From: Remigiusz Janeczek
Date: Thu, 10 Dec 2020 12:10:15 +0000 (+0100)
Subject: [COMMON] Add template for CertServiceClient
X-Git-Tag: 8.0.0~150^2
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=42177a154d827dd1fddea3a451597c7708b65b6e;p=oom.git

[COMMON] Add template for CertServiceClient

Create generic template to simplify CertServiceClient use

Issue-ID: OOM-2568
Signed-off-by: Remigiusz Janeczek
Change-Id: I4fb9829b27b1dd13a9e7a098f807710cc5648438
---
diff --git a/kubernetes/common/cmpv2Certificate/Chart.yaml b/kubernetes/common/cmpv2Certificate/Chart.yaml
new file mode 100644
index 0000000000..e50de72605
--- /dev/null
+++ b/kubernetes/common/cmpv2Certificate/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: Template used to add cmpv2 certificates to components
+name: cmpv2Certificate
+version: 7.0.0
diff --git a/kubernetes/common/cmpv2Certificate/requirements.yaml b/kubernetes/common/cmpv2Certificate/requirements.yaml
new file mode 100644
index 0000000000..367d879450
--- /dev/null
+++ b/kubernetes/common/cmpv2Certificate/requirements.yaml
@@ -0,0 +1,21 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: common
+ version: ~7.x-0
+ repository: 'file://../common'
+ - name: repositoryGenerator
+ version: ~7.x-0
+ repository: 'file://../repositoryGenerator'
diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
new file mode 100644
index 0000000000..57e6c69b1f
--- /dev/null
+++ b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
@@ -0,0 +1,174 @@
+{{/*
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{/*
+In order to use certServiceClient it is needed do define certificates array in target component values.yaml. Each
+certificate will be requested from separate init container
+
+Minimum example of array in target component values.yaml:
+certificates:
+ - mountPath: /var/custom-certs
+ commonName: common-name
+
+Full example (other fields are ignored):
+certificates:
+ - mountPath: /var/custom-certs
+ caName: RA
+ outputType: JKS
+ commonName: common-name
+ dnsNames:
+ - dns-name-1
+ - dns-name-2
+ ipAddresses:
+ - 192.168.0.1
+ - 192.168.0.2
+ emailAddresses:
+ - email-1@onap.org
+ - email-2@onap.org
+ uris:
+ - http://uri-1.onap.org
+ - http://uri-2.onap.org
+ subject:
+ organization: Linux-Foundation
+ country: US
+ locality: San Francisco
+ province: California
+ organizationalUnit: ONAP
+
+There also need to be some includes used in a target component deployment (indent values may need to be adjusted):
+ 1. In initContainers section:
+ {{ include "common.certServiceClient.initContainer" . | indent 6 }}
+ 2. In volumeMounts section of container using certificates:
+ {{ include "common.certServiceClient.volumeMounts" . | indent 10 }}
+ 3. In volumes section:
+ {{ include "common.certServiceClient.volumes" . | indent 8 }}
+
+*/}}
+
+{{- define "common.certServiceClient.initContainer" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
+{{- range $index, $certificate := $dot.Values.certificates -}}
+{{/*# General certifiacate attributes #*/}}
+{{- $commonName := $certificate.commonName -}}
+{{/*# SAN's #*/}}
+{{- $dnsNames := default (list) $certificate.dnsNames -}}
+{{- $ipAddresses := default (list) $certificate.ipAddresses -}}
+{{- $uris := default (list) $certificate.uris -}}
+{{- $emailAddresses := default (list) $certificate.emailAddresses -}}
+{{- $sansList := concat $dnsNames $ipAddresses $uris $emailAddresses -}}
+{{- $sans := join "," $sansList }}
+{{/*# Subject #*/}}
+{{- $organization := $subchartGlobal.certificate.default.subject.organization -}}
+{{- $country := $subchartGlobal.certificate.default.subject.country -}}
+{{- $locality := $subchartGlobal.certificate.default.subject.locality -}}
+{{- $province := $subchartGlobal.certificate.default.subject.province -}}
+{{- $orgUnit := $subchartGlobal.certificate.default.subject.organizationalUnit -}}
+{{- if $certificate.subject -}}
+{{- $organization := $certificate.subject.organization -}}
+{{- $country := $certificate.subject.country -}}
+{{- $locality := $certificate.subject.locality -}}
+{{- $province := $certificate.subject.province -}}
+{{- $orgUnit := $certificate.subject.organizationalUnit -}}
+{{- end -}}
+{{- $caName := default $subchartGlobal.platform.certServiceClient.envVariables.caName $certificate.caName -}}
+{{- $outputType := default $subchartGlobal.platform.certServiceClient.envVariables.outputType $certificate.outputType -}}
+{{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}}
+{{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}}
+{{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}}
+{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.secret.mountPath -}}
+{{- $keystorePath := $subchartGlobal.platform.certServiceClient.envVariables.keystorePath -}}
+{{- $keystorePassword := $subchartGlobal.platform.certServiceClient.envVariables.keystorePassword -}}
+{{- $truststorePath := $subchartGlobal.platform.certServiceClient.envVariables.truststorePath -}}
+{{- $truststorePassword := $subchartGlobal.platform.certServiceClient.envVariables.truststorePassword -}}
+- name: certs-init-{{ $index }}
+ image: {{ include "repositoryGenerator.image.certserviceclient" $dot }}
+ imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
+ env:
+ - name: REQUEST_URL
+ value: {{ $requestUrl | quote }}
+ - name: REQUEST_TIMEOUT
+ value: {{ $requestTimeout | quote }}
+ - name: OUTPUT_PATH
+ value: {{ $certPath | quote }}
+ - name: OUTPUT_TYPE
+ value: {{ $outputType | quote }}
+ - name: CA_NAME
+ value: {{ $caName | quote }}
+ - name: COMMON_NAME
+ value: {{ $commonName | quote }}
+ - name: SANS
+ value: {{ $sans | quote }}
+ - name: ORGANIZATION
+ value: {{ $organization | quote }}
+ - name: ORGANIZATION_UNIT
+ value: {{ $orgUnit | quote }}
+ - name: LOCATION
+ value: {{ $locality | quote }}
+ - name: STATE
+ value: {{ $province | quote }}
+ - name: COUNTRY
+ value: {{ $country | quote }}
+ - name: KEYSTORE_PATH
+ value: {{ $keystorePath | quote }}
+ - name: KEYSTORE_PASSWORD
+ value: {{ $keystorePassword | quote }}
+ - name: TRUSTSTORE_PATH
+ value: {{ $truststorePath | quote }}
+ - name: TRUSTSTORE_PASSWORD
+ value: {{ $truststorePassword | quote }}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: {{ $certPath }}
+ name: cmpv2-certs-volume-{{ $index }}
+ - mountPath: {{ $certificatesSecretMountPath }}
+ name: certservice-tls-volume
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "common.certServiceClient.volumes" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
+{{- $certificatesSecretName := $subchartGlobal.platform.certServiceClient.secret.name -}}
+- name: certservice-tls-volume
+ secret:
+ secretName: {{ $certificatesSecretName }}
+{{ range $index, $certificate := $dot.Values.certificates -}}
+- name: cmpv2-certs-volume-{{ $index }}
+ emptyDir:
+ medium: Memory
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "common.certServiceClient.volumeMounts" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
+{{- range $index, $certificate := $dot.Values.certificates -}}
+{{- $mountPath := $certificate.mountPath -}}
+- mountPath: {{ $mountPath }}
+ name: cmpv2-certs-volume-{{ $index }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/common/cmpv2Certificate/values.yaml b/kubernetes/common/cmpv2Certificate/values.yaml
new file mode 100644
index 0000000000..b7531431c4
--- /dev/null
+++ b/kubernetes/common/cmpv2Certificate/values.yaml
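Review bot: The per-certificate subject override in `common.certServiceClient.initContainer` never takes effect: inside `{{- if $certificate.subject -}}` the five assignments use `:=`, which declares fresh variables scoped to the `if` block, so the outer `$organization`, `$country`, `$locality`, `$province` and `$orgUnit` keep the `certificate.default.subject` values and the ORGANIZATION/COUNTRY/LOCATION/STATE/ORGANIZATION_UNIT env entries always render the defaults. Reassign with `=` on all five lines, as shown below. `common.certServiceClient.volumes` has a second problem as soon as `certificates` holds more than one entry: its range body ends with `{{- end -}}`, which trims the newline after `medium: Memory`, so the next `- name: cmpv2-certs-volume-1` is glued onto the previous line and the rendered YAML is invalid; `{{ end -}}` as already used in `common.certServiceClient.volumeMounts` keeps the separator. The initContainer range only stays separated because `{{- $sans := join "," $sansList }}` lacks a right trim and leaks a newline before each `- name: certs-init-…`, which is worth making explicit rather than relying on.
```yaml
{{- if $certificate.subject -}}
{{- $organization = $certificate.subject.organization -}}
{{- $country = $certificate.subject.country -}}
{{- $locality = $certificate.subject.locality -}}
{{- $province = $certificate.subject.province -}}
{{- $orgUnit = $certificate.subject.organizationalUnit -}}
{{- end -}}
```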
@@ -0,0 +1,48 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration default values that can be inherited by
+# all subcharts.
+#################################################################
+global:
+ # Enabling CMPv2
+ cmpv2Enabled: true
+ CMPv2CertManagerIntegration: false
+
+ certificate:
+ default:
+ subject:
+ organization: "Linux-Foundation"
+ country: "US"
+ locality: "San-Francisco"
+ province: "California"
+ organizationalUnit: "ONAP"
+
+ platform:
+ certServiceClient:
+ secret:
+ name: oom-cert-service-client-tls-secret
+ mountPath: /etc/onap/oom/certservice/certs/
+ envVariables:
+ certPath: "/var/custom-certs"
+ # Client configuration related
+ caName: "RA"
+ requestURL: "https://oom-cert-service:8443/v1/certificate/"
+ requestTimeout: "30000"
+ keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
+ outputType: "P12"
+ keystorePassword: "secret"
+ truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
+ truststorePassword: "secret"
diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
index ba22bfbd60..a6b434f43a 100644
--- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl
+++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
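Review bot: `keystorePassword: "secret"` and `truststorePassword: "secret"` are shipped as plaintext chart defaults, and `common.certServiceClient.initContainer` renders them into the init container as literal `value:` env entries, so they are readable in the pod manifest by anyone with pod read access rather than being protected by Secret RBAC. Prefer sourcing both from a Kubernetes Secret through `valueFrom.secretKeyRef` in the template, or at minimum put `# placeholder default; must be overridden per deployment` above the two keys so the default is not silently carried into installations. Separately, `cmpv2Enabled: true` as the subchart default means every chart that adds `cmpv2Certificate` as a dependency and defines a `certificates` array gets the init container unless the parent global turns it off; stating that in the header comment next to `# Enabling CMPv2` would save operators a surprise.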
@@ -82,6 +82,10 @@
 {{- include "repositoryGenerator.image._helper" (merge (dict "image" "curlImage") .) }}
 {{- end -}}
+{{- define "repositoryGenerator.image.certserviceclient" -}}
+ {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }}
+{{- end -}}
+
 {{- define "repositoryGenerator.image.envsubst" -}}
 {{- include "repositoryGenerator.image._helper" (merge (dict "image" "envsubstImage") .) }}
 {{- end -}}
diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml
index def7381e46..7d6fabe9b5 100644
--- a/kubernetes/common/repositoryGenerator/values.yaml
+++ b/kubernetes/common/repositoryGenerator/values.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2020 Orange
+# Copyright © 2021 Nokia
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,6 +23,7 @@ global:
 # common global images
 busyboxImage: busybox:1.32
 curlImage: curlimages/curl:7.69.1
+ certServiceClientImage: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.2
 envsubstImage: dibi/envsubst:1
 # there's only latest image for htpasswd
 htpasswdImage: xmartlabs/htpasswd:latest
@@ -53,6 +55,7 @@ global:
 imageRepoMapping:
 busyboxImage: dockerHubRepository
 curlImage: dockerHubRepository
+ certServiceClientImage: repository
 envsubstImage: dockerHubRepository
 htpasswdImage: dockerHubRepository
 jreImage: repository
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index 5376940938..048945025c 100755
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -1,6 +1,6 @@
 # Copyright © 2019 Amdocs, Bell Canada
 # Copyright (c) 2020 Nordix Foundation, Modifications
-# Modifications Copyright © 2020 Nokia
+# Modifications Copyright © 2020-2021 Nokia
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -207,6 +207,7 @@ global:
 name: oom-cert-service-client-tls-secret
 mountPath: /etc/onap/oom/certservice/certs/
 envVariables:
+ certPath: "/var/custom-certs"
 # Certificate related
 cmpv2Organization: "Linux-Foundation"
 cmpv2OrganizationalUnit: "ONAP"
diff --git a/kubernetes/sdnc/requirements.yaml b/kubernetes/sdnc/requirements.yaml
index 57c165c4c0..f58ecb16be 100644
--- a/kubernetes/sdnc/requirements.yaml
+++ b/kubernetes/sdnc/requirements.yaml
@@ -1,5 +1,6 @@
 # Copyright © 2017 Amdocs, Bell Canada,
 # Copyright © 2020 highstreet technologies GmbH
+# Copyright © 2021 Nokia
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,6 +21,9 @@ dependencies:
 - name: certInitializer
 version: ~7.x-0
 repository: '@local'
+ - name: cmpv2Certificate
+ version: ~7.x-0
+ repository: '@local'
 - name: logConfiguration
 version: ~7.x-0
 repository: '@local'
diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml
index 63b56f87a9..b668fd8e4d 100644
--- a/kubernetes/sdnc/templates/statefulset.yaml
+++ b/kubernetes/sdnc/templates/statefulset.yaml
@@ -1,6 +1,7 @@
 {{/*
 # Copyright © 2020 Samsung Electronics
 # Copyright © 2017 Amdocs, Bell Canada
+# Copyright © 2021 Nokia
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
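Review bot: The new `certPath` is placed beside `cmpv2Organization`, `cmpv2OrganizationalUnit` and the other `cmpv2*` keys under `global.platform.certServiceClient.envVariables`, but the template introduced in `_certServiceClient.tpl` takes subject fields from `global.certificate.default.subject.*` and ignores the `cmpv2*` keys; the only consumer visible in this commit (the inline sdnc init container) is removed. Unless another chart still reads them, they are now dead configuration that will mislead operators into thinking they shape the issued certificate. Either migrate them to `global.certificate.default.subject` in this hunk or mark them with `# legacy: not read by common.certServiceClient` until they are removed. The enclosing `global:` mapping begins outside the hunk.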
@@ -98,50 +99,8 @@ spec:
 name: {{ include "common.name" . }}-readiness
 {{ end -}}
 {{ include "common.certInitializer.initContainer" . | indent 6 }}
-
- {{ if .Values.global.cmpv2Enabled }}
- - name: certs-init
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.global.platform.certServiceClient.image }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- env:
- - name: REQUEST_URL
- value: {{ .Values.global.platform.certServiceClient.envVariables.requestURL }}
- - name: REQUEST_TIMEOUT
- value: "30000"
- - name: OUTPUT_PATH
- value: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
- - name: CA_NAME
- value: {{ .Values.global.platform.certServiceClient.envVariables.caName }}
- - name: COMMON_NAME
- value: {{ .Values.global.platform.certServiceClient.envVariables.common_name }}
- - name: ORGANIZATION
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Organization }}
- - name: ORGANIZATION_UNIT
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2OrganizationalUnit }}
- - name: LOCATION
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Location }}
- - name: STATE
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2State }}
- - name: COUNTRY
- value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Country }}
- - name: KEYSTORE_PATH
- value: {{ .Values.global.platform.certServiceClient.envVariables.keystorePath }}
- - name: KEYSTORE_PASSWORD
- value: {{ .Values.global.platform.certServiceClient.envVariables.keystorePassword }}
- - name: TRUSTSTORE_PATH
- value: {{ .Values.global.platform.certServiceClient.envVariables.truststorePath }}
- - name: TRUSTSTORE_PASSWORD
- value: {{ .Values.global.platform.certServiceClient.envVariables.truststorePassword }}
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
- name: certs
- - mountPath: {{ .Values.global.platform.certServiceClient.secret.mountPath }}
- name: certservice-tls-volume
- {{ end }}
-
- - name: {{ include "common.name" . }}-init-files
+{{ include "common.certServiceClient.initContainer" . | indent 6 }}
+ - name: {{ include "common.name" . }}-chown
 image: {{ include "repositoryGenerator.image.busybox" . }}
 command:
 - sh
@@ -150,7 +109,7 @@ spec:
 - |
 mkdir {{ .Values.persistence.mdsalPath }}/daexim
 mkdir {{ .Values.persistence.mdsalPath }}/journal
- mkdir {{ .Values.persistence.mdsalPath }}/snapshots
+ mkdir {{ .Values.persistence.mdsalPath }}/snapshots
 chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.persistence.mdsalPath }}
 {{- if .Values.global.aafEnabled }}
 chown -R {{ .Values.config.odlUid }}:{{ .Values.config.odlGid}} {{ .Values.certInitializer.credsPath }}
@@ -236,6 +195,7 @@ spec:
 volumeMounts:
 {{ include "common.certInitializer.volumeMount" . | indent 10 }}
+{{ include "common.certServiceClient.volumeMounts" . | indent 10 }}
 - mountPath: /etc/localtime
 name: localtime
 readOnly: true
@@ -294,10 +254,6 @@ spec:
 - mountPath: {{ .Values.config.odl.etcDir }}/mountpoint-state-provider.properties
 name: properties
 subPath: mountpoint-state-provider.properties
- {{ if .Values.global.cmpv2Enabled }}
- - mountPath: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
- name: certs
- {{- end }}
 resources:
 {{ include "common.resources" . | indent 12 }}
 {{- if .Values.nodeSelector }}
@@ -348,19 +304,12 @@ spec:
 - name: properties
 emptyDir:
 medium: Memory
- {{ if .Values.global.cmpv2Enabled }}
- - name: certs
- emptyDir:
- medium: Memory
- - name: certservice-tls-volume
- secret:
- secretName: {{ .Values.global.platform.certServiceClient.secret.name }}
- {{- end }}
 {{ if not .Values.persistence.enabled }}
 - name: {{ include "common.fullname" . }}-data
 emptyDir: {}
 {{ else }}
 {{ include "common.certInitializer.volumes" . | nindent 8 }}
+{{ include "common.certServiceClient.volumes" . | nindent 8 }}
 volumeClaimTemplates:
 - metadata:
 name: {{ include "common.fullname" . }}-data
diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml
index faf6594e2a..4354fe4a23 100644
--- a/kubernetes/sdnc/values.yaml
+++ b/kubernetes/sdnc/values.yaml
@@ -1,5 +1,6 @@
 # Copyright © 2020 Samsung Electronics, highstreet technologies GmbH
 # Copyright © 2017 Amdocs, Bell Canada
+# Copyright © 2021 Nokia
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
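Review bot: `{{ include "common.certServiceClient.volumes" . | nindent 8 }}` is added after `{{ else }}` of `{{ if not .Values.persistence.enabled }}`, so with persistence disabled the `certservice-tls-volume` and `cmpv2-certs-volume-<n>` volumes are never declared, while the init container and the mounts added in the earlier statefulset hunks are rendered unconditionally and reference them; the removed block declared `certs` and `certservice-tls-volume` before the persistence branch, so this is a regression for non-persistent deployments (the pod spec will be rejected for an undeclared volume). Move the include above `{{ if not .Values.persistence.enabled }}`, next to the other unconditional volumes, i.e. `{{ include "common.certServiceClient.volumes" . | nindent 8 }}` directly after the `medium: Memory` of the `properties` volume. The existing certInitializer include shares the same placement, but that predates this commit. The closing `{{ end }}` of the persistence branch is outside the hunk, so the exact branch boundary is inferred from the visible `{{ else }}`.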
@@ -29,33 +30,8 @@ global:
 service: mariadb-galera
 internalPort: 3306
 nameOverride: mariadb-galera
- service: mariadb-galera
- # Enabling CMPv2
- cmpv2Enabled: true
+ # Enabling CMPv2 with CertManager
 CMPv2CertManagerIntegration: false
- platform:
- certServiceClient:
- image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.2
- secret:
- name: oom-cert-service-client-tls-secret
- mountPath: /etc/onap/oom/certservice/certs/
- envVariables:
- # Certificate related
- cert_path: /var/custom-certs
- cmpv2Organization: "Linux-Foundation"
- cmpv2OrganizationalUnit: "ONAP"
- cmpv2Location: "San-Francisco"
- cmpv2Country: "US"
- # Client configuration related
- caName: "RA"
- common_name: "sdnc.simpledemo.onap.org"
- requestURL: "https://oom-cert-service:8443/v1/certificate/"
- requestTimeout: "30000"
- keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
- outputType: "P12"
- keystorePassword: "secret"
- truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
- truststorePassword: "secret"
 #################################################################
 # Secrets metaconfig
@@ -141,7 +117,8 @@ secrets:
 # Certificates
 #################################################################
 certificates:
- - commonName: sdnc.simpledemo.onap.org
+ - mountPath: /var/custom-certs
+ commonName: sdnc.simpledemo.onap.org
 dnsNames:
 - sdnc.simpledemo.onap.org
 p12Keystore:
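Review bot: Dropping `cmpv2Enabled: true` from sdnc's `global` changes where the switch is decided without documenting it: the new template evaluates `mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global`, so the effective value now comes from the parent `global.cmpv2Enabled` when deployed under the umbrella chart and from the `cmpv2Certificate` subchart default (`true`) when sdnc is installed alone. The surviving comment `# Enabling CMPv2 with CertManager` now sits above `CMPv2CertManagerIntegration: false`, which reads as if that key enables CMPv2. A short comment such as `# cmpv2Enabled is inherited from the parent global (subchart default: true)` above `CMPv2CertManagerIntegration` would make the inheritance explicit. Removing the duplicate `service: mariadb-galera` key in the same hunk is a welcome fix, since most parsers silently take the last value.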