# Copyright © 2020-2021, Nokia # Modifications Copyright © 2020, Nordix Foundation, Orange # Modifications Copyright © 2020 Nokia # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Global global: nodePortPrefix: 302 persistence: enabled: true # Standard OOM pullPolicy: "Always" repository: "nexus3.onap.org:10001" offlineDeploymentBuild: false # Service configuration service: type: ClusterIP ports: - name: http port: 8443 port_protocol: http # Certificates generation configuration certificateGenerationImage: onap/integration-java11:7.2.0 # Deployment configuration repository: "nexus3.onap.org:10001" image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3 pullPolicy: Always replicaCount: 1 liveness: initialDelaySeconds: 60 periodSeconds: 10 command: curl https://localhost:$HTTPS_PORT/actuator/health --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD readiness: initialDelaySeconds: 30 periodSeconds: 10 command: curl https://localhost:$HTTPS_PORT/ready --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD flavor: small resources: small: limits: cpu: 0.5 memory: 1Gi requests: cpu: 0.2 memory: 512Mi large: limits: cpu: 1 memory: 2Gi requests: cpu: 0.4 memory: 1Gi unlimited: {} # Application configuration cmpServers: secret: name: oom-cert-service-secret volume: name: oom-cert-service-volume mountPath: /etc/onap/oom/certservice tls: issuer: selfsigning: name: &selfSigningIssuer cmpv2-selfsigning-issuer ca: name: &caIssuer cmpv2-ca-issuer secret: name: &caKeyPairSecret cmpv2-ca-key-pair server: secret: name: &serverSecret oom-cert-service-server-tls-secret volume: name: oom-cert-service-server-tls-volume mountPath: /etc/onap/oom/certservice/certs/ client: secret: defaultName: oom-cert-service-client-tls-secret envs: keystore: jksName: keystore.jks p12Name: keystore.p12 pemName: tls.crt truststore: jksName: truststore.jks crtName: ca.crt pemName: tls.crt httpsPort: 8443 # External secrets with credentials can be provided to override default credentials defined below, # by uncommenting and filling appropriate *ExternalSecret value credentials: tls: certificatesPassword: secret #certificatesPasswordExternalSecret: # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled cmp: # Used only if cmpv2 testing is enabled clientIakExternalSecret: '{{ include "common.release" . }}-ejbca-client-iak' #clientRvExternalSecret: raIakExternalSecret: '{{ include "common.release" . }}-ejbca-ra-iak' #raRvExternalSecret: client: {} # iak: mypassword # rv: unused ra: {} # iak: mypassword # rv: unused secrets: - uid: certificates-password name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}' type: password externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}' password: '{{ .Values.credentials.tls.certificatesPassword }}' passwordPolicy: required # Below values are relevant only if global addTestingComponents flag is enabled - uid: ejbca-server-client-iak type: password externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientIakExternalSecret) . }}' password: '{{ .Values.credentials.cmp.client.iak }}' - uid: cmp-config-client-rv type: password externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientRvExternalSecret) . }}' password: '{{ .Values.credentials.cmp.client.rv }}' - uid: ejbca-server-ra-iak type: password externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raIakExternalSecret) . }}' password: '{{ .Values.credentials.cmp.ra.iak }}' - uid: cmp-config-ra-rv type: password externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}' password: '{{ .Values.credentials.cmp.ra.rv }}' # Certificates definitions certificates: - name: selfsigned-cert secretName: *caKeyPairSecret isCA: true commonName: root.com subject: organization: Root Company country: PL locality: Wroclaw province: Dolny Slask organizationalUnit: Root Org issuer: name: *selfSigningIssuer kind: Issuer - name: cert-service-server-cert secretName: *serverSecret commonName: oom-cert-service dnsNames: - oom-cert-service - localhost subject: organization: certServiceServer org country: PL locality: Wroclaw province: Dolny Slask organizationalUnit: certServiceServer company usages: - server auth - client auth keystore: outputType: - jks - p12 passwordSecretRef: name: *certificatesPasswordSecretName key: password issuer: name: *caIssuer kind: Issuer - name: cert-service-client-cert secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}' commonName: certServiceClient.com subject: organization: certServiceClient org country: PL locality: Wroclaw province: Dolny Slask organizationalUnit: certServiceClient company usages: - server auth - client auth keystore: outputType: - jks passwordSecretRef: name: *certificatesPasswordSecretName key: password issuer: name: *caIssuer kind: Issuer