[PLATFORM] Create Ingress Certificates for ServiceMesh
1 # Copyright © 2020-2021, Nokia
2 # Modifications Copyright  © 2020, Nordix Foundation, Orange
3 # Modifications Copyright © 2020 Nokia
4 #
5 # Licensed under the Apache License, Version 2.0 (the "License");
6 # you may not use this file except in compliance with the License.
7 # You may obtain a copy of the License at
8 #
9 #       http://www.apache.org/licenses/LICENSE-2.0
10 #
11 # Unless required by applicable law or agreed to in writing, software
12 # distributed under the License is distributed on an "AS IS" BASIS,
13 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 # See the License for the specific language governing permissions and
15 # limitations under the License.
16
# Global values shared with the OOM common templates
global:
  nodePortPrefix: 302
  persistence:
    enabled: true
  # Standard OOM image settings
  pullPolicy: 'Always'
  repository: 'nexus3.onap.org:10001'
  ingress:
    enabled: true
    # Every plain-http request arriving through the ingress is redirected
    config:
      ssl: 'redirect'
    # Optionally point the ingress at your own Secret holding a certificate
    # tls:
    #   secret: 'my-ingress-cert'
    # Optional: namespace of the Istio IngressGateway. The anchor is reused by
    # the tls.issuer.ingressSelfsigned / tls.issuer.ingressCa entries below.
    namespace: &ingressNamespace istio-ingress
35
36
# Service configuration (single ClusterIP port)
service:
  type: ClusterIP
  ports:
    - name: http
      port: 8443
      # NOTE(review): the container serves TLS on this port (the liveness and
      # readiness probes call https://localhost:$HTTPS_PORT and envs.httpsPort
      # is 8443), yet the port is declared with protocol "http". If the mesh
      # derives the protocol from the port name, this port would be handled
      # as plaintext HTTP — confirm this is intended.
      port_protocol: http
44
# Deployment configuration
# Image is referenced by tag only (no digest), so the same tag can resolve to
# different content over time on a mutable registry.
repository: 'nexus3.onap.org:10001'
image: 'onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.5.0'
pullPolicy: 'Always'
replicaCount: 1
50
# Liveness/readiness probes: both call the container's own HTTPS endpoint and
# authenticate with the server keystore (mTLS client auth via the p12 file).
liveness:
  initialDelaySeconds: 60
  periodSeconds: 10
  # NOTE(review): the keystore password is handed to curl as a command-line
  # argument (--pass $KEYSTORE_PASSWORD). Once expanded, it is visible in the
  # container's process list for the lifetime of the curl call; presumably the
  # template wraps this in a shell so the rendered pod spec only holds the
  # variable name — confirm against the deployment template.
  command: curl https://localhost:$HTTPS_PORT/actuator/health --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
readiness:
  initialDelaySeconds: 30
  periodSeconds: 10
  # Same credential handling as the liveness probe above.
  command: curl https://localhost:$HTTPS_PORT/ready --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
59
# flavor names one of the keys under resources (small / large / unlimited)
flavor: small
resources:
  small:
    requests:
      cpu: 0.2
      memory: 512Mi
    limits:
      cpu: 0.5
      memory: 1Gi
  large:
    requests:
      cpu: 0.4
      memory: 1Gi
    limits:
      cpu: 1
      memory: 2Gi
  # Empty mapping: no requests or limits are set for this flavor
  unlimited: {}
77
78
# Application configuration
# Secret and volume names for the CMPv2 servers configuration mount
# (the Secret contents are defined elsewhere).
cmpServers:
  secret:
    name: 'oom-cert-service-secret'
  volume:
    name: 'oom-cert-service-volume'
    mountPath: '/etc/onap/oom/certservice'
86
# TLS: cert-manager issuers plus the Secrets/volumes the server and client
# certificates land in. Anchors defined here are referenced from the
# certificates list further down.
tls:
  issuer:
    # Self-signing issuer used to create the root CA certificate
    selfsigning:
      name: &selfSigningIssuer cmpv2-selfsigning-issuer
    # CA issuer that signs the server and client certificates
    ca:
      name: &caIssuer cmpv2-issuer-onap
      secret:
        # Secret holding the CA key pair (populated by the selfsigned-cert certificate)
        name: &caKeyPairSecret  cmpv2-ca-key-pair
    # Issuers for the ingress, created in the IngressGateway namespace
    # (alias of global.ingress.namespace)
    ingressSelfsigned:
      name: ingress-selfsigned-issuer
      namespace: *ingressNamespace
    ingressCa:
      name: ingress-ca-issuer
      namespace: *ingressNamespace
      secret:
        name: ingress-ca-key-pair
  server:
    secret:
      # Target Secret of the cert-service-server-cert certificate
      name: &serverSecret oom-cert-service-server-tls-secret
    volume:
      name: oom-cert-service-server-tls-volume
      # Mounted below the cmpServers volume path
      mountPath: /etc/onap/oom/certservice/certs/
  client:
    secret:
      # Fallback name when cmpv2Config.global.platform.certificates.clientSecretName is unset
      defaultName: oom-cert-service-client-tls-secret
112
# Environment: file names inside the keystore/truststore volumes and the HTTPS port
envs:
  httpsPort: 8443
  keystore:
    jksName: 'keystore.jks'
    p12Name: 'keystore.p12'
    pemName: 'tls.crt'
  truststore:
    jksName: 'truststore.jks'
    crtName: 'ca.crt'
    # NOTE(review): same file name as keystore.pemName — presumably
    # distinguished by mount path; verify in the templates.
    pemName: 'tls.crt'
123
# External secrets with credentials can be provided to override default credentials defined below,
# by uncommenting and filling appropriate *ExternalSecret value
credentials:
  tls:
    # NOTE(review): this is a well-known default keystore password that ends up
    # in the certificates-password Secret unless certificatesPasswordExternalSecret
    # is set. Deployments should override it (or supply the external Secret)
    # rather than ship with this value.
    certificatesPassword: secret
    #certificatesPasswordExternalSecret:
  # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled
  cmp:
    # Used only if cmpv2 testing is enabled
    clientIakExternalSecret: '{{ include "common.release" . }}-ejbca-client-iak'
    #clientRvExternalSecret:
    raIakExternalSecret: '{{ include "common.release" . }}-ejbca-ra-iak'
    #raRvExternalSecret:
    # Empty mappings: iak/rv are only read when the matching *ExternalSecret is not set
    client: {}
      # iak: mypassword
      # rv: unused
    ra: {}
      # iak: mypassword
      # rv: unused
143
# Secrets created by the OOM common secret template. Each entry takes the
# external Secret name when the matching credentials.*ExternalSecret is set,
# otherwise the inline password value.
secrets:
  - uid: certificates-password
    # Anchor reused as keystore.passwordSecretRef.name in the certificates list
    name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}'
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}'
    password: '{{ .Values.credentials.tls.certificatesPassword }}'
    # NOTE(review): only this entry declares passwordPolicy; the EJBCA entries
    # below have none — confirm the template's default policy is what is wanted there.
    passwordPolicy: required
  # Below values are relevant only if global addTestingComponents flag is enabled
  - uid: ejbca-server-client-iak
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientIakExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.client.iak }}'
  - uid: cmp-config-client-rv
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientRvExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.client.rv }}'
  - uid: ejbca-server-ra-iak
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raIakExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.ra.iak }}'
  - uid: cmp-config-ra-rv
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.ra.rv }}'
168
# Certificates definitions (consumed by the cert-manager certificate template)
certificates:
  # Self-signed root CA; its key pair is stored in the Secret the CA issuer reads
  - name: selfsigned-cert
    secretName: *caKeyPairSecret
    isCA: true
    commonName: root.com
    subject:
      organization: Root Company
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: Root Org
    issuer:
      name: *selfSigningIssuer
      kind: Issuer
  # Server certificate for the cert-service API, signed by the CA issuer
  - name: cert-service-server-cert
    secretName: *serverSecret
    commonName: oom-cert-service
    # localhost is included so the probes above can validate the certificate
    dnsNames:
      - oom-cert-service
      - localhost
    subject:
      organization: certServiceServer org
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: certServiceServer company
    usages:
      - server auth
      - client auth
    # JKS and PKCS#12 keystores are generated alongside the PEM files, protected
    # by the certificates-password Secret
    keystore:
      outputType:
        - jks
        - p12
      passwordSecretRef:
        name: *certificatesPasswordSecretName
        key: password
    issuer:
      name: *caIssuer
      kind: Issuer
  # Client certificate; Secret name is taken from cmpv2Config when set,
  # otherwise tls.client.secret.defaultName
  - name: cert-service-client-cert
    secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}'
    commonName: certServiceClient.com
    subject:
      organization: certServiceClient org
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: certServiceClient company
    usages:
      # NOTE(review): a client certificate is also issued with "server auth";
      # unless a consumer is known to present it as a server certificate,
      # restricting it to client auth would narrow what this key can be used for.
      - server auth
      - client auth
    keystore:
      outputType:
        - jks
      passwordSecretRef:
        name: *certificatesPasswordSecretName
        key: password
    issuer:
      name: *caIssuer
      kind: Issuer