From: Krzysztof Opasiak <k.opasiak@samsung.com>
Date: Tue, 7 Apr 2020 21:22:39 +0000 (+0000)
Subject: Merge "Add healthcheck for legacy PAP"
X-Git-Tag: 6.0.0~172
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=f5dad738e1366651b7d5e52aabb8109630d71ce4;hp=df5484e88df47c754ffa4d3d0f0096ff69cae3dc;p=oom.git

Merge "Add healthcheck for legacy PAP"
---

diff --git a/docs/oom_hardcoded_certificates.rst b/docs/oom_hardcoded_certificates.rst
index 0745ec0df4..5aeee2e07f 100644
--- a/docs/oom_hardcoded_certificates.rst
+++ b/docs/oom_hardcoded_certificates.rst
@@ -48,5 +48,13 @@ Here's the list of these certificates:
  +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+
  | SO/VNFM          | Yes              | No?              | Yes             | kubernetes/so/resources/config/certificates                              |
  +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+
+ | SO/VNFM          | No               | Yes?             | Yes             | kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks    |
+ +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+
  | VID              | No               | Yes              | No              | kubernetes/vid/resources/cert                                            |
  +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+
+ | OOF/OOF-CMSO     | Yes              | No               | No              | kubernetes/oof/charts/oof-cmso/resources/certs                           |
+ +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+
+ | OOF/OOF-HAS      | Yes              | No               | No              | kubernetes/oof/charts/oof-has/resources/config                           |
+ +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+
+ | OOF/OOF-OSDF     | Yes              | No               | No              | kubernetes/oof/resources/config                                          |
+ +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+
diff --git a/kubernetes/aai b/kubernetes/aai
index ab137ca81f..eb70b3f12b 160000
--- a/kubernetes/aai
+++ b/kubernetes/aai
@@ -1 +1 @@
-Subproject commit ab137ca81f5d4f9eb3d442f37f8e7ea52d7757f0
+Subproject commit eb70b3f12b30d4d7ea010723707db8c3e2ef2354
diff --git a/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties b/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties
index d36f0bce85..eee61e7e90 100755
--- a/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties
+++ b/kubernetes/cds/charts/cds-blueprints-processor/resources/config/application.properties
@@ -72,7 +72,7 @@ error.catalog.errorDefinitionFileDirectory=/opt/app/onap/config
 # SDN-C's ODL Restconf Connection Details
 blueprintsprocessor.restconfEnabled=true
 blueprintsprocessor.restclient.sdncodl.type=basic-auth
-blueprintsprocessor.restclient.sdncodl.url=http://sdnc:8282/
+blueprintsprocessor.restclient.sdncodl.url=http://{{ .Values.global.sdncOamService }}:{{ .Values.global.sdncOamPort }}/
 blueprintsprocessor.restclient.sdncodl.username=admin
 blueprintsprocessor.restclient.sdncodl.password=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
 
@@ -92,7 +92,7 @@ blueprintsprocessor.grpcclient.py-executor.trustCertCollection=/opt/app/onap/con
 blueprintsprocessor.grpcclient.py-executor.type=tls-auth
 # Config Data REST client settings
 blueprintsprocessor.restclient.sdnc.type=basic-auth
-blueprintsprocessor.restclient.sdnc.url=http://sdnc:8282
+blueprintsprocessor.restclient.sdnc.url=http://{{ .Values.global.sdncOamService }}:{{ .Values.global.sdncOamPort }}
 blueprintsprocessor.restclient.sdnc.username=admin
 blueprintsprocessor.restclient.sdnc.password=Kp8bJ4SXszM0WXlhak3eHlcse2gAw84vaoGGmJvUy2U
 
diff --git a/kubernetes/cds/charts/cds-blueprints-processor/values.yaml b/kubernetes/cds/charts/cds-blueprints-processor/values.yaml
index 29047a7404..6cd3c2b554 100755
--- a/kubernetes/cds/charts/cds-blueprints-processor/values.yaml
+++ b/kubernetes/cds/charts/cds-blueprints-processor/values.yaml
@@ -37,6 +37,10 @@ global:
   # envsusbt
   envsubstImage: dibi/envsubst
 
+  #This configuration specifies Service and port for SDNC OAM interface
+  sdncOamService: sdnc-oam
+  sdncOamPort: 8282
+
 #################################################################
 # Secrets metaconfig
 #################################################################
diff --git a/kubernetes/clamp/charts/clamp-backend/values.yaml b/kubernetes/clamp/charts/clamp-backend/values.yaml
index ce86ec2104..18888547c3 100644
--- a/kubernetes/clamp/charts/clamp-backend/values.yaml
+++ b/kubernetes/clamp/charts/clamp-backend/values.yaml
@@ -27,7 +27,7 @@ flavor: small
 
 # application image
 repository: nexus3.onap.org:10001
-image: onap/clamp-backend:5.0.2
+image: onap/clamp-backend:5.0.3
 pullPolicy: Always
 
 # flag to enable debugging - application support required
diff --git a/kubernetes/clamp/values.yaml b/kubernetes/clamp/values.yaml
index cf6c572cc9..47eca67f91 100644
--- a/kubernetes/clamp/values.yaml
+++ b/kubernetes/clamp/values.yaml
@@ -30,7 +30,7 @@ flavor: small
 
 # application image
 repository: nexus3.onap.org:10001
-image: onap/clamp-frontend:5.0.2
+image: onap/clamp-frontend:5.0.3
 pullPolicy: Always
 
 # flag to enable debugging - application support required
diff --git a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/config/dmaap-plugin.json b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/config/dmaap-plugin.json
index 41404b0199..c52a0a8606 100644
--- a/kubernetes/dcaegen2/components/dcae-bootstrap/resources/config/dmaap-plugin.json
+++ b/kubernetes/dcaegen2/components/dcae-bootstrap/resources/config/dmaap-plugin.json
@@ -2,7 +2,6 @@
     "dmaap": {
         "username": "notused",
         "password": "doesnotmatter",
-        "owner": "dcaecm",
-        "protocol": "http"
-    }
+        "owner": "dcaecm"
+     }
 }
\ No newline at end of file
diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml
index c2d6f8c7ef..67808472b6 100644
--- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml
+++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/templates/deployment.yaml
@@ -45,6 +45,13 @@ spec:
         image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}-readiness
+      - name: {{ include "common.name" . }}-chown
+        command: ["/bin/sh", "-c", "chown -Rf 1000:1000 /share/"]
+        image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        volumeMounts:
+        - name: {{ include "common.fullname" . }}-logs
+          mountPath: /share/logs
       - name: db-init
         image: "{{ include "common.repository" . }}/{{ .Values.dbinit.image }}"
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/values.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/values.yaml
index a9a89ddd72..f3f176fded 100644
--- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/values.yaml
+++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-optimizer/values.yaml
@@ -25,12 +25,12 @@ subChartsOnly:
 
 # application image
 repository: nexus3.onap.org:10001
-image: onap/optf-cmso-optimizer:2.1.1
+image: onap/optf-cmso-optimizer:2.2.0
 pullPolicy: Always
 
 #init container image
 dbinit:
-  image: onap/optf-cmso-dbinit:2.1.1
+  image: onap/optf-cmso-dbinit:2.2.0
 
 # flag to enable debugging - application support required
 debugEnabled: false
diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml
index b41b840fde..ca45d7ee12 100644
--- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml
+++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/templates/deployment.yaml
@@ -45,6 +45,13 @@ spec:
         image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}-readiness
+      - name: {{ include "common.name" . }}-chown
+        command: ["/bin/sh", "-c", "chown -Rf 1000:1000 /share/"]
+        image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        volumeMounts:
+        - name: {{ include "common.fullname" . }}-logs
+          mountPath: /share/logs
       - name: db-init
         image: "{{ include "common.repository" . }}/{{ .Values.dbinit.image }}"
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/values.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/values.yaml
index 345f03d4d3..90a74bd3ed 100644
--- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/values.yaml
+++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-service/values.yaml
@@ -25,13 +25,13 @@ subChartsOnly:
 
 # application image
 repository: nexus3.onap.org:10001
-image: onap/optf-cmso-service:2.1.1
-robotimage: onap/optf-cmso-robot:2.1.1
+image: onap/optf-cmso-service:2.2.0
+robotimage: onap/optf-cmso-robot:2.2.0
 pullPolicy: Always
 
 #init container image
 dbinit:
-  image: onap/optf-cmso-dbinit:2.1.1
+  image: onap/optf-cmso-dbinit:2.2.0
 
 # flag to enable debugging - application support required
 debugEnabled: false
diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-ticketmgt/templates/deployment.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-ticketmgt/templates/deployment.yaml
index 53d1b26755..0b0b7e0890 100644
--- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-ticketmgt/templates/deployment.yaml
+++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-ticketmgt/templates/deployment.yaml
@@ -30,6 +30,14 @@ spec:
         app: {{ include "common.name" . }}
         release: {{ include "common.release" . }}
     spec:
+      initContainers:
+      - name: {{ include "common.name" . }}-chown
+        command: ["/bin/sh", "-c", "chown -Rf 1000:1000 /share/"]
+        image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        volumeMounts:
+          - name: {{ include "common.fullname" . }}-logs
+            mountPath: /share/logs
       containers:
       - name: {{ include "common.name" . }}
         image: "{{ include "common.repository" . }}/{{ .Values.image }}"
diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-ticketmgt/values.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-ticketmgt/values.yaml
index 300a72cbae..846245a42c 100644
--- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-ticketmgt/values.yaml
+++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-ticketmgt/values.yaml
@@ -20,13 +20,12 @@ global: # global defaults
   readinessRepository: oomk8s
   readinessImage: readiness-check:2.0.0
   authentication: proprietary-auth
-  
 subChartsOnly:
   enabled: true
 
 # application image
 repository: nexus3.onap.org:10001
-image: onap/optf-cmso-ticketmgt:2.1.1
+image: onap/optf-cmso-ticketmgt:2.2.0
 pullPolicy: Always
 
 
diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-topology/templates/deployment.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-topology/templates/deployment.yaml
index 8cc4a986c5..a23ac430c9 100644
--- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-topology/templates/deployment.yaml
+++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-topology/templates/deployment.yaml
@@ -30,6 +30,14 @@ spec:
         app: {{ include "common.name" . }}
         release: {{ include "common.release" . }}
     spec:
+      initContainers:
+      - name: {{ include "common.name" . }}-chown
+        command: ["/bin/sh", "-c", "chown -Rf 1000:1000 /share/"]
+        image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        volumeMounts:
+        - name: {{ include "common.fullname" . }}-logs
+          mountPath: /share/logs
       containers:
       - name: {{ include "common.name" . }}
         image: "{{ include "common.repository" . }}/{{ .Values.image }}"
diff --git a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-topology/values.yaml b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-topology/values.yaml
index c8ac5d7880..775da43928 100644
--- a/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-topology/values.yaml
+++ b/kubernetes/oof/charts/oof-cmso/charts/oof-cmso-topology/values.yaml
@@ -25,7 +25,7 @@ subChartsOnly:
 
 # application image
 repository: nexus3.onap.org:10001
-image: onap/optf-cmso-topology:2.1.1
+image: onap/optf-cmso-topology:2.2.0
 pullPolicy: Always
 
 
diff --git a/kubernetes/oof/charts/oof-cmso/resources/certs/org.onap.oof.jks b/kubernetes/oof/charts/oof-cmso/resources/certs/org.onap.oof.jks
index 535abaa92b..f1e01085f9 100644
Binary files a/kubernetes/oof/charts/oof-cmso/resources/certs/org.onap.oof.jks and b/kubernetes/oof/charts/oof-cmso/resources/certs/org.onap.oof.jks differ
diff --git a/kubernetes/oof/charts/oof-cmso/resources/certs/org.onap.oof.keyfile b/kubernetes/oof/charts/oof-cmso/resources/certs/org.onap.oof.keyfile
index f85a567981..78a6afba63 100644
--- a/kubernetes/oof/charts/oof-cmso/resources/certs/org.onap.oof.keyfile
+++ b/kubernetes/oof/charts/oof-cmso/resources/certs/org.onap.oof.keyfile
@@ -1,27 +1,27 @@
-liD-IR8Y1MHqPDTUqq3AaTtqnWn5jCpfIRBlyi6xY4A0fbQz8ZPlTZPHkshRt0dHdST3R7TIvTyQ
-JpTCeBNBu2df3vBbUzsN0rIpPG9TGjzmE7cRu4V4kfefSqsIj-S7OTAaWaWpwGWJYLLCB2sQALkS
-f68VWdupUEw3g9jqCU1QzjKOnLGvhlp6Qrc1xG4Z5Ar8WERw-C3DqTWUKANoEvjWkvH2rAywzj93
-pmspvd5fQfH1rp1ACNvnPrRb_oYNfwPrNpE7Sb4LvM1muoiKMDF64IDO0TkxhjHZ9wpJgVsnowby
-qmokqf39dMRRk3S1IEpOiBGyLS_885JDj_XJKYRQsjvkTzjpFJ7wE2-HDZEVWCITvtS9-Xorm5TI
-3iU4rjMDew5fkBnjoKuSOS7Lksva4ouZOCiUkDos1jAJ5XMDEQm4BcPHtcW6PpC602-qRcgnNjjP
-wOPdF7hCm27ZTai3lAtNGByR7oBr9r5Uma-soORFvg8drV8Rgh0lax-poFVhoEH7RhKPIzYpSco9
-jnpURzi_epTjAhjjup-erTv2GAIllKsSEHZLbfsFWlNUZTOx58PSB0jBN5m_8HxTyNm0zsm0Cb7U
-KsjPduQ5ZblsfRIJwqpOBXoof7WerKReMZSOdgjZUNueiuEImVH9_SYOdKZhkluSi4yfEtme7CCP
-kZ2JhdiT5km3SeonalhU2MUsx60krxyQ1mnjI4jS9QagUME4mujdvM_L7mtjcPZVSfXUn49whakE
-J-NQV6q2iZgN2IxsT_uCnlZYwnE5i-IbQkQAEu13m6ETsMmf0cwPnKaSwRhb8G48EkJhTL-GP9Z0
--EsIKT7lQt7kfX-mmNoEirTg9gQAaN3uxLmdHvXpeJdlETnnaLYYJJ3h-SL0e_5Yz2SpdsEwZ3Bk
-PtR-QvlYKDhG1nhPOna65ctCzn81PZOUP3lsO6MSTOK6D6Taxfh1TYEBAvzCP0BfFBodw4lSglFP
-I5IfdiJmomTGARa36nC_O5YzH_jBWLQrgd2gxI5H5bB-5zqzu79SGX9o2_LRVY_LVV0BmI3xSYOI
-vziYYC1XyTY6blfdiOM5a5KjraErxSTEFZVFrsx4OQ_dLA0woVtixawrIy1rgfQr49U1oIRe8BgN
-j3eis_UQAbPbmdbEe1qtXnvi6T7trHskzt6K-vTgo5ITJkr-F2Sds_QgNdaFBGuES6X5RwRGlbHT
-Tl_M8Ja_1K-RMNKJRssoRTKstpwnrhk9IcoSwYcLykbDLgeC0mhSMHOOuWv1RGRaZdzObc5YA1eB
-idQmzy5xAHzNxPHHrB-fpjFJRYv_QZY9qZcGvP58d6bHO0upxbj-BBt9zfc7Qt0JLU6EAdYbW5TI
-2v4JImikrx6KvtoK8vcjJMTDAanTVB31J65tat0rq9wYKxUdjBJLzkT3psYs_DRtYQc0i02YTD7t
-dWya0-3p1Yrt0em3XGb8JAh2PA3BsQKmvKAOc054wf_B8n8saxSFw1WQL30vU5c4-Z_p53HfaUYd
-Qg7DZskzgwBRy48sLJNCrn81RtxXfQP1XtPEZs-AAlTUslHoUdoQ1cwrYEgkNT1cjk6sLI_oKSK-
-dDICBnlYLrZRBS3sH8K38WaIh1WRY6vbGVDs1tUectUpng_-Khavd0Crw7D_CE6T7Rnfcn0pnTV-
-HW1PIXejFsONQn-2c3a9HZ-v6Hg4JL6UWm-qgBPC5118ymO0LfmrviAFAC6Wt3WFiNzrvx9Jggus
-lE0qvLVfkQVZXAy-hSPHlYZmtxk5voVsf60qPoDN2-NdpWz62M9PrXd_A03YGxzt0G6J4VXExRES
-xqLeGNGB496AfX_vEub97sR8xcbbUXsyt12uVnygifGyND60coikaKrMktv2OLOLEl8AudLp0ZNA
-oOoYJZqfUnQqaLt0dNmNa5OtzYjf7f6bYX0V8XLTHlFqZ6QzqYGFMPNhDYjqtet6d--Q8t7_5S5C
-RfXP8Wh8CjbEh2_rsr9rvy1nhM_Cptxc0BFXcS5Dt_R4vjd2G4B_LEC4Hy1s_rZThzUVxRCl
\ No newline at end of file
+dX1X5XcwStbiOmKV2k-px6nukVP3Ucg3mB6Rx3IyAyAQOZx8nU-TBK9kOV635VI5559pLF6z7jGR
+BcBfEgQtiO93vGKsSfkiVjorFz5UDqqXvoW6kFz4yQHBYR8cfFIRQ4L6mitfrs6gsM0d7CBqBz29
+I5lyzeSzmaPmJDP92jw--y3cvGRYYNLGvl3U3IIeCFX9IkDY29OZazaQaihAZx2trjLZKEeuzLN1
+6JQGbKEqCCRzZ46TXnH1DKRPxxV2aNzb_3I8402XUmlGBPf0Ucyj2wlBWrSApVVaxKKIEgIjf7vs
+x2fEMD-ye--2MkalDZ6Tm_x75GFKiia7Uc2fBBb4xHGZZEmKTh4php1Gu3v1bVY8hjXXVTpF-WXm
+cm9T4uczm_CgnKE4PtqLnYQg87LI8ONbWIE5jkgu1D4lhWkzO8nMrQlnFT0HlB-CRGu_xRsIWvnc
+bTA8K4iKJMHm7IhRfrBFNRBSq8AH_9LoUfTQ62C-Nt8g6Wu7ox6fO_dus1S9H9ndNzos31IVrn1h
+5QHxuBCUORISWjGoEQSM6spz3pyvbNMgKpkkg2izwXzDwc3RbqOgiSY8WtpKXuWceU-Ltl_npFpO
+O1suykGF6fnuql87ERJ7mcEiNd8L2_GuxTr-0YbbWgCK2IBDyfNc6ayTcjN0huoF72umE0ODQ0aK
+0HUAWAV4W6cWXEj7iOpMx1jkDURbWEdPetlz-LZKv7aN3s65Cl4Nib7ltWrs9ilP5J-KUKTkUPpM
+poBWXVZf4IjNx3H2KFzdLeGSXO3kG46tQDeeloFuY2yk1FWeyS9xLS60H2komdIW6qRVVBzeJHRN
+7dYMK5AhAgOghhe5XBhH1yHVdjLJuOMXPRrXe8dTyNU6fD1rHuvGukwSLW9lXsQkJBENfsIxY-At
+-j6Gm54G_Dz5k7tu7ThpCREVxNoBDMOBC_RemS0P-pqHSEpxEc0OjLQbVSPBQRa3eaRiqLMz_dop
+FGJt56UE73Qn0HWQw16lSdKSDtuSlByEwbQ8fRFN6e2f6DCHwW81kPpfJBcoPgO4RcoazNfbLXGI
+c3q9SSpOy6r33lPT8ZigURWiNqgO2NgWswAhaN1lllbXooQxhmTnokTxi8lbQ45ZMI0n5TKFJVAB
+TtEpi4VESECsda-Rlt2w-SE9QMSSxbdYcoMutupHoj2EuRcEDAW9ghLcfBqBkGapS_Vk-E7VYBqT
+mCzuKx5WdvNj9RFCIHq7U6axpddRd7XGgKhQwyLo075DLlpULcXjHegh2Dv_U-CgwMc7J4NfCNYL
+atLIkKAhxiaHt7nkhSVKsJK89-7_NQd-OubYnUNMREoEBJautCFfyiL5fooEb2Vdu1S-27fAYk3f
+9Zv4j_lwldSGBkNZg8vKGsSLgl9acdXld_zyUI9iGe-cj5eibI7LLpaxRL9UyBJWvElyDdTQvTZL
+DdpWmy3QF9GUGx0AwZixPixXdIHmmu2yOu1kFqNAjHqfVfoyNETlGrQRM5IPQ6RmBhWC3Iv5mSNA
+FZ0J95bvy9_HS718wAhlEiw4B6FGnTR8KZozfOtr2ihh8QybBgvvJrs-68RIB56gWyavbn-aAnXi
+zTI1YYCVzBDVv4XPzqK4itVl5gPb3KCHPUSlrVhkPLXAUix3b4-nu4pk8veAE1CYZCIy_GqPNUOT
+LqLl4-WMHodF7SLNzvPSqgolCC1TjnuO1ysOHlK86W7nZPyrpnideiLbGs6G51cG0pIcDIyWNm6d
+9TXQTiRx87cZxRxEEFz57ftjqy3qhg_sw2ziFWOeItEO6OaOgwfH2OtMToeBWiJepyfG1eB4n7jH
+OsTQLSvCt2gHI1zXyCtYBZKeZI2dxO6cOdh5ljIuS0rABHe1BP2ZkKmJIXoEPFstJlAz4GPaghL4
+8rCndhdyoW7CayzBAAe5balYq63qjqUD_eOIp-pHcEe0Mfbmzu4CDSK8-40Qia6ApskFsRCkzu1V
+Pf1fH6-3rvQZFqt6irr_7HWUFhGRcXw9kBOy8h24nTawv-L6eydW5iX0pwRMz_QfHo_Krm6O
\ No newline at end of file
diff --git a/kubernetes/oof/charts/oof-cmso/values.yaml b/kubernetes/oof/charts/oof-cmso/values.yaml
index 2b8ad9487d..b1c3561538 100644
--- a/kubernetes/oof/charts/oof-cmso/values.yaml
+++ b/kubernetes/oof/charts/oof-cmso/values.yaml
@@ -56,9 +56,11 @@ global:
   keystoreFile: "org.onap.oof.jks"
   loggingRepository: docker.elastic.co
   loggingImage: beats/filebeat:5.5.0
-  keystorePassword: N{$tSp*U)RQzjqE;)%4z;Pv[
+  keystorePassword: OA7*y0PEGTma?$be2z#0$:L]
   truststorePassword:
   authentication: aaf-auth
+  busyBoxImage: busybox:1.30
+  busyBoxRepository: docker.io
 
 flavor: small
 
diff --git a/kubernetes/policy/charts/pap/resources/config/config.json b/kubernetes/policy/charts/pap/resources/config/config.json
index e4517c7a5d..544ecdfc32 100644
--- a/kubernetes/policy/charts/pap/resources/config/config.json
+++ b/kubernetes/policy/charts/pap/resources/config/config.json
@@ -41,8 +41,8 @@
         "implementation": "org.onap.policy.models.provider.impl.DatabasePolicyModelsProviderImpl",
         "databaseDriver": "org.mariadb.jdbc.Driver",
         "databaseUrl": "jdbc:mariadb://{{ .Values.global.mariadb.service.name }}:{{ .Values.global.mariadb.service.internalPort }}/{{ .Values.global.mariadb.config.mysqlDatabase }}",
-        "databaseUser": "{{ .Values.global.mariadb.config.userName }}",
-        "databasePassword": "{{ .Values.global.mariadb.config.userPassword | b64enc }}",
+        "databaseUser": "${SQL_USER}",
+        "databasePassword": "${SQL_PASSWORD_BASE64}",
         "persistenceUnit": "PolicyMariaDb"
     },
     "topicParameterGroup": {
diff --git a/kubernetes/policy/charts/pap/templates/deployment.yaml b/kubernetes/policy/charts/pap/templates/deployment.yaml
index caef5218ef..85ca9c1486 100644
--- a/kubernetes/policy/charts/pap/templates/deployment.yaml
+++ b/kubernetes/policy/charts/pap/templates/deployment.yaml
@@ -31,6 +31,25 @@ spec:
         image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}-readiness
+
+      - command:
+        - sh
+        args:
+        - -c
+        - "export SQL_PASSWORD_BASE64=`echo -n ${SQL_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+        env:
+        - name: SQL_USER
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 10 }}
+        - name: SQL_PASSWORD
+          {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 10 }}
+        volumeMounts:
+        - mountPath: /config-input
+          name: papconfig
+        - mountPath: /config
+          name: papconfig-processed
+        image: "{{ .Values.global.envsubstImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-update-config
       containers:
         - name: {{ include "common.name" . }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
@@ -58,7 +77,7 @@ spec:
             name: localtime
             readOnly: true
           - mountPath: /opt/app/policy/pap/etc/mounted
-            name: papconfig
+            name: papconfig-processed
           resources:
 {{ include "common.resources" . | indent 12 }}
         {{- if .Values.nodeSelector }}
@@ -77,5 +96,8 @@ spec:
           configMap:
             name: {{ include "common.fullname" . }}-configmap
             defaultMode: 0755
+        - name: papconfig-processed
+          emptyDir:
+            medium: Memory
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/policy/charts/pap/templates/secrets.yaml b/kubernetes/policy/charts/pap/templates/secrets.yaml
new file mode 100644
index 0000000000..bd7eb8ea40
--- /dev/null
+++ b/kubernetes/policy/charts/pap/templates/secrets.yaml
@@ -0,0 +1,15 @@
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/policy/charts/pap/values.yaml b/kubernetes/policy/charts/pap/values.yaml
index 05f43d66e0..7edb3ab871 100644
--- a/kubernetes/policy/charts/pap/values.yaml
+++ b/kubernetes/policy/charts/pap/values.yaml
@@ -22,6 +22,18 @@
 #################################################################
 global:
   persistence: {}
+  envsubstImage: dibi/envsubst
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+  - uid: db-secret
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.db.credsExternalSecret) . }}'
+    login: '{{ .Values.db.user }}'
+    password: '{{ .Values.db.password }}'
+    passwordPolicy: required
 
 #################################################################
 # Application configuration defaults.
@@ -36,6 +48,10 @@ debugEnabled: false
 
 # application configuration
 
+db:
+  user: policy_user
+  password: policy_user
+
 # default number of instances
 replicaCount: 1
 
diff --git a/kubernetes/policy/charts/policy-api/resources/config/config.json b/kubernetes/policy/charts/policy-api/resources/config/config.json
index ccfc07ae67..2e46ccae96 100644
--- a/kubernetes/policy/charts/policy-api/resources/config/config.json
+++ b/kubernetes/policy/charts/policy-api/resources/config/config.json
@@ -30,8 +30,8 @@
         "implementation": "org.onap.policy.models.provider.impl.DatabasePolicyModelsProviderImpl",
         "databaseDriver": "org.mariadb.jdbc.Driver",
         "databaseUrl": "jdbc:mariadb://{{ .Values.global.mariadb.service.name }}:{{ .Values.global.mariadb.service.internalPort }}/policyadmin",
-        "databaseUser": "{{ .Values.global.mariadb.config.userName }}",
-        "databasePassword": "{{ .Values.global.mariadb.config.userPassword | b64enc }}",
+        "databaseUser": "${SQL_USER}",
+        "databasePassword": "${SQL_PASSWORD_BASE64}",
         "persistenceUnit": "PolicyMariaDb"
     },
     "preloadPolicyTypes": [
diff --git a/kubernetes/policy/charts/policy-api/templates/deployment.yaml b/kubernetes/policy/charts/policy-api/templates/deployment.yaml
index 25e80d0ac3..777cc4954d 100644
--- a/kubernetes/policy/charts/policy-api/templates/deployment.yaml
+++ b/kubernetes/policy/charts/policy-api/templates/deployment.yaml
@@ -31,6 +31,26 @@ spec:
           image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           name: {{ include "common.name" . }}-readiness
+
+        - command:
+          - sh
+          args:
+          - -c
+          - "export SQL_PASSWORD_BASE64=`echo -n ${SQL_PASSWORD} | base64`; cd /config-input && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done"
+          env:
+          - name: SQL_USER
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "login") | indent 12 }}
+          - name: SQL_PASSWORD
+            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "db-secret" "key" "password") | indent 12 }}
+          volumeMounts:
+          - mountPath: /config-input
+            name: apiconfig
+          - mountPath: /config
+            name: apiconfig-processed
+          image: "{{ .Values.global.envsubstImage }}"
+          imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          name: {{ include "common.name" . }}-update-config
+
       containers:
         - name: {{ include "common.name" . }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
@@ -58,7 +78,7 @@ spec:
             name: localtime
             readOnly: true
           - mountPath: /opt/app/policy/api/etc/mounted
-            name: apiconfig
+            name: apiconfig-processed
           resources:
 {{ include "common.resources" . | indent 12 }}
         {{- if .Values.nodeSelector }}
@@ -77,5 +97,8 @@ spec:
           configMap:
             name: {{ include "common.fullname" . }}-configmap
             defaultMode: 0755
+        - name: apiconfig-processed
+          emptyDir:
+            medium: Memory
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/policy/charts/policy-api/templates/secrets.yaml b/kubernetes/policy/charts/policy-api/templates/secrets.yaml
new file mode 100644
index 0000000000..bd7eb8ea40
--- /dev/null
+++ b/kubernetes/policy/charts/policy-api/templates/secrets.yaml
@@ -0,0 +1,15 @@
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/policy/charts/policy-api/values.yaml b/kubernetes/policy/charts/policy-api/values.yaml
index b5e10493dc..fd66b69e4e 100644
--- a/kubernetes/policy/charts/policy-api/values.yaml
+++ b/kubernetes/policy/charts/policy-api/values.yaml
@@ -22,6 +22,18 @@
 global:
   nodePortPrefix: 304
   persistence: {}
+  envsubstImage: dibi/envsubst
+
+#################################################################
+# Secrets metaconfig
+#################################################################
+secrets:
+  - uid: db-secret
+    type: basicAuth
+    externalSecret: '{{ tpl (default "" .Values.db.credsExternalSecret) . }}'
+    login: '{{ .Values.db.user }}'
+    password: '{{ .Values.db.password }}'
+    passwordPolicy: required
 
 #################################################################
 # Application configuration defaults.
@@ -35,6 +47,9 @@ pullPolicy: Always
 debugEnabled: false
 
 # application configuration
+db:
+  user: policy_user
+  password: policy_user
 
 # default number of instances
 replicaCount: 1
diff --git a/kubernetes/portal/charts/portal-app/resources/certs/keystoreONAPPortal.p12 b/kubernetes/portal/charts/portal-app/resources/certs/keystoreONAPPortal.p12
deleted file mode 100644
index 9f52189096..0000000000
Binary files a/kubernetes/portal/charts/portal-app/resources/certs/keystoreONAPPortal.p12 and /dev/null differ
diff --git a/kubernetes/portal/charts/portal-app/resources/certs/truststoreONAPall.jks b/kubernetes/portal/charts/portal-app/resources/certs/truststoreONAPall.jks
deleted file mode 100644
index ff844b109d..0000000000
Binary files a/kubernetes/portal/charts/portal-app/resources/certs/truststoreONAPall.jks and /dev/null differ
diff --git a/kubernetes/portal/charts/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties b/kubernetes/portal/charts/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties
index 8d21859b29..63348f02d6 100755
--- a/kubernetes/portal/charts/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties
+++ b/kubernetes/portal/charts/portal-app/resources/config/deliveries/properties/ONAPPORTAL/system.properties
@@ -1,4 +1,5 @@
 # Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2020 AT&T
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -111,14 +112,16 @@ auditlog_del_day_from = 365
 #External system notification URL
 external_system_notification_url= https://jira.onap.org/browse/
 
+#cookie domain
+cookie_domain = onap.org
+
+{{- if .Values.global.aafEnabled }}
 # External Access System Basic Auth Credentials & Rest endpoint(These credentials doesn't work as these are place holders for now)
 ext_central_access_user_name = aaf_admin@people.osaaf.org
-ext_central_access_password = VTCIC7wfMI0Zy61wkqKQC0bF0EK2YmL2JLl1fQU2YC4=
-ext_central_access_url = https://aaf-service:8100/authz/
+ext_central_access_password = thiswillbereplacedatruntime
+ext_central_access_url = {{ .Values.aafURL }}/authz/
 ext_central_access_user_domain = @people.osaaf.org
 
 # External Central Auth system access
 remote_centralized_system_access = true
-
-#cookie domain
-cookie_domain = onap.org
+{{- end }}
diff --git a/kubernetes/portal/charts/portal-app/resources/server/server.xml b/kubernetes/portal/charts/portal-app/resources/server/server.xml
index c9515c1f41..dec68376d2 100644
--- a/kubernetes/portal/charts/portal-app/resources/server/server.xml
+++ b/kubernetes/portal/charts/portal-app/resources/server/server.xml
@@ -14,7 +14,7 @@
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
-  
+
   Modifications to this file for use in ONAP are also subject to the Apache-2.0 license.
 -->
 <!-- Note:  A "Server" is not itself a "Container", so you may not
@@ -22,7 +22,7 @@
      Documentation at /docs/config/server.html
  -->
 <Server port="8005" shutdown="SHUTDOWN">
-  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
+  <Listener className="org.apache.catalina.startup.VersionLoggerListener" logArgs="false"/>
   <!-- Security listener. Documentation at /docs/config/listeners.html
   <Listener className="org.apache.catalina.security.SecurityListener" />
   -->
@@ -70,7 +70,10 @@
     -->
     <Connector port="8080" protocol="HTTP/1.1"
                connectionTimeout="20000"
-               redirectPort="8443" />
+    {{ if .Values.global.aafEnabled }}
+               redirectPort="8443"
+    {{ end }}
+    />
     <!-- A "Connector" using the shared thread pool-->
     <!--
     <Connector executor="tomcatThreadPool"
@@ -88,14 +91,19 @@
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS" />
     -->
-	
-	 <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+    {{ if .Values.global.aafEnabled }}
+    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
-               keystoreFile="{{.Values.global.keystoreFile}}" keystorePass="{{.Values.global.keypass}}" 
+               keystoreFile="{{.Values.aafConfig.credsPath}}/{{.Values.aafConfig.keystoreFile}}"
+               keystorePass="${javax.net.ssl.keyStorePassword}"
                clientAuth="false" sslProtocol="TLS" />
-
+    {{ end }}
     <!-- Define an AJP 1.3 Connector on port 8009 -->
-    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
+    <Connector port="8009" protocol="AJP/1.3"
+    {{ if .Values.global.aafEnabled }}
+              redirectPort="8443"
+    {{ end }}
+    />
 
 
     <!-- An Engine represents the entry point (within Catalina) that processes
diff --git a/kubernetes/portal/charts/portal-app/templates/configmap.yaml b/kubernetes/portal/charts/portal-app/templates/configmap.yaml
index d19ffeb9a8..d514fe6411 100644
--- a/kubernetes/portal/charts/portal-app/templates/configmap.yaml
+++ b/kubernetes/portal/charts/portal-app/templates/configmap.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2020 AT&T
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -25,3 +26,17 @@ metadata:
 data:
 {{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPPORTAL/*").AsConfig . | indent 2 }}
 {{ tpl (.Files.Glob "resources/server/*").AsConfig . | indent 2 }}
+
+{{ if .Values.global.aafEnabled }}
+{{- if .Values.aafConfig.addconfig -}}
+---
+apiVersion: v1
+kind: ConfigMap
+{{- $suffix := "aaf-add-config" }}
+metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
+data:
+  aaf-add-config.sh: |-
+    /opt/app/aaf_config/bin/agent.sh;/opt/app/aaf_config/bin/agent.sh local showpass \
+    {{.Values.aafConfig.fqi}} {{ .Values.aafConfig.fqdn }} > {{ .Values.aafConfig.credsPath }}/mycreds.prop
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/portal/charts/portal-app/templates/deployment.yaml b/kubernetes/portal/charts/portal-app/templates/deployment.yaml
index eb0dee0f73..14bbd3c7f6 100644
--- a/kubernetes/portal/charts/portal-app/templates/deployment.yaml
+++ b/kubernetes/portal/charts/portal-app/templates/deployment.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2017 Amdocs, Bell Canada
+# Modifications Copyright © 2020 AT&T
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -45,33 +46,27 @@ spec:
             fieldRef:
               apiVersion: v1
               fieldPath: metadata.namespace
+      {{- if .Values.global.aafEnabled }}
+{{ include "common.aaf-config" . | indent 6 }}
+      {{- end }}
       containers:
       - name: {{ include "common.name" . }}
         image: "{{ include "common.repository" . }}/{{ .Values.image }}"
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        command:
-          - /start-apache-tomcat.sh
-          - -i
-          - ""
-          - -n
-          - ""
-          - -b
-          - "{{ .Values.global.env.tomcatDir }}"
+        command: ["bash","-c"]
+        {{- if .Values.global.aafEnabled }}
+        args: ["export $(grep '^c' {{ .Values.aafConfig.credsPath }}/mycreds.prop | xargs -0);\
+               export _JAVA_OPTIONS=\"-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \
+              -Djavax.net.ssl.keyStorePassword=$cadi_keystore_password_p12\";\
+              /start-apache-tomcat.sh -i \"\" -n \"\" -b {{ .Values.global.env.tomcatDir }}"]
         env:
-          - name: CATALINA_OPTS
+          - name: _CATALINA_OPTS
             value: >
-              -Djavax.net.ssl.keyStore={{ .Values.global.env.tomcatDir }}/{{ .Values.global.truststoreFile}}
-              -Djavax.net.ssl.keyStorePassword={{ .Values.global.trustpass }}
-              -Djavax.net.ssl.trustStore={{ .Values.global.env.tomcatDir }}/{{ .Values.global.truststoreFile}}
-              -Djavax.net.ssl.trustStorePassword={{ .Values.global.trustpass }}
-          - name: javax.net.ssl.keyStore
-            value: {{ .Values.global.env.tomcatDir }}/{{ .Values.global.truststoreFile}} 
-          - name: javax.net.ssl.keyStorePassword
-            value: {{ .Values.global.trustpass }}
-          - name: javax.net.ssl.trustStore
-            value: {{ .Values.global.env.tomcatDir }}/{{ .Values.global.truststoreFile}}
-          - name: javax.net.ssl.trustStorePassword
-            value: {{ .Values.global.trustpass }}
+              -Djavax.net.ssl.keyStore="{{ .Values.aafConfig.credsPath }}/{{ .Values.aafConfig.keystoreFile }}"
+              -Djavax.net.ssl.trustStore="{{ .Values.aafConfig.credsPath }}/{{ .Values.aafConfig.truststoreFile }}"
+        {{- else }}
+        args: ["/start-apache-tomcat.sh -i "" -n "" -b {{ .Values.global.env.tomcatDir }}"]
+        {{- end }}
         ports:
         - containerPort: {{ .Values.service.internalPort }}
         - containerPort: {{ .Values.service.internalPort2 }}
@@ -90,6 +85,9 @@ spec:
           initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
           periodSeconds: {{ .Values.readiness.periodSeconds }}
         volumeMounts:
+        {{- if .Values.global.aafEnabled }}
+{{ include "common.aaf-config-volume-mountpath" . | indent 8 }}
+        {{- end }}
         - mountPath: /etc/localtime
           name: localtime
           readOnly: true
@@ -117,16 +115,10 @@ spec:
         - name: properties-onapportal
           mountPath: "{{ .Values.global.env.tomcatDir }}/webapps/ONAPPORTAL/WEB-INF/web.xml"
           subPath: web.xml
-        - name: authz-onapportal
-          mountPath: "{{ .Values.global.env.tomcatDir }}/{{ .Values.global.keystoreFile}}"
-          subPath: {{ .Values.global.keystoreFile}}
-        - name: authz-onapportal
-          mountPath: "{{ .Values.global.env.tomcatDir }}/{{ .Values.global.truststoreFile}}"
-          subPath: {{ .Values.global.truststoreFile}}          
         - name: var-log-onap
           mountPath: /var/log/onap
         resources:
-{{ include "common.resources" . | indent 12 }}
+{{ include "common.resources" . }}
       {{- if .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 10 }}
@@ -147,6 +139,9 @@ spec:
         - name: var-log-onap
           mountPath: /var/log/onap
       volumes:
+        {{- if .Values.global.aafEnabled }}
+{{ include "common.aaf-config-volumes" . | indent 8 }}
+        {{- end }}
         - name: localtime
           hostPath:
             path: /etc/localtime
@@ -154,9 +149,6 @@ spec:
           configMap:
             name: {{ include "common.fullname" . }}-onapportal
             defaultMode: 0755
-        - name: authz-onapportal
-          secret:
-            secretName: {{ include "common.fullname" . }}-authz-onapportal
         - name: filebeat-conf
           configMap:
             name: portal-filebeat
diff --git a/kubernetes/portal/charts/portal-app/templates/secret.yaml b/kubernetes/portal/charts/portal-app/templates/secret.yaml
index 85b0f40567..a4019efa2b 100644
--- a/kubernetes/portal/charts/portal-app/templates/secret.yaml
+++ b/kubernetes/portal/charts/portal-app/templates/secret.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright © 2020 AT&T
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,16 +13,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "common.fullname" . }}-authz-onapportal
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
-type: Opaque
-data:
-{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }}
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/portal/charts/portal-app/values.yaml b/kubernetes/portal/charts/portal-app/values.yaml
index 59a11ad6cf..433352cf2e 100644
--- a/kubernetes/portal/charts/portal-app/values.yaml
+++ b/kubernetes/portal/charts/portal-app/values.yaml
@@ -1,5 +1,5 @@
 # Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
+# Modifications Copyright © 2018,2020 AT&T
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,15 +22,46 @@ global:
   readinessImage: readiness-check:2.0.0
   loggingRepository: docker.elastic.co
   loggingImage: beats/filebeat:5.5.0
+  #AAF service
+  aafEnabled: true
 
 #################################################################
 # Application configuration defaults.
 #################################################################
+
 # application image
 repository: nexus3.onap.org:10001
 image: onap/portal-app:2.6.0
 pullPolicy: Always
 
+#AAF local config
+
+aafURL: https://aaf-service:8100/
+aafConfig:
+  aafDeployFqi: deployer@people.osaaf.org
+  aafDeployPass: demo123456!
+  fqdn: portal
+  fqi: portal@portal.onap.org
+  publicFqdn: portal.onap.org
+  cadi_latitude: "38.0"
+  cadi_longitude: "-72.0"
+  credsPath: /opt/app/osaaf/local
+  app_ns: org.osaaf.aaf
+  permission_user: 1000
+  permission_group: 999
+  addconfig: true
+  secret_uid: &aaf_secret_uid portal-app-aaf-deploy-creds
+  keystoreFile: "org.onap.portal.p12"
+  truststoreFile: "org.onap.portal.trust.jks"
+
+secrets:
+  - uid: *aaf_secret_uid
+    type: basicAuth
+    externalSecret: '{{ ternary (tpl (default "" .Values.aafConfig.aafDeployCredsExternalSecret) .) "aafIsDiabled" .Values.global.aafEnabled }}'
+    login: '{{ .Values.aafConfig.aafDeployFqi }}'
+    password: '{{ .Values.aafConfig.aafDeployPass }}'
+    passwordPolicy: required
+
 # default number of instances
 replicaCount: 1
 
diff --git a/kubernetes/portal/charts/portal-sdk/resources/server/server.xml b/kubernetes/portal/charts/portal-sdk/resources/server/server.xml
index 506a1ca4cd..dffcfbe419 100644
--- a/kubernetes/portal/charts/portal-sdk/resources/server/server.xml
+++ b/kubernetes/portal/charts/portal-sdk/resources/server/server.xml
@@ -94,7 +94,7 @@
     {{ if .Values.global.aafEnabled }}
     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
-               keystoreFile="{{.Values.persistence.aafCredsPath}}/{{.Values.aafConfig.keystoreFile}}"
+               keystoreFile="{{.Values.aafConfig.credsPath}}/{{.Values.aafConfig.keystoreFile}}"
                keystorePass="${javax.net.ssl.keyStorePassword}"
                clientAuth="false" sslProtocol="TLS" />
     {{ end }}
diff --git a/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml b/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml
index 154276ea26..1dbdeedd5a 100644
--- a/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml
+++ b/kubernetes/portal/charts/portal-sdk/templates/configmap.yaml
@@ -1,5 +1,5 @@
 # Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
+# Modifications Copyright © 2018, 2020 AT&T
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -25,4 +25,18 @@ metadata:
     heritage: {{ .Release.Service }}
 data:
 {{ tpl (.Files.Glob "resources/config/deliveries/properties/ONAPPORTALSDK/*").AsConfig . | indent 2 }}
-{{ tpl (.Files.Glob "resources/server/*").AsConfig . | indent 2 }}
\ No newline at end of file
+{{ tpl (.Files.Glob "resources/server/*").AsConfig . | indent 2 }}
+
+{{ if .Values.global.aafEnabled }}
+{{- if .Values.aafConfig.addconfig -}}
+---
+apiVersion: v1
+kind: ConfigMap
+{{- $suffix := "aaf-add-config" }}
+metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
+data:
+  aaf-add-config.sh: |-
+    /opt/app/aaf_config/bin/agent.sh;/opt/app/aaf_config/bin/agent.sh local showpass \
+    {{.Values.aafConfig.fqi}} {{ .Values.aafConfig.fqdn }} > {{ .Values.aafConfig.credsPath }}/mycreds.prop
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml b/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml
index 8465d06ad8..2de9a1bd24 100644
--- a/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml
+++ b/kubernetes/portal/charts/portal-sdk/templates/deployment.yaml
@@ -47,71 +47,23 @@ spec:
               apiVersion: v1
               fieldPath: metadata.namespace
       {{- if .Values.global.aafEnabled }}
-      - name: {{ include "common.name" . }}-aaf-readiness
-        image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        command:
-          - /root/ready.py
-        args:
-          - --container-name
-          - aaf-locate
-          - --container-name
-          - aaf-cm
-        env:
-          - name: NAMESPACE
-            valueFrom:
-              fieldRef:
-                apiVersion: v1
-                fieldPath: metadata.namespace
-      - name: {{ include "common.name" . }}-aaf-config
-        image: "{{ include "common.repository" . }}/{{ .Values.global.aafAgentImage }}"
-        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-        command: ["bash","-c"]
-        args: ["/opt/app/aaf_config/bin/agent.sh;/opt/app/aaf_config/bin/agent.sh local showpass \
-        {{.Values.aafConfig.fqi}} {{ .Values.aafConfig.fqdn }} > {{ .Values.persistence.aafCredsPath }}/mycreds.prop"]
-        volumeMounts:
-          - mountPath: {{ .Values.persistence.aafCredsPath }}
-            name: {{ include "common.fullname" . }}-aaf-config-vol
-        env:
-          - name: APP_FQI
-            value: "{{ .Values.aafConfig.fqi }}"
-          - name: aaf_locate_url
-            value: "https://aaf-locate.{{ .Release.Namespace }}:8095"
-          - name: aaf_locator_container
-            value: "{{ .Values.global.aafLocatorContainer }}"
-          - name: aaf_locator_container_ns
-            value: "{{ .Release.Namespace }}"
-          - name: aaf_locator_fqdn
-            value: "{{ .Values.aafConfig.fqdn }}"
-          - name: aaf_locator_public_fqdn
-            value: "{{.Values.aafConfig.publicFqdn}}"
-          - name: aaf_locator_app_ns
-            value: "{{ .Values.global.aafAppNs }}"
-          - name: DEPLOY_FQI
-            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aaf-deploy-creds" "key" "login") | indent 12 }}
-          - name: DEPLOY_PASSWORD
-            {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "aaf-deploy-creds" "key" "password") | indent 12 }}
-          - name: cadi_longitude
-            value: "{{ .Values.aafConfig.cadiLongitude }}"
-          - name: cadi_latitude
-            value: "{{ .Values.aafConfig.cadiLatitude }}"
-      {{ end }}
+{{ include "common.aaf-config" . | indent 6 }}
+      {{- end }}
       containers:
       - name: {{ include "common.name" . }}
         image: "{{ include "common.repository" . }}/{{ .Values.image }}"
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         command: ["bash","-c"]
         {{- if .Values.global.aafEnabled }}
-        args: ["export $(grep '^c' {{ .Values.persistence.aafCredsPath }}/mycreds.prop | xargs -0);\
+        args: ["export $(grep '^c' {{ .Values.aafConfig.credsPath }}/mycreds.prop | xargs -0);\
         export _JAVA_OPTIONS=\"-Djavax.net.ssl.trustStorePassword=$cadi_truststore_password \
         -Djavax.net.ssl.keyStorePassword=$cadi_keystore_password_p12\";\
-        cat /dev/null > {{ .Values.persistence.aafCredsPath }}/mycreds.prop;\
         /start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"]
         env:
           - name: _CATALINA_OPTS
             value: >
-              -Djavax.net.ssl.keyStore="{{ .Values.persistence.aafCredsPath }}/{{ .Values.aafConfig.keystoreFile }}"
-              -Djavax.net.ssl.trustStore="{{ .Values.persistence.aafCredsPath }}/{{ .Values.aafConfig.truststoreFile }}"
+              -Djavax.net.ssl.keyStore="{{ .Values.aafConfig.credsPath }}/{{ .Values.aafConfig.keystoreFile }}"
+              -Djavax.net.ssl.trustStore="{{ .Values.aafConfig.credsPath }}/{{ .Values.aafConfig.truststoreFile }}"
         {{- else }}
         args: ["/start-apache-tomcat.sh -b {{ .Values.global.env.tomcatDir }}"]
         {{- end }}
@@ -131,8 +83,7 @@ spec:
           periodSeconds: {{ .Values.readiness.periodSeconds }}
         volumeMounts:
         {{- if .Values.global.aafEnabled }}
-        - mountPath: {{ .Values.persistence.aafCredsPath }}
-          name: {{ include "common.fullname" . }}-aaf-config-vol
+{{ include "common.aaf-config-volume-mountpath" . | indent 8 }}
         {{- end }}
         - name: properties-onapportalsdk
           mountPath: "{{ .Values.global.env.tomcatDir }}/conf/server.xml"
@@ -160,7 +111,7 @@ spec:
         - name: var-log-onap
           mountPath: /var/log/onap
         resources:
-{{ include "common.resources" . | indent 12 }}
+{{ include "common.resources" . }}
       {{- if .Values.nodeSelector }}
       nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 10 }}
@@ -198,9 +149,7 @@ spec:
         - name: portal-tomcat-logs
           emptyDir: {}
         {{- if .Values.global.aafEnabled }}
-        - name: {{ include "common.fullname" . }}-aaf-config-vol
-          emptyDir:
-            medium: Memory
+{{ include "common.aaf-config-volumes" . | indent 8 }}
         {{- end }}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/portal/charts/portal-sdk/values.yaml b/kubernetes/portal/charts/portal-sdk/values.yaml
index 34c29b5be1..77ceb274d2 100644
--- a/kubernetes/portal/charts/portal-sdk/values.yaml
+++ b/kubernetes/portal/charts/portal-sdk/values.yaml
@@ -23,47 +23,45 @@ global:
   loggingRepository: docker.elastic.co
   loggingImage: beats/filebeat:5.5.0
   persistence: {}
-  #AAF global config overrides
+  #AAF service
   aafEnabled: true
-  aafAgentImage: onap/aaf/aaf_agent:2.1.15
-  aafAppNs: org.osaaf.aaf
-  aafLocatorContainer: oom
+
 #################################################################
 # Application configuration defaults.
 #################################################################
-secrets:
-  - uid: aaf-deploy-creds
-    type: basicAuth
-    externalSecret: '{{ ternary (tpl (default "" .Values.aafConfig.aafDeployCredsExternalSecret) .) "aafIsDiabled" .Values.global.aafEnabled }}'
-    login: '{{ .Values.aafConfig.aafDeployFqi }}'
-    password: '{{ .Values.aafConfig.aafDeployPass }}'
-    passwordPolicy: required
-
-## Persist cert data to a memory volume
-persistence:
-  aafCredsPath: /opt/app/osaaf/local
 
 # application image
 repository: nexus3.onap.org:10001
 image: onap/portal-sdk:2.6.0
 pullPolicy: Always
 
-#AAF service
-aafURL: https://aaf-service:8100/
-aafLocateUrl: https://aaf-locate:8095
-
 #AAF local config
+aafURL: https://aaf-service:8100/
 aafConfig:
   aafDeployFqi: deployer@people.osaaf.org
   aafDeployPass: demo123456!
   fqdn: portal
   fqi: portal@portal.onap.org
   publicFqdn: portal.onap.org
-  cadiLatitude: 0.0
-  cadiLongitude: 0.0
+  cadi_latitude: "38.0"
+  cadi_longitude: "-72.0"
+  credsPath: /opt/app/osaaf/local
+  app_ns: org.osaaf.aaf
+  permission_user: 1000
+  permission_group: 999
+  addconfig:  true
+  secret_uid: &aaf_secret_uid portal-sdk-aaf-deploy-creds
   keystoreFile: "org.onap.portal.p12"
   truststoreFile: "org.onap.portal.trust.jks"
 
+secrets:
+  - uid: *aaf_secret_uid
+    type: basicAuth
+    externalSecret: '{{ ternary (tpl (default "" .Values.aafConfig.aafDeployCredsExternalSecret) .) "aafIsDiabled" .Values.global.aafEnabled }}'
+    login: '{{ .Values.aafConfig.aafDeployFqi }}'
+    password: '{{ .Values.aafConfig.aafDeployPass }}'
+    passwordPolicy: required
+
 # flag to enable debugging - application support required
 debugEnabled: false
 
diff --git a/kubernetes/portal/values.yaml b/kubernetes/portal/values.yaml
index 8c84cbdbb4..1015c86654 100644
--- a/kubernetes/portal/values.yaml
+++ b/kubernetes/portal/values.yaml
@@ -1,5 +1,5 @@
 # Copyright © 2017 Amdocs, Bell Canada
-# Modifications Copyright © 2018 AT&T
+# Modifications Copyright © 2018, 2020 AT&T
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -21,18 +21,11 @@ global:
   portalFEPort: "30225"
   # application's front end hostname.  Must be resolvable on the client side environment
   portalHostName: "portal.api.simpledemo.onap.org"
-  keystoreFile: "keystoreONAPPortal.p12"
-  truststoreFile: "truststoreONAPall.jks"
-  keypass: ",@{9!OOv%HO@#c+0Z}axu!xV"
-  trustpass: "changeit"
-
 config:
   logstashServiceName: log-ls
   logstashPort: 5044
-  
 portal-mariadb:
   nameOverride: portal-db
-
 mariadb:
   service:
     name: portal-db
@@ -48,10 +41,8 @@ cassandra:
 zookeeper:
   service:
     name: portal-zookeeper
-
 messageRouter:
   service:
     name: message-router
-
 ingress:
   enabled: false
\ No newline at end of file
diff --git a/kubernetes/sdnc/resources/config/bin/startODL.sh b/kubernetes/sdnc/resources/config/bin/startODL.sh
index af5c36207c..6aa796a163 100755
--- a/kubernetes/sdnc/resources/config/bin/startODL.sh
+++ b/kubernetes/sdnc/resources/config/bin/startODL.sh
@@ -4,6 +4,7 @@
 # ============LICENSE_START=======================================================
 # SDNC
 # ================================================================================
+# Copyright © 2020 Samsung Electronics
 # Copyright (C) 2017 AT&T Intellectual Property. All rights reserved.
 # ================================================================================
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -133,17 +134,17 @@ echo "  AAF_ENABLED=$SDNC_AAF_ENABLED"
 
 
 if $SDNC_AAF_ENABLED; then
-	export SDNC_STORE_DIR=/opt/app/osaaf/local
-	export SDNC_CONFIG_DIR=/opt/app/osaaf/local
+	export SDNC_AAF_STORE_DIR=/opt/app/osaaf/local
+	export SDNC_AAF_CONFIG_DIR=/opt/app/osaaf/local
 	export SDNC_KEYPASS=`cat /opt/app/osaaf/local/.pass`
 	export SDNC_KEYSTORE=org.onap.sdnc.p12
 	sed -i '/cadi_prop_files/d' $ODL_HOME/etc/system.properties
-	echo "cadi_prop_files=$SDNC_CONFIG_DIR/org.onap.sdnc.props" >> $ODL_HOME/etc/system.properties
+	echo "cadi_prop_files=$SDNC_AAF_CONFIG_DIR/org.onap.sdnc.props" >> $ODL_HOME/etc/system.properties
 
 	sed -i '/org.ops4j.pax.web.ssl.keystore/d' $ODL_HOME/etc/custom.properties
 	sed -i '/org.ops4j.pax.web.ssl.password/d' $ODL_HOME/etc/custom.properties
 	sed -i '/org.ops4j.pax.web.ssl.keypassword/d' $ODL_HOME/etc/custom.properties
-	echo org.ops4j.pax.web.ssl.keystore=$SDNC_STORE_DIR/$SDNC_KEYSTORE >> $ODL_HOME/etc/custom.properties
+	echo org.ops4j.pax.web.ssl.keystore=$SDNC_AAF_STORE_DIR/$SDNC_KEYSTORE >> $ODL_HOME/etc/custom.properties
 	echo org.ops4j.pax.web.ssl.password=$SDNC_KEYPASS >> $ODL_HOME/etc/custom.properties
 	echo org.ops4j.pax.web.ssl.keypassword=$SDNC_KEYPASS >> $ODL_HOME/etc/custom.properties
 fi
diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml
index da5d8f30d4..4511ca9125 100644
--- a/kubernetes/sdnc/templates/statefulset.yaml
+++ b/kubernetes/sdnc/templates/statefulset.yaml
@@ -1,4 +1,5 @@
 {{/*
+# Copyright © 2020 Samsung Electronics
 # Copyright © 2017 Amdocs, Bell Canada
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -208,6 +209,9 @@ spec:
           - mountPath: {{ .Values.config.binDir }}/installSdncDb.sh
             name: bin
             subPath: installSdncDb.sh
+          - mountPath: {{ .Values.config.ccsdkConfigDir }}/aaiclient.properties
+            name: properties
+            subPath: aaiclient.properties
           - mountPath: {{ .Values.config.configDir }}/aaiclient.properties
             name: properties
             subPath: aaiclient.properties
diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml
index 8cb7c339c7..99ff4b7760 100644
--- a/kubernetes/sdnc/values.yaml
+++ b/kubernetes/sdnc/values.yaml
@@ -1,3 +1,4 @@
+# Copyright © 2020 Samsung Electronics
 # Copyright © 2017 Amdocs, Bell Canada
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -159,6 +160,7 @@ config:
   peerODLCluster: 127.0.0.1
   isPrimaryCluster: true
   configDir: /opt/onap/sdnc/data/properties
+  ccsdkConfigDir: /opt/onap/ccsdk/data/properties
   dmaapTopic: SUCCESS
   dmaapPort: 3904
   logstashServiceName: log-ls
diff --git a/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks b/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks
new file mode 100644
index 0000000000..96931ce168
Binary files /dev/null and b/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks differ
diff --git a/kubernetes/so/charts/so-secrets/templates/secrets.yaml b/kubernetes/so/charts/so-secrets/templates/secrets.yaml
index 9a749638f0..5be2cc7c41 100644
--- a/kubernetes/so/charts/so-secrets/templates/secrets.yaml
+++ b/kubernetes/so/charts/so-secrets/templates/secrets.yaml
@@ -25,3 +25,16 @@ data:
   trustStorePassword: {{ .Values.global.client.certs.trustStorePassword }}
   keyStorePassword: {{ .Values.global.client.certs.keyStorePassword}}
 type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "common.release" . }}-so-truststore-secret
+  namespace: {{ include "common.namespace" . }}
+  labels:
+    app: {{ include "common.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }}
diff --git a/kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml b/kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml
index 00b36a838e..a720753f47 100755
--- a/kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml
+++ b/kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml
@@ -40,17 +40,17 @@ spec:
         image: {{ include "common.repository" . }}/{{ .Values.image }}
         resources:
 {{ include "common.resources" . | indent 12 }}
-         {{- if eq .Values.global.security.aaf.enabled true }}
         env:
         - name: TRUSTSTORE
-          value: /app/org.onap.so.trust.jks
+          value: {{ .Values.global.client.certs.truststore }}
         - name: TRUSTSTORE_PASSWORD
           valueFrom:
             secretKeyRef:
               name: {{ .Release.Name}}-so-client-certs-secret
               key: trustStorePassword
+        {{ if eq .Values.global.security.aaf.enabled true }}
         - name: KEYSTORE
-          value: /app/org.onap.so.jks
+          value: {{ .Values.global.client.certs.keystore }}
         - name: KEYSTORE_PASSWORD
           valueFrom:
             secretKeyRef:
@@ -67,6 +67,9 @@ spec:
         - name: config
           mountPath: /app/config
           readOnly: true
+        - name: {{ include "common.fullname" . }}-truststore
+          mountPath: /app/client
+          readonly: true
         livenessProbe:
           tcpSocket:
             port: {{ index .Values.livenessProbe.port }}
@@ -84,5 +87,8 @@ spec:
       - name: config
         configMap:
             name: {{ include "common.fullname" . }}-app-configmap
+      - name:  {{ include "common.fullname" . }}-truststore
+        secret:
+          secretName: {{ include "common.release" . }}-so-truststore-secret
       imagePullSecrets:
         - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/so/values.yaml b/kubernetes/so/values.yaml
index 4cf991ea60..e9c5637eef 100755
--- a/kubernetes/so/values.yaml
+++ b/kubernetes/so/values.yaml
@@ -60,8 +60,8 @@ global:
     defaultCloudOwner: onap
     cadi:
       cadiLoglevel: DEBUG
-      cadiKeyFile: /app/org.onap.so.keyfile
-      cadiTrustStore: /app/org.onap.so.trust.jks
+      cadiKeyFile: /app/client/org.onap.so.keyfile
+      cadiTrustStore: /app/client/org.onap.so.trust.jks
       cadiTruststorePassword: enc:MFpuxKeYK6Eo6QXjDUjtOBbp0FthY7SB4mKSIJm_RWC
       cadiLatitude: 38.4329
       cadiLongitude: -90.43248
@@ -73,7 +73,9 @@ global:
     msoKey: 07a7159d3bf51a0e53be7a8f89699be7
   client:
     certs:
-      trustStorePassword: b25hcDRzbw==
+      truststore: /app/client/org.onap.so.trust.jks
+      keystore: /app/client/org.onap.so.jks
+      trustStorePassword: LHN4Iy5DKlcpXXdWZ0pDNmNjRkhJIzpI
       keyStorePassword: c280b25hcA==
   certificates:
     path: /etc/ssl/certs