From af82e2bec90f84bdfcda11ff7c240985b6ab8201 Mon Sep 17 00:00:00 2001 From: Piotr Marcinkiewicz Date: Thu, 11 Feb 2021 11:23:31 +0100 Subject: [PATCH] [SDNC] Fix issue with certs from CMPv2 by Netconf (TLS) - correct cmpv2Certificate to take outputType from 'certificates' - add postStart hook for CertManagerIntegration to make cert dir writable - add setting ODL_CERT_DIR env Issue-ID: SDNC-1477 Signed-off-by: Piotr Marcinkiewicz Change-Id: I4531392cc4f113b173d10a27b98b1fe97d6faa4d --- .../templates/_certificate.tpl | 20 +++++++++++++++++++- .../templates/_certServiceClient.tpl | 12 +++++++++--- kubernetes/sdnc/templates/statefulset.yaml | 13 ++++++++++++- 3 files changed, 40 insertions(+), 5 deletions(-) diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl index 4e43f621de..f820c30ca9 100644 --- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl +++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl @@ -181,8 +181,10 @@ spec: {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} {{- range $i, $certificate := $dot.Values.certificates -}} {{- $mountPath := $certificate.mountPath -}} -- mountPath: {{ $mountPath }} +- mountPath: {{ (printf "%s/secret-%d" $mountPath $i) }} name: certmanager-certs-volume-{{ $i }} +- mountPath: {{ $mountPath }} + name: certmanager-certs-volume-{{ $i }}-dir {{- end -}} {{- end -}} @@ -194,6 +196,8 @@ spec: {{- range $i, $certificate := $certificates -}} {{- $name := include "common.fullname" $dot -}} {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +- name: certmanager-certs-volume-{{ $i }}-dir + emptyDir: {} - name: certmanager-certs-volume-{{ $i }} projected: sources: @@ -217,3 +221,17 @@ spec: {{- end }} {{- end -}} {{- end -}} + +{{- define "common.certManager.linkVolumeMounts" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} +{{- $certificates := $dot.Values.certificates -}} +{{- $certsLinkCommand := "" -}} + {{- range $i, $certificate := $certificates -}} + {{- $destnationPath := (required "'mountPath' for Certificate is required." $certificate.mountPath) -}} + {{- $sourcePath := (printf "%s/secret-%d/*" $destnationPath $i) -}} + {{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}} + {{- end -}} +{{ $certsLinkCommand }} +{{- end -}} diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl index 57e6c69b1f..58cc9c7249 100644 --- a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl +++ b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl @@ -27,7 +27,9 @@ Full example (other fields are ignored): certificates: - mountPath: /var/custom-certs caName: RA - outputType: JKS + keystore: + outputType: + - jks commonName: common-name dnsNames: - dns-name-1 @@ -65,7 +67,7 @@ There also need to be some includes used in a target component deployment (inden {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} {{- range $index, $certificate := $dot.Values.certificates -}} {{/*# General certifiacate attributes #*/}} -{{- $commonName := $certificate.commonName -}} +{{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}} {{/*# SAN's #*/}} {{- $dnsNames := default (list) $certificate.dnsNames -}} {{- $ipAddresses := default (list) $certificate.ipAddresses -}} @@ -87,7 +89,11 @@ There also need to be some includes used in a target component deployment (inden {{- $orgUnit := $certificate.subject.organizationalUnit -}} {{- end -}} {{- $caName := default $subchartGlobal.platform.certServiceClient.envVariables.caName $certificate.caName -}} -{{- $outputType := default $subchartGlobal.platform.certServiceClient.envVariables.outputType $certificate.outputType -}} +{{- $outputType := $subchartGlobal.platform.certServiceClient.envVariables.outputType -}} +{{- if $certificate.keystore -}} +{{- $outputTypeList := (required "'outputType' in 'keystore' section is required." $certificate.keystore.outputType) -}} +{{- $outputType = mustFirst ($outputTypeList) | upper -}} +{{- end -}} {{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}} {{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}} {{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}} diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml index 7441dacd23..96fa3378fb 100644 --- a/kubernetes/sdnc/templates/statefulset.yaml +++ b/kubernetes/sdnc/templates/statefulset.yaml @@ -128,6 +128,13 @@ spec: - name: {{ include "common.name" . }} image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }} imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + {{- if and .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }} + {{- $linkCommand := include "common.certManager.linkVolumeMounts" . }} + lifecycle: + postStart: + exec: + command: ["sh", "-c", {{$linkCommand | quote}} ] + {{- end }} command: ["/bin/bash"] args: ["-c", "/opt/onap/sdnc/bin/createLinks.sh ; /opt/onap/sdnc/bin/startODL.sh"] ports: @@ -197,7 +204,11 @@ spec: {{- if .Values.config.sdnr.sdnrdbTrustAllCerts }} - name: SDNRDBTRUSTALLCERTS value: "true" - {{ end }} + {{- end }} + {{- if .Values.global.cmpv2Enabled }} + - name: ODL_CERT_DIR + value: {{ (mustFirst (.Values.certificates)).mountPath }} + {{- end }} volumeMounts: {{ include "common.certInitializer.volumeMount" . | indent 10 }} -- 2.16.6