2 # Copyright © 2020, Nokia
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.*/}}
17 # This is a template for requesting a certificate from the cert-manager (https://cert-manager.io).
19 # To request a certificate, the following steps are required:
20 # - create an object 'certificates' in the values.yaml
21 # - create a file templates/certificates.yaml and invoke the function "common.certificate".
23 # Here is an example of the certificate request for a component:
25 # Directory structure:
31 # To be added in the file certificates.yaml
33 # To be added in the file values.yaml
34 # 1. Minimal version (certificates only in PEM format)
36 # - name: onap-component-certificate
37 # secretName: onap-component-certificate
38 # commonName: component.onap.org
39 # 2. Extended version (with its own issuer defined and an additional certificate format):
41 # - name: onap-component-certificate
42 # secretName: onap-component-certificate
43 # commonName: component.onap.org
45 # - component.onap.org
47 # group: certmanager.onap.org
49 # name: cmpv2-issuer-for-the-component
61 # The fields 'name', 'secretName' and 'commonName' are mandatory and must be defined.
62 # Other mandatory fields of the certificate definition do not have to be defined directly;
63 # if they are omitted, they are taken from the default values.
65 # Default values are defined in the file onap/values.yaml (see global.certificate.default)
66 # and can be overridden during the ONAP installation process.
70 {{- define "common.certificate" -}}
71 {{- $dot := default . .dot -}}
72 {{- $certificates := $dot.Values.certificates -}}
74 {{ range $certificate := $certificates }}
75 {{/*# General certifiacate attributes #*/}}
76 {{- $name := $certificate.name -}}
77 {{- $secretName := $certificate.secretName -}}
78 {{- $commonName := default $dot.Values.global.certificate.default.commonName $certificate.commonName -}}
79 {{- $renewBefore := default $dot.Values.global.certificate.default.renewBefore $certificate.renewBefore -}}
80 {{- $duration := $certificate.duration -}}
81 {{- $namespace := default $dot.Release.Namespace $dot.Values.global.certificate.default.namespace -}}
82 {{- if $certificate.namespace -}}
83 {{- $namespace = default $namespace $certificate.namespace -}}
86 {{- $dnsNames := default $dot.Values.global.certificate.default.dnsNames $certificate.dnsNames -}}
87 {{- $ipAddresses := default $dot.Values.global.certificate.default.ipAddresses $certificate.ipAddresses -}}
88 {{- $uris := default $dot.Values.global.certificate.default.uris $certificate.uris -}}
89 {{- $emailAddresses := default $dot.Values.global.certificate.default.emailAddresses $certificate.emailAddresses -}}
91 {{- $subject := $dot.Values.global.certificate.default.subject -}}
92 {{- if $certificate.subject -}}
93 {{- $subject = mergeOverwrite $subject $certificate.subject -}}
96 {{- $issuer := $dot.Values.global.certificate.default.issuer -}}
97 {{- if $certificate.issuer -}}
98 {{- $issuer = mergeOverwrite $issuer $certificate.issuer -}}
100 {{/*# Keystores #*/}}
101 {{- $createJksKeystore := $dot.Values.global.certificate.default.jksKeystore.create -}}
102 {{- $jksKeystorePasswordSecretName := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.name -}}
103 {{- $jksKeystorePasswordSecreKey := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.key -}}
104 {{- $createP12Keystore := $dot.Values.global.certificate.default.p12Keystore.create -}}
105 {{- $p12KeystorePasswordSecretName := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.name -}}
106 {{- $p12KeystorePasswordSecreKey := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.key -}}
107 {{- if $certificate.jksKeystore -}}
108 {{- $createJksKeystore = default $createJksKeystore $certificate.jksKeystore.create -}}
109 {{- if $certificate.jksKeystore.passwordSecretRef -}}
110 {{- $jksKeystorePasswordSecretName = default $jksKeystorePasswordSecretName $certificate.jksKeystore.passwordSecretRef.name -}}
111 {{- $jksKeystorePasswordSecreKey = default $jksKeystorePasswordSecreKey $certificate.jksKeystore.passwordSecretRef.key -}}
114 {{- if $certificate.p12Keystore -}}
115 {{- $createP12Keystore = default $createP12Keystore $certificate.p12Keystore.create -}}
116 {{- if $certificate.p12Keystore.passwordSecretRef -}}
117 {{- $p12KeystorePasswordSecretName = default $p12KeystorePasswordSecretName $certificate.p12Keystore.passwordSecretRef.name -}}
118 {{- $p12KeystorePasswordSecreKey = default $p12KeystorePasswordSecreKey $certificate.p12Keystore.passwordSecretRef.key -}}
122 apiVersion: cert-manager.io/v1
126 namespace: {{ $namespace }}
128 secretName: {{ $secretName }}
129 commonName: {{ $commonName }}
130 renewBefore: {{ $renewBefore }}
132 duration: {{ $duration }}
136 - {{ $subject.organization }}
138 - {{ $subject.country }}
140 - {{ $subject.locality }}
142 - {{ $subject.province }}
144 - {{ $subject.organizationalUnit }}
147 {{- range $dnsName := $dnsNames }}
151 {{- if $ipAddresses }}
153 {{- range $ipAddress := $ipAddresses }}
159 {{- range $uri := $uris }}
163 {{- if $emailAddresses }}
165 {{- range $emailAddress := $emailAddresses }}
166 - {{ $emailAddress }}
170 group: {{ $issuer.group }}
171 kind: {{ $issuer.kind }}
172 name: {{ $issuer.name }}
173 {{- if or $createJksKeystore $createP12Keystore }}
175 {{- if $createJksKeystore }}
177 create: {{ $createJksKeystore }}
179 name: {{ $jksKeystorePasswordSecretName }}
180 key: {{ $jksKeystorePasswordSecreKey }}
182 {{- if $createP12Keystore }}
184 create: {{ $createP12Keystore }}
186 name: {{ $p12KeystorePasswordSecretName }}
187 key: {{ $p12KeystorePasswordSecreKey }}