Added trust store for SOL003 Adapter & ETSI Catalog Manager 14/104414/8
authorRamesh Parthasarathy <ramesh.parthasarathy@att.com>
Sun, 5 Apr 2020 04:30:27 +0000 (04:30 +0000)
committerRamesh Parthasarathy <ramesh.parthasarathy@att.com>
Sun, 5 Apr 2020 04:30:27 +0000 (04:30 +0000)
Added the trust store provided by waqas to be included
with vnfm adapter jvm arguments.

Issue-ID: SO-2765
Signed-off-by: Ramesh Parthasarathy(rp6768)<ramesh.parthasarathy@att.com>
Change-Id: Ifbe7bd54dcf1f79b49bed1f887e472ad9b7ac634

docs/oom_hardcoded_certificates.rst
kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks [new file with mode: 0644]
kubernetes/so/charts/so-secrets/templates/secrets.yaml
kubernetes/so/charts/so-vnfm-adapter/templates/deployment.yaml
kubernetes/so/values.yaml

index 0745ec0..b5f3c07 100644 (file)
@@ -48,5 +48,7 @@ Here's the list of these certificates:
  +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+
  | SO/VNFM          | Yes              | No?              | Yes             | kubernetes/so/resources/config/certificates                              |
  +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+
+ | SO/VNFM          | No               | Yes?             | Yes             | kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks    |
+ +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+
  | VID              | No               | Yes              | No              | kubernetes/vid/resources/cert                                            |
  +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+
diff --git a/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks b/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks
new file mode 100644 (file)
index 0000000..96931ce
Binary files /dev/null and b/kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks differ
index 9a74963..5be2cc7 100644 (file)
@@ -25,3 +25,16 @@ data:
   trustStorePassword: {{ .Values.global.client.certs.trustStorePassword }}
   keyStorePassword: {{ .Values.global.client.certs.keyStorePassword}}
 type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "common.release" . }}-so-truststore-secret
+  namespace: {{ include "common.namespace" . }}
+  labels:
+    app: {{ include "common.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }}
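Review bot: The glob `resources/certs/*` on the last added line puts every file in that chart directory into `so-truststore-secret`, so a keystore or key file placed there later would be shipped to every pod that mounts this secret. Naming the file keeps the secret limited to the trust store: `{{ (.Files.Glob "resources/certs/org.onap.so.trust.jks").AsSecrets | indent 2 }}`. The `tpl` wrapper looks unnecessary for the base64 output of a binary file. The first Secret in this file sets `type: Opaque` and the new one leaves it out; adding it would keep the two consistent.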
index 00b36a8..a720753 100755 (executable)
@@ -40,17 +40,17 @@ spec:
         image: {{ include "common.repository" . }}/{{ .Values.image }}
         resources:
 {{ include "common.resources" . | indent 12 }}
-         {{- if eq .Values.global.security.aaf.enabled true }}
         env:
         - name: TRUSTSTORE
-          value: /app/org.onap.so.trust.jks
+          value: {{ .Values.global.client.certs.truststore }}
         - name: TRUSTSTORE_PASSWORD
           valueFrom:
             secretKeyRef:
               name: {{ .Release.Name}}-so-client-certs-secret
               key: trustStorePassword
+        {{ if eq .Values.global.security.aaf.enabled true }}
         - name: KEYSTORE
-          value: /app/org.onap.so.jks
+          value: {{ .Values.global.client.certs.keystore }}
         - name: KEYSTORE_PASSWORD
           valueFrom:
             secretKeyRef:
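Review bot: `TRUSTSTORE` and `KEYSTORE` are now rendered from values unquoted and with no default, so an override file that omits `global.client.certs.truststore` produces `value:` with a null instead of a clear failure. Consider `value: {{ required "global.client.certs.truststore must be set" .Values.global.client.certs.truststore | quote }}`, and the same for `keystore`. `KEYSTORE` now resolves to a path under the new `/app/client` mount, while the only file this commit adds under `resources/certs` is the trust store. If `org.onap.so.jks` is not already in that directory, the keystore path will not resolve when AAF is enabled. The moved `{{ if` also dropped the `{{-` trim, and its matching `end` is outside the hunk.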
@@ -67,6 +67,9 @@ spec:
         - name: config
           mountPath: /app/config
           readOnly: true
+        - name: {{ include "common.fullname" . }}-truststore
+          mountPath: /app/client
+          readonly: true
         livenessProbe:
           tcpSocket:
             port: {{ index .Values.livenessProbe.port }}
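Review bot: `readonly: true` on the added volumeMount is misspelled; the field is `readOnly`, as written on the `config` mount directly above it. Depending on how strictly the manifest is validated, the lowercase key is either rejected as an unknown field or ignored, so the read-only intent is not expressed either way. Change the line to `readOnly: true`. The container spec begins and ends outside this hunk.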
@@ -84,5 +87,8 @@ spec:
       - name: config
         configMap:
             name: {{ include "common.fullname" . }}-app-configmap
+      - name:  {{ include "common.fullname" . }}-truststore
+        secret:
+          secretName: {{ include "common.release" . }}-so-truststore-secret
       imagePullSecrets:
         - name: "{{ include "common.namespace" . }}-docker-registry-key"
index 4cf991e..e9c5637 100755 (executable)
@@ -60,8 +60,8 @@ global:
     defaultCloudOwner: onap
     cadi:
       cadiLoglevel: DEBUG
-      cadiKeyFile: /app/org.onap.so.keyfile
-      cadiTrustStore: /app/org.onap.so.trust.jks
+      cadiKeyFile: /app/client/org.onap.so.keyfile
+      cadiTrustStore: /app/client/org.onap.so.trust.jks
       cadiTruststorePassword: enc:MFpuxKeYK6Eo6QXjDUjtOBbp0FthY7SB4mKSIJm_RWC
       cadiLatitude: 38.4329
       cadiLongitude: -90.43248
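Review bot: `cadiKeyFile` and `cadiTrustStore` sit under `global`, so moving them to `/app/client/` changes the path for every SO component that reads these values, while this commit adds the `/app/client` mount only to the so-vnfm-adapter deployment. Confirm that each other consumer either receives the same secret volume or keeps its own path; otherwise its CADI configuration presumably points at files that are not there. `org.onap.so.keyfile` is also not among the files this commit adds under `resources/certs`, so check that it ends up in the mounted secret.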
@@ -73,7 +73,9 @@ global:
     msoKey: 07a7159d3bf51a0e53be7a8f89699be7
   client:
     certs:
-      trustStorePassword: b25hcDRzbw==
+      truststore: /app/client/org.onap.so.trust.jks
+      keystore: /app/client/org.onap.so.jks
+      trustStorePassword: LHN4Iy5DKlcpXXdWZ0pDNmNjRkhJIzpI
       keyStorePassword: c280b25hcA==
   certificates:
     path: /etc/ssl/certs
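Review bot: The new `trustStorePassword` is committed as a chart default alongside the JKS it belongs to, and base64 here is only the encoding the Secret `data:` field requires, not protection. With both the store and its password in the repository, the password gives no integrity assurance for the bundled trust store. Production deployments should supply their own trust store and password through an override or an external secret source. A comment above the key would make that explicit: `# base64 of the default trust store password; override per deployment`.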