X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Fplatform%2Fcomponents%2Foom-cert-service%2Fvalues.yaml;h=829d3a01d1e21c3082c2d0f9859966a3cff1a583;hb=ad0f69e402aaff1e19a5330f3949d3f445b949b5;hp=3ab98950375aec4bc78a114a6cf76b2e6629a7ef;hpb=395d917e08f5864a2b60ea416b8b198093970419;p=oom.git
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index 3ab9895037..829d3a01d1 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml
@@ -1,4 +1,4 @@
-# Copyright © 2020, Nokia
+# Copyright © 2020-2021, Nokia
 # Modifications Copyright © 2020, Nordix Foundation, Orange
 # Modifications Copyright © 2020 Nokia
 #
@@ -16,24 +16,13 @@
 
 # Global
 global:
-  envsubstImage: dibi/envsubst
   nodePortPrefix: 302
-  # Readiness image
-  readinessImage: onap/oom/readiness:3.0.1
-  # Ubuntu Init image
-  ubuntuInitRepository: registry.hub.docker.com
-  ubuntuInitImage: oomk8s/ubuntu-init:2.0.0
-  # Logging image
-  loggingRepository: docker.elastic.co
-  loggingImage: beats/filebeat:5.5.0
-  # BusyBox image
-  busyboxRepository: registry.hub.docker.com
-  busyboxImage: library/busybox:1.31
   persistence:
     enabled: true
   # Standard OOM
   pullPolicy: "Always"
   repository: "nexus3.onap.org:10001"
+  offlineDeploymentBuild: false
 
 
 # Service configuration
@@ -44,10 +33,12 @@ service:
   port: 8443
   port_protocol: http
 
+# Certificates generation configuration
+certificateGenerationImage: onap/integration-java11:7.2.0
 
 # Deployment configuration
-repository: nexus3.onap.org:10001
-image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.1.0
+repository: "nexus3.onap.org:10001"
+image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3
 pullPolicy: Always
 replicaCount: 1
 
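Review bot: `certificateGenerationImage: onap/integration-java11:7.2.0` carries no registry, whereas the deployment `image` on the same hunk is paired with `repository: "nexus3.onap.org:10001"`; if the template does not prefix this value the same way, the certificate-generation container is pulled from the default public registry, a different trust root than the ONAP Nexus proxy. It is also referenced by a mutable tag only, so what 7.2.0 resolves to can change between deployments. I would record the intent next to the value, e.g. `# Resolved against .Values.repository like 'image' (TODO confirm in template); pin by digest for reproducible, tamper-evident pulls`, and confirm the template behaviour before merge.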
@@ -88,9 +79,16 @@ cmpServers:
     mountPath: /etc/onap/oom/certservice
 
 tls:
+  issuer:
+    selfsigning:
+      name: &selfSigningIssuer cmpv2-selfsigning-issuer
+    ca:
+      name: &caIssuer cmpv2-ca-issuer
+      secret:
+        name: &caKeyPairSecret cmpv2-ca-key-pair
   server:
     secret:
-      name: oom-cert-service-server-tls-secret
+      name: &serverSecret oom-cert-service-server-tls-secret
     volume:
       name: oom-cert-service-server-tls-volume
       mountPath: /etc/onap/oom/certservice/certs/
@@ -100,21 +98,21 @@ tls:
 
 envs:
   keystore:
-    jksName: certServiceServer-keystore.jks
-    p12Name: certServiceServer-keystore.p12
+    jksName: keystore.jks
+    p12Name: keystore.p12
+    pemName: tls.crt
   truststore:
     jksName: truststore.jks
-    crtName: root.crt
+    crtName: ca.crt
+    pemName: tls.crt
   httpsPort: 8443
 
 # External secrets with credentials can be provided to override default credentials defined below,
 # by uncommenting and filling appropriate *ExternalSecret value
 credentials:
   tls:
-    keystorePassword: secret
-    truststorePassword: secret
-    #keystorePasswordExternalSecret:
-    #truststorePasswordExternalSecret:
+    certificatesPassword: secret
+    #certificatesPasswordExternalSecret:
   # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled
   cmp:
     # Used only if cmpv2 testing is enabled
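Review bot: `name: &caKeyPairSecret cmpv2-ca-key-pair` names the Secret that will hold the private key of the in-cluster CA (the `certificates` list added later in this patch writes a certificate marked `isCA: true` into it and issues both the server and the client certificate from the `cmpv2-ca-issuer` that reads it), and nothing in the hunk says so. Anyone who can read that Secret can mint certificates trusted by every consumer of this CA, so the value deserves a comment and the namespace a matching RBAC restriction on Secret reads. I would add above `secret:`: `# Secret holding the CA private key; every certificate below chains to it - restrict read access via RBAC`. The `tls:` mapping continues outside this hunk.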
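Review bot: `pemName: tls.crt` is added under `truststore:` as well as under `keystore:`, while the sibling `crtName` there is changed to `ca.crt`; `tls.crt` is the key that, in the cert-manager-style Secrets this patch introduces, holds the server's own leaf certificate, so if the truststore's PEM entry is meant to be the trust anchor it looks like the wrong file, and a truststore built from the leaf would silently carry a different trust set than one built from the CA. Please confirm against the template that consumes `envs.truststore.pemName`; if it should be the CA, change it to `pemName: ca.crt`. Separately, collapsing both store passwords into `certificatesPassword: secret` keeps the well-known default; a comment such as `# Development default only - set certificatesPasswordExternalSecret in any real deployment` would make that explicit.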
@@ -130,17 +128,11 @@ credentials:
 # rv: unused
 
 secrets:
-  - uid: keystore-password
-    name: '{{ include "common.release" . }}-keystore-password'
+  - uid: certificates-password
+    name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}'
     type: password
-    externalSecret: '{{ tpl (default "" .Values.credentials.tls.keystorePasswordExternalSecret) . }}'
-    password: '{{ .Values.credentials.tls.keystorePassword }}'
-    passwordPolicy: required
-  - uid: truststore-password
-    name: '{{ include "common.release" . }}-truststore-password'
-    type: password
-    externalSecret: '{{ tpl (default "" .Values.credentials.tls.truststorePasswordExternalSecret) . }}'
-    password: '{{ .Values.credentials.tls.truststorePassword }}'
+    externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}'
+    password: '{{ .Values.credentials.tls.certificatesPassword }}'
     passwordPolicy: required
   # Below values are relevant only if global addTestingComponents flag is enabled
   - uid: ejbca-server-client-iak
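Review bot: `name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}'` takes the Secret name from a `cmpv2Config` value that is not defined anywhere in this file and drops the `{{ include "common.release" . }}` prefix the replaced entries used, so an unset value renders an empty Secret name and a set one is shared by every release in the namespace. The `passwordPolicy: required` that follows is always satisfied because `credentials.tls.certificatesPassword` defaults to `secret`, so the policy never forces an operator off the default. I would document the dependency inline, e.g. `# Must equal cmpv2Config.global.platform.certificates.keystorePasswordSecretName (supplied at platform level); the certificates list below aliases this name`, and, if `cmpv2Config` can legitimately be absent, fail the render with Helm's `required` rather than emit a nameless Secret - please confirm where that value is provided. The `secrets:` list continues outside this hunk.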
@@ -159,3 +151,65 @@ secrets:
     type: password
     externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}'
     password: '{{ .Values.credentials.cmp.ra.rv }}'
+
+# Certificates definitions
+certificates:
+  - name: selfsigned-cert
+    secretName: *caKeyPairSecret
+    isCA: true
+    commonName: root.com
+    subject:
+      organization: Root Company
+      country: PL
+      locality: Wroclaw
+      province: Dolny Slask
+      organizationalUnit: Root Org
+    issuer:
+      name: *selfSigningIssuer
+      kind: Issuer
+  - name: cert-service-server-cert
+    secretName: *serverSecret
+    commonName: oom-cert-service
+    dnsNames:
+      - oom-cert-service
+      - localhost
+    subject:
+      organization: certServiceServer org
+      country: PL
+      locality: Wroclaw
+      province: Dolny Slask
+      organizationalUnit: certServiceServer company
+    usages:
+      - server auth
+      - client auth
+    keystore:
+      outputType:
+        - jks
+        - p12
+      passwordSecretRef:
+        name: *certificatesPasswordSecretName
+        key: password
+    issuer:
+      name: *caIssuer
+      kind: Issuer
+  - name: cert-service-client-cert
+    secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}'
+    commonName: certServiceClient.com
+    subject:
+      organization: certServiceClient org
+      country: PL
+      locality: Wroclaw
+      province: Dolny Slask
+      organizationalUnit: certServiceClient company
+    usages:
+      - server auth
+      - client auth
+    keystore:
+      outputType:
+        - jks
+      passwordSecretRef:
+        name: *certificatesPasswordSecretName
+        key: password
+    issuer:
+      name: *caIssuer
+      kind: Issuer
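Review bot: `cert-service-client-cert` lists `server auth` among its `usages`, giving the client key pair an extended key usage it has no use for; under least privilege a client identity should not also validate as a TLS server, so the entry should read `usages:` / `- client auth` only. None of the three certificates sets `duration`, `renewBefore` or `privateKey` (algorithm and size), so the `isCA: true` root and both leaves inherit whatever the issuing controller defaults to — if this is cert-manager, as the `issuer`/`isCA`/`keystore.passwordSecretRef` shape suggests, that is a 90-day validity and an RSA-2048 key — and a self-signed root that silently expires or rotates on controller defaults is an operational and trust-chain risk that should be an explicit decision here. I would set `duration` and `renewBefore` on each entry and add above `selfsigned-cert`: `# In-cluster self-signed root; lifetime and key parameters are controller defaults unless set explicitly here`.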