summaryrefslogtreecommitdiffstats
path: root/certServiceK8sExternalProvider/README.md
blob: ee739a3facd85594222d79d5f08ec6ddb31d4e09 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
## Cert Service K8s external provider

### General description

Cert Service K8s external provider ia a part of certificate distribution infrastructure in ONAP.
The main functionality of the provider is to forward Certificate Signing Requests (CSRs) created by cert-mananger (https://cert-manager.io) to CertServiceAPI.

More information can found on a dedicated page:  https://wiki.onap.org/display/DW/CertService+and+K8s+Cert-Manager+integration.

### Build project

There are two methods for building the project:
    
 - mvn clean install (used by CI)
 - make (used by DEV)

### Installation

#### Providing K8s secret containing TLS certificates

Create secret with certificates for communication between CMPv2Issuer and Cert Service API:
```
kubectl create secret generic -n onap cmpv2-issuer-secret --from-file=<project-base-dir>/certs/cmpv2Issuer-key.pem
  --from-file=<project-base-dir>/certs/cmpv2Issuer-cert.pem --from-file=<project-base-dir>/certs/cacert.pem
```

#### Deployment of the application

Apply K8s files from 'deploy' directory in following order:
 
 - crd.yaml
 - roles.yaml
 - deployment.yaml
 - configuration.yaml (certRef, keyRef and cacertRef should match file names if secret was created with command listed 
 above)

**Note:** Files and installation are currently examples, which should be used as a guide for OOM Helm Charts implementation  

#### Log level adjustment

Log level can be set during deployment as docker container argument --> see deployment.yaml file.
Here is an interesting part from the deployment.yaml file:

      - args:
        - --metrics-addr=127.0.0.1:8080
        - --log-level=debug
        command:
        - /oom-certservice-cmpv2issuer
        image: onap/oom-certservice-cmpv2issuer:1.0.0

Supported values of log-level flag (case-sensitive): debug, info, warn, error 

### Usage

To issue a certificate adjust and apply following K8s file:
 
 - certificate_example.yaml
 
#### Unsupported Certificate fields

Some fields present in Cert-Manager Certificate are currently not supported by CertService API and because of that they are
filtered out from the Certificate Signing Request.

**Fields that are filtered out:**
 - subjectDN fields:
   - serialNumber
   - streetAddresses
   - postalCodes
 - isCa
 - ipAddresses
 - uris
 - emails
 - duration
 - usages
 
 #### Overridden Certificate fields
 
Some fields present in a Cert-Manager Certificate will be overridden by a CMPv2 server.

**Overridden fields:**
 - duration
 - usages