aboutsummaryrefslogtreecommitdiffstats
path: root/docs/sections/cmpv2-cert-provider.rst
blob: f4493cd1b2fda135ba498b52e71a207a824d3c6d (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. Copyright 2020 NOKIA

CMPv2 certificate provider
==============================

General information
------------------------------

CMPv2 certificate provider is a part of certificate distribution infrastructure in ONAP.
The main functionality of the provider is to forward Certificate Signing Requests (CSRs) created by cert-mananger (https://cert-manager.io) to CertServiceAPI.

Additional information can be found on a dedicated page:  https://wiki.onap.org/display/DW/CertService+and+K8s+Cert-Manager+integration.

By default CMPv2 provider is **disabled**. To enable it set following global helm value:

- CMPv2CertManagerIntegration = true

CMPv2 Issuer
------------------------------

In order to be able to request a certificate via CMPv2 provider a *CMPv2Issuer* CRD (Customer Resource Definition) instance has to be created.

It is important to note that the attribute *kind* has to be set to **CMPv2Issuer**, all other attributes can be set as needed.

**NOTE: a default instance of CMPv2Issuer is created when installing ONAP via OOM deployment.**

Here is a definition of a *CMPv2Issuer* provided with ONAP installation:

.. code-block:: yaml

  apiVersion: certmanager.onap.org/v1
  kind: CMPv2Issuer
  metadata:
    name: cmpv2-issuer-onap
    namespace: onap
  spec:
    url: https://oom-cert-service:8443
    healthEndpoint: actuator/health
    certEndpoint: v1/certificate
    caName: RA
    certSecretRef:
      name: cmpv2-issuer-secret
      certRef: cmpv2Issuer-cert.pem
      keyRef: cmpv2Issuer-key.pem
      cacertRef: cacert.pem


Certificate enrolling
------------------------------

In order to request a certificate a K8s *Certificate* CRD (Custom Resource Definition) has to be created.

It is important that in the section issuerRef following attributes have those values:

- group: certmanager.onap.org

- kind: CMPv2Issuer

After *Certificate* CRD has been placed cert manager will send a *CSR* (Certificate Sign Request) to CA (Certificate Authority) via CMPv2 provider.
Signed certificate as well as trust anchor (CA root certificate) will be stored in the K8s *secret* specified in *Certificate* CRD (see secretName attribute).

By default certificates will be stored in PEM format. It is possible to get certificates also in JKS and P12 format - see example below - more information can be found on official cert manager page.

The following SANs types are supported: DNS names, IPs, URIs, emails.

Here is an example of a *Certificate*:

.. code-block:: yaml

  apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    name: certificate_name
    namespace: onap
  spec:
    # The secret name to store the signed certificate
    secretName: secret_name
    # Common Name
    commonName: certissuer.onap.org
    subject:
      organizations:
        - Linux-Foundation
      countries:
        - US
      localities:
        - San-Francisco
      provinces:
        - California
      organizationalUnits:
        - ONAP
    # SANs
    dnsNames:
      - localhost
      - certissuer.onap.org
    ipAddresses:
      - "127.0.0.1"
    uris:
      - onap://cluster.local/
    emailAddresses:
      - onap@onap.org
    # The reference to the CMPv2 issuer
    issuerRef:
      group: certmanager.onap.org
      kind: CMPv2Issuer
      name: cmpv2-issuer-onap
    # Section keystores is optional and defines in which format certificates will be stored
    # If this section is omitted than only PEM format will be present in the secret
    keystores:
        jks:
          create: true
          passwordSecretRef: # Password used to encrypt the keystore
            name: certservice-key
            key: key
        pkcs12:
          create: true
          passwordSecretRef: # Password used to encrypt the keystore
            name: certservice-key
            key: key


Here is an example of generated *secret* containing certificates:

.. code-block:: yaml

    Name:         secret_name
    Namespace:    onap
    Labels:       <none>
    Annotations:  cert-manager.io/alt-names: localhost,certissuer.onap.org
                  cert-manager.io/certificate-name: certificate_name
                  cert-manager.io/common-name: certissuer.onap.org
                  cert-manager.io/ip-sans:
                  cert-manager.io/issuer-group: certmanager.onap.org
                  cert-manager.io/issuer-kind: CMPv2Issuer
                  cert-manager.io/issuer-name: cmpv2-issuer-onap
                  cert-manager.io/uri-sans:

    Type:  kubernetes.io/tls

    Data
    ====
    tls.crt:         1675 bytes  <-- Certificate (PEM)
    tls.key:         1679 bytes  <-- Private Key (PEM)
    truststore.jks:  1265 bytes  <-- Trusted anchors (JKS)
    ca.crt:          1692 bytes  <-- Trusted anchors (PEM)
    keystore.jks:    3786 bytes  <-- Certificate and Private Key (JKS)
    keystore.p12:    4047 bytes  <-- Certificate and Private Key (P12)