[SO] Import various CAs in truststore 24/114124/2
authorSylvain Desbureaux <sylvain.desbureaux@orange.com>
Wed, 21 Oct 2020 16:15:08 +0000 (18:15 +0200)
committerSylvain Desbureaux <sylvain.desbureaux@orange.com>
Thu, 22 Oct 2020 12:18:25 +0000 (14:18 +0200)
By default, the SO truststore contains only one CA, the ONAP one.
But we also need the MSB root CA. The process to onboard it was broken and this
patch fixes it.
We also need "common root CAs" in order to talk to other
components such as the underlying OpenStack.
In this patch we also import all "known" root CA from truststoreONAPall.

Issue-ID: OOM-2606
Issue-ID: OOM-2607
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: Ia67bd4aec7a0b122fb9fda11e1e48c4e6e55430c

kubernetes/so/components/so-etsi-nfvo-ns-lcm/templates/deployment.yaml
kubernetes/so/components/soHelpers/templates/_certificates.tpl
kubernetes/so/components/soHelpers/values.yaml

index 45668ed..2327e19 100644 (file)
@@ -39,6 +39,7 @@ spec:
               {{- if .Values.global.aafEnabled }}
               export $(grep '^c' {{ .Values.soHelpers.certInitializer.credsPath }}/mycreds.prop | xargs -0)
               export TRUSTSTORE_PASSWORD="${cadi_truststore_password}"
+              export TRUSTSTORE="file:/${TRUSTSTORE}"
               {{- if .Values.global.security.aaf.enabled }}
               export KEYSTORE_PASSWORD="${cadi_keystore_password}"
               {{- end }}
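Review bot: The added `export TRUSTSTORE="file:/${TRUSTSTORE}"` prepends `file:/` to whatever `TRUSTSTORE` already holds; if that is an absolute path (the chart's credsPath is `/opt/app/osaaf/local`, so `/opt/...` is likely), the result is `file://opt/app/...`, where a URL parser takes `opt` as the authority and drops it from the path, and a `java.io.File(URI)` conversion rejects a URI that has an authority component. Where `TRUSTSTORE` is first set is not visible in this hunk, so this is hedged, but unless it is known to be a relative path the safer form is `export TRUSTSTORE="file:${TRUSTSTORE:?TRUSTSTORE is not set}"`, which yields `file:/opt/...` for an absolute path and also fails fast instead of exporting a bare `file:/` when the variable is empty. The shell script this line belongs to starts and ends outside the hunk.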
index fa25ba5..ef3b076 100644 (file)
     keytool -import -trustcacerts -alias msb_root -file \
       /certificates/msb-ca.crt -keystore \
       "{{ $subchartDot.Values.certInitializer.credsPath }}/{{ $subchartDot.Values.aaf.trustore }}" \
-      -keypass $cadi_truststore_password -noprompt
+      -storepass $cadi_truststore_password -noprompt
+    keytool -importkeystore -srckeystore "{{ $subchartDot.Values.certInitializer.credsPath }}/truststoreONAPall.jks" \
+      -srcstorepass {{ $subchartDot.Values.certInitializer.trustStoreAllPass }} \
+      -destkeystore "{{ $subchartDot.Values.certInitializer.credsPath }}/{{ $subchartDot.Values.aaf.trustore }}" \
+      -deststorepass $cadi_truststore_password -noprompt
   volumeMounts:
   {{ include "common.certInitializer.volumeMount" $subchartDot | indent 2 | trim }}
   - name: {{ include "common.name" $dot }}-msb-certificate
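Review bot: The new `-srcstorepass {{ $subchartDot.Values.certInitializer.trustStoreAllPass }}` splices a chart value into the shell command unquoted, so an operator override containing whitespace or shell metacharacters is split or interpreted by the shell, and the value also lands in the rendered manifest and in the init container's `ps` output. At minimum quote it, `-srcstorepass "{{ $subchartDot.Values.certInitializer.trustStoreAllPass }}"`; if the packaged truststore ever gets a non-default password, feed it in through the chart's `secrets:` metaconfig and an environment variable rather than a plain value. Note also that `-importkeystore ... -noprompt` overwrites destination entries whose alias already exists, so an entry in `truststoreONAPall.jks` sharing an alias with the ONAP CA or the `msb_root` entry imported just above would replace it silently; a per-alias import with `-srcalias`/`-destalias` or a distinct alias prefix would avoid that. Whether a failing import aborts the init container depends on a `set -e` in the enclosing script, which starts before this hunk; without it SO starts with an incomplete truststore and only fails later with an opaque TLS error.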
index 5dbe46c..3919381 100755 (executable)
@@ -37,7 +37,7 @@ global:
 # Secrets metaconfig
 #################################################################
 secrets:
-  - uid: "so-onap-certs"
+  - uid: 'so-onap-certs'
     name: '{{ include "common.release" . }}-so-certs'
     externalSecret: '{{ tpl (default "" .Values.certSecret) . }}'
     type: generic
@@ -54,10 +54,11 @@ certInitializer:
   fqdn: so
   fqi: so@so.onap.org
   public_fqdn: so.onap.org
-  cadi_longitude: "0.0"
-  cadi_latitude: "0.0"
+  cadi_longitude: '0.0'
+  cadi_latitude: '0.0'
   app_ns: org.osaaf.aaf
   credsPath: /opt/app/osaaf/local
+  trustStoreAllPass: changeit
   aaf_add_config: >
     /opt/app/aaf_config/bin/agent.sh local showpass
     {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
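Review bot: `trustStoreAllPass: changeit` is the one new scalar in this hunk left unquoted while the neighbouring `cadi_longitude`/`cadi_latitude` values are converted to single-quoted strings; because it is a password that is interpolated into a keytool command line it should stay a string whatever an operator overrides it with (a value such as `0123` or `no` would otherwise be parsed as a number or boolean), so write `trustStoreAllPass: 'changeit'`. A short comment would spare the next reader a grep through the helper templates, e.g. `# Store password of the packaged truststoreONAPall.jks whose CAs soHelpers merges into the SO truststore; move to the secrets metaconfig if it ever becomes non-default.` The `certInitializer:` mapping continues past the end of the hunk.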