[AAF SMS] Use certInitializer for certificates

[oom.git] / kubernetes / aaf / components / aaf-cert-service / values.yaml

diff --git a/kubernetes/aaf/components/aaf-cert-service/values.yaml b/kubernetes/aaf/components/aaf-cert-service/values.yaml
new file mode 100644 (file)
index 0000000..17b0b75
--- /dev/null
+++ b/kubernetes/aaf/components/aaf-cert-service/values.yaml
@@ -0,0 +1,160 @@
+# Copyright © 2020, Nokia
+# Modifications Copyright  © 2020, Nordix Foundation, Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Global
+global:
+  envsubstImage: dibi/envsubst
+  nodePortPrefix: 302
+  # Readiness image
+  readinessRepository: oomk8s
+  readinessImage: readiness-check:2.0.2
+  # Ubuntu Init image
+  ubuntuInitRepository: registry.hub.docker.com
+  ubuntuInitImage: oomk8s/ubuntu-init:2.0.0
+  # Logging image
+  loggingRepository: docker.elastic.co
+  loggingImage: beats/filebeat:5.5.0
+  # BusyBox image
+  busyboxRepository: registry.hub.docker.com
+  busyboxImage: library/busybox:1.31
+  persistence:
+    enabled: true
+  # Standard OOM
+  pullPolicy: "Always"
+  repository: "nexus3.onap.org:10001"
+
+
+# Service configuration
+service:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 8443
+      port_protocol: http
+
+
+# Deployment configuration
+repository: nexus3.onap.org:10001
+image: onap/org.onap.aaf.certservice.aaf-certservice-api:1.0.0
+pullPolicy: Always
+replicaCount: 1
+
+liveness:
+  initialDelaySeconds: 60
+  periodSeconds: 10
+  command: curl https://localhost:$HTTPS_PORT/actuator/health --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
+readiness:
+  initialDelaySeconds: 30
+  periodSeconds: 10
+  command: curl https://localhost:$HTTPS_PORT/ready --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
+
+flavor: small
+resources:
+  small:
+    limits:
+      cpu: 0.5
+      memory: 1Gi
+    requests:
+      cpu: 0.2
+      memory: 512Mi
+  large:
+    limits:
+      cpu: 1
+      memory: 2Gi
+    requests:
+      cpu: 0.4
+      memory: 1Gi
+  unlimited: {}
+
+
+# Application configuration
+cmpServers:
+  secret:
+    name: aaf-cert-service-secret
+  volume:
+    name: aaf-cert-service-volume
+    mountPath: /etc/onap/aaf/certservice
+
+tls:
+  server:
+    secret:
+      name: aaf-cert-service-server-tls-secret
+    volume:
+      name: aaf-cert-service-server-tls-volume
+      mountPath: /etc/onap/aaf/certservice/certs/
+  client:
+    secret:
+      defaultName: aaf-cert-service-client-tls-secret
+
+envs:
+  keystore:
+    jksName: certServiceServer-keystore.jks
+    p12Name: certServiceServer-keystore.p12
+  truststore:
+    jksName: truststore.jks
+    crtName: root.crt
+  httpsPort: 8443
+
+# External secrets with credentials can be provided to override default credentials defined below,
+# by uncommenting and filling appropriate *ExternalSecret value
+credentials:
+  tls:
+    keystorePassword: secret
+    truststorePassword: secret
+    #keystorePasswordExternalSecret:
+    #truststorePasswordExternalSecret:
+  # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled
+  cmp:
+    #clientIakExternalSecret:
+    #clientRvExternalSecret:
+    #raIakExternalSecret:
+    #raRvExternalSecret:
+    client: {}
+      # iak: mypassword
+      # rv: unused
+    ra: {}
+      # iak: mypassword
+      # rv: unused
+
+secrets:
+  - uid: keystore-password
+    name: '{{ include "common.release" . }}-keystore-password'
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.credentials.tls.keystorePasswordExternalSecret) . }}'
+    password: '{{ .Values.credentials.tls.keystorePassword }}'
+    passwordPolicy: required
+  - uid: truststore-password
+    name: '{{ include "common.release" . }}-truststore-password'
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.credentials.tls.truststorePasswordExternalSecret) . }}'
+    password: '{{ .Values.credentials.tls.truststorePassword }}'
+    passwordPolicy: required
+  # Below values are relevant only if global addTestingComponents flag is enabled
+  - uid: ejbca-server-client-iak
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientIakExternalSecret) . }}'
+    password: '{{ .Values.credentials.cmp.client.iak }}'
+  - uid: cmp-config-client-rv
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientRvExternalSecret) . }}'
+    password: '{{ .Values.credentials.cmp.client.rv }}'
+  - uid: ejbca-server-ra-iak
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raIakExternalSecret) . }}'
+    password: '{{ .Values.credentials.cmp.ra.iak }}'
+  - uid: cmp-config-ra-rv
+    type: password
+    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}'
+    password: '{{ .Values.credentials.cmp.ra.rv }}'