2 # Copyright © 2020 Bell Canada, Samsung Electronics
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
{{/*
Name of the volume the AAF agent writes its output into.
The same name is used by _initContainer (mounted at certInitializer.mountPath)
and by _volumeMount (mounted at certInitializer.appMountPath), so both sides
must go through this helper rather than spelling the name out.
*/}}
{{- define "common.certInitializer._aafConfigVolumeName" -}}
{{ include "common.fullname" . }}-aaf-config
{{/*
Fixed name of the volume carrying the helper scripts (retrieval_check.sh and,
when certInitializer.aaf_add_config is set, aaf-add-config.sh). It is backed
by the <fullname>-add-config ConfigMap declared in _volumes.
*/}}
{{- define "common.certInitializer._aafAddConfigVolumeName" -}}
{{ print "aaf-add-config" }}
Common templates to enable certificate initialization for applications.
In Deployments, Jobs and StatefulSets include the following (XX is the indentation required at the include site):
32 {{ include "common.certInitializer.initContainer" . | nindent XX }}
36 {{- include "common.certInitializer.volumeMount" . | nindent XX }}
38 {{- include "common.certInitializer.volume" . | nindent XX}}
{{- define "common.certInitializer._initContainer" -}}
{{- /*
Init container that runs the AAF agent so that the application's certificates
and CADI configuration land in the shared aaf-config volume.
Context: either the chart root (.) or a dict with "dot" and optionally "initRoot";
when "initRoot" is absent, .Values.certInitializer is used.
*/}}
{{- $dot := default . .dot -}}
{{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
{{- /* NOTE(review): $initName is not referenced anywhere in the visible part of this template. */}}
{{- $initName := default "certInitializer" -}}
{{- /* Context whose .Values are the certInitializer sub-values plus .global, so the shared helpers below resolve against them. */}}
{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
{{- /* Emit the readiness wait-for init containers configured in the certInitializer values (presumably the AAF services) ahead of the agent. */}}
{{ include "common.readinessCheck.waitFor" $subchartDot }}
- name: {{ include "common.name" $dot }}-aaf-config
image: {{ include "repositoryGenerator.repository" $subchartDot }}/{{ $subchartDot.Values.global.aafAgentImage }}
imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
{{- /* Directory the agent writes into; the application reads it through _volumeMount. */}}
- mountPath: {{ $initRoot.mountPath }}
name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
{{- /* ONAP truststores are provided as base64-encoded single files (subPath mounts); decoding is left to the agent image and is not visible here. */}}
- mountPath: /opt/app/aaf_config/cert/truststoreONAPall.jks.b64
subPath: truststoreONAPall.jks.b64
- mountPath: /opt/app/aaf_config/cert/truststoreONAP.p12.b64
subPath: truststoreONAP.p12.b64
{{- /* Helper scripts come from the <fullname>-add-config ConfigMap (see _volumes); aaf-add-config.sh is only mounted when aaf_add_config is set. */}}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
mountPath: /opt/app/aaf_config/bin/retrieval_check.sh
subPath: retrieval_check.sh
{{- if $initRoot.aaf_add_config }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh
subPath: aaf-add-config.sh
{{- /* Container script: run the agent, then source retrieval_check.sh (sourced rather than executed, so presumably it can abort the init container when retrieval failed — confirm against the script), then the optional add-config step. */}}
/opt/app/aaf_config/bin/agent.sh
. /opt/app/aaf_config/bin/retrieval_check.sh
{{- if $initRoot.aaf_add_config }}
/opt/app/aaf_config/bin/aaf-add-config.sh
{{- /* AAF agent identity and locator settings: the locator is reached over in-cluster HTTPS on port 8095 in the release namespace. */}}
value: "{{ $initRoot.fqi }}"
- name: aaf_locate_url
value: "https://aaf-locate.{{ $dot.Release.Namespace}}:8095"
- name: aaf_locator_container
- name: aaf_locator_container_ns
value: "{{ $dot.Release.Namespace }}"
- name: aaf_locator_fqdn
value: "{{ $initRoot.fqdn }}"
- name: aaf_locator_app_ns
value: "{{ $initRoot.app_ns }}"
{{- /* Deployer credentials are injected from the deployer-creds secret as environment variables of this init container only; they never appear as plain values in the manifest. */}}
{{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "login") | indent 6 }}
- name: DEPLOY_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "password") | indent 6 }}
#Note: want to put this on Nodes, eventually
{{- /* CADI geo-location, with fixed defaults when the values do not set them. */}}
- name: cadi_longitude
value: "{{ default "52.3" $initRoot.cadi_longitude }}"
value: "{{ default "13.2" $initRoot.cadi_latitude }}"
#Hello specific. Clients don't need this, unless registering with AAF Locator
- name: aaf_locator_public_fqdn
value: "{{ $initRoot.public_fqdn | default "" }}"
This init container will import custom .pem certificates into truststoreONAPall.jks.
Custom certificates must be placed in the common/certInitializer/resources directory.
106 The feature is enabled by setting Values.global.importCustomCertsEnabled = true
107 It can be used independently of aafEnabled, however it requires the same includes
as described above for _initContainer.
When AAF is enabled the truststoreONAPall.jks (which contains the AAF CA) will be used
to import custom certificates; otherwise the default Java keystore will be used.
113 The updated truststore file will be placed in /updatedTruststore and can be mounted per component
114 to a specific path by defining Values.certInitializer.truststoreMountpath (see _trustStoreVolumeMount)
115 The truststore file will be available to mount even if no custom certificates were imported.
{{- define "common.certInitializer._initImportCustomCertsContainer" -}}
{{- /*
Init container that imports the custom certificates shipped in the aaf-agent-certs
ConfigMap into a truststore and writes the result to /updatedTruststore.
Context handling matches _initContainer (chart root, or dict with "dot"/"initRoot").
*/}}
{{- $dot := default . .dot -}}
{{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
- name: {{ include "common.name" $dot }}-import-custom-certs
{{- /* Runs on the shared JRE image; the import script itself is not visible here. */}}
image: {{ include "repositoryGenerator.image.jre" $subchartDot }}
imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
{{- /* The script is delivered through the aaf-agent-certs ConfigMap (subPath mount below). */}}
- /root/import-custom-certs.sh
{{- /* Lets the script choose between seeding from the AAF truststore and the default Java keystore. */}}
value: "{{ $subchartDot.Values.global.aafEnabled }}"
- name: TRUSTSTORE_OUTPUT_FILENAME
value: "{{ $initRoot.truststoreOutputFileName }}"
{{- /* Truststore password comes from the truststore-creds secret, never from plain chart values. */}}
- name: TRUSTSTORE_PASSWORD
{{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "truststore-creds" "key" "password") | indent 6 }}
{{- /* NOTE(review): the script is executed straight from a ConfigMap mount, so whoever can edit that ConfigMap controls what this init container runs; no securityContext is set in the visible lines. */}}
name: aaf-agent-certs
- mountPath: /root/import-custom-certs.sh
name: aaf-agent-certs
subPath: import-custom-certs.sh
{{- /* Output location; exposed to the application container by _trustStoreVolumeMount. */}}
- mountPath: /updatedTruststore
name: updated-truststore
{{/*
Mounts the AAF agent output volume into the application container at
certInitializer.appMountPath (the agent itself writes to certInitializer.mountPath;
the two paths may differ).
*/}}
{{- define "common.certInitializer._volumeMount" -}}
{{- $dot := default . .dot -}}
{{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
- mountPath: {{ $initRoot.appMountPath }}
name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
155 This is used together with _initImportCustomCertsContainer
156 It mounts the updated truststore (with imported custom certificates) to the
157 truststoreMountpath defined in the values file for the component.
{{/*
Mounts the single truststore file produced by _initImportCustomCertsContainer
(subPath = certInitializer.truststoreOutputFileName) under
certInitializer.truststoreMountpath. Emits nothing when truststoreMountpath is empty.
*/}}
{{- define "common.certInitializer._trustStoreVolumeMount" -}}
{{- $dot := default . .dot -}}
{{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
{{- /* NOTE(review): len of an unset (nil) value fails at render time in Go templates; this presumably relies on truststoreMountpath always being present in values (possibly "") — confirm. */}}
{{- if gt (len $initRoot.truststoreMountpath) 0 }}
- mountPath: {{ $initRoot.truststoreMountpath }}/{{ $initRoot.truststoreOutputFileName }}
name: updated-truststore
subPath: {{ $initRoot.truststoreOutputFileName }}
{{/*
Pod-level volumes backing the mounts above: the agent output volume, the
aaf-agent-certs ConfigMap (name taken from certInitializer.certsCMName, rendered
with tpl), the <fullname>-add-config ConfigMap carrying the helper scripts and,
when global.importCustomCertsEnabled is set, the updated-truststore volume.
*/}}
{{- define "common.certInitializer._volumes" -}}
{{- $dot := default . .dot -}}
{{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
{{- /* Hand-built sub-chart context (Chart.Name = certInitializer.nameOverride, Values = certInitializer values + .global); presumably equivalent to the common.subChartDot helper the other templates in this file use. */}}
{{- $subchartDot := mergeOverwrite (deepCopy (omit $dot "Values")) (dict "Chart" (set (fromJson (toJson $dot.Chart)) "Name" $initRoot.nameOverride) "Values" (mergeOverwrite (deepCopy $initRoot) (dict "global" $dot.Values.global))) }}
- name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
{{- /* certsCMName is rendered with tpl, so it may reference the sub-chart context; it is operator-supplied chart configuration, not runtime input. */}}
- name: aaf-agent-certs
name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }}
{{- /* The add-config ConfigMap is named after the certInitializer sub-chart, hence $subchartDot rather than $dot here. */}}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
name: {{ include "common.fullname" $subchartDot }}-add-config
{{- if $dot.Values.global.importCustomCertsEnabled }}
- name: updated-truststore
{{/*
Public entry point: emits the init containers a component needs.
The custom-certificate import container is listed first (when
global.importCustomCertsEnabled), followed by the AAF agent container (when
global.aafEnabled); Kubernetes runs init containers in list order.
*/}}
{{- define "common.certInitializer.initContainer" -}}
{{- $dot := default . .dot -}}
{{- if $dot.Values.global.importCustomCertsEnabled }}
{{ include "common.certInitializer._initImportCustomCertsContainer" . }}
{{- if $dot.Values.global.aafEnabled }}
{{ include "common.certInitializer._initContainer" . }}
{{/*
Public entry point: volumeMounts for the application container, gated by the
same global flags as initContainer (AAF output mount when global.aafEnabled,
updated truststore mount when global.importCustomCertsEnabled).
*/}}
{{- define "common.certInitializer.volumeMount" -}}
{{- $dot := default . .dot -}}
{{- if $dot.Values.global.aafEnabled }}
{{- include "common.certInitializer._volumeMount" . }}
{{- if $dot.Values.global.importCustomCertsEnabled }}
{{- include "common.certInitializer._trustStoreVolumeMount" . }}
{{/*
Public entry point: pod volumes, emitted whenever either global.aafEnabled or
global.importCustomCertsEnabled is set (the updated-truststore volume inside
_volumes is additionally gated on importCustomCertsEnabled).
*/}}
{{- define "common.certInitializer.volumes" -}}
{{- $dot := default . .dot -}}
{{- if or ($dot.Values.global.aafEnabled ) ($dot.Values.global.importCustomCertsEnabled) }}
{{- include "common.certInitializer._volumes" . }}