# Copyright © 2020-2021, Nokia
# Modifications Copyright  © 2020, Nordix Foundation, Orange
# Modifications Copyright © 2020 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Global
global:
  nodePortPrefix: 302
  persistence:
    enabled: true
  # Standard OOM
  pullPolicy: "Always"
  repository: "nexus3.onap.org:10001"
  ingress:
    enabled: true
    # All http requests via ingress will be redirected
    config:
      ssl: "redirect"
    # you can set an own Secret containing a certificate
    #  tls:
    #    secret: 'my-ingress-cert'
    # optional: Namespace of the Istio IngressGateway
    namespace: &ingressNamespace istio-ingress


# Service configuration
service:
  type: ClusterIP
  ports:
    - name: http
      port: 8443
      port_protocol: http

# Deployment configuration
repository: "nexus3.onap.org:10001"
image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.6.0
pullPolicy: Always
replicaCount: 1

liveness:
  initialDelaySeconds: 60
  periodSeconds: 10
  command: curl https://localhost:$HTTPS_PORT/actuator/health --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
readiness:
  initialDelaySeconds: 30
  periodSeconds: 10
  command: curl https://localhost:$HTTPS_PORT/ready --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD

flavor: small
resources:
  small:
    limits:
      cpu: 1
      memory: 0.5Gi
    requests:
      cpu: 0.5
      memory: 0.5Gi
  large:
    limits:
      cpu: 2
      memory: 1Gi
    requests:
      cpu: 1
      memory: 1Gi
  unlimited: {}


# Application configuration
cmpServers:
  secret:
    name: oom-cert-service-secret
  volume:
    name: oom-cert-service-volume
    mountPath: /etc/onap/oom/certservice

tls:
  issuer:
    selfsigning:
      name: &selfSigningIssuer cmpv2-selfsigning-issuer
    ca:
      name: &caIssuer cmpv2-issuer-onap
      secret:
        name: &caKeyPairSecret  cmpv2-ca-key-pair
    ingressSelfsigned:
      name: ingress-selfsigned-issuer
      namespace: *ingressNamespace
    ingressCa:
      name: ingress-ca-issuer
      namespace: *ingressNamespace
      secret:
        name: ingress-ca-key-pair
  server:
    secret:
      name: &serverSecret oom-cert-service-server-tls-secret
    volume:
      name: oom-cert-service-server-tls-volume
      mountPath: /etc/onap/oom/certservice/certs/
  client:
    secret:
      defaultName: oom-cert-service-client-tls-secret

envs:
  keystore:
    jksName: keystore.jks
    p12Name: keystore.p12
    pemName: tls.crt
  truststore:
    jksName: truststore.jks
    crtName: ca.crt
    pemName: tls.crt
  httpsPort: 8443

# External secrets with credentials can be provided to override default credentials defined below,
# by uncommenting and filling appropriate *ExternalSecret value
credentials:
  tls:
    certificatesPassword: secret
    #certificatesPasswordExternalSecret:
  # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled
  cmp:
    # Used only if cmpv2 testing is enabled
    clientIakExternalSecret: '{{ include "common.release" . }}-ejbca-client-iak'
    #clientRvExternalSecret:
    raIakExternalSecret: '{{ include "common.release" . }}-ejbca-ra-iak'
    #raRvExternalSecret:
    client: {}
      # iak: mypassword
      # rv: unused
    ra: {}
      # iak: mypassword
      # rv: unused

secrets:
  - uid: certificates-password
    name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}'
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}'
    password: '{{ .Values.credentials.tls.certificatesPassword }}'
    passwordPolicy: required
  # Below values are relevant only if global addTestingComponents flag is enabled
  - uid: ejbca-server-client-iak
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientIakExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.client.iak }}'
  - uid: cmp-config-client-rv
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientRvExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.client.rv }}'
  - uid: ejbca-server-ra-iak
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raIakExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.ra.iak }}'
  - uid: cmp-config-ra-rv
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.ra.rv }}'

# Certificates definitions
certificates:
  - name: selfsigned-cert
    secretName: *caKeyPairSecret
    isCA: true
    commonName: root.com
    subject:
      organization: Root Company
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: Root Org
    issuer:
      name: *selfSigningIssuer
      kind: Issuer
  - name: cert-service-server-cert
    secretName: *serverSecret
    commonName: oom-cert-service
    dnsNames:
      - oom-cert-service
      - localhost
    subject:
      organization: certServiceServer org
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: certServiceServer company
    usages:
      - server auth
      - client auth
    keystore:
      outputType:
        - jks
        - p12
      passwordSecretRef:
        name: *certificatesPasswordSecretName
        key: password
    issuer:
      name: *caIssuer
      kind: Issuer
  - name: cert-service-client-cert
    secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}'
    commonName: certServiceClient.com
    subject:
      organization: certServiceClient org
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: certServiceClient company
    usages:
      - server auth
      - client auth
    keystore:
      outputType:
        - jks
      passwordSecretRef:
        name: *certificatesPasswordSecretName
        key: password
    issuer:
      name: *caIssuer
      kind: Issuer