 12:31:54.000+0000|org.onap.aai|traversal_advanced holmes@holmes.onap.org|org.onap.holmes.service|2020-11-26 12:31:54.000+0000|org.onap.holmes|service +msb-eag@msb-eag.onap.org|org.onap.msb-eag.service|2020-11-26 12:31:54.000+0000|org.onap.msb-eag|service +msb-iag@msb-iag.onap.org|org.onap.msb-iag.service|2020-11-26 12:31:54.000+0000|org.onap.msb-iag|service nbi@nbi.onap.org|org.onap.nbi.seeCerts|2020-11-26 12:31:54.000+0000|org.onap.nbi|seeCerts nbi@nbi.onap.org|org.onap.nbi.service|2020-11-26 12:31:54.000+0000|org.onap.nbi|service music@music.onap.org|org.onap.music.service|2020-11-26 12:31:54.000+0000|org.onap.music|service diff --git a/kubernetes/aaf/resources/data/identities.dat b/kubernetes/aaf/resources/data/identities.dat index 7e976621df..3b0114a0d4 100644 --- a/kubernetes/aaf/resources/data/identities.dat +++ b/kubernetes/aaf/resources/data/identities.dat @@ -64,6 +64,8 @@ policy|ONAP Policy Application|POLICY|ONAP Application|314-123-1234|no_reply@peo pomba|ONAP Pomba Application|POMBA|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager holmes|ONAP Holmes Application|HOLMES|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager nbi|ONAP NBI Application|NBI|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager +msb-eag|ONAP MSB EAG Application|MSB EAG|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager +msb-iag|ONAP MSB IAG Application|MSB IAG|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager music|ONAP MUSIC Application|MUSIC|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager # VID Identities vid|ONAP VID Application|VID|ONAP Application|314-123-1234|no_reply@people.osaaf.com|a|mmanager diff --git a/kubernetes/msb/components/msb-eag/requirements.yaml b/kubernetes/msb/components/msb-eag/requirements.yaml index c59eb6fdf9..fe552019cc 100644 --- a/kubernetes/msb/components/msb-eag/requirements.yaml +++ b/kubernetes/msb/components/msb-eag/requirements.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,4 +18,7 @@ dependencies: repository: '@local' - name: repositoryGenerator version: ~7.x-0 - repository: '@local' \ No newline at end of file + repository: '@local' + - name: certInitializer + version: ~7.x-0 + repository: '@local' diff --git a/kubernetes/msb/components/msb-eag/resources/config/log/logback.xml b/kubernetes/msb/components/msb-eag/resources/config/log/logback.xml deleted file mode 100644 index 680cb7357a..0000000000 --- a/kubernetes/msb/components/msb-eag/resources/config/log/logback.xml +++ /dev/null @@ -1,40 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - ${pattern} - - diff --git a/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf new file mode 100644 index 0000000000..70125753ed --- /dev/null +++ b/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf @@ -0,0 +1,28 @@ +{{/* +# +# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE) +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +*/}} +server { + listen 443 ssl; + ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt; + ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; + ssl_protocols TLSv1.1 TLSv1.2; + ssl_dhparam ../ssl/dh-pubkey/dhparams.pem; + include ../msb-enabled/location-default/msblocations.conf; + # Add below settings for making SDC to work + underscores_in_headers on; +} \ No newline at end of file diff --git a/kubernetes/msb/components/msb-eag/templates/configmap.yaml b/kubernetes/msb/components/msb-eag/templates/configmap.yaml index 33c77e5eae..30c0a80209 100644 --- a/kubernetes/msb/components/msb-eag/templates/configmap.yaml +++ b/kubernetes/msb/components/msb-eag/templates/configmap.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,3 +21,11 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-nginx + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }} diff --git a/kubernetes/msb/components/msb-eag/templates/deployment.yaml b/kubernetes/msb/components/msb-eag/templates/deployment.yaml index 36cb13dc52..113a174eb6 100644 --- a/kubernetes/msb/components/msb-eag/templates/deployment.yaml +++ b/kubernetes/msb/components/msb-eag/templates/deployment.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -38,6 +39,7 @@ spec: spec: serviceAccountName: msb initContainers: + {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - command: - /app/ready.py args: @@ -83,19 +85,15 @@ spec: - name: ROUTE_LABELS value: {{ .Values.config.routeLabels }} volumeMounts: + {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }} - mountPath: /etc/localtime name: localtime readOnly: true - - name: {{ include "common.fullname" . }}-cert - mountPath: /usr/local/openresty/nginx/ssl/cert/cert.crt - readOnly: true - subPath: "cert.crt" - - name: {{ include "common.fullname" . }}-cert - mountPath: /usr/local/openresty/nginx/html/cert/ca.crt - readOnly: true - subPath: "ca.crt" - mountPath: /usr/local/apiroute-works/logs name: {{ include "common.fullname" . }}-logs + - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf + name: {{ include "common.fullname" . }}-nginx-conf + subPath: msbhttps.conf resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -122,12 +120,13 @@ spec: name: {{ include "common.fullname" . }}-log-conf subPath: logback.xml volumes: - - name: {{ include "common.fullname" . }}-cert - secret: - secretName: {{ include "common.release" . }}-msb-https-cert + {{ include "common.certInitializer.volumes" . | indent 8 | trim }} - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log + - name: {{ include "common.fullname" . }}-nginx-conf + configMap: + name: {{ include "common.fullname" . }}-nginx - name: {{ include "common.fullname" . }}-filebeat-conf configMap: name: {{ include "common.release" . }}-msb-filebeat-configmap diff --git a/kubernetes/msb/components/msb-eag/values.yaml b/kubernetes/msb/components/msb-eag/values.yaml index b8813b8f1a..ff158b592c 100644 --- a/kubernetes/msb/components/msb-eag/values.yaml +++ b/kubernetes/msb/components/msb-eag/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,6 +18,45 @@ global: nodePortPrefix: 302 +################################################################# +# AAF part +################################################################# +certInitializer: + nameOverride: msb-eag-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: msb-eag + fqi: msb-eag@msb-eag.onap.org + fqi_namespace: org.onap.msb-eag + public_fqdn: msb-eag.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + aaf_add_config: | + echo "*** retrieving passwords for certificates" + export $(/opt/app/aaf_config/bin/agent.sh local showpass \ + {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c') + if [ -z "$cadi_keystore_password_p12" ] + then + echo " /!\ certificates retrieval failed" + exit 1 + else + mkdir -p {{ .Values.credsPath }}/certs + echo "*** retrieve certificate from pkcs12" + openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 + echo "*** copy key to relevant place" + cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key + echo "*** change ownership and read/write attributes" + chown -R 1000 {{ .Values.credsPath }}/certs + chmod 600 {{ .Values.credsPath }}/certs/cert.crt + chmod 600 {{ .Values.credsPath }}/certs/cert.key + fi + ################################################################# # Application configuration defaults. ################################################################# diff --git a/kubernetes/msb/components/msb-iag/requirements.yaml b/kubernetes/msb/components/msb-iag/requirements.yaml index 467a52ab21..fe552019cc 100644 --- a/kubernetes/msb/components/msb-iag/requirements.yaml +++ b/kubernetes/msb/components/msb-iag/requirements.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -18,3 +19,6 @@ dependencies: - name: repositoryGenerator version: ~7.x-0 repository: '@local' + - name: certInitializer + version: ~7.x-0 + repository: '@local' diff --git a/kubernetes/msb/components/msb-iag/resources/config/log/logback.xml b/kubernetes/msb/components/msb-iag/resources/config/log/logback.xml deleted file mode 100644 index 680cb7357a..0000000000 --- a/kubernetes/msb/components/msb-iag/resources/config/log/logback.xml +++ /dev/null @@ -1,40 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - ${pattern} - - diff --git a/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf new file mode 100644 index 0000000000..70125753ed --- /dev/null +++ b/kubernetes/msb/components/msb-iag/resources/config/nginx/msbhttps.conf @@ -0,0 +1,28 @@ +{{/* +# +# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE) +# Copyright © 2021 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +*/}} +server { + listen 443 ssl; + ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt; + ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key; + ssl_protocols TLSv1.1 TLSv1.2; + ssl_dhparam ../ssl/dh-pubkey/dhparams.pem; + include ../msb-enabled/location-default/msblocations.conf; + # Add below settings for making SDC to work + underscores_in_headers on; +} \ No newline at end of file diff --git a/kubernetes/msb/components/msb-iag/templates/configmap.yaml b/kubernetes/msb/components/msb-iag/templates/configmap.yaml index 33c77e5eae..30c0a80209 100644 --- a/kubernetes/msb/components/msb-iag/templates/configmap.yaml +++ b/kubernetes/msb/components/msb-iag/templates/configmap.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -20,3 +21,11 @@ metadata: namespace: {{ include "common.namespace" . }} data: {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.fullname" . }}-nginx + namespace: {{ include "common.namespace" . }} +data: +{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }} diff --git a/kubernetes/msb/components/msb-iag/templates/deployment.yaml b/kubernetes/msb/components/msb-iag/templates/deployment.yaml index 00dc6b69b3..7bae325b1e 100644 --- a/kubernetes/msb/components/msb-iag/templates/deployment.yaml +++ b/kubernetes/msb/components/msb-iag/templates/deployment.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -38,6 +39,7 @@ spec: spec: serviceAccountName: msb initContainers: + {{ include "common.certInitializer.initContainer" . | indent 6 | trim }} - command: - /app/ready.py args: @@ -83,19 +85,15 @@ spec: - name: ROUTE_LABELS value: {{ .Values.config.routeLabels }} volumeMounts: + {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }} - mountPath: /etc/localtime name: localtime readOnly: true - - name: {{ include "common.fullname" . }}-cert - mountPath: /usr/local/openresty/nginx/ssl/cert/cert.crt - readOnly: true - subPath: "cert.crt" - - name: {{ include "common.fullname" . }}-cert - mountPath: /usr/local/openresty/nginx/html/cert/ca.crt - readOnly: true - subPath: "ca.crt" - mountPath: /usr/local/apiroute-works/logs name: {{ include "common.fullname" . }}-logs + - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf + name: {{ include "common.fullname" . }}-nginx-conf + subPath: msbhttps.conf resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -122,12 +120,13 @@ spec: name: {{ include "common.fullname" . }}-log-conf subPath: logback.xml volumes: - - name: {{ include "common.fullname" . }}-cert - secret: - secretName: {{ include "common.release" . }}-msb-https-cert + {{ include "common.certInitializer.volumes" . | indent 8 | trim }} - name: {{ include "common.fullname" . }}-log-conf configMap: name: {{ include "common.fullname" . }}-log + - name: {{ include "common.fullname" . }}-nginx-conf + configMap: + name: {{ include "common.fullname" . }}-nginx - name: {{ include "common.fullname" . }}-filebeat-conf configMap: name: {{ include "common.release" . }}-msb-filebeat-configmap diff --git a/kubernetes/msb/components/msb-iag/values.yaml b/kubernetes/msb/components/msb-iag/values.yaml index b91ddcae1b..51e78e1de3 100644 --- a/kubernetes/msb/components/msb-iag/values.yaml +++ b/kubernetes/msb/components/msb-iag/values.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,6 +18,45 @@ global: nodePortPrefix: 302 +################################################################# +# AAF part +################################################################# +certInitializer: + nameOverride: msb-iag-cert-initializer + aafDeployFqi: deployer@people.osaaf.org + aafDeployPass: demo123456! + # aafDeployCredsExternalSecret: some secret + fqdn: msb-iag + fqi: msb-iag@msb-iag.onap.org + fqi_namespace: org.onap.msb-iag + public_fqdn: msb-iag.onap.org + cadi_longitude: "0.0" + cadi_latitude: "0.0" + app_ns: org.osaaf.aaf + credsPath: /opt/app/osaaf/local + aaf_add_config: | + echo "*** retrieving passwords for certificates" + export $(/opt/app/aaf_config/bin/agent.sh local showpass \ + {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c') + if [ -z "$cadi_keystore_password_p12" ] + then + echo " /!\ certificates retrieval failed" + exit 1 + else + mkdir -p {{ .Values.credsPath }}/certs + echo "*** retrieve certificate from pkcs12" + openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \ + -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \ + -passin pass:$cadi_keystore_password_p12 \ + -passout pass:$cadi_keystore_password_p12 + echo "*** copy key to relevant place" + cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key + echo "*** change ownership and read/write attributes" + chown -R 1000 {{ .Values.credsPath }}/certs + chmod 600 {{ .Values.credsPath }}/certs/cert.crt + chmod 600 {{ .Values.credsPath }}/certs/cert.key + fi + ################################################################# # Application configuration defaults. ################################################################# diff --git a/kubernetes/msb/requirements.yaml b/kubernetes/msb/requirements.yaml index c52bec4944..b335bfaf2b 100644 --- a/kubernetes/msb/requirements.yaml +++ b/kubernetes/msb/requirements.yaml @@ -1,4 +1,5 @@ # Copyright © 2018 Amdocs, Bell Canada , ZTE +# Copyright © 2020 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/kubernetes/msb/resources/config/certificates/ca.crt b/kubernetes/msb/resources/config/certificates/ca.crt deleted file mode 100644 index 62da777a58..0000000000 --- a/kubernetes/msb/resources/config/certificates/ca.crt +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDkjCCAnoCCQCHtNgoWafiHzANBgkqhkiG9w0BAQsFADCBijELMAkGA1UEBhMC -Q04xETAPBgNVBAgMCHNpY2h1YW5nMRAwDgYDVQQHDAdjaGVuZ2R1MQwwCgYDVQQK -DAN6dGUxDjAMBgNVBAsMBXplbmFwMTgwNgYDVQQDDC9aVEUgT3BlblBhbGV0dGUg -Um9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAxNzAeFw0xNzAzMTcwMTU2MjBa -Fw0yNzAzMTUwMTU2MjBaMIGKMQswCQYDVQQGEwJDTjERMA8GA1UECAwIc2ljaHVh -bmcxEDAOBgNVBAcMB2NoZW5nZHUxDDAKBgNVBAoMA3p0ZTEOMAwGA1UECwwFemVu -YXAxODA2BgNVBAMML1pURSBPcGVuUGFsZXR0ZSBSb290IENlcnRpZmljYXRlIEF1 -dGhvcml0eSAyMDE3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA23LK -Eq56pVzsRbYJ6NMdk82QfLjnp+f7KzdQ46SfwldG3gmipasPwDXV9jT9FvUlX8s/ -mRphOyuZ7vDzL2QjlS/FBATTWrJ2VCJmBVlzVu4STZ6YrxpQrSAalGkiYd9uT2Yt -2quNUPCsZSlJ8qJCYs098bJ2XTsK0JBby94j3nTdvNWhhErrheWdG/CHje32sKog -6BxN4GzMeZ2fUd0vKsqBs89M0pApdjpRMqEGHg+Lri4iiE9kKa/Y8S3V6ggJZjbp -7xs7N0miy/paeosjfFe5U6mhumUSZPFy8ueAgGxqBkwvLJwCY3HYcrsFGaXTu+c3 -p2q1Adygif1h43HrvQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAb/cgmsCxvQmvu -5e4gpn5WEMo0k7F6IAghd8139i9vmtQ88reYZvfiVsp/5ZjNnNj75lLbjjexDkPA -bdnAiJfRKOrMaPqY6Bem4v8lPu1B/kj1umn4BXOCC1kpcH/2JCmvI8uh49SSlT9J -wUSKWw8Qhy9XKN692y02QZke9Xp2HoFvMUlntglmQUIRO5eBYLQCSWpfv/iyMs6w -ar7Tk1p2rURpRh02P7WFQ5j5fxXEOrkMT7FX80EB3AddSthstj2iDlUcqfG3jXH/ -FA5r1q45kMUaMYxV9WIE67Vt0RaxrUJYWDR2kDSSox7LR5GpjWiSlPAfcLCeVuA3 -3lR7lW/J ------END CERTIFICATE----- diff --git a/kubernetes/msb/resources/config/certificates/cert.crt b/kubernetes/msb/resources/config/certificates/cert.crt deleted file mode 100644 index e718c8d166..0000000000 --- a/kubernetes/msb/resources/config/certificates/cert.crt +++ /dev/null @@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID0TCCArmgAwIBAgIJAOQWcdss4QvKMA0GCSqGSIb3DQEBCwUAMIGKMQswCQYD -VQQGEwJDTjERMA8GA1UECAwIc2ljaHVhbmcxEDAOBgNVBAcMB2NoZW5nZHUxDDAK -BgNVBAoMA3p0ZTEOMAwGA1UECwwFemVuYXAxODA2BgNVBAMML1pURSBPcGVuUGFs -ZXR0ZSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDE3MB4XDTIwMDUxMzAy -MjIyN1oXDTIyMDUxMzAyMjIyN1owgYwxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdT -aWNodWFuMRAwDgYDVQQHDAdDaGVuZ2R1MQ0wCwYDVQQKDARPTkFQMQwwCgYDVQQL -DANNU0IxEDAOBgNVBAMMB21zYi1pYWcxKjAoBgkqhkiG9w0BCQEWG29uYXAtZGlz -Y3Vzc0BsaXN0cy5vbmFwLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBAMa1YlTIL8APcmASbxrD7Q9BhWL9Hwi+FKO4HsIrSiJj/A/FLVe3kV2axA7b -5wdv44P0qQnh3pc0djlnZ47Fgli3lhEZ33+j5vrXHCjEFKiZZVeO+y/p+OcZVMNi -L+MPJNTNgMkPoaljs/U6fn6fFyAgMMIqqigxHJaNvz7IH+UpqbWWzZo7+JqClBi8 -t5ZIDk18/3cPQWXIne+3MoYULdEayAS8/4wYoJANH1knmSG+J07f9uCXniiz4zFF -ngMGHm4kuKXJCAl5E6S5fPzsLKqtwbbn9kJNyWoNFDuc7zW5dPfqPVckHHQ8Dx0q -2111UgrzrBZMW1RKmcwB+1YXip8CAwEAAaM2MDQwMgYDVR0RBCswKYIHbXNiLWlh -Z4IHbXNiLWVhZ4IVKi5zaW1wbGVkZW1vLm9uYXAub3JnMA0GCSqGSIb3DQEBCwUA -A4IBAQC9KKJ5x+EBHfdODbMIAufYinlbNRQ4xdG7tlRk0cRXnZoWi6yObQXmZuHV -56M2ZIylKNab2Z0VBluQqoLJvByAHQJO1r+qsAMG/LXBRC1x3y5344vtEPbikpMs -GHtxHomAu/JtSAlSL1Wvj7co3OUgVH/yNbccysVtqxxrfPrBhLfH/yDrFehmQ00T -P8mmJG3qeOUII0pgUjBkGL52+YMN0qy0SgryBx86fR9Y1bQLdWNfsM1CUXE2q9xs -FmU5Ry1pemTo68THSJs4wOnjLZ4kWTseTcEmQ6X2lfah8Ch0ffd3tttguNXnT1Xc -axgwv2Cypja3bPbq9t8kfJhbDrYO ------END CERTIFICATE----- diff --git a/kubernetes/msb/templates/secrets.yaml b/kubernetes/msb/templates/secrets.yaml deleted file mode 100644 index 7dcec5a303..0000000000 --- a/kubernetes/msb/templates/secrets.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{/* -# Copyright © 2020 Samsung Electronics -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "common.release" . }}-msb-https-cert - labels: {{ include "common.labels" . | nindent 4 }} - app: {{ include "common.name" . }} - chart: {{ include "common.chart" . }} - release: {{ include "common.release" . }} -type: Opaque -data: -{{ tpl (.Files.Glob "resources/config/certificates/*").AsSecrets . | indent 2 }} diff --git a/kubernetes/msb/templates/serviceaccount.yaml b/kubernetes/msb/templates/serviceaccount.yaml new file mode 100644 index 0000000000..50cbebf984 --- /dev/null +++ b/kubernetes/msb/templates/serviceaccount.yaml @@ -0,0 +1,39 @@ +{{/* +# Copyright © 2017 Amdocs, Bell Canada, ZTE +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: msb + namespace: {{ include "common.namespace" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "common.namespace" . }}-msb-binding + namespace: {{ include "common.namespace" . }} + labels: + app: {{ include "common.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + release: {{ include "common.release" . }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: msb + namespace: {{ include "common.namespace" . }} diff --git a/kubernetes/msb/templates/serviceaccout.yaml b/kubernetes/msb/templates/serviceaccout.yaml deleted file mode 100644 index 3248a0f12c..0000000000 --- a/kubernetes/msb/templates/serviceaccout.yaml +++ /dev/null @@ -1,39 +0,0 @@ -{{/* -# Copyright © 2017 Amdocs, Bell Canada, ZTE -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -*/}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: msb - namespace: {{ include "common.namespace" . }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "common.namespace" . }}-msb-binding - namespace: {{ include "common.namespace" . }} - labels: - app: {{ include "common.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - release: {{ include "common.release" . }} - heritage: {{ .Release.Service }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: - - kind: ServiceAccount - name: msb - namespace: {{ include "common.namespace" . }} diff --git a/kubernetes/msb/values.yaml b/kubernetes/msb/values.yaml index 739fcea9d2..5d3ffe0d6c 100644 --- a/kubernetes/msb/values.yaml +++ b/kubernetes/msb/values.yaml @@ -23,4 +23,3 @@ global: config: logstashServiceName: log-ls logstashPort: 5044 - -- cgit 1.2.3-korg