From bca68e048a74ac3754e76ed738090402f7cbfd13 Mon Sep 17 00:00:00 2001 From: EmmettCox Date: Thu, 27 Feb 2020 14:20:52 +0000 Subject: [PATCH] [AAF] Add CMPv2 Cert Service This new micro service allows retrieval of certificates using the CMPv2 protocol and relays the requests to a CA server (such as the EJBCA provided in the contrib folder). Issue-ID: AAF-1083 Change-Id: Ib3acba3d071533ad933d043f067147e8406d8fa8 Signed-off-by: EmmettCox 
Signed-off-by: Sylvain Desbureaux --- docs/oom_hardcoded_certificates.rst | 2 + kubernetes/aaf/charts/aaf-cert-service/.helmignore | 22 ++++ kubernetes/aaf/charts/aaf-cert-service/Chart.yaml | 18 +++ .../resources/certServiceClient-keystore.jks | Bin 0 -> 4087 bytes .../resources/certServiceServer-keystore.jks | Bin 0 -> 4126 bytes .../resources/certServiceServer-keystore.p12 | Bin 0 -> 4691 bytes .../resources/default/cmpServers.json | 3 + .../aaf/charts/aaf-cert-service/resources/root.crt | 32 +++++ .../resources/test/cmpServers.json | 24 ++++ .../aaf-cert-service/resources/truststore.jks | Bin 0 -> 1722 bytes .../aaf-cert-service/templates/deployment.yaml | 123 ++++++++++++++++++ .../charts/aaf-cert-service/templates/secret.yaml | 56 ++++++++ .../charts/aaf-cert-service/templates/service.yaml | 17 +++ kubernetes/aaf/charts/aaf-cert-service/values.yaml | 141 +++++++++++++++++++++ kubernetes/aaf/values.yaml | 6 + .../overrides/aaf-cert-service-environment.yaml | 47 +++++++ kubernetes/onap/values.yaml | 21 +++ 17 files changed, 512 insertions(+) create mode 100644 kubernetes/aaf/charts/aaf-cert-service/.helmignore create mode 100644 kubernetes/aaf/charts/aaf-cert-service/Chart.yaml create mode 100644 kubernetes/aaf/charts/aaf-cert-service/resources/certServiceClient-keystore.jks create mode 100644 kubernetes/aaf/charts/aaf-cert-service/resources/certServiceServer-keystore.jks create mode 100644 kubernetes/aaf/charts/aaf-cert-service/resources/certServiceServer-keystore.p12 create mode 100644 kubernetes/aaf/charts/aaf-cert-service/resources/default/cmpServers.json create mode 100644 kubernetes/aaf/charts/aaf-cert-service/resources/root.crt create mode 100644 kubernetes/aaf/charts/aaf-cert-service/resources/test/cmpServers.json create mode 100644 kubernetes/aaf/charts/aaf-cert-service/resources/truststore.jks create mode 100644 kubernetes/aaf/charts/aaf-cert-service/templates/deployment.yaml create mode 100644 
kubernetes/aaf/charts/aaf-cert-service/templates/secret.yaml create mode 100644 kubernetes/aaf/charts/aaf-cert-service/templates/service.yaml create mode 100644 kubernetes/aaf/charts/aaf-cert-service/values.yaml create mode 100644 kubernetes/onap/resources/overrides/aaf-cert-service-environment.yaml diff --git a/docs/oom_hardcoded_certificates.rst b/docs/oom_hardcoded_certificates.rst index 9cf11c5b26..46d74cd12c 100644 --- a/docs/oom_hardcoded_certificates.rst +++ b/docs/oom_hardcoded_certificates.rst @@ -14,6 +14,8 @@ Here's the list of these certificates: +-----------------------------------------------------------------------------------------------------------------------------------------------------+ | Project | ONAP Certificate | Own Certificate | MSB Certificate | Path | +==================+==================+==================+============================================================================================+ + | AAF | No | Yes | No | aaf/charts/aaf-cert-service/resources/ | + +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ | AAI | Yes | No | No | aai/oom/resources/config/haproxy/aai.pem | +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ | AAI | Yes | No | No | aai/oom/resources/config/aai/aai_keystore | diff --git a/kubernetes/aaf/charts/aaf-cert-service/.helmignore b/kubernetes/aaf/charts/aaf-cert-service/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/kubernetes/aaf/charts/aaf-cert-service/.helmignore 
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/kubernetes/aaf/charts/aaf-cert-service/Chart.yaml b/kubernetes/aaf/charts/aaf-cert-service/Chart.yaml
new file mode 100644
index 0000000000..525b2ac4b6
--- /dev/null
+++ b/kubernetes/aaf/charts/aaf-cert-service/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2020 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: ONAP AAF Cert Service
+name: aaf-cert-service
+version: 6.0.0
diff --git a/kubernetes/aaf/charts/aaf-cert-service/resources/certServiceClient-keystore.jks b/kubernetes/aaf/charts/aaf-cert-service/resources/certServiceClient-keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..f24908c55dbb0abb8d38450f0c7c42b03dbfb369 GIT binary patch literal 4087 zcmc(hXH-+&(#KP2p$AZqUJW$?B?b_bDhkqjl_o6&L+=ozC?L{{f)puIg3_c&6B|XE z2+~175TrK=B5%~^z3W-`xu5Qr`(dwhX7;RE|1)RyZ}!i%pKAaB07PEE-;2rK5%2Bg zi1&4|ceHnRarE#e@7z){sB#AYpdcgx@)Jo zr5vZ~)Ec+#q~$E%u=3POLAF~~XFjJ)N96&?VcX(nTV@&%(4iWx{w00J>`|5I7kdl_ z{RH~$!HK?m)H+y)Z-jI)%~kt7@G?O~^;{{psCerzdK`o@QE6TU6JhH*^ zD5IO{qhCdNh=1Y16UtxmNg8V?Mm{TbA?TH?=?JH|M1o0 zLw_LRU!7KQnLAu_)3T{qu?miL@JntQM`D@^Lm>*&M_?+VJfxG-N%>zTxtJB zyx5~hs(RP@{ewL1oLa7aQ2)@i^p~$K7<@m5Q-d zTD+XX7p4+=H<>(HKgVHtsBEBRD){!&ZcC=54fMG5xfr4lr;Gz5%@p@)2Vx}c70D~0 z#&)MN(ar6iO18&WNg*$$p^{|EO3H#-g-Ky$j3wo_84<}xMgodw4AQO##KwGLaL(1^ zJ3tVf??#6Qs-c&&cZ+Y+W zIb$Oo5ZyUltA5uJr_F~zl<{0t-=qoeS-Kk@lS0fIww?s>}FPN@$ zWo-ys)%k9`Acmc*k$W-@)D6tC|1|rqGRObOQjfEa^0rZSl`wCf+|TbzD^ha2v8 z&X!PMw>4W&f4=D~2JOk6e+DF3w7=lU(w{$j-z!iS05TANAPJy_JTM3d0zsr`{jVYED5yoFuS6fv0fDsS2s{dg zq^1BHK`7uLT`d#~lKGcG1&68P+&uz#4cu>dxuF=zR3&>U;glwLoW1)EKNKqx{>wuH zr`5;dym?h{SkD_C0VpOU!!I`sPW9WZgTMLzE-;)5PmYwd$6=A&r|6`S$a6>;BnBlb zjWqvlqLI>nnaGH&|4tM)lJk!!)?Z`7;Ln&)`8_6habzj{NZvo{*#Egt*7f@f{>lM{ z|1-yL?F1nI-%CiIFkk|Zfm~@I4Tt~)0$S810$u2KqO`&^XuUobS%ykJG1HhMQ36U9 zZwkk{28WpBOP&e=-CQ!2_-cMMOuy5logyZ*!DYJ0!RChIzxoutrJeCiLN~Znm2Diy zyskjP#L#t4#6_pJf6tf*Xvu;d!7&O9!_fD2TleTAoxfMa_m%UQp=gY1qD!u0TRK?6 zCI_@SI2Tts6@qTeYm^;J7Qj2GU#vF^oT?DLmKZd-9F)BXS1>1_FSEc%&zii(G3idI%eYWnaFjVRLiq;CRa9 zo=ml?Yl_@C-QSJE1&2@}DS*He5DS%GfjR7I4WE@#^oh$m_Bsc9DS8sSDME#?20H;xhmedXJ!w2OB1R0Er zXY)>17>mTIs!(%bhdcQ-tPiM9=!M2=%U;I_y(_(3il8{qL0KBFQSy&W|74=`ea!x5 zEB)1e5`NmvGjDz8x?iho!$rm1TTku$FwK`l zO?UcB*E7Qa@!P&8?O7|GFV_4-hV8uVO&DlMSzrA#IssWZ+s6sLj&27(jcIBNP_rZT z)!O)|y38JNe?y)yp+GifD|nw))(toQc7XA=v1hpw{K) z{bKvnaQnX9%WwKCRP>4^6{7d0uRQ46qw1o_luZlSJY)QA;e4@O#Hp4Mml&Zcl(2~n zM+q9QF4(l!++Y0t#r44_vo^3?r 
zsODNU9@tfxJj*u9HvV-?Upai>(i3pX84p=@Lq1x=kM-Re<cY z9lcCEN52o#m$roT5#lMz3nwr}2KQ<3GhfK9R@|{LAAMj2SYP<^Na}EYZL|&tRnUK4 zHq_ckfof8I#T0&V>xtAPJ{f0Lpr)TnFB|S`QAxbG2l+4`PhH!yV^Ag=w|YgnbPdx-=Ee9`O9<8IXjx7uUc8}EVBH_` z3BbAyco=XgC!+I*Uj-LfXuz%eJxZq^GL!d}7`SEWD?l+<>`)-&H zX_gP`Hx5xd=-_0VTBMp(upQoXg7eN{fuGb1_bp}wcoiev5ZMFVN<4a^)RkPT6-<;& zRvozb(xnTHwg-(`yl!%z7&dW-R^v@hPj`e!EidA3*Vq(IBaC?=9Fw13$Mgmp1~yBJ zobu8tJ_^QoCZ8_7A1@;!{hm8{k6k>gxrY<3+-45AYQFd62x=g-0id+2Ej2NC z;dQptL4!>I8-?hMSCnG5ye2ogJ{Z%SE-D&CnVlD_`c}eRnBA+pLnJI0;_^7C;sh`q zRhi$!j8+JWO2nIYYza<~!u{OBtB4XtJfd959^RU5Q^UHnbU{0en>Nk1yFM0u?Mqae z0%0iV*$184b1|{bm*C#u_sMs71K~9{4HDIV%Ci(h3^y|pid9Vk&F97v?y!GX16Rgf zT9mEs`8FByqVnRI%OV!qTJp9`>gs;Jv5Jb^%N41t({F>c)*;My*Pggp1VUmq9u{@Q z%MoYh8#q7Jc9t-Y4Ty5u&p96{Y$Vs76)%pA=nml`3FgsFrKG17fA&or&v@;4k?Bw- zrt@6PfVI4~$e^E2YlGH_GOJxz)5ay@w)B+x$9VP<=VB6qXaNOnWn8o>3#e#oK^#?1=LW_^l+7Ze z$^tkjQ48w<8tk@X8zl!zuazFHxeBA5$vlktp)?TwS1W?0p3&rS>f5xZ&FvURbrp6) z{`Nq)d8f)p-b9f1l;Da> zJ*_@9a4;TvW3Iq8Zr53~ zQgFAR|8ix`O>dn5Wy9k32=4n5sH2RWt`mae!4J~n&*?qOkwyCJrdBdQV&;1tfAgjN zNBRbtDen?tVFP)gbEXI1Mt}A(gm?p?I-g9z?^eE3`r`ebS}Tk5hL#VPOnha2gBZ1X zFzu-@f7H^PGq=kYP~!UWN`la38pVTwbI?_)mz!vzNSWI+=fk;#n@*`)Z}h*8aZ;Gt zuzL4l_*f`4=lGr=XsSB=vZ{f8wV~^zaWm{dNRfDVLcvbB-?x&#Sm6%cJH|wXH>HgR zDDl?JyLoS=Ey?cPv=8>Y@^MP?@FAUTP>6KUi=p{GgWjxIQL|xXwq&89XLC`;OJ?eJyBhOvm_b-lq<7XzBq%h0~=1%7RNA=X`7E!?B)-$=r;@U{g(p z@4VOs+ZG`U_PS|`q+C8Wu+n_xlY?WY;6RnV>SO#RBoTvIl8%U|%w1MA%ix+tT!-5l zy`(ZX@Eo3#F@ zOE&xQl!n`hJ=N^sFnPD%Ph`a{!q9f8ouVJn5IfhJcm)Amxl`d#HBgbP&0ktR%vxtE z#^#Zee4@WP@?b^HK*OTpuE-CIJ`7K=9|M!{ad-aS@@izZ<;MB1?8L{t)*p$QYT0P{ z*y~dcMGPmqgs14QlaO{%sHLBGvy~>NSUDcQ>xJ|_oK5h#gi$k z!TndnZ&s4oNXf&LNk9~VVabGGSTHRC3<82c5G$227Z@Eml~|lX+#VeeNJ|EQq2M$y zDsr$Dgd7SoGlsLkn9mGKD2*=C$1jB6!p9}R8_r0gD#=R$rMQkly85^T!C7I@GY>VC z)*OjM^XnjeZ@c(~z?onSXKorO@l*hkaU??Su6e;D3^o8-U)5*YKaxht#GF(AM z=EiSR5hn956BeEE|4WJw#`7mB)-#2$_#+T!9RkIVB&8w%f-1rGa6A0)MR@NnF5KAOnEprv_nxKtO(9WIT0+by+2p{tA1+MM*d)Il$;bK=I7j 
z(V$WB@-1Kdqq5|uEz$*ph63MQOZBXTv^34x5jeD}?uTvAT6)TiMj`#S!&kOFhw*iv z?Y9Zq^d;K2dgKkam7CmK{Mz-diOD6XI#Ibk)N^98{CT5^dcyx`Uuz#4n7Rho`_mXOX8 zi$onS7uVFCEU_t==-DtypHCs@V7%DBl^RRsgLHNA@k9ooe{U#WD1;J5P6`JB0kCst za|IzBFt#WbT!ww>YU!tq`sc4>SMVUS>r7PTf8H$&VS}-dQK+V;Kku->_MsdE-ymWoOyrnjkz*IweigrH7bH;Kc5|3!>+x5NulE9_2zN) z3!xSSHdhHz21d|m!B1E;8EQnDafS&NUAhnWEGC2#$Q;Nbkq#D{e8?38qO`up3Ewt> zKTb|KSUk2m$t;+5Nu;j8q{Fnlp1MbOVY^nJF`*Et7_W03G4VMXDLpv8IW5t}B3FbV zJk-HWPxC;!!NqcXVXBjkheX>3L{n(fXW!P-THh;}4GPhqS`^b*24DgGE6r+b&;MAW zr{w;L0?`!XQZ9IrM^YRuRr!Ycz6K(-l4UP~;_#v8KzH#F+rg>ImtVGgC(KpZSESBA zqfg$jZg{DW;V>Nw1^|e+9cC&O^`{4?!dzl1|k< z;>Lhf`M8^PMZFO2)oNr+-ZiCLj)R?&uXvZOhj(;lMA*jJran)aYex-h6@k;a{S-JY z&(m6t)%59?$h>$YDjdelz$cM~4S5L6R9q{Uqu-@5m$8QoVUx&93Z|8vCBW$o9=hIc89PjJH;p(RevZ6P}vmkFzynuu1pO_q1e7G zmAsg_(;C5hssmRK;$s!(%C}u(Ush-yf&>_(nit;@ewO#s%lok3mG7jrLQ*7&Y(p@l|&nquh6Pe`bkGVtOfltp(4zofcds;&F%L1ZM{>l?b6mj=i0PM zAJ6pb@>l^T_Moj(@N)uV;z4ob)herWMS({j$goKp{q`9sd+x7WZ*0E((F2mw|3wY{ zPhg+j8F-;*YCr}9le+&paK904KjdOFVpuY2UOz(Rb``16@LIY-$F~hlC$#7p89Jd? zuxmFb$gdIOEs7uJ(>!-gjH--xqm+q)$)OFI^kP-1-g&RynBQAvf?*4J;4szTUhzZt z@O9Ju*h;6uSy5|#2-nO+SNuSjWoVDLn0yzq zccRKdgjjB6;fT66fJV7V+&#|y%iyy6TFVNr`oGMCHUhpPIV{HG`pNT1?OR%vhy*bv zx-XpfP>4YHF+KAkaUn2yDys{j&U7Ff-ys)2?5JvT@m<~rk3ZPuH;4d1lNzsr2o m8%yGR?nyipEw>{BZI|Y0tP0V^dl-<37K`(JI4p*!e)%UQHr2)e literal 0 HcmV?d00001 
diff --git a/kubernetes/aaf/charts/aaf-cert-service/resources/certServiceServer-keystore.p12 b/kubernetes/aaf/charts/aaf-cert-service/resources/certServiceServer-keystore.p12 new file mode 100644 index 0000000000000000000000000000000000000000..2106c817efbe3c69fc3ad4970fde274e24d9018d GIT binary patch literal 4691 zcmY+EbyO6Lw#8?Np*tNykgks*hEN)$8>EC8=`LvyfdPh)lA%$$kq+rbaOjXuK}5Pc zp7*Zz?p<%4b=KKypR>=OKL~G=L6GBu@VJr6$V(z14loBnc8!G~JBJ|1jv)x_ z!2h?xcELhmJN&h6{?_)G&5?+F~tQ5RjRS0n0TZfd69cjFt{ z+R!u`D!(t48`0oa8y*%JA2h=@h|QF{;bos}D(K_((??yfX8bH-5T>K+rzH`!d*X>& zo|Tqq^PpLE559UR0ZRa?S!?IL=Y?W7DZC3C*Q~UBHL5!`* zb4Ee_ES1lBjU(BW+@Y;rj>#`5M%qc2o;Qt8hddS9%;F$Sp&&YN16oX>b3gHd)0c=A zaM_ivjlsEjU}Y7wN@(*6%EAQ)wM}qq-n_OP?Fe{_RlqjrUP5;5-I}iTJuglpq2SuD zyU6ZS9xVWM(ZO`WS(|Jbo?w(TR#cWhO5*j>_>l+q&>uPV+1W{ms!)EnuLy6%0 z=6Yz2_@WZ+Ah8(Rd|G`9_sUrxR}8xssDRT0nS<5L@G@ zMaFX9JM1~66(a=%@fc}Y|Fk*dwV8FT`trx0i9Y&l z4+?McVW$mZTwAgytADhev@8cl+|w}Y(%KJppMeBx@4+*<&uhf zP5}NwTTbX@nIq#miIZNmu2!3iz2D$%Q~;@bLQ6=N|J%6IO$vDtDl%rF*QX@*y(sFt z`G=qi90O0J4%&~Ky(r{4qepFzzeerr@WK&!1f9Cr8GGO2LWBP?v}}yZT-Ky;z6NP| ziM3bws5~W(IFKsV=}C+f-MzTB&D{D0I1{foM20#drGis$&(KLe!4t=|yh zzfKeUH+6#%gtU2%4f`P6Sh5=VsZNqNzZ(JtCIj>QMIAejF|&hr z@#(Vz7zKL?Vuk!!G*&?r(a}6|J}l}UE4PEsL%_3%>cNo&20;6gq0!>8-y8v`c|@_& z`*;FqC@wOY)|tN|ofLQW%U953w3u~hFN*>5aHS~Mo%5scVpR0bcN^uJXg1z-yxX6~ z36Ztq!in^L`@~dn#cmv}2db&$S&_D6k%}5}osFa>NObf>vs@SIog$cRuB-o!EV#~7 zwMT3t^P?dtZ3~aSJT>m3?dwxV0li(SH@lI?if{rvTwt2rmyu>!2BWH{K}>Xg#A#X+ zKC+r7t;%@~jn?J;aqYG?+$k444Y4O4o9fATQ6}<)`Q!>%XQ(--F_2uYSf+?(vM*+W zoK#@5U003Q#BrF;%jZo zlUcwx}QxO z?>RbDe37!-q-*$33TX%)>L?WjtL63)`9u%MaGNYICo2(Olc{A``ZAd@%A~n6iFk>p zcbXWOgiBTBPNV&2LaWI6@%TFe$7au?BNX@pqr2p`F3xZlXutq(hLMfPpb(Hf?evb} zDa=*x6Vq>@U(Z(xhVEG7>)o{F7z{_q(-n7ujZP;*{HhINNW&kzYRVLO_?k&UU4`U1 zXk%d4h9H^EJ^^+Ul>0}hFWaKHtM_HA_omH5&)W2YT7*YS5|X}tJLH2ZCakI`lf*xl z>71U9%k$w(M1zv7DbvYZ^ASu|ng7lZQn)h>TeF?juSq6I9Hz;MQ~@_>93_Y$^Mh=nSWT>vz}a zvT6-kv4tIq-<(p~Dnp+K-Y(omM+y{tzyh&;u7>)!@jNnzf~Qph?O{x*7t>)X-Go5M 
zSP%suPm_YG^%;hlldIy`oX^kYP+L!+fA0}MaS7+0_en)A2TgX~QAbPd9p5r%941X9 zXbCkMk0XN4plrfPene*_xQ4j1u<-sM643INvBGU+HztYa4KCj}9P_GAKVxE(SR{QI zs^_7|8@9nQRFlK{nt@emB5YooxIP_IP=~o)t@A{Me}(rTLxpbx_vBt%tq_q8CY@I89807@gH@GmZ)M zxJanb#HTAuRL|%9hE7lqYs$KTM47w5P5;_4JCz~+##A!vAL&Nzo0j56?WnH&m+m-; zy}(cKS8|HzN(z-?4tyons{7jT!Kd3i8sgFqEC!|WG-CwJW{_nvuAx~YXh@BZPX1zI zt7K^cAewsSQ+*ap>Hc0C7_g1QK4O12k9!`F&vm~kR)9~TM61_wFU}66g?#Sw^yhaV z?E123`PpnVl<~Wx_aQ&&X;^3Iut)A?2Aik;a3#nKye!K=pi4^X@q&mm6n#Uz=tP|N zPO!8g+z4T;x*o(sfqPTQ@-mfNVdwN1Q&>rwgEy!_R|Vzr(FB-9udvwY_X|ODb(*GW z<);&LH|Y@igj3dV%US`-PFG>s$=j?}qe|R4X&eFDyW+y+$j`Ko-%bzU3xMTHWS{2{ zYvFgdoqe!h-qBF@7G=46SGV45B(Zr)C7+Dj#Kk*&|1Rk`D(OZ}l2-ewh^C-HMX$|& zbW#$3?w?YhexUu9pK-z5Tdyyw?N;!zvFCXKN<93wZ091}JTwdKgz8Ujjx>s<^d&`Y@YB=muG}dW*LEnqPT9I@Zy1Vv3=OW)NUf~E$dZF8L0Vyb4?7ci zdxe9z$EAUe;m9!@>#r?Z5*R*Vj^b-SX&7&xxtjWl0bm&~(MLt+r)=9nGJ=7VyJxHs zc3xyw>8vUGihy4<{*W{ab?}Kab&x>e0L2(rr&%)=YEc-jFwa)dFSwug zhNY(R>NMFaKE*NZ*0}kg1-D!5LKQzMoXs1pC+QNVFwb${lS4B(ryV`F53$|S38+dj zA6HFEN54Ny{osu={l49(nr-g7R>K!x$Gt<218UPNzju#A>LG;bLU{|tje6`%DEt+@XR~dfW8Xg=+HK-(v45NTd zNXMv)agSJ{vmgOX{oZNQoB|YjUyF z)$z5Y(uEia zvinT4cOkG%NMVxsO>_Al3-!+_HjnuO`|+~GXCLu{3KH${=@Z;8=X|wAYZ7lJ(wArZ zm-(v7i0WSO(uTNre(1tZV`&p{ni=kr2U$59#;OcQn*~Dx)N$f8V7ryy&UFBfn%}u)hQG1Pz z$CLzH68Qm%>SL>{L=hAnz1&G?Nm!VslLE;Uy8z!9XN*d>2Ox~#cGynrmboJ?CIMOxb!QQ>pUU4mxEIwxGQ4Md;Pq^hG0i&9Hv>9Py z9B{BU4Ow_`o4oU;h9+C+P9f5jB+WxC%IM6HnJv8{En=(|->Ta#Xzk>zJpYSyy==q+ z9IVFT)jIJ2mb3WcA0aJb$;HUrRI{J6!oX%8h%)_FP!q?_$tMqyf-pnyK-fIQm>6Je z02XDUY!@-SP?@HUY9J0UBC*%R32?!ptiyX{eArQ{^@ctypQ2dILbFIm0s{cUP=JC40BLgQX&X64bt^`=;ZL35U~(9Z_LPX-M|$kk zIoj|Jy6L0|FSQfi{gK4#mGQteW3pe6+F8<2cbeA->1Ty^{zQ8;4K-4u^WvqJrF@8z z#?#Ypm^ZR!;5cn=O3AVVWN&Dq2>Da*C!y2Y>@5_>X z-b>Fh7-g%NM=Gx$YrpjbCM(O@!u4L{<8{_SN6P+oX*Yo5_e&8$pX_;z%UwH!Qqur- zfFH^euHMe$s2`9-uM#$0LLCbFuc=J_1`siZf?yLq;@uRY`0dV^8fu6b%>0}{Hu3{P z2L}z+%haiv?}kF`);igKk3X=187f&Ze^-6PHi13(FHP|qnF+kVLP=FRbw-tLsbua} z@tI;ud5QfmaPVSzp%kD7?wl%}*QN|#q@51NTeu_lT#JD5tn>wrTt%Him9~L$qpd)c 
z$C$1!acema-IgwuU$(6DXxIzKoaCvit$^PjPjLNu9IbdRVZN#Uh(uVQ46iwT;_ zrt+5+3ujsW66UB18nI5MN9rg>E-aGG9zI_BV9mYvhx`E{n75dj3bw$lwZH6(0y|>k z%(&#oZt%z4AJwro^&@z3eA)dtg%yXcwiu51Upri5dSgvgo1%aqA-XP+L!fJbX9sJ0 zONi>soUGN^alyFQuSx&m%USJ4C?#_n3Z56hAm03zf<&YO${bRtpMkCK6t~U zKtO<=Wb2mz9i2yxZl>vkv~ybLQu8hy`+>UNB3Idy=h69G6pW+TARD~lDoCu3bi3AR z3_bQejE|3yfk`WX1>%9v%m3?YL@h*buBv2F%=7| zL@!G)TTrb|bGGN=*5kVd{DNnS&|)EG%(5&8b(PX1runA0teg4-7pO2e;r-n?GL=b0 z)KAd3Jjz89+96xmuN6D74lkfFwWtL-p0EFXIT>0J($V{pjwP5r>lU9-=@+P!9vv$SNjP4MHiOML&wy0I=QlvKVjqK zc}vl{4>&KTnPszsmSxH18A9~@H4t#XVWOMg|NPW+S~o;oTl{&|?a`?DG#9ZInr-oq zFa(lwqI8wuvlidHkqz-Zx}Nfsg?es9AIke6i{q%X}sVBYF8}4sVMndU4o<~KBh}jtqbC?LKWisocXtz z1DZ=5bG(L?jO!Pky-Nfcs+@$+Gfz_bT9Zqb&#=62QOB-lj=}MUC(PY{f3uJaE)|{L zs#poq360)fs*}wSPF(Ii!0>yA{6vO0lwGeMtW{r2v}*ZTc;ZZ<%uv96b5u;v{oQAr zB5D-l6jmD}+|ws-DniTNsL!t@0F{gyvP~uyhc?YFUS1d38p5^eXiR05+A1)@If`R7 zRD@mKEX+D#t5IGicj|0oZjGIiU@txqrlr@UP zlT`dcc%YWfKG<}8mJxDCe29{L6xa*JGQ7wl+=9#N#H_cy%Jpg_T&acPT!wN&7r;%~ zmEu;r4ATUxjy-KRN4ek+`fb!&(@6d2_Bm^5NYtM(%Ds+LQ;txJg%jtK1gQgm@Gwy- z_<-Kq-9RO5P)MRt?-Y#s!WVc3fTJW7r; zWISUGyx$uE0cyLM6c?8e0gv_wVo`>j)7qqR&lC1GyAeqg?F2hp;>0FjagQ`$ZITho zW^kF`bp>*mijsvTF^!H&Y+|}A@Oy-31%A3fr3WS!?))Hdp3q5E>0d1-K7OmNO9~gQ zL@+)uAutIB1uG5%0vZJX1Qe}2gt$9yT?9O?#L{Xxzkq;%Sr`Nqyd%}a`dA2ua^S-L QP+N65HcJ*|0s{etpglA>RsaA1 literal 0 HcmV?d00001 diff --git a/kubernetes/aaf/charts/aaf-cert-service/templates/deployment.yaml b/kubernetes/aaf/charts/aaf-cert-service/templates/deployment.yaml new file mode 100644 index 0000000000..76e610f169 --- /dev/null +++ b/kubernetes/aaf/charts/aaf-cert-service/templates/deployment.yaml 
@@ -0,0 +1,123 @@ +# Copyright © 2020, Nokia +# Modifications Copyright © 2020, Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.global.cmpv2Enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: {{- include "common.resourceMetadata" . | nindent 2 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: {{- include "common.selectors" . | nindent 4 }} + template: + metadata: {{- include "common.templateMetadata" . | nindent 6 }} + spec: + volumes: +{{- if .Values.global.addTestingComponents }} + - name: cmp-servers-template-volume + secret: + secretName: {{ .Values.cmpServers.secret.name }} + - name: {{ .Values.cmpServers.volume.name }} + emptyDir: + medium: Memory +{{- else }} + - name: {{ .Values.cmpServers.volume.name }} + secret: + secretName: {{ .Values.cmpServers.secret.name }} +{{- end }} + - name: {{ .Values.tls.server.volume.name }} + secret: + secretName: {{ .Values.tls.server.secret.name }} +{{- if .Values.global.addTestingComponents }} + initContainers: + - name: wait-for-ejbca + command: + - /root/ready.py + args: + - --container-name + - ejbca-ejbca + env: + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}" + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + - name: subsitute-envs + image: "{{ .Values.global.envsubstImage }}" + imagePullPolicy: {{ 
.Values.global.pullPolicy | default .Values.pullPolicy }} + command: ['sh', '-c', "cd /config-input && envsubst < cmpServers.json > {{ .Values.cmpServers.volume.mountPath }}/cmpServers.json"] + volumeMounts: + - name: cmp-servers-template-volume + mountPath: /config-input + readOnly: true + - name: {{ .Values.cmpServers.volume.name }} + mountPath: {{ .Values.cmpServers.volume.mountPath }} + readOnly: false + env: + - name: CLIENT_IAK + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-server-client-iak" "key" "password") | indent 14 }} + - name: CLIENT_RV + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cmp-config-client-rv" "key" "password") | indent 14 }} + - name: RA_IAK + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-server-ra-iak" "key" "password") | indent 14 }} + - name: RA_RV + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cmp-config-ra-rv" "key" "password") | indent 14 }} +{{- end }} + containers: + - name: {{ include "common.name" . }} + image: {{ .Values.repository }}/{{ .Values.image }} + imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} + ports: {{ include "common.containerPorts" . | nindent 10 }} + env: + - name: HTTPS_PORT + value: "{{ .Values.envs.httpsPort }}" + - name: KEYSTORE_PATH + value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.keystore.jksName }}" + - name: KEYSTORE_P12_PATH + value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.keystore.p12Name }}" + - name: TRUSTSTORE_PATH + value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.jksName }}" + - name: ROOT_CERT + value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.crtName }}" + - name: KEYSTORE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . 
"uid" "keystore-password" "key" "password") | indent 14 }} + - name: TRUSTSTORE_PASSWORD + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 14 }} + livenessProbe: + exec: + command: + - /bin/bash + - -c + - {{ .Values.liveness.command }} + initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }} + periodSeconds: {{ .Values.liveness.periodSeconds }} + readinessProbe: + exec: + command: + - /bin/bash + - -c + - {{ .Values.readiness.command }} + initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }} + periodSeconds: {{ .Values.readiness.periodSeconds }} + volumeMounts: + - name: {{ .Values.cmpServers.volume.name }} + mountPath: {{ .Values.cmpServers.volume.mountPath }} + readOnly: false + - name: {{ .Values.tls.server.volume.name }} + mountPath: {{ .Values.tls.server.volume.mountPath }} + readOnly: true + resources: {{ include "common.resources" . | nindent 12 }} +{{ end -}} diff --git a/kubernetes/aaf/charts/aaf-cert-service/templates/secret.yaml b/kubernetes/aaf/charts/aaf-cert-service/templates/secret.yaml new file mode 100644 index 0000000000..ac92f56487 --- /dev/null +++ b/kubernetes/aaf/charts/aaf-cert-service/templates/secret.yaml 
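Review bot: The service container mounts the cmpServers volume with `readOnly: false`, yet the only writer of that volume is the `subsitute-envs` init container, and on the non-testing path the volume is a Secret and is read-only regardless; the main container's mount should be `readOnly: true` in both cases so the rendered CA credentials cannot be altered from inside the service. The init container name `subsitute-envs` is misspelled and should be `substitute-envs`. The envsubst step expands CLIENT_IAK, CLIENT_RV, RA_IAK and RA_RV from Secrets into cmpServers.json on an emptyDir with `medium: Memory`, which is the right choice; a comment on that line such as `# memory-backed so the rendered credentials never reach node disk` would keep a later edit from dropping the medium.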
@@ -0,0 +1,56 @@ +# Copyright © 2020, Nokia +# Modifications Copyright © 2020, Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +{{- if .Values.global.cmpv2Enabled }} +{{ include "common.secretFast" . }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.cmpServers.secret.name }} +type: Opaque +data: +{{ if .Values.global.addTestingComponents }} + {{ (.Files.Glob "resources/test/cmpServers.json").AsSecrets }} +{{ else }} + {{ (.Files.Glob "resources/default/cmpServers.json").AsSecrets }} +{{ end }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.global.aaf.certServiceClient.secret.name | default .Values.tls.client.secret.defaultName }} +type: Opaque +data: + certServiceClient-keystore.jks: + {{ (.Files.Glob "resources/certServiceClient-keystore.jks").AsSecrets }} + truststore.jks: + {{ (.Files.Glob "resources/truststore.jks").AsSecrets }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.tls.server.secret.name }} +type: Opaque +data: + certServiceServer-keystore.jks: + {{ (.Files.Glob "resources/certServiceServer-keystore.jks").AsSecrets }} + certServiceServer-keystore.p12: + {{ (.Files.Glob "resources/certServiceServer-keystore.p12").AsSecrets }} + truststore.jks: + {{ (.Files.Glob "resources/truststore.jks").AsSecrets }} + root.crt: + {{ (.Files.Glob "resources/root.crt").AsSecrets }} +{{ end -}} \ No newline at end of file 
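Review bot: `.Files.Glob(...).AsSecrets` already renders a `<filename>: <base64>` line of its own, so writing `certServiceClient-keystore.jks:` on one line and the AsSecrets call on the next produces either a nested mapping under `data:` or a duplicate key, depending on the indentation that the collapsed diff does not show; the same pattern repeats for every entry of the client and server secrets in this file. If the explicit keys are intended, `certServiceClient-keystore.jks: {{ .Files.Get "resources/certServiceClient-keystore.jks" | b64enc }}` is unambiguous; otherwise drop the explicit keys and emit `{{ (.Files.Glob "resources/certServiceClient-keystore.jks").AsSecrets | indent 2 }}` alone. Worth checking against `helm template` output before merge. The file also lacks a trailing newline.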
diff --git a/kubernetes/aaf/charts/aaf-cert-service/templates/service.yaml b/kubernetes/aaf/charts/aaf-cert-service/templates/service.yaml
new file mode 100644
index 0000000000..60e2afa41d
--- /dev/null
+++ b/kubernetes/aaf/charts/aaf-cert-service/templates/service.yaml
@@ -0,0 +1,17 @@
+# Copyright © 2020, Nokia
+# Modifications Copyright © 2020, Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if .Values.global.cmpv2Enabled }}
+ {{ include "common.service" . }}
+{{ end -}}
\ No newline at end of file
diff --git a/kubernetes/aaf/charts/aaf-cert-service/values.yaml b/kubernetes/aaf/charts/aaf-cert-service/values.yaml
new file mode 100644
index 0000000000..c2bbecd81a
--- /dev/null
+++ b/kubernetes/aaf/charts/aaf-cert-service/values.yaml
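Review bot: The `{{ include "common.service" . }}` line appears indented under the `if`, whereas the equivalent `{{ include "common.secretFast" . }}` in secret.yaml of this commit sits at column 0; if common.service renders a multi-line document starting at column 0, only its first line picks up the indent and the rendered Service is not valid YAML. The diff's whitespace is collapsed here, so this needs confirming on `helm template` output rather than the source; if the indent is real, the fix is the single line `{{ include "common.service" . }}` at column 0. The file also lacks a trailing newline.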
@@ -0,0 +1,141 @@ +# Copyright © 2020, Nokia +# Modifications Copyright © 2020, Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Global +global: + envsubstImage: dibi/envsubst + +# Service configuration +service: + type: ClusterIP + ports: + - name: http + port: 8443 + port_protocol: http + + +# Deployment configuration +repository: nexus3.onap.org:10001 +image: onap/org.onap.aaf.certservice.aaf-certservice-api:1.0.0 +pullPolicy: Always +replicaCount: 1 + +liveness: + initialDelaySeconds: 60 + periodSeconds: 10 + command: curl https://localhost:$HTTPS_PORT/actuator/health --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD +readiness: + initialDelaySeconds: 30 + periodSeconds: 10 + command: curl https://localhost:$HTTPS_PORT/ready --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD + +flavor: small +resources: + small: + limits: + cpu: 0.5 + memory: 1Gi + requests: + cpu: 0.2 + memory: 512Mi + large: + limits: + cpu: 1 + memory: 2Gi + requests: + cpu: 0.4 + memory: 1Gi + unlimited: {} + + +# Application configuration +cmpServers: + secret: + name: aaf-cert-service-secret + volume: + name: aaf-cert-service-volume + mountPath: /etc/onap/aaf/certservice + +tls: + server: + secret: + name: aaf-cert-service-server-tls-secret + volume: + name: aaf-cert-service-server-tls-volume + mountPath: /etc/onap/aaf/certservice/certs/ + client: + secret: + defaultName: 
aaf-cert-service-client-tls-secret + +envs: + keystore: + jksName: certServiceServer-keystore.jks + p12Name: certServiceServer-keystore.p12 + truststore: + jksName: truststore.jks + crtName: root.crt + httpsPort: 8443 + +# External secrets with credentials can be provided to override default credentials defined below, +# by uncommenting and filling appropriate *ExternalSecret value +credentials: + tls: + keystorePassword: secret + truststorePassword: secret + #keystorePasswordExternalSecret: + #truststorePasswordExternalSecret: + # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled + cmp: + #clientIakExternalSecret: + #clientRvExternalSecret: + #raIakExternalSecret: + #raRvExternalSecret: + client: {} + # iak: mypassword + # rv: unused + ra: {} + # iak: mypassword + # rv: unused + +secrets: + - uid: keystore-password + name: '{{ include "common.release" . }}-keystore-password' + type: password + externalSecret: '{{ tpl (default "" .Values.credentials.tls.keystorePasswordExternalSecret) . }}' + password: '{{ .Values.credentials.tls.keystorePassword }}' + passwordPolicy: required + - uid: truststore-password + name: '{{ include "common.release" . }}-truststore-password' + type: password + externalSecret: '{{ tpl (default "" .Values.credentials.tls.truststorePasswordExternalSecret) . }}' + password: '{{ .Values.credentials.tls.truststorePassword }}' + passwordPolicy: required + # Below values are relevant only if global addTestingComponents flag is enabled + - uid: ejbca-server-client-iak + type: password + externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientIakExternalSecret) . }}' + password: '{{ .Values.credentials.cmp.client.iak }}' + - uid: cmp-config-client-rv + type: password + externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientRvExternalSecret) . 
}}' + password: '{{ .Values.credentials.cmp.client.rv }}' + - uid: ejbca-server-ra-iak + type: password + externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raIakExternalSecret) . }}' + password: '{{ .Values.credentials.cmp.ra.iak }}' + - uid: cmp-config-ra-rv + type: password + externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}' + password: '{{ .Values.credentials.cmp.ra.rv }}' diff --git a/kubernetes/aaf/values.yaml b/kubernetes/aaf/values.yaml index bedf243639..b1cb25419a 100644 --- a/kubernetes/aaf/values.yaml +++ b/kubernetes/aaf/values.yaml @@ -16,6 +16,7 @@ ################################################################# # Global configuration defaults. ################################################################# + global: nodePortPrefix: 302 # Readiness image @@ -40,6 +41,8 @@ global: #pullPolicy: IfNotPresent #repository: "nexus3.onap.org:10003" + cmpv2Enabled: true + addTestingComponents: false aaf: readiness: false image: onap/aaf/aaf_core:2.1.20 @@ -73,6 +76,9 @@ global: public_port: 31112 # Note: as hello is a sample app, find values in charts/aaf-hello/values.yaml + certServiceClient: + secret: + name: aaf-cert-service-client-tls-secret ################################################################# # Application configuration defaults. diff --git a/kubernetes/onap/resources/overrides/aaf-cert-service-environment.yaml b/kubernetes/onap/resources/overrides/aaf-cert-service-environment.yaml new file mode 100644 index 0000000000..da00f61e2f --- /dev/null +++ b/kubernetes/onap/resources/overrides/aaf-cert-service-environment.yaml 
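Review bot: `global.envsubstImage: dibi/envsubst` carries no tag or digest and, with the chart's `pullPolicy: Always`, the init container that renders the CMP server credentials into cmpServers.json runs whatever Docker Hub serves as `latest` at deploy time; the readiness image in the same Deployment is sourced from `global.readinessRepository`, and this image should likewise be pinned (`dibi/envsubst:<tag>` or `@sha256:<digest>`, placeholders) and ideally mirrored in the ONAP registry. The default `keystorePassword: secret` and `truststorePassword: secret` presumably open the keystores committed under resources/, which the probes hand to curl as a client certificate, so the .p12 holds a private key shared by every installation using the defaults; nothing in the file says the two must be replaced together. A comment above `credentials:` such as `# Defaults match the keystores shipped under resources/; for any non-test deployment replace the keystores and these passwords together` would make that expectation explicit.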
@@ -0,0 +1,47 @@ +# Copyright © 2020 Nordix Foundation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +################################################################# +# +# These overrides will affect all helm charts (ie. applications) +# that are listed below and are 'enabled'. +# +# +# This is specifically for the environments which take time to +# deploy ONAP. This increase in timeouts prevents false restarting of +# the pods during startup configuration. +# +# These timers have been tuned by the ONAP integration team. They +# have been tested and validated in the ONAP integration lab (Intel/Windriver lab). +# They are however indicative and may be adapted to your environment as they +# depend on the performance of the infrastructure you are installing ONAP on. +# +# Please note that these timers must remain reasonable, in other words, if +# your infrastructure is not performant enough, extending the timers to very +# large value may not fix all installation issues on over subscribed hardware. +# +################################################################# +global: + cmpv2Enabled: true + aaf: + certServiceClient: + envVariables: + # Certificate related + cmpv2Organization: "Linux-Foundation" + cmpv2OrganizationalUnit: "ONAP" + cmpv2Location: "San-Francisco" + cmpv2State: "California" + cmpv2Country: "US" + # Client configuration related + caName: "RA" 
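Review bot: The header comment describes timeout tuning for slow environments ("This increase in timeouts prevents false restarting of the pods ..."), but the file sets no timers; it enables CMPv2 and sets the certificate subject fields and CA name for the certServiceClient. The block reads as boilerplate carried over from another override file and should be replaced by a sentence that matches the content, e.g. `# Enables CMPv2 certificate retrieval for AAF and sets the subject fields the certServiceClient requests; apply alongside the aaf-cert-service chart.`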
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index 973613b464..dcbfd6d0cf 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -101,6 +101,27 @@ global: # Enabling CMPv2 cmpv2Enabled: true + aaf: + certServiceClient: + image: onap/org.onap.aaf.certservice.aaf-certservice-client:1.0.0 + secret: + name: aaf-cert-service-client-tls-secret + mountPath: /etc/onap/aaf/certservice/certs/ + envVariables: + # Certificate related + cmpv2Organization: "Linux-Foundation" + cmpv2OrganizationalUnit: "ONAP" + cmpv2Location: "San-Francisco" + cmpv2State: "California" + cmpv2Country: "US" + # Client configuration related + caName: "RA" + requestURL: "https://aaf-cert-service:8443/v1/certificate/" + requestTimeout: "20000" + keystorePath: "/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks" + keystorePassword: "secret" + truststorePath: "/etc/onap/aaf/certservice/certs/truststore.jks" + truststorePassword: "secret" # TLS # Set to false if you want to disable TLS for NodePorts. Be aware that this -- 2.16.6
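Review bot: `keystorePassword: "secret"` and `truststorePassword: "secret"` are added as plain literals under `global.aaf.certServiceClient.envVariables`, while the chart's own values.yaml in this same commit routes equivalent credentials through the `secrets:` list with `*ExternalSecret` overrides; these client-side passwords should use the same mechanism instead of a literal that every deployment inherits from the global values. `requestURL: "https://aaf-cert-service:8443/v1/certificate/"` duplicates the port from the chart's `service.ports`; a comment such as `# must track service.ports of aaf-cert-service` would keep the two in step. The enclosing `global:` mapping begins before this hunk.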