2 # Copyright © 2020 Bell Canada, Samsung Electronics
3 # Copyright © 2021 Orange
5 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at
9 # http://www.apache.org/licenses/LICENSE-2.0
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and
15 # limitations under the License.
{{/*
Name of the volume shared by the AAF init container (mounted at
$initRoot.mountPath) and the application (mounted at $initRoot.appMountPath,
see _volumeMount). Renders "<common.fullname>-aaf-config" so the init
container, the volumeMount and the volume definition always agree.
*/}}
20 {{- define "common.certInitializer._aafConfigVolumeName" -}}
21 {{ include "common.fullname" . }}-aaf-config
{{/*
Name of the volume that carries the helper scripts (retrieval_check.sh,
tls_certs_configure.sh, aaf-add-config.sh) into the AAF init container.
Always the literal "aaf-add-config"; it is backed by the
"<common.fullname>-add-config" ConfigMap in _volumes.
*/}}
24 {{- define "common.certInitializer._aafAddConfigVolumeName" -}}
25 {{ print "aaf-add-config" }}
29 Common templates to enable cert initialization for applications
31 In deployments/jobs/stateful include:
33 {{ include "common.certInitializer.initContainer" . | nindent XX }}
37 {{- include "common.certInitializer.volumeMount" . | nindent XX }}
39 {{- include "common.certInitializer.volume" . | nindent XX}}
{{/*
Init container that runs the AAF agent (agent.sh, then retrieval_check.sh and
the optional helper scripts) to obtain the component's certificates.

Invocation: pass "." or a dict with "dot" (chart root) and, optionally,
"initRoot" (defaults to .Values.certInitializer). $subchartDot is resolved
through common.subChartDot so image and global settings come from the right
chart when used from a subchart.

Values read from $initRoot: mountPath, fqi, fqdn, app_ns, aaf_add_config,
optional aaf_namespace, ingressTlsSecret (presence of the key only),
cadi_longitude / cadi_latitude and public_fqdn.
Deployer credentials are taken from the "deployer-creds" secret through
common.secret.envFromSecretFast; they are never read from plain values.
*/}}
41 {{- define "common.certInitializer._initContainer" -}}
42 {{- $dot := default . .dot -}}
43 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
44 {{- $initName := default "certInitializer" -}}
{{- /* NOTE(review): $initName is assigned but not referenced anywhere below; confirm it is still needed */ -}}
45 {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
{{- /* Readiness-wait container(s) for the dependencies declared on $subchartDot (see common.readinessCheck.waitFor) */}}
46 {{ include "common.readinessCheck.waitFor" $subchartDot }}
47 - name: {{ include "common.name" $dot }}-aaf-config
48 image: {{ include "repositoryGenerator.repository" $subchartDot }}/{{ $subchartDot.Values.global.aafAgentImage }}
49 imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
53 - mountPath: {{ $initRoot.mountPath }}
54 name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
55 - mountPath: /opt/app/aaf_config/cert/truststoreONAPall.jks.b64
57 subPath: truststoreONAPall.jks.b64
58 - mountPath: /opt/app/aaf_config/cert/truststoreONAP.p12.b64
60 subPath: truststoreONAP.p12.b64
61 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
62 mountPath: /opt/app/aaf_config/bin/retrieval_check.sh
63 subPath: retrieval_check.sh
{{- /* hasKey tests only that the key exists: an ingressTlsSecret set to an empty value still enables the script mount and its execution below */}}
64 {{- if hasKey $initRoot "ingressTlsSecret" }}
65 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
66 mountPath: /opt/app/aaf_config/bin/tls_certs_configure.sh
67 subPath: tls_certs_configure.sh
69 {{- if $initRoot.aaf_add_config }}
70 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
71 mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh
72 subPath: aaf-add-config.sh
78 /opt/app/aaf_config/bin/agent.sh
79 . /opt/app/aaf_config/bin/retrieval_check.sh
80 {{- if hasKey $initRoot "ingressTlsSecret" }}
81 /opt/app/aaf_config/bin/tls_certs_configure.sh
83 {{- if $initRoot.aaf_add_config }}
84 /opt/app/aaf_config/bin/aaf-add-config.sh
88 value: "{{ $initRoot.fqi }}"
{{- /* Locator endpoint: an explicit aaf_namespace wins, otherwise the alternative below targets the release namespace; both use https on 8095 */}}
89 {{- if $initRoot.aaf_namespace }}
90 - name: aaf_locate_url
91 value: "https://aaf-locate.{{ $initRoot.aaf_namespace }}:8095"
92 - name: aaf_locator_container_ns
93 value: "{{ $initRoot.aaf_namespace }}"
95 - name: aaf_locate_url
96 value: "https://aaf-locate.{{ $dot.Release.Namespace }}:8095"
97 - name: aaf_locator_container_ns
98 value: "{{ $dot.Release.Namespace }}"
100 - name: aaf_locator_container
102 - name: aaf_locator_fqdn
103 value: "{{ $initRoot.fqdn }}"
104 - name: aaf_locator_app_ns
105 value: "{{ $initRoot.app_ns }}"
{{- /* Deployer login/password are injected from the "deployer-creds" secret (uid) via envFromSecretFast rather than inlined from values */}}
107 {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "login") | indent 6 }}
108 - name: DEPLOY_PASSWORD
109 {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "password") | indent 6 }}
110 #Note: want to put this on Nodes, eventually
{{- /* Coordinates default to 52.3 / 13.2 when not set in values */}}
111 - name: cadi_longitude
112 value: "{{ default "52.3" $initRoot.cadi_longitude }}"
113 - name: cadi_latitude
114 value: "{{ default "13.2" $initRoot.cadi_latitude }}"
115 #Hello specific. Clients don't need this, unless Registering with AAF Locator
116 - name: aaf_locator_public_fqdn
117 value: "{{ $initRoot.public_fqdn | default "" }}"
121 This init container will import custom .pem certificates to truststoreONAPall.jks
122 Custom certificates must be placed in the common/certInitializer/resources directory.
124 The feature is enabled by setting Values.global.importCustomCertsEnabled = true
125 It can be used independently of aafEnabled, however it requires the same includes
126 as described above for _initContainer.
128 When AAF is enabled, truststoreONAPall.jks (which contains the AAF CA) will be used
129 to import custom certificates, otherwise the default java keystore will be used.
131 The updated truststore file will be placed in /updatedTruststore and can be mounted per component
132 to a specific path by defining Values.certInitializer.truststoreMountpath (see _trustStoreVolumeMount).
133 The truststore file will be available to mount even if no custom certificates were imported.
{{/*
Init container that runs /root/import-custom-certs.sh (taken from the
aaf-agent-certs volume) to import the certificates mounted under /more_certs
and leave the resulting truststore under /updatedTruststore (see the
description above).

Invocation is the same as _initContainer ("." or a dict with "dot" /
"initRoot"). Environment: the global.aafEnabled flag,
TRUSTSTORE_OUTPUT_FILENAME from $initRoot.truststoreOutputFileName, and
TRUSTSTORE_PASSWORD, which is sourced from the "truststore-creds" secret via
common.secret.envFromSecretFast instead of being written into the manifest.
Image: the JRE image resolved by repositoryGenerator.image.jre.
*/}}
135 {{- define "common.certInitializer._initImportCustomCertsContainer" -}}
136 {{- $dot := default . .dot -}}
137 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
138 {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
139 - name: {{ include "common.name" $dot }}-import-custom-certs
140 image: {{ include "repositoryGenerator.image.jre" $subchartDot }}
141 imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
147 - /root/import-custom-certs.sh
150 value: "{{ $subchartDot.Values.global.aafEnabled }}"
151 - name: TRUSTSTORE_OUTPUT_FILENAME
152 value: "{{ $initRoot.truststoreOutputFileName }}"
153 - name: TRUSTSTORE_PASSWORD
154 {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "truststore-creds" "key" "password") | indent 6 }}
157 name: aaf-agent-certs
{{- /* /more_certs is the provided-custom-certs volume (global.customCertsSecret or global.customCertsConfigMap, see _volumes) */}}
158 - mountPath: /more_certs
159 name: provided-custom-certs
160 - mountPath: /root/import-custom-certs.sh
161 name: aaf-agent-certs
162 subPath: import-custom-certs.sh
163 - mountPath: /updatedTruststore
164 name: updated-truststore
{{/*
Application-side mount of the AAF config volume: the same volume the init
container mounts at $initRoot.mountPath is exposed to the application at
$initRoot.appMountPath. Accepts "." or a dict with "dot" / "initRoot".
*/}}
167 {{- define "common.certInitializer._volumeMount" -}}
168 {{- $dot := default . .dot -}}
169 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
170 - mountPath: {{ $initRoot.appMountPath }}
171 name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
175 This is used together with _initImportCustomCertsContainer.
176 It mounts the updated truststore (with imported custom certificates) to the
177 truststoreMountpath defined in the values file for the component.
{{/*
Mounts the truststore produced by _initImportCustomCertsContainer into the
application container, at
$initRoot.truststoreMountpath/$initRoot.truststoreOutputFileName.

Guarded by `len truststoreMountpath > 0`: only a non-empty path renders the
mount. Because the guard uses `len`, a truststoreMountpath key that is absent
(nil) appears to fail the template render rather than being skipped — keep the
key present, even if empty, in values (confirm).

The second mount overlays /etc/ssl/certs/ca-certificates.crt with the
ca-certificates.crt file from the same volume: the container's system CA
bundle is replaced by the one assembled by the init container, so every TLS
client in the container that relies on the system bundle trusts exactly that
set of CAs and nothing else.
*/}}
179 {{- define "common.certInitializer._trustStoreVolumeMount" -}}
180 {{- $dot := default . .dot -}}
181 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
182 {{- if gt (len $initRoot.truststoreMountpath) 0 }}
183 - mountPath: {{ $initRoot.truststoreMountpath }}/{{ $initRoot.truststoreOutputFileName }}
184 name: updated-truststore
185 subPath: {{ $initRoot.truststoreOutputFileName }}
{{- /* Replaces the system CA bundle with the init container's ca-certificates.crt; intentional, but note it affects all TLS clients in the container */}}
186 - mountPath: /etc/ssl/certs/ca-certificates.crt
187 name: updated-truststore
188 subPath: ca-certificates.crt
{{/*
Pod volumes backing the mounts above:
  - "<fullname>-aaf-config": shared between the AAF init container and the app.
  - aaf-agent-certs: the ConfigMap named by Values.certsCMName (rendered with
    tpl against $subchartDot); provides the import script and the bundled
    truststores.
  - provided-custom-certs (only with global.importCustomCertsEnabled): the
    operator-supplied certificates, from global.customCertsSecret or
    global.customCertsConfigMap.
  - "aaf-add-config": the "<fullname>-add-config" ConfigMap with the helper
    scripts.
  - updated-truststore (only with global.importCustomCertsEnabled): output of
    the custom-cert import.
Accepts "." or a dict with "dot" / "initRoot"; $initRoot here only feeds
common.subChartDot.
*/}}
192 {{- define "common.certInitializer._volumes" -}}
193 {{- $dot := default . .dot -}}
194 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
195 {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot))}}
196 - name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
199 - name: aaf-agent-certs
201 name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }}
203 {{- if $dot.Values.global.importCustomCertsEnabled }}
204 - name: provided-custom-certs
{{- /* NOTE(review): the customCertsSecret and customCertsConfigMap conditions are not mutually exclusive as written; if both values are set, one volume would get both a secret and a configMap source, which is not a valid volume spec — confirm the full template guards against this */}}
205 {{- if $dot.Values.global.customCertsSecret }}
207 secretName: {{ $dot.Values.global.customCertsSecret }}
209 {{- if $dot.Values.global.customCertsConfigMap }}
211 name: {{ $dot.Values.global.customCertsConfigMap }}
218 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
220 name: {{ include "common.fullname" $subchartDot }}-add-config
222 {{- if $dot.Values.global.importCustomCertsEnabled }}
223 - name: updated-truststore
{{/*
Public entry point: renders the init containers a component needs, in this
order: the custom-cert importer (when global.importCustomCertsEnabled) and
then the AAF agent container (when global.aafEnabled). Both can be present.
The caller's context (".") is forwarded unchanged to the private templates,
so the dict form with "dot" / "initRoot" works here too.
*/}}
228 {{- define "common.certInitializer.initContainer" -}}
229 {{- $dot := default . .dot -}}
230 {{- if $dot.Values.global.importCustomCertsEnabled }}
231 {{ include "common.certInitializer._initImportCustomCertsContainer" . }}
233 {{- if $dot.Values.global.aafEnabled }}
234 {{ include "common.certInitializer._initContainer" . }}
{{/*
Public entry point: the application-container volumeMounts matching
initContainer — the AAF config mount when global.aafEnabled and the updated
truststore mounts (including the /etc/ssl/certs/ca-certificates.crt overlay)
when global.importCustomCertsEnabled. "." is forwarded to the private
templates.
*/}}
238 {{- define "common.certInitializer.volumeMount" -}}
239 {{- $dot := default . .dot -}}
240 {{- if $dot.Values.global.aafEnabled }}
241 {{- include "common.certInitializer._volumeMount" . }}
243 {{- if $dot.Values.global.importCustomCertsEnabled }}
244 {{- include "common.certInitializer._trustStoreVolumeMount" . }}
{{/*
Public entry point: the pod volumes from _volumes, rendered when either
global.aafEnabled or global.importCustomCertsEnabled is set. _volumes itself
decides per volume which of the two flags applies. "." is forwarded unchanged.
*/}}
248 {{- define "common.certInitializer.volumes" -}}
249 {{- $dot := default . .dot -}}
250 {{- if or ($dot.Values.global.aafEnabled ) ($dot.Values.global.importCustomCertsEnabled) }}
251 {{- include "common.certInitializer._volumes" . }}