X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Fcommon%2FcertInitializer%2Ftemplates%2F_certInitializer.yaml;h=800364f1a281f4d79c622d534081511b3d075604;hb=8c26e59d30a185186cf33988a0dbb859409f73eb;hp=0e0f339e1162a45ace2cf7a31331611ec18e905b;hpb=af6a61e9b6ea2722e750c307fb6ffa5d3921b0c7;p=oom.git diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml index 0e0f339e11..1312d98009 100644 --- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -1,5 +1,6 @@ {{/* -# Copyright © 2020 Samsung Electronics +# Copyright © 2020 Bell Canada, Samsung Electronics +# Copyright © 2021 Orange # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -41,29 +42,13 @@ {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.certInitializer .initRoot -}} {{- $initName := default "certInitializer" -}} -{{/* Our version of helm doesn't support deepCopy so we need this nasty trick */}} -{{- $subchartDot := mergeOverwrite (fromJson (toJson $dot)) (dict "Chart" (set (fromJson (toJson .Chart)) "Name" $initRoot.nameOverride) "Values" $initRoot) }} -- name: {{ include "common.name" $dot }}-aaf-readiness - image: "{{ $dot.Values.global.readinessRepository }}/{{ $dot.Values.global.readinessImage }}" - imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} - command: - - /root/ready.py - args: - - --container-name - - aaf-locate - - --container-name - - aaf-cm - - --container-name - - aaf-service - env: - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace +{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} +{{ include "common.readinessCheck.waitFor" $subchartDot }} - name: {{ include "common.name" $dot }}-aaf-config - image: {{ (default $dot.Values.repository $dot.Values.global.repository) }}/{{ $dot.Values.global.aafAgentImage }} - imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} + image: {{ include "repositoryGenerator.repository" $subchartDot }}/{{ $subchartDot.Values.global.aafAgentImage }} + imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }} + securityContext: + runAsUser: 0 volumeMounts: - mountPath: {{ $initRoot.mountPath }} name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }} @@ -73,6 +58,14 @@ - mountPath: /opt/app/aaf_config/cert/truststoreONAP.p12.b64 name: aaf-agent-certs subPath: truststoreONAP.p12.b64 + - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} + mountPath: /opt/app/aaf_config/bin/retrieval_check.sh + subPath: retrieval_check.sh +{{- if hasKey $initRoot "ingressTlsSecret" }} + - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} + mountPath: /opt/app/aaf_config/bin/tls_certs_configure.sh + subPath: tls_certs_configure.sh +{{- end }} {{- if $initRoot.aaf_add_config }} - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh @@ -82,20 +75,30 @@ - sh - -c - | - #!/usr/bin/env bash /opt/app/aaf_config/bin/agent.sh + . /opt/app/aaf_config/bin/retrieval_check.sh +{{- if hasKey $initRoot "ingressTlsSecret" }} + /opt/app/aaf_config/bin/tls_certs_configure.sh +{{- end -}} {{- if $initRoot.aaf_add_config }} /opt/app/aaf_config/bin/aaf-add-config.sh {{- end }} env: - name: APP_FQI value: "{{ $initRoot.fqi }}" + {{- if $initRoot.aaf_namespace }} - name: aaf_locate_url - value: "https://aaf-locate.{{ $dot.Release.Namespace}}:8095" - - name: aaf_locator_container - value: "oom" + value: "https://aaf-locate.{{ $initRoot.aaf_namespace }}:8095" + - name: aaf_locator_container_ns + value: "{{ $initRoot.aaf_namespace }}" + {{- else }} + - name: aaf_locate_url + value: "https://aaf-locate.{{ $dot.Release.Namespace }}:8095" - name: aaf_locator_container_ns value: "{{ $dot.Release.Namespace }}" + {{- end }} + - name: aaf_locator_container + value: "oom" - name: aaf_locator_fqdn value: "{{ $initRoot.fqdn }}" - name: aaf_locator_app_ns @@ -114,35 +117,119 @@ value: "{{ $initRoot.public_fqdn | default "" }}" {{- end -}} +{{/* + This init container will import custom .pem certificates to truststoreONAPall.jks + Custom certificates must be placed in common/certInitializer/resources directory. + + The feature is enabled by setting Values.global.importCustomCertsEnabled = true + It can be used independently of aafEnabled, however it requires the same includes + as describe above for _initContainer. + + When AAF is enabled the truststoreONAPAll.jks (which contains AAF CA) will be used + to import custom certificates, otherwise the default java keystore will be used. + + The updated truststore file will be placed in /updatedTruststore and can be mounted per component + to a specific path by defining Values.certInitializer.truststoreMountpath (see _trustStoreVolumeMount) + The truststore file will be available to mount even if no custom certificates were imported. +*/}} +{{- define "common.certInitializer._initImportCustomCertsContainer" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certInitializer .initRoot -}} +{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }} +- name: {{ include "common.name" $dot }}-import-custom-certs + image: {{ include "repositoryGenerator.image.jre" $subchartDot }} + imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }} + securityContext: + runAsUser: 0 + command: + - /bin/sh + - -c + - /root/import-custom-certs.sh + env: + - name: AAF_ENABLED + value: "{{ $subchartDot.Values.global.aafEnabled }}" + - name: TRUSTSTORE_OUTPUT_FILENAME + value: "{{ $initRoot.truststoreOutputFileName }}" + - name: TRUSTSTORE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "truststore-creds" "key" "password") | indent 6 }} + volumeMounts: + - mountPath: /certs + name: aaf-agent-certs + - mountPath: /more_certs + name: provided-custom-certs + - mountPath: /root/import-custom-certs.sh + name: aaf-agent-certs + subPath: import-custom-certs.sh + - mountPath: /updatedTruststore + name: updated-truststore +{{- end -}} + {{- define "common.certInitializer._volumeMount" -}} {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.certInitializer .initRoot -}} -- mountPath: {{ $initRoot.mountPath }} +- mountPath: {{ $initRoot.appMountPath }} name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }} {{- end -}} +{{/* + This is used together with _initImportCustomCertsContainer + It mounts the updated truststore (with imported custom certificates) to the + truststoreMountpath defined in the values file for the component. +*/}} +{{- define "common.certInitializer._trustStoreVolumeMount" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certInitializer .initRoot -}} +{{- if gt (len $initRoot.truststoreMountpath) 0 }} +- mountPath: {{ $initRoot.truststoreMountpath }}/{{ $initRoot.truststoreOutputFileName }} + name: updated-truststore + subPath: {{ $initRoot.truststoreOutputFileName }} +- mountPath: /etc/ssl/certs/ca-certificates.crt + name: updated-truststore + subPath: ca-certificates.crt +{{- end -}} +{{- end -}} + {{- define "common.certInitializer._volumes" -}} {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.certInitializer .initRoot -}} -{{- $subchartDot := mergeOverwrite (fromJson (toJson $dot)) (dict "Chart" (set (fromJson (toJson .Chart)) "Name" $initRoot.nameOverride) "Values" $initRoot) }} +{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot))}} - name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }} emptyDir: medium: Memory -{{- if $initRoot.aaf_add_config }} -- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} +- name: aaf-agent-certs configMap: - name: {{ include "common.fullname" $subchartDot }}-add-config + name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }} defaultMode: 0700 -- name: aaf-agent-certs +{{- if $dot.Values.global.importCustomCertsEnabled }} +- name: provided-custom-certs +{{- if $dot.Values.global.customCertsSecret }} + secret: + secretName: {{ $dot.Values.global.customCertsSecret }} +{{- else }} +{{- if $dot.Values.global.customCertsConfigMap }} + configMap: + name: {{ $dot.Values.global.customCertsConfigMap }} +{{- else }} + emptyDir: + medium: Memory +{{- end }} +{{- end }} +{{- end }} +- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }} configMap: - name: {{ include "common.fullname" $subchartDot }}-certs + name: {{ include "common.fullname" $subchartDot }}-add-config defaultMode: 0700 - +{{- if $dot.Values.global.importCustomCertsEnabled }} +- name: updated-truststore + emptyDir: {} {{- end -}} {{- end -}} {{- define "common.certInitializer.initContainer" -}} {{- $dot := default . .dot -}} + {{- if $dot.Values.global.importCustomCertsEnabled }} + {{ include "common.certInitializer._initImportCustomCertsContainer" . }} + {{- end -}} {{- if $dot.Values.global.aafEnabled }} {{ include "common.certInitializer._initContainer" . }} {{- end -}} @@ -153,11 +240,14 @@ {{- if $dot.Values.global.aafEnabled }} {{- include "common.certInitializer._volumeMount" . }} {{- end -}} + {{- if $dot.Values.global.importCustomCertsEnabled }} + {{- include "common.certInitializer._trustStoreVolumeMount" . }} + {{- end -}} {{- end -}} {{- define "common.certInitializer.volumes" -}} {{- $dot := default . .dot -}} - {{- if $dot.Values.global.aafEnabled }} + {{- if or ($dot.Values.global.aafEnabled ) ($dot.Values.global.importCustomCertsEnabled) }} {{- include "common.certInitializer._volumes" . }} {{- end -}} {{- end -}}