blob: ee739a3facd85594222d79d5f08ec6ddb31d4e09 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
## Cert Service K8s external provider
### General description
Cert Service K8s external provider ia a part of certificate distribution infrastructure in ONAP.
The main functionality of the provider is to forward Certificate Signing Requests (CSRs) created by cert-mananger (https://cert-manager.io) to CertServiceAPI.
More information can found on a dedicated page: https://wiki.onap.org/display/DW/CertService+and+K8s+Cert-Manager+integration.
### Build project
There are two methods for building the project:
- mvn clean install (used by CI)
- make (used by DEV)
### Installation
#### Providing K8s secret containing TLS certificates
Create secret with certificates for communication between CMPv2Issuer and Cert Service API:
```
kubectl create secret generic -n onap cmpv2-issuer-secret --from-file=<project-base-dir>/certs/cmpv2Issuer-key.pem
--from-file=<project-base-dir>/certs/cmpv2Issuer-cert.pem --from-file=<project-base-dir>/certs/cacert.pem
```
#### Deployment of the application
Apply K8s files from 'deploy' directory in following order:
- crd.yaml
- roles.yaml
- deployment.yaml
- configuration.yaml (certRef, keyRef and cacertRef should match file names if secret was created with command listed
above)
**Note:** Files and installation are currently examples, which should be used as a guide for OOM Helm Charts implementation
#### Log level adjustment
Log level can be set during deployment as docker container argument --> see deployment.yaml file.
Here is an interesting part from the deployment.yaml file:
- args:
- --metrics-addr=127.0.0.1:8080
- --log-level=debug
command:
- /oom-certservice-cmpv2issuer
image: onap/oom-certservice-cmpv2issuer:1.0.0
Supported values of log-level flag (case-sensitive): debug, info, warn, error
### Usage
To issue a certificate adjust and apply following K8s file:
- certificate_example.yaml
#### Unsupported Certificate fields
Some fields present in Cert-Manager Certificate are currently not supported by CertService API and because of that they are
filtered out from the Certificate Signing Request.
**Fields that are filtered out:**
- subjectDN fields:
- serialNumber
- streetAddresses
- postalCodes
- isCa
- ipAddresses
- uris
- emails
- duration
- usages
#### Overridden Certificate fields
Some fields present in a Cert-Manager Certificate will be overridden by a CMPv2 server.
**Overridden fields:**
- duration
- usages
|