2 # Copyright © 2020 Bell Canada, Samsung Electronics
3 # Copyright © 2021 Orange
5 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at
9 # http://www.apache.org/licenses/LICENSE-2.0
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and
15 # limitations under the License.
{{/*
  Name of the volume that carries the AAF agent output: common.fullname of the
  caller plus the "-aaf-config" suffix. Used by _initContainer, _volumeMount and
  _volumes so that the init container and the application mount the same volume.
  The closing end of this define is not shown here.
*/}}
20 {{- define "common.certInitializer._aafConfigVolumeName" -}}
21 {{ include "common.fullname" . }}-aaf-config
{{/*
  Fixed name of the volume that holds the helper scripts (retrieval_check.sh,
  tls_certs_configure.sh, aaf-add-config.sh) mounted and executed by _initContainer.
  The literal is not release-specific; the backing object is set in _volumes.
  The closing end of this define is not shown here.
*/}}
24 {{- define "common.certInitializer._aafAddConfigVolumeName" -}}
25 {{ print "aaf-add-config" }}
29 common templates to enable cert initialization for applications
31 In deployments/jobs/stateful include:
33 {{ include "common.certInitializer.initContainer" . | nindent XX }}
37 {{- include "common.certInitializer.volumeMount" . | nindent XX }}
39 {{- include "common.certInitializer.volume" . | nindent XX}}
{{/*
  AAF agent init container. Emits the readiness wait (common.readinessCheck.waitFor)
  followed by the container that runs /opt/app/aaf_config/bin/agent.sh and the helper
  scripts mounted from the add-config volume, with the AAF locator and credential
  environment. Several lines of this template (volumeMounts:/command:/env: keys,
  the volume names of the .b64 truststore mounts, else/end lines) are not shown here;
  only the visible lines are documented.
*/}}
41 {{- define "common.certInitializer._initContainer" -}}
42 {{- $dot := default . .dot -}}
43 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
{{- /* NOTE(review): $initName is assigned but not referenced anywhere in the visible lines — confirm it is unused before removing it. */ }}
44 {{- $initName := default "certInitializer" -}}
45 {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
46 {{ include "common.readinessCheck.waitFor" $subchartDot }}
47 - name: {{ include "common.name" $dot }}-aaf-config
{{- /* Image reference is repository + global.aafAgentImage as given in values; whether it is pinned by digest or only by tag depends on that value, not on this template. */ }}
48 image: {{ include "repositoryGenerator.repository" $subchartDot }}/{{ $subchartDot.Values.global.aafAgentImage }}
49 imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
{{- /* Agent output directory; the same volume is mounted into the application by _volumeMount at appMountPath. */ }}
51 - mountPath: {{ $initRoot.mountPath }}
52 name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
{{- /* Base64-encoded truststores supplied through subPath mounts; their volume name lines are not shown here. */ }}
53 - mountPath: /opt/app/aaf_config/cert/truststoreONAPall.jks.b64
55 subPath: truststoreONAPall.jks.b64
56 - mountPath: /opt/app/aaf_config/cert/truststoreONAP.p12.b64
58 subPath: truststoreONAP.p12.b64
{{- /* Helper scripts are mounted file by file (subPath) from the add-config volume and executed below. Whoever can modify the object backing that volume (see _volumes) controls what this init container runs, so write access to it should be as restricted as the Secrets it handles. */ }}
59 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
60 mountPath: /opt/app/aaf_config/bin/retrieval_check.sh
61 subPath: retrieval_check.sh
{{- /* Optional scripts; each mount is guarded by the same condition as its execution further down. */ }}
62 {{- if hasKey $initRoot "ingressTlsSecret" }}
63 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
64 mountPath: /opt/app/aaf_config/bin/tls_certs_configure.sh
65 subPath: tls_certs_configure.sh
67 {{- if $initRoot.aaf_add_config }}
68 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
69 mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh
70 subPath: aaf-add-config.sh
{{- /* Container entry point (its command:/args: lines are not shown): run the agent, source retrieval_check.sh, then the optional scripts under the same guards as their mounts above. */ }}
76 /opt/app/aaf_config/bin/agent.sh
77 . /opt/app/aaf_config/bin/retrieval_check.sh
78 {{- if hasKey $initRoot "ingressTlsSecret" }}
79 /opt/app/aaf_config/bin/tls_certs_configure.sh
81 {{- if $initRoot.aaf_add_config }}
82 /opt/app/aaf_config/bin/aaf-add-config.sh
{{- /* Agent identity (fqi); the env var name line preceding this value is not shown. */ }}
86 value: "{{ $initRoot.fqi }}"
{{- /* AAF locator over HTTPS on 8095: in aaf_namespace when set, otherwise in the release namespace. The else line between the two branches is not shown. */ }}
87 {{- if $initRoot.aaf_namespace }}
88 - name: aaf_locate_url
89 value: "https://aaf-locate.{{ $initRoot.aaf_namespace }}:8095"
90 - name: aaf_locator_container_ns
91 value: "{{ $initRoot.aaf_namespace }}"
93 - name: aaf_locate_url
94 value: "https://aaf-locate.{{ $dot.Release.Namespace }}:8095"
95 - name: aaf_locator_container_ns
96 value: "{{ $dot.Release.Namespace }}"
{{- /* The value line of aaf_locator_container is not shown. */ }}
98 - name: aaf_locator_container
100 - name: aaf_locator_fqdn
101 value: "{{ $initRoot.fqdn }}"
102 - name: aaf_locator_app_ns
103 value: "{{ $initRoot.app_ns }}"
{{- /* Deployer credentials are injected from the deployer-creds Secret via common.secret.envFromSecretFast rather than inlined in the template; the env var name line for the login entry is not shown. */ }}
105 {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "login") | indent 6 }}
106 - name: DEPLOY_PASSWORD
107 {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "password") | indent 6 }}
{{- /* Fixed fallback coordinates ("52.3"/"13.2") when cadi_longitude/cadi_latitude are not set in values. */ }}
108 #Note: want to put this on Nodes, eventually
109 - name: cadi_longitude
110 value: "{{ default "52.3" $initRoot.cadi_longitude }}"
111 - name: cadi_latitude
112 value: "{{ default "13.2" $initRoot.cadi_latitude }}"
113 #Hello specific. Clients don't need this, unless Registering with AAF Locator
114 - name: aaf_locator_public_fqdn
115 value: "{{ $initRoot.public_fqdn | default "" }}"
119 This init container will import custom .pem certificates to truststoreONAPall.jks
120 Custom certificates must be placed in common/certInitializer/resources directory.
122 The feature is enabled by setting Values.global.importCustomCertsEnabled = true
123 It can be used independently of aafEnabled, however it requires the same includes
124 as described above for _initContainer.
126 When AAF is enabled the truststoreONAPall.jks (which contains AAF CA) will be used
127 to import custom certificates, otherwise the default java keystore will be used.
129 The updated truststore file will be placed in /updatedTruststore and can be mounted per component
130 to a specific path by defining Values.certInitializer.truststoreMountpath (see _trustStoreVolumeMount)
131 The truststore file will be available to mount even if no custom certificates were imported.
{{/*
  Init container that imports custom certificates into the truststore. It runs
  /root/import-custom-certs.sh (mounted from the aaf-agent-certs volume) in the JRE
  image, reads extra certificates from /more_certs and writes the result to
  /updatedTruststore. The command:/env:/volumeMounts: keys, the mountPath of the
  first volumeMount and the name of the first env entry are not shown here.
*/}}
133 {{- define "common.certInitializer._initImportCustomCertsContainer" -}}
134 {{- $dot := default . .dot -}}
135 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
136 {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
137 - name: {{ include "common.name" $dot }}-import-custom-certs
138 image: {{ include "repositoryGenerator.image.jre" $subchartDot }}
139 imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
{{- /* The executed script comes from the aaf-agent-certs volume (subPath mount below); changing that object changes what this container runs, so keep its write access restricted. */ }}
145 - /root/import-custom-certs.sh
{{- /* Carries global.aafEnabled; the env var name line is not shown. */ }}
148 value: "{{ $subchartDot.Values.global.aafEnabled }}"
149 - name: TRUSTSTORE_OUTPUT_FILENAME
150 value: "{{ $initRoot.truststoreOutputFileName }}"
{{- /* Truststore password is taken from the truststore-creds Secret, not from values. */ }}
151 - name: TRUSTSTORE_PASSWORD
152 {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "truststore-creds" "key" "password") | indent 6 }}
155 name: aaf-agent-certs
{{- /* Everything placed in this volume is imported as a trust anchor for the component. _volumes sources it from global.customCertsSecret / global.customCertsConfigMap, so those objects deserve the same write protection as the truststore password. */ }}
156 - mountPath: /more_certs
157 name: provided-custom-certs
158 - mountPath: /root/import-custom-certs.sh
159 name: aaf-agent-certs
160 subPath: import-custom-certs.sh
{{- /* Output location; _trustStoreVolumeMount mounts files from this volume into the application container. */ }}
161 - mountPath: /updatedTruststore
162 name: updated-truststore
{{/*
  Mounts the AAF agent output volume (filled by _initContainer at mountPath) into the
  application container at appMountPath. The closing end of this define is not shown.
*/}}
165 {{- define "common.certInitializer._volumeMount" -}}
166 {{- $dot := default . .dot -}}
167 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
168 - mountPath: {{ $initRoot.appMountPath }}
169 name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
173 This is used together with _initImportCustomCertsContainer
174 It mounts the updated truststore (with imported custom certificates) to the
175 truststoreMountpath defined in the values file for the component.
{{/*
  Volume mounts for the truststore produced by _initImportCustomCertsContainer, emitted
  only when truststoreMountpath is non-empty. The end lines of this define are not shown.
*/}}
177 {{- define "common.certInitializer._trustStoreVolumeMount" -}}
178 {{- $dot := default . .dot -}}
179 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
{{- /* NOTE(review): `len` of a missing/nil truststoreMountpath fails the render instead of skipping the mount — confirm values always define the key (an empty string is enough). */ }}
180 {{- if gt (len $initRoot.truststoreMountpath) 0 }}
181 - mountPath: {{ $initRoot.truststoreMountpath }}/{{ $initRoot.truststoreOutputFileName }}
182 name: updated-truststore
183 subPath: {{ $initRoot.truststoreOutputFileName }}
{{- /* Replaces the application container's system CA bundle with ca-certificates.crt from the updated-truststore volume, so non-Java TLS clients in that container trust exactly what the import step produced. Whether the volume always contains this file is not visible here. */ }}
184 - mountPath: /etc/ssl/certs/ca-certificates.crt
185 name: updated-truststore
186 subPath: ca-certificates.crt
{{/*
  Volumes backing the cert initializer containers: the agent output volume, the
  aaf-agent-certs object (name from certsCMName), the optional provided-custom-certs
  source, the add-config object holding the helper scripts, and the updated-truststore
  output. Volume type keys (configMap:/secret:/emptyDir:) and else/end lines are not
  shown here, so only the visible names and conditions are documented.
*/}}
190 {{- define "common.certInitializer._volumes" -}}
191 {{- $dot := default . .dot -}}
192 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
{{- /* NOTE(review): builds $subchartDot inline with mergeOverwrite while _initContainer and _initImportCustomCertsContainer call common.subChartDot — presumably equivalent; confirm before consolidating. */ }}
193 {{- $subchartDot := mergeOverwrite (deepCopy (omit $dot "Values")) (dict "Chart" (set (fromJson (toJson $dot.Chart)) "Name" $initRoot.nameOverride) "Values" (mergeOverwrite (deepCopy $initRoot) (dict "global" $dot.Values.global))) }}
194 - name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
{{- /* import-custom-certs.sh executed by the import init container is loaded from this object, so write access to it is effectively code execution in that container — restrict it accordingly. */ }}
197 - name: aaf-agent-certs
199 name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }}
{{- /* Source of the custom certificates that become trust anchors; the Secret condition is checked first, then the ConfigMap one. Whether the two are exclusive depends on else/end lines not shown here. */ }}
201 {{- if $dot.Values.global.importCustomCertsEnabled }}
202 - name: provided-custom-certs
203 {{- if $dot.Values.global.customCertsSecret }}
205 secretName: {{ $dot.Values.global.customCertsSecret }}
207 {{- if $dot.Values.global.customCertsConfigMap }}
209 name: {{ $dot.Values.global.customCertsConfigMap }}
{{- /* Helper scripts for _initContainer, backed by the release's "-add-config" object. */ }}
216 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
218 name: {{ include "common.fullname" $subchartDot }}-add-config
{{- /* Output volume of the import container; its type line is not shown. */ }}
220 {{- if $dot.Values.global.importCustomCertsEnabled }}
221 - name: updated-truststore
{{/*
  Public entry point for init containers: emits the custom-cert import container when
  global.importCustomCertsEnabled and the AAF agent container when global.aafEnabled.
  NOTE(review): Kubernetes runs init containers sequentially in listed order, so the
  import container precedes the AAF agent container here although the import step is
  documented above as building on the AAF truststore when AAF is enabled — confirm this
  ordering is intended. The end lines of the conditionals are not shown.
*/}}
226 {{- define "common.certInitializer.initContainer" -}}
227 {{- $dot := default . .dot -}}
228 {{- if $dot.Values.global.importCustomCertsEnabled }}
229 {{ include "common.certInitializer._initImportCustomCertsContainer" . }}
231 {{- if $dot.Values.global.aafEnabled }}
232 {{ include "common.certInitializer._initContainer" . }}
{{/*
  Public entry point for application volumeMounts: the AAF agent output mount when
  global.aafEnabled, and the updated truststore mounts (including the system CA bundle
  override) when global.importCustomCertsEnabled. The end lines are not shown.
*/}}
236 {{- define "common.certInitializer.volumeMount" -}}
237 {{- $dot := default . .dot -}}
238 {{- if $dot.Values.global.aafEnabled }}
239 {{- include "common.certInitializer._volumeMount" . }}
241 {{- if $dot.Values.global.importCustomCertsEnabled }}
242 {{- include "common.certInitializer._trustStoreVolumeMount" . }}
246 {{- define "common.certInitializer.volumes" -}}
247 {{- $dot := default . .dot -}}
248 {{- if or ($dot.Values.global.aafEnabled ) ($dot.Values.global.importCustomCertsEnabled) }}
249 {{- include "common.certInitializer._volumes" . }}