X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Fcommon%2FcertInitializer%2Ftemplates%2F_certInitializer.yaml;h=414192e2bc0a32932abf05730ead1c82296a1b23;hb=0c31367d791d773bda5687d5977497a1e8215e4f;hp=1250c1225ede76b01aade9f7a4b09114747bd136;hpb=e9754a0a8d5208df5e7f8d65312df6f1f17f486f;p=oom.git diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml index 1250c1225e..414192e2bc 100644 --- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -1,5 +1,5 @@ {{/* -# Copyright © 2020 Samsung Electronics +# Copyright © 2020 Bell Canada, Samsung Electronics # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -44,7 +44,7 @@ {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} {{ include "common.readinessCheck.waitFor" $subchartDot }} - name: {{ include "common.name" $dot }}-aaf-config - image: {{ include "common.repository" $subchartDot }}/{{ $subchartDot.Values.global.aafAgentImage }} + image: {{ include "repositoryGenerator.repository" $subchartDot }}/{{ $subchartDot.Values.global.aafAgentImage }} imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }} volumeMounts: - mountPath: {{ $initRoot.mountPath }} @@ -55,6 +55,9 @@ - mountPath: /opt/app/aaf_config/cert/truststoreONAP.p12.b64 name: aaf-agent-certs subPath: truststoreONAP.p12.b64 + - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} + mountPath: /opt/app/aaf_config/bin/retrieval_check.sh + subPath: retrieval_check.sh {{- if $initRoot.aaf_add_config }} - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh @@ -64,8 +67,8 @@ - sh - -c - | - #!/usr/bin/env bash /opt/app/aaf_config/bin/agent.sh + . /opt/app/aaf_config/bin/retrieval_check.sh {{- if $initRoot.aaf_add_config }} /opt/app/aaf_config/bin/aaf-add-config.sh {{- end }} @@ -96,13 +99,73 @@ value: "{{ $initRoot.public_fqdn | default "" }}" {{- end -}} +{{/* + This init container will import custom .pem certificates to truststoreONAPall.jks + Custom certificates must be placed in common/certInitializer/resources directory. + + The feature is enabled by setting Values.global.importCustomCertsEnabled = true + It can be used independently of aafEnabled, however it requires the same includes + as describe above for _initContainer. + + When AAF is enabled the truststoreONAPAll.jks (which contains AAF CA) will be used + to import custom certificates, otherwise the default java keystore will be used. + + The updated truststore file will be placed in /updatedTruststore and can be mounted per component + to a specific path by defining Values.certInitializer.truststoreMountpath (see _trustStoreVolumeMount) + The truststore file will be available to mount even if no custom certificates were imported. +*/}} +{{- define "common.certInitializer._initImportCustomCertsContainer" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certInitializer .initRoot -}} +{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} +- name: {{ include "common.name" $dot }}-import-custom-certs + image: {{ include "repositoryGenerator.image.jre" $subchartDot }} + imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }} + securityContext: + runAsUser: 0 + command: + - /bin/sh + - -c + - /root/import-custom-certs.sh + env: + - name: AAF_ENABLED + value: "{{ $subchartDot.Values.global.aafEnabled }}" + - name: TRUSTSTORE_OUTPUT_FILENAME + value: "{{ $initRoot.truststoreOutputFileName }}" + - name: TRUSTSTORE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "truststore-creds" "key" "password") | indent 6 }} + volumeMounts: + - mountPath: /certs + name: aaf-agent-certs + - mountPath: /root/import-custom-certs.sh + name: aaf-agent-certs + subPath: import-custom-certs.sh + - mountPath: /updatedTruststore + name: updated-truststore +{{- end -}} + {{- define "common.certInitializer._volumeMount" -}} {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.certInitializer .initRoot -}} -- mountPath: {{ $initRoot.mountPath }} +- mountPath: {{ $initRoot.appMountPath }} name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }} {{- end -}} +{{/* + This is used together with _initImportCustomCertsContainer + It mounts the updated truststore (with imported custom certificates) to the + truststoreMountpath defined in the values file for the component. +*/}} +{{- define "common.certInitializer._trustStoreVolumeMount" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certInitializer .initRoot -}} +{{- if gt (len $initRoot.truststoreMountpath) 0 }} +- mountPath: {{ $initRoot.truststoreMountpath }}/{{ $initRoot.truststoreOutputFileName }} + name: updated-truststore + subPath: {{ $initRoot.truststoreOutputFileName }} +{{- end -}} +{{- end -}} + {{- define "common.certInitializer._volumes" -}} {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.certInitializer .initRoot -}} @@ -112,19 +175,23 @@ medium: Memory - name: aaf-agent-certs configMap: - name: {{ include "common.fullname" $subchartDot }}-certs + name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }} defaultMode: 0700 - -{{- if $initRoot.aaf_add_config }} - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} configMap: name: {{ include "common.fullname" $subchartDot }}-add-config defaultMode: 0700 +{{- if $dot.Values.global.importCustomCertsEnabled }} +- name: updated-truststore + emptyDir: {} {{- end -}} {{- end -}} {{- define "common.certInitializer.initContainer" -}} {{- $dot := default . .dot -}} + {{- if $dot.Values.global.importCustomCertsEnabled }} + {{ include "common.certInitializer._initImportCustomCertsContainer" . }} + {{- end -}} {{- if $dot.Values.global.aafEnabled }} {{ include "common.certInitializer._initContainer" . }} {{- end -}} @@ -135,11 +202,14 @@ {{- if $dot.Values.global.aafEnabled }} {{- include "common.certInitializer._volumeMount" . }} {{- end -}} + {{- if $dot.Values.global.importCustomCertsEnabled }} + {{- include "common.certInitializer._trustStoreVolumeMount" . }} + {{- end -}} {{- end -}} {{- define "common.certInitializer.volumes" -}} {{- $dot := default . .dot -}} - {{- if $dot.Values.global.aafEnabled }} + {{- if or ($dot.Values.global.aafEnabled ) ($dot.Values.global.importCustomCertsEnabled) }} {{- include "common.certInitializer._volumes" . }} {{- end -}} {{- end -}}