2 # Copyright © 2020 Bell Canada, Samsung Electronics
3 # Copyright © 2021 Orange
5 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at
9 # http://www.apache.org/licenses/LICENSE-2.0
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and
15 # limitations under the License.
{{/*
  Name of the per-release volume that the AAF agent init container writes its
  configuration into (mounted at $initRoot.mountPath there and at
  $initRoot.appMountPath in the application container).
  Built from common.fullname so the name is unique per release.
*/}}
20 {{- define "common.certInitializer._aafConfigVolumeName" -}}
21 {{ include "common.fullname" . }}-aaf-config
{{/*
  Fixed name of the volume that carries the add-on agent scripts
  (retrieval_check.sh, tls_certs_configure.sh, aaf-add-config.sh).
  Its source is declared in _volumes as "<fullname>-add-config".
*/}}
24 {{- define "common.certInitializer._aafAddConfigVolumeName" -}}
25 {{ print "aaf-add-config" }}
29 common templates to enable cert initialization for applications
31 In deployments/jobs/stateful include:
33 {{ include "common.certInitializer.initContainer" . | nindent XX }}
37 {{- include "common.certInitializer.volumeMount" . | nindent XX }}
39 {{- include "common.certInitializer.volume" . | nindent XX}}
{{/*
  Init container that runs the AAF agent to obtain this component's certificates.
  Context is either "." or a dict with "dot" / "initRoot" (see the default lines
  below); certInitializer values are read from $initRoot.
  Deployer credentials are injected through common.secret.envFromSecretFast
  (secret uid "deployer-creds"), so no credential value appears in this template.
  NOTE(review): this listing elides several lines (the gutter numbers jump, e.g.
  50, 54, 57, 71-75, 80, 83-85, 90, 97); the YAML keys on those lines are not
  visible here.
*/}}
41 {{- define "common.certInitializer._initContainer" -}}
42 {{- $dot := default . .dot -}}
43 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
{{- /* $initName is assigned but not referenced in the visible lines; "default" with a single argument just yields that string. */}}
44 {{- $initName := default "certInitializer" -}}
45 {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
{{- /* Emits the readiness wait-for container(s) for the subchart ahead of the agent container. */}}
46 {{ include "common.readinessCheck.waitFor" $subchartDot }}
47 - name: {{ include "common.name" $dot }}-aaf-config
48 image: {{ include "repositoryGenerator.repository" $subchartDot }}/{{ $subchartDot.Values.global.aafAgentImage }}
49 imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
{{- /* Output directory of the agent; the same volume is mounted into the application by _volumeMount. */}}
51 - mountPath: {{ $initRoot.mountPath }}
52 name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
{{- /* Base64 truststores consumed by the agent; the volume name lines (gutter 54, 57) are not shown in this listing. */}}
53 - mountPath: /opt/app/aaf_config/cert/truststoreONAPall.jks.b64
55 subPath: truststoreONAPall.jks.b64
56 - mountPath: /opt/app/aaf_config/cert/truststoreONAP.p12.b64
58 subPath: truststoreONAP.p12.b64
{{- /* Scripts below are mounted from the add-config volume and executed by this container, so that ConfigMap's content determines what runs here. */}}
59 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
60 mountPath: /opt/app/aaf_config/bin/retrieval_check.sh
61 subPath: retrieval_check.sh
62 {{- if hasKey $initRoot "ingressTlsSecret" }}
63 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
64 mountPath: /opt/app/aaf_config/bin/tls_certs_configure.sh
65 subPath: tls_certs_configure.sh
67 {{- if $initRoot.aaf_add_config }}
68 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
69 mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh
70 subPath: aaf-add-config.sh
{{- /* Command sequence: agent.sh is not among the mounts above, so it presumably ships in the image — confirm. retrieval_check.sh is sourced (".") into the same shell; the optional scripts run only under the same conditions as their mounts. */}}
76 /opt/app/aaf_config/bin/agent.sh
77 . /opt/app/aaf_config/bin/retrieval_check.sh
78 {{- if hasKey $initRoot "ingressTlsSecret" }}
79 /opt/app/aaf_config/bin/tls_certs_configure.sh
81 {{- if $initRoot.aaf_add_config }}
82 /opt/app/aaf_config/bin/aaf-add-config.sh
{{- /* AAF identity and locator settings; the locator URL is fixed to https on port 8095 inside the release namespace. */}}
86 value: "{{ $initRoot.fqi }}"
87 - name: aaf_locate_url
88 value: "https://aaf-locate.{{ $dot.Release.Namespace}}:8095"
89 - name: aaf_locator_container
91 - name: aaf_locator_container_ns
92 value: "{{ $dot.Release.Namespace }}"
93 - name: aaf_locator_fqdn
94 value: "{{ $initRoot.fqdn }}"
95 - name: aaf_locator_app_ns
96 value: "{{ $initRoot.app_ns }}"
{{- /* Deployer credentials come from the "deployer-creds" secret via envFromSecretFast; the login env "- name:" line (gutter 97) is not shown in this listing. */}}
98 {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "login") | indent 6 }}
99 - name: DEPLOY_PASSWORD
100 {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "password") | indent 6 }}
101 #Note: want to put this on Nodes, eventually
{{- /* Coordinates default to 52.3 / 13.2 when not set in values. */}}
102 - name: cadi_longitude
103 value: "{{ default "52.3" $initRoot.cadi_longitude }}"
104 - name: cadi_latitude
105 value: "{{ default "13.2" $initRoot.cadi_latitude }}"
106 #Hello specific. Clients don't need this, unless Registering with AAF Locator
107 - name: aaf_locator_public_fqdn
108 value: "{{ $initRoot.public_fqdn | default "" }}"
112 This init container will import custom .pem certificates to truststoreONAPall.jks
113 Custom certificates must be placed in common/certInitializer/resources directory.
115 The feature is enabled by setting Values.global.importCustomCertsEnabled = true
116 It can be used independently of aafEnabled, however it requires the same includes
117 as described above for _initContainer.
119 When AAF is enabled the truststoreONAPAll.jks (which contains AAF CA) will be used
120 to import custom certificates, otherwise the default java keystore will be used.
122 The updated truststore file will be placed in /updatedTruststore and can be mounted per component
123 to a specific path by defining Values.certInitializer.truststoreMountpath (see _trustStoreVolumeMount)
124 The truststore file will be available to mount even if no custom certificates were imported.
{{/*
  Init container that imports custom .pem certificates into a truststore and
  writes the result to /updatedTruststore (see the volume mounts below).
  The truststore password is injected from the "truststore-creds" secret via
  common.secret.envFromSecretFast; no password value appears in this template.
  NOTE(review): gutter lines 133-137, 139-140 and 146-147 are not shown in this
  listing (the command / env / volumeMounts headers and the first mountPath).
*/}}
126 {{- define "common.certInitializer._initImportCustomCertsContainer" -}}
127 {{- $dot := default . .dot -}}
128 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
129 {{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
130 - name: {{ include "common.name" $dot }}-import-custom-certs
131 image: {{ include "repositoryGenerator.image.jre" $subchartDot }}
132 imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
{{- /* The script run here is mounted from the aaf-agent-certs volume (see mounts below), so that ConfigMap's content determines what executes. */}}
138 - /root/import-custom-certs.sh
{{- /* AAF_ENABLED selects which base truststore is used (its "- name:" line, gutter 140, is not shown). */}}
141 value: "{{ $subchartDot.Values.global.aafEnabled }}"
142 - name: TRUSTSTORE_OUTPUT_FILENAME
143 value: "{{ $initRoot.truststoreOutputFileName }}"
144 - name: TRUSTSTORE_PASSWORD
145 {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "truststore-creds" "key" "password") | indent 6 }}
{{- /* Inputs: agent certs volume, custom certs at /more_certs, the import script; output: /updatedTruststore. */}}
148 name: aaf-agent-certs
149 - mountPath: /more_certs
150 name: provided-custom-certs
151 - mountPath: /root/import-custom-certs.sh
152 name: aaf-agent-certs
153 subPath: import-custom-certs.sh
154 - mountPath: /updatedTruststore
155 name: updated-truststore
{{/*
  Application-side mount of the AAF agent output volume, at
  $initRoot.appMountPath (the init container writes it at $initRoot.mountPath).
*/}}
158 {{- define "common.certInitializer._volumeMount" -}}
159 {{- $dot := default . .dot -}}
160 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
161 - mountPath: {{ $initRoot.appMountPath }}
162 name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
166 This is used together with _initImportCustomCertsContainer
167 It mounts the updated truststore (with imported custom certificates) to the
168 truststoreMountpath defined in the values file for the component.
{{/*
  Mounts only the updated truststore file (subPath) from the updated-truststore
  volume at <truststoreMountpath>/<truststoreOutputFileName>; emits nothing when
  truststoreMountpath is empty.
*/}}
170 {{- define "common.certInitializer._trustStoreVolumeMount" -}}
171 {{- $dot := default . .dot -}}
172 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
{{- /* NOTE(review): "len" of an unset (nil) value presumably fails the render in Go templates, so truststoreMountpath should have a default (even "") in values, or be wrapped in default "" here — confirm. */}}
173 {{- if gt (len $initRoot.truststoreMountpath) 0 }}
174 - mountPath: {{ $initRoot.truststoreMountpath }}/{{ $initRoot.truststoreOutputFileName }}
175 name: updated-truststore
176 subPath: {{ $initRoot.truststoreOutputFileName }}
{{/*
  Volume declarations backing the init containers and mounts above:
  the per-release aaf-config volume, the agent certs ConfigMap, the optional
  custom-certs source, the add-config scripts and the updated-truststore output.
  NOTE(review): gutter lines 185-186, 188, 190, 194, 196, 198, 200-205, 207, 209
  and 212-213 are not shown in this listing (volume source keys such as the
  configMap/secret/emptyDir headers and the closing "end" actions).
*/}}
180 {{- define "common.certInitializer._volumes" -}}
181 {{- $dot := default . .dot -}}
182 {{- $initRoot := default $dot.Values.certInitializer .initRoot -}}
{{- /* NOTE(review): $subchartDot is built inline here, whereas _initContainer and _initImportCustomCertsContainer go through common.subChartDot; both presumably yield the same context — confirm, or switch to the shared helper. */}}
183 {{- $subchartDot := mergeOverwrite (deepCopy (omit $dot "Values")) (dict "Chart" (set (fromJson (toJson $dot.Chart)) "Name" $initRoot.nameOverride) "Values" (mergeOverwrite (deepCopy $initRoot) (dict "global" $dot.Values.global))) }}
184 - name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
{{- /* Agent certs/scripts; the ConfigMap name is itself a template (tpl) evaluated against the subchart context. */}}
187 - name: aaf-agent-certs
189 name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }}
{{- /* NOTE(review): as far as the visible lines show, with importCustomCertsEnabled set but neither customCertsSecret nor customCertsConfigMap, this volume has no source; with both set, both sources are emitted. Worth a values check. */}}
191 {{- if $dot.Values.global.importCustomCertsEnabled }}
192 - name: provided-custom-certs
193 {{- if $dot.Values.global.customCertsSecret }}
195 secretName: {{ $dot.Values.global.customCertsSecret }}
197 {{- if $dot.Values.global.customCertsConfigMap }}
199 name: {{ $dot.Values.global.customCertsConfigMap }}
{{- /* Source of the add-on scripts executed by the agent init container. */}}
206 - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
208 name: {{ include "common.fullname" $subchartDot }}-add-config
{{- /* Output volume written by _initImportCustomCertsContainer; its source (gutter 212) is not shown here. */}}
210 {{- if $dot.Values.global.importCustomCertsEnabled }}
211 - name: updated-truststore
{{/*
  Public entry point for init containers: emits the custom-certs import
  container when global.importCustomCertsEnabled is set, then the AAF agent
  container when global.aafEnabled is set (either, both or none).
*/}}
216 {{- define "common.certInitializer.initContainer" -}}
217 {{- $dot := default . .dot -}}
218 {{- if $dot.Values.global.importCustomCertsEnabled }}
219 {{ include "common.certInitializer._initImportCustomCertsContainer" . }}
221 {{- if $dot.Values.global.aafEnabled }}
222 {{ include "common.certInitializer._initContainer" . }}
{{/*
  Public entry point for application-container mounts: the AAF config mount
  under global.aafEnabled and the updated-truststore mount under
  global.importCustomCertsEnabled.
*/}}
226 {{- define "common.certInitializer.volumeMount" -}}
227 {{- $dot := default . .dot -}}
228 {{- if $dot.Values.global.aafEnabled }}
229 {{- include "common.certInitializer._volumeMount" . }}
231 {{- if $dot.Values.global.importCustomCertsEnabled }}
232 {{- include "common.certInitializer._trustStoreVolumeMount" . }}
236 {{- define "common.certInitializer.volumes" -}}
237 {{- $dot := default . .dot -}}
238 {{- if or ($dot.Values.global.aafEnabled ) ($dot.Values.global.importCustomCertsEnabled) }}
239 {{- include "common.certInitializer._volumes" . }}