2 # Copyright © 2020 Bell Canada, Samsung Electronics
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
19 {{- define "common.certInitializer._aafConfigVolumeName" -}}
20 {{ include "common.fullname" . }}-aaf-config
23 {{- define "common.certInitializer._aafAddConfigVolumeName" -}}
24 {{ print "aaf-add-config" }}
28 common templates to enable cert initialization for applictaions
30 In deployments/jobs/stateful include:
32 {{ include "common.certInitializer.initContainer" . | nindent XX }}
36 {{- include "common.certInitializer.volumeMount" . | nindent XX }}
38 {{- include "common.certInitializer.volume" . | nindent XX}}
40 {{- define "common.certInitializer._initContainer" -}}
41 {{- $dot := default . .dot -}}
42 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
43 {{- $initName := default "certInitializer" -}}
44 {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
45 {{ include "common.readinessCheck.waitFor" $subchartDot }}
46 - name: {{ include "common.name" $dot }}-aaf-config
47 image: {{ include "repositoryGenerator.repository" $subchartDot }}/{{ $subchartDot.Values.global.aafAgentImage }}
48 imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
50 - mountPath: {{ $initRoot.mountPath }}
51 name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
52 - mountPath: /opt/app/aaf_config/cert/truststoreONAPall.jks.b64
54 subPath: truststoreONAPall.jks.b64
55 - mountPath: /opt/app/aaf_config/cert/truststoreONAP.p12.b64
57 subPath: truststoreONAP.p12.b64
58 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
59 mountPath: /opt/app/aaf_config/bin/retrieval_check.sh
60 subPath: retrieval_check.sh
61 {{- if $initRoot.aaf_add_config }}
62 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
63 mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh
64 subPath: aaf-add-config.sh
71 /opt/app/aaf_config/bin/agent.sh
72 source /opt/app/aaf_config/bin/retrieval_check.sh
73 {{- if $initRoot.aaf_add_config }}
74 /opt/app/aaf_config/bin/aaf-add-config.sh
78 value: "{{ $initRoot.fqi }}"
79 - name: aaf_locate_url
80 value: "https://aaf-locate.{{ $dot.Release.Namespace}}:8095"
81 - name: aaf_locator_container
83 - name: aaf_locator_container_ns
84 value: "{{ $dot.Release.Namespace }}"
85 - name: aaf_locator_fqdn
86 value: "{{ $initRoot.fqdn }}"
87 - name: aaf_locator_app_ns
88 value: "{{ $initRoot.app_ns }}"
90 {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "login") | indent 6 }}
91 - name: DEPLOY_PASSWORD
92 {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "password") | indent 6 }}
93 #Note: want to put this on Nodes, eventually
94 - name: cadi_longitude
95 value: "{{ default "52.3" $initRoot.cadi_longitude }}"
97 value: "{{ default "13.2" $initRoot.cadi_latitude }}"
98 #Hello specific. Clients don't don't need this, unless Registering with AAF Locator
99 - name: aaf_locator_public_fqdn
100 value: "{{ $initRoot.public_fqdn | default "" }}"
104 This init container will import custom .pem certificates to truststoreONAPall.jks
105 Custom certificates must be placed in common/certInitializer/resources directory.
107 The feature is enabled by setting Values.global.importCustomCertsEnabled = true
108 It can be used independently of aafEnabled, however it requires the same includes
109 as describe above for _initContainer.
111 When AAF is enabled the truststoreONAPAll.jks (which contains AAF CA) will be used
112 to import custom certificates, otherwise the default java keystore will be used.
114 The updated truststore file will be placed in /updatedTruststore and can be mounted per component
115 to a specific path by defining Values.certInitializer.truststoreMountpath (see _trustStoreVolumeMount)
116 The truststore file will be available to mount even if no custom certificates were imported.
118 {{- define "common.certInitializer._initImportCustomCertsContainer" -}}
119 {{- $dot := default . .dot -}}
120 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
121 {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
122 - name: {{ include "common.name" $dot }}-import-custom-certs
123 image: {{ include "repositoryGenerator.image.jre" $subchartDot }}
124 imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
130 - /root/import-custom-certs.sh
133 value: "{{ $subchartDot.Values.global.aafEnabled }}"
134 - name: TRUSTSTORE_OUTPUT_FILENAME
135 value: "{{ $initRoot.truststoreOutputFileName }}"
136 - name: TRUSTSTORE_PASSWORD
137 {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "truststore-creds" "key" "password") | indent 6 }}
140 name: aaf-agent-certs
141 - mountPath: /root/import-custom-certs.sh
142 name: aaf-agent-certs
143 subPath: import-custom-certs.sh
144 - mountPath: /updatedTruststore
145 name: updated-truststore
148 {{- define "common.certInitializer._volumeMount" -}}
149 {{- $dot := default . .dot -}}
150 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
151 - mountPath: {{ $initRoot.appMountPath }}
152 name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
156 This is used together with _initImportCustomCertsContainer
157 It mounts the updated truststore (with imported custom certificates) to the
158 truststoreMountpath defined in the values file for the component.
160 {{- define "common.certInitializer._trustStoreVolumeMount" -}}
161 {{- $dot := default . .dot -}}
162 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
163 {{- if gt (len $initRoot.truststoreMountpath) 0 }}
164 - mountPath: {{ $initRoot.truststoreMountpath }}/{{ $initRoot.truststoreOutputFileName }}
165 name: updated-truststore
166 subPath: {{ $initRoot.truststoreOutputFileName }}
170 {{- define "common.certInitializer._volumes" -}}
171 {{- $dot := default . .dot -}}
172 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
173 {{- $subchartDot := mergeOverwrite (deepCopy (omit $dot "Values")) (dict "Chart" (set (fromJson (toJson $dot.Chart)) "Name" $initRoot.nameOverride) "Values" (mergeOverwrite (deepCopy $initRoot) (dict "global" $dot.Values.global))) }}
174 - name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
177 - name: aaf-agent-certs
179 name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }}
181 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
183 name: {{ include "common.fullname" $subchartDot }}-add-config
185 {{- if $dot.Values.global.importCustomCertsEnabled }}
186 - name: updated-truststore
191 {{- define "common.certInitializer.initContainer" -}}
192 {{- $dot := default . .dot -}}
193 {{- if $dot.Values.global.importCustomCertsEnabled }}
194 {{ include "common.certInitializer._initImportCustomCertsContainer" . }}
196 {{- if $dot.Values.global.aafEnabled }}
197 {{ include "common.certInitializer._initContainer" . }}
201 {{- define "common.certInitializer.volumeMount" -}}
202 {{- $dot := default . .dot -}}
203 {{- if $dot.Values.global.aafEnabled }}
204 {{- include "common.certInitializer._volumeMount" . }}
206 {{- if $dot.Values.global.importCustomCertsEnabled }}
207 {{- include "common.certInitializer._trustStoreVolumeMount" . }}
211 {{- define "common.certInitializer.volumes" -}}
212 {{- $dot := default . .dot -}}
213 {{- if or ($dot.Values.global.aafEnabled ) ($dot.Values.global.importCustomCertsEnabled) }}
214 {{- include "common.certInitializer._volumes" . }}