# Copyright © 2020-2021, Nokia
# Modifications Copyright © 2020, Nordix Foundation, Orange
# Modifications Copyright © 2020 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Global
global:
  # Standard OOM NodePort prefix. This chart's own service is ClusterIP
  # (see service.type below), so presumably the prefix only matters if the
  # service type is overridden — verify against the service template.
  nodePortPrefix: 302
  persistence:
    enabled: true
  # Standard OOM
  pullPolicy: "Always"
  repository: "nexus3.onap.org:10001"
  # OOM-wide flag, not consumed anywhere in this file.
  offlineDeploymentBuild: false


# Service configuration
service:
  type: ClusterIP
  ports:
    - name: http
      # Same port the container listens on (envs.httpsPort) and that the
      # probes below reach via https://localhost:$HTTPS_PORT.
      port: 8443
      # Base protocol name only; the port is served over TLS (the probes use
      # https). Presumably the OOM service helper derives the final port name
      # from this value — verify against the common service template.
      port_protocol: http

# Certificates generation configuration
# Image used for the certificate generation step. Pinned by tag only; a tag
# can be re-pointed at the registry, so pin a digest if image immutability
# matters for the deployment.
certificateGenerationImage: onap/integration-java11:7.2.0

# Deployment configuration
# Registry prefix for `image` below (same value as global.repository).
repository: "nexus3.onap.org:10001"
# Application image, pinned by tag (see the note on certificateGenerationImage).
image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3
# Plain scalar here, quoted under global.pullPolicy; both parse to the string "Always".
pullPolicy: Always
replicaCount: 1

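liveness:
  initialDelaySeconds: 60
  periodSeconds: 10
  # mTLS health check against the local HTTPS port. `--fail` makes curl exit
  # non-zero on an HTTP error status (4xx/5xx); without it a completed TLS
  # handshake alone passes the probe regardless of the health response.
  # NOTE(review): `--pass` places the keystore password on the curl command
  # line, where it is readable from the container's process table while the
  # probe runs.
  command: curl --fail https://localhost:$HTTPS_PORT/actuator/health --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
readiness:
  initialDelaySeconds: 30
  periodSeconds: 10
  # Same shape as the liveness command; `--fail` so an error status on /ready
  # keeps the pod out of service endpoints.
  command: curl --fail https://localhost:$HTTPS_PORT/ready --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
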
# Resource flavor in use; presumably selects one of the `resources` entries
# below (standard OOM pattern) — verify against the deployment template.
flavor: small
resources:
  small:
    limits:
      cpu: 0.5
      memory: 1Gi
    requests:
      cpu: 0.2
      memory: 512Mi
  large:
    limits:
      cpu: 1
      memory: 2Gi
    requests:
      cpu: 0.4
      memory: 1Gi
  # Empty mapping: no requests or limits are set for this flavor.
  unlimited: {}


# Application configuration
cmpServers:
  # Name of the secret expected to carry the CMP servers configuration; its
  # contents are not defined in this file.
  secret:
    name: oom-cert-service-secret
  # Volume name and container mount point; presumably the secret above is
  # mounted here — verify against the deployment template.
  volume:
    name: oom-cert-service-volume
    mountPath: /etc/onap/oom/certservice

tls:
  # cert-manager-style issuers. The anchors defined here are referenced by
  # the `certificates` entries at the end of this file.
  issuer:
    # Issuer of the self-signed root certificate (`selfsigned-cert`).
    selfsigning:
      name: &selfSigningIssuer cmpv2-selfsigning-issuer
    # CA issuer used by both the server and the client certificate.
    ca:
      name: &caIssuer cmpv2-ca-issuer
      # Secret that receives the self-signed CA key pair (it is the
      # secretName of `selfsigned-cert`).
      secret:
        name: &caKeyPairSecret  cmpv2-ca-key-pair
  server:
    # Secret that receives the server certificate (`cert-service-server-cert`).
    secret:
      name: &serverSecret oom-cert-service-server-tls-secret
    # Container mount point for the server key material, below the
    # cmpServers mount path.
    volume:
      name: oom-cert-service-server-tls-volume
      mountPath: /etc/onap/oom/certservice/certs/
  client:
    # Fallback secret name for the client certificate, used when
    # cmpv2Config.global.platform.certificates.clientSecretName is unset.
    secret:
      defaultName: oom-cert-service-client-tls-secret

envs:
  # File names of the keystore artefacts exposed to the container; presumably
  # the p12 is what the probes reference as $KEYSTORE_P12_PATH — confirm in
  # the deployment template.
  keystore:
    jksName: keystore.jks
    p12Name: keystore.p12
    pemName: tls.crt
  # File names of the truststore artefacts. pemName is the same as under
  # keystore; presumably the two are distinguished by mount directory — confirm.
  truststore:
    jksName: truststore.jks
    crtName: ca.crt
    pemName: tls.crt
  # HTTPS listen port; matches service.ports[0].port.
  httpsPort: 8443

# External secrets with credentials can be provided to override the default
# credentials defined below, by uncommenting and filling in the matching
# *ExternalSecret value.
credentials:
  tls:
    # Default keystore password. It is fed into the `certificates-password`
    # entry of `secrets` below, which the keystore passwordSecretRef of the
    # generated server and client certificates points at, so this value
    # protects every generated keystore unless certificatesPasswordExternalSecret
    # is set. Override it for any deployment that is not a throwaway test.
    certificatesPassword: secret
    #certificatesPasswordExternalSecret:
  # The cmp values below hold credentials for the EJBCA test instance and are
  # relevant only if the global addTestingComponents flag is enabled.
  cmp:
    # Used only if cmpv2 testing is enabled. Defaults name release-scoped
    # secrets, presumably created by the EJBCA test components.
    clientIakExternalSecret: '{{ include "common.release" . }}-ejbca-client-iak'
    #clientRvExternalSecret:
    raIakExternalSecret: '{{ include "common.release" . }}-ejbca-ra-iak'
    #raRvExternalSecret:
    # Inline fallbacks read by the `secrets` entries below; empty by default.
    client: {}
      # iak: mypassword
      # rv: unused
    ra: {}
      # iak: mypassword
      # rv: unused

secrets:
  # Entries for the OOM common secret helper. Each carries both an
  # externalSecret expression and an inline password; presumably a non-empty
  # externalSecret takes precedence over `password` — verify against
  # common.secret.
  - uid: certificates-password
    # Secret name also referenced by the keystore passwordSecretRef of the
    # certificates defined below.
    name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}'
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}'
    password: '{{ .Values.credentials.tls.certificatesPassword }}'
    # Only this entry is marked required; the cmp entries below carry no policy.
    passwordPolicy: required
  # The values below are relevant only if the global addTestingComponents flag is enabled
  - uid: ejbca-server-client-iak
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientIakExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.client.iak }}'
  - uid: cmp-config-client-rv
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientRvExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.client.rv }}'
  - uid: ejbca-server-ra-iak
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raIakExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.ra.iak }}'
  - uid: cmp-config-ra-rv
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.ra.rv }}'

# Certificates definitions (cert-manager-style Certificate resources). The
# *alias references resolve to the anchors defined under `tls` above.
certificates:
  # Self-signed root CA. Its key pair lands in the CA issuer's secret, and
  # both leaf certificates below are issued by that CA issuer.
  - name: selfsigned-cert
    secretName: *caKeyPairSecret
    isCA: true
    commonName: root.com
    subject:
      organization: Root Company
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: Root Org
    issuer:
      name: *selfSigningIssuer
      kind: Issuer
  # Server certificate for the HTTPS port. `localhost` is listed because the
  # liveness/readiness probes connect to https://localhost:$HTTPS_PORT.
  - name: cert-service-server-cert
    secretName: *serverSecret
    commonName: oom-cert-service
    dnsNames:
      - oom-cert-service
      - localhost
    subject:
      organization: certServiceServer org
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: certServiceServer company
    usages:
      - server auth
      - client auth
    # Keystores are emitted in both formats, protected by the
    # certificates-password secret from `secrets` above.
    keystore:
      outputType:
        - jks
        - p12
      passwordSecretRef:
        name: *certificatesPasswordSecretName
        key: password
    issuer:
      name: *caIssuer
      kind: Issuer
  # Client certificate. The secret name can be overridden through
  # cmpv2Config, falling back to tls.client.secret.defaultName.
  - name: cert-service-client-cert
    secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}'
    commonName: certServiceClient.com
    subject:
      organization: certServiceClient org
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: certServiceClient company
    # NOTE(review): a certificate used only as a TLS client would not need
    # `server auth`; kept as-is in case a consumer relies on it — confirm
    # before narrowing the usages.
    usages:
      - server auth
      - client auth
    # JKS only for the client; same password secret as the server keystore.
    keystore:
      outputType:
        - jks
      passwordSecretRef:
        name: *certificatesPasswordSecretName
        key: password
    issuer:
      name: *caIssuer
      kind: Issuer