+.. note::
+ If you want to use CMPv2 certificate onboarding, Cert-Manager must be installed.
+ :doc:`Click here <oom_setup_paas>` to see how to install Cert-Manager.
+
+
+
a. Enabling/Disabling Components:
Here is an example of the nominal entries that need to be provided.
We have different values file available for different contexts.
honolulu 1.2.0 13.x
============== ============= =================
-This guide provides instructions on how to install the following PaaS
-components for ONAP:
+This guide provides instructions on how to install the PaaS
+components for ONAP.
-- Cert-Manager
-- Prometheus Stack
+.. contents::
+ :depth: 1
+ :local:
+..
Cert-Manager
============
org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\
org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
-multi.tenancy.enabled=true
+multi.tenancy.enabled={{ .Values.config.keycloak.multiTenancy.enabled }}
keycloak.auth-server-url=http://{{ .Values.config.keycloak.host }}:{{ .Values.config.keycloak.port }}/auth
-keycloak.realm=aai-resources
-keycloak.resource=aai-resources-app
+keycloak.realm={{ .Values.config.keycloak.realm }}
+keycloak.resource={{ .Values.config.keycloak.resource }}
keycloak.public-client=true
keycloak.principal-attribute=preferred_username
# Active spring profiles for the resources microservice
profiles:
- active: production,dmaap,aaf-auth
+ active: production,dmaap,aaf-auth #,keycloak
# Notification event specific properties
notification:
# Configuration for the resources deployment
config:
+ # configure keycloak according to your environment.
+ # don't forget to add keycloak in active profiles above (global.config.profiles)
keycloak:
- host: localhost
+ host: keycloak.your.domain
port: 8180
+ # Specifies a set of users, credentials, roles, and groups
+ realm: aai-resources
+ # Used by any client application for enabling fine-grained authorization for their protected resources
+ resource: aai-resources-app
+ # If set to true, additional criteria will be added that match the data-owner property with the given role
+ # to the user in keycloak
+ multiTenancy:
+ enabled: true
# Specifies crud related operation timeouts and overrides
crud:
#set -x
*/}}
-function enable_odl_cluster(){
+enable_odl_cluster () {
if [ -z $APPC_REPLICAS ]; then
echo "APPC_REPLICAS is not configured in Env field"
exit
ss="snapshots"
me=`basename $0`
-function find_target_table_name()
+find_target_table_name ()
{
dest_path=$1
keyspace_name=$2
printf $dest_table_name
}
-function print_usage()
+print_usage ()
{
echo "NAME"
echo " Script to restore Cassandra database from Nuvo/Cain snapshot"
- name: common
version: ~8.x-0
repository: 'file://../common'
+ - name: cmpv2Config
+ version: ~8.x-0
+ repository: 'file://../cmpv2Config'
#
# To request a certificate following steps are to be done:
# - create an object 'certificates' in the values.yaml
-# - create a file templates/certificates.yaml and invoke the function "certManagerCertificate.certificate".
+# - create a file templates/certificate.yaml and invoke the function "certManagerCertificate.certificate".
#
# Here is an example of the certificate request for a component:
#
# passwordSecretRef:
# name: secret-name
# key: secret-key
+# create: true
#
# Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined.
# Other mandatory fields for the certificate definition do not have to be defined directly,
{{/*# General certifiacate attributes #*/}}
{{- $name := include "common.fullname" $dot -}}
{{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}}
-{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
+{{- $secretName := default (printf "%s-secret-%d" $name $i) (tpl (default "" $certificate.secretName) $ ) -}}
{{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}}
{{- $renewBefore := default $subchartGlobal.certificate.default.renewBefore $certificate.renewBefore -}}
{{- $duration := default $subchartGlobal.certificate.default.duration $certificate.duration -}}
{{- if $certificate.issuer -}}
{{- $issuer = $certificate.issuer -}}
{{- end -}}
----
-{{- if $certificate.keystore }}
+{{/*# Secret #*/}}
+{{ if $certificate.keystore -}}
{{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}}
- {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote }}
+ {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote -}}
+ {{- if $passwordSecretRef.create }}
apiVersion: v1
kind: Secret
metadata:
type: Opaque
stringData:
{{ $passwordSecretRef.key }}: {{ $password }}
-{{- end }}
+ {{- end }}
+{{ end -}}
---
apiVersion: cert-manager.io/v1
kind: Certificate
{{- if $duration }}
duration: {{ $duration }}
{{- end }}
+ {{- if $certificate.isCA }}
+ isCA: {{ $certificate.isCA }}
+ {{- end }}
+ {{- if $certificate.usages }}
+ usages:
+ {{- range $usage := $certificate.usages }}
+ - {{ $usage }}
+ {{- end }}
+ {{- end }}
subject:
organizations:
- {{ $subject.organization }}
{{- end }}
{{- end }}
issuerRef:
+ {{- if not (eq $issuer.kind "Issuer" ) }}
group: {{ $issuer.group }}
+ {{- end }}
kind: {{ $issuer.kind }}
name: {{ $issuer.name }}
{{- if $certificate.keystore }}
{{ $outputType }}:
create: true
passwordSecretRef:
- name: {{ $certificate.keystore.passwordSecretRef.name }}
+ name: {{ tpl (default "" $certificate.keystore.passwordSecretRef.name) $ }}
key: {{ $certificate.keystore.passwordSecretRef.key }}
{{- end }}
{{- end }}
{{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}}
{{- end -}}
{{ $certsLinkCommand }}
-{{- end -}}
+{{- end -}}
\ No newline at end of file
- name: repositoryGenerator
version: ~8.x-0
repository: 'file://../repositoryGenerator'
+ - name: cmpv2Config
+ version: ~8.x-0
+ repository: 'file://../cmpv2Config'
{{- define "common.certServiceClient.initContainer" -}}
{{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
{{- range $index, $certificate := $dot.Values.certificates -}}
{{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}}
{{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}}
{{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}}
-{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.secret.mountPath -}}
-{{- $keystorePath := $subchartGlobal.platform.certServiceClient.envVariables.keystorePath -}}
-{{- $keystorePassword := $subchartGlobal.platform.certServiceClient.envVariables.keystorePassword -}}
-{{- $truststorePath := $subchartGlobal.platform.certServiceClient.envVariables.truststorePath -}}
-{{- $truststorePassword := $subchartGlobal.platform.certServiceClient.envVariables.truststorePassword -}}
+{{- $certificatesSecret:= $subchartGlobal.platform.certServiceClient.clientSecretName -}}
+{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath -}}
+{{- $keystorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.keystoreKeyRef ) -}}
+{{- $keystorePasswordSecret := $subchartGlobal.platform.certificates.keystorePasswordSecretName -}}
+{{- $keystorePasswordSecretKey := $subchartGlobal.platform.certificates.keystorePasswordSecretKey -}}
+{{- $truststorePath := (printf "%s%s" $subchartGlobal.platform.certServiceClient.certificatesSecretMountPath $subchartGlobal.platform.certificates.truststoreKeyRef ) -}}
+{{- $truststorePasswordSecret := $subchartGlobal.platform.certificates.truststorePasswordSecretName -}}
+{{- $truststorePasswordSecretKey := $subchartGlobal.platform.certificates.truststorePasswordSecretKey -}}
- name: certs-init-{{ $index }}
image: {{ include "repositoryGenerator.image.certserviceclient" $dot }}
imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
- name: KEYSTORE_PATH
value: {{ $keystorePath | quote }}
- name: KEYSTORE_PASSWORD
- value: {{ $keystorePassword | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $keystorePasswordSecret | quote}}
+ key: {{ $keystorePasswordSecretKey | quote}}
- name: TRUSTSTORE_PATH
value: {{ $truststorePath | quote }}
- name: TRUSTSTORE_PASSWORD
- value: {{ $truststorePassword | quote }}
+ valueFrom:
+ secretKeyRef:
+ name: {{ $truststorePasswordSecret | quote}}
+ key: {{ $truststorePasswordSecretKey | quote}}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
{{- define "common.certServiceClient.volumes" -}}
{{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
-{{- $certificatesSecretName := $subchartGlobal.platform.certServiceClient.secret.name -}}
+{{- $certificatesSecretName := $subchartGlobal.platform.certificates.clientSecretName -}}
- name: certservice-tls-volume
secret:
secretName: {{ $certificatesSecretName }}
{{- define "common.certServiceClient.volumeMounts" -}}
{{- $dot := default . .dot -}}
-{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate.cmpv2Config .initRoot -}}
{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
{{- range $index, $certificate := $dot.Values.certificates -}}
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
-
-#################################################################
-# Global configuration default values that can be inherited by
-# all subcharts.
-#################################################################
-global:
- # Enabling CMPv2
- cmpv2Enabled: true
- CMPv2CertManagerIntegration: false
-
- certificate:
- default:
- subject:
- organization: "Linux-Foundation"
- country: "US"
- locality: "San-Francisco"
- province: "California"
- organizationalUnit: "ONAP"
-
- platform:
- certServiceClient:
- secret:
- name: oom-cert-service-client-tls-secret
- mountPath: /etc/onap/oom/certservice/certs/
- envVariables:
- certPath: "/var/custom-certs"
- # Client configuration related
- caName: "RA"
- requestURL: "https://oom-cert-service:8443/v1/certificate/"
- requestTimeout: "30000"
- keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
- outputType: "P12"
- keystorePassword: "secret"
- truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
- truststorePassword: "secret"
# See the License for the specific language governing permissions and
# limitations under the License.
global:
+
+ # Enabling CMPv2
+ cmpv2Enabled: true
+ CMPv2CertManagerIntegration: false
+
+ certificate:
+ default:
+ subject:
+ organization: "Linux-Foundation"
+ country: "US"
+ locality: "San-Francisco"
+ province: "California"
+ organizationalUnit: "ONAP"
+
platform:
+ certificates:
+ clientSecretName: oom-cert-service-client-tls-secret
+ keystoreKeyRef: keystore.jks
+ truststoreKeyRef: truststore.jks
+ keystorePasswordSecretName: oom-cert-service-keystore-password
+ keystorePasswordSecretKey: password
+ truststorePasswordSecretName: oom-cert-service-truststore-password
+ truststorePasswordSecretKey: password
certServiceClient:
image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3
- secretName: oom-cert-service-client-tls-secret
+ certificatesSecretMountPath: /etc/onap/oom/certservice/certs/
envVariables:
+ certPath: "/var/custom-certs"
# Certificate related
- cmpv2Organization: "Linux-Foundation"
- cmpv2OrganizationalUnit: "ONAP"
- cmpv2Location: "San-Francisco"
- cmpv2State: "California"
- cmpv2Country: "US"
+ caName: "RA"
# Client configuration related
requestURL: "https://oom-cert-service:8443/v1/certificate/"
requestTimeout: "30000"
- keystorePassword: "secret"
- truststorePassword: "secret"
+ outputType: "P12"
certPostProcessor:
image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
innodb_flush_log_at_trx_commit=2
# MYISAM REPLICATION SUPPORT #
wsrep_replicate_myisam=ON
+ binlog_format=row
+ default_storage_engine=InnoDB
+ innodb_autoinc_lock_mode=2
+ transaction-isolation=READ-COMMITTED
+ wsrep_causal_reads=1
+ wsrep_sync_wait=7
[mariadb]
plugin_load_add=auth_pam
#argument: yaml file
#calling syntax: parse_yaml <yaml_file_name>
-function parse_yaml {
+parse_yaml () {
local prefix=$2
local s='[[:space:]]*' w='[a-zA-Z0-9_]*' fs=$(echo @|tr @ '\034')
sed -ne "s|^\($s\):|\1|" \
change-log: classpath:changelog/changelog-master.yaml
labels: ${LIQUIBASE_LABELS}
+security:
+ # comma-separated uri patterns which do not require authorization
+ permit-uri: /manage/health/**,/manage/info,/swagger-ui/**,/swagger-resources/**,/v3/api-docs
+ auth:
+ username: ${CPS_USERNAME}
+ password: ${CPS_PASSWORD}
+
# Actuator
management:
endpoints:
{{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "pg-user-creds" "key" "password") | indent 12 }}
- name: LIQUIBASE_LABELS
value: {{ .Values.config.liquibaseLabels }}
+ - name: CPS_USERNAME
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "login") | indent 12 }}
+ - name: CPS_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "password") | indent 12 }}
volumeMounts:
- mountPath: /config-input
name: init-data-input
path: {{ .Values.readiness.path }}
initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
periodSeconds: {{ .Values.readiness.periodSeconds }}
- env:
- - name: CPS_USERNAME
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "login") | indent 12 }}
- - name: CPS_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "app-user-creds" "key" "password") | indent 12 }}
resources: {{ include "common.resources" . | nindent 10 }}
{{- if .Values.nodeSelector }}
nodeSelector: {{ toYaml .Values.nodeSelector | nindent 12 }}
virtualhost:
baseurl: "simpledemo.onap.org"
-image: onap/cps-and-nf-proxy:1.0.0
+image: onap/cps-and-nf-proxy:1.0.1
containerPort: &svc_port 8080
service:
"image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certServiceClient.image }}",
"request_url": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.requestURL }}",
"timeout": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.requestTimeout }}",
- "country": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Country }}",
- "organization": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Organization }}",
- "state": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2State }}",
- "organizational_unit": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2OrganizationalUnit }}",
- "location": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.cmpv2Location }}",
- "cert_secret_name": "{{ .Values.cmpv2Config.global.platform.certServiceClient.secretName }}",
- "keystore_password": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.keystorePassword }}",
- "truststore_password": "{{ .Values.cmpv2Config.global.platform.certServiceClient.envVariables.truststorePassword }}"
+ "country": "{{ .Values.cmpv2Config.global.certificate.default.subject.country }}",
+ "organization": "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}",
+ "state": "{{ .Values.cmpv2Config.global.certificate.default.subject.province }}",
+ "organizational_unit": "{{ .Values.cmpv2Config.global.certificate.default.subject.organizationalUnit }}",
+ "location": "{{ .Values.cmpv2Config.global.certificate.default.subject.locality }}",
+ "cert_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName }}",
+ "keystore_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.keystoreKeyRef }}",
+ "truststore_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.truststoreKeyRef }}",
+ "keystore_password_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}",
+ "keystore_password_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretKey }}",
+ "truststore_password_secret_name": "{{ .Values.cmpv2Config.global.platform.certificates.truststorePasswordSecretName }}",
+ "truststore_password_secret_key": "{{ .Values.cmpv2Config.global.platform.certificates.truststorePasswordSecretKey }}"
},
"cert_post_processor": {
"image_tag": "{{ include "repositoryGenerator.repository" . }}/{{ .Values.cmpv2Config.global.platform.certPostProcessor.image }}"
# Application configuration defaults.
#################################################################
# application image
-image: onap/org.onap.dcaegen2.deployments.cm-container:4.4.2
+image: onap/org.onap.dcaegen2.deployments.cm-container:4.5.0
pullPolicy: Always
# name of shared ConfigMap with kubeconfig for multiple clusters
# Application configuration defaults.
#################################################################
# application image
-image: onap/dmaap/kafka111:1.0.4
+image: onap/dmaap/kafka111:1.0.5
pullPolicy: Always
# Application configuration defaults.
#################################################################
# application image
-image: onap/dmaap/dmaap-mr:1.1.18
+image: onap/dmaap/dmaap-mr:1.1.20
pullPolicy: Always
kafka:
# Application configuration defaults.
#################################################################
# application image
-image: onap/multicloud/k8s:0.8.0
+image: onap/multicloud/k8s:0.8.1
pullPolicy: Always
# flag to enable debugging - application support required
app_ns: org.osaaf.aaf
credsPath: /opt/app/osaaf/local
aaf_add_config: >
- /opt/app/aaf_config/bin/agent.sh;
- /opt/app/aaf_config/bin/agent.sh local showpass
- {{.Values.fqi}} {{ .Values.fqdn }} > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_keystore_password_p12=$cadi_keystore_password_p12" > {{ .Values.credsPath }}/mycreds.prop
+ echo "cadi_truststore_password=$cadi_truststore_password" >> {{ .Values.credsPath }}/mycreds.prop
aafConfig:
permission_user: 1000
cmpv2Enabled: true
CMPv2CertManagerIntegration: false
platform:
+ certificates:
+ clientSecretName: oom-cert-service-client-tls-secret
+ keystoreKeyRef: keystore.jks
+ truststoreKeyRef: truststore.jks
+ keystorePasswordSecretName: oom-cert-service-certificates-password
+ keystorePasswordSecretKey: password
+ truststorePasswordSecretName: oom-cert-service-certificates-password
+ truststorePasswordSecretKey: password
certServiceClient:
image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.3
- secret:
- name: oom-cert-service-client-tls-secret
- mountPath: /etc/onap/oom/certservice/certs/
+ certificatesSecretMountPath: /etc/onap/oom/certservice/certs/
envVariables:
certPath: "/var/custom-certs"
# Certificate related
- cmpv2Organization: "Linux-Foundation"
- cmpv2OrganizationalUnit: "ONAP"
- cmpv2Location: "San-Francisco"
- cmpv2State: "California"
- cmpv2Country: "US"
- # Client configuration related
caName: "RA"
+ # Client configuration related
requestURL: "https://oom-cert-service:8443/v1/certificate/"
requestTimeout: "30000"
- keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
outputType: "P12"
- keystorePassword: "secret"
- truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
- truststorePassword: "secret"
# Indicates offline deployment build
# Set to true if you are rendering helm charts for offline deployment
enabled: true
# application image
-image: onap/optf-cmso-optimizer:2.3.3
+image: onap/optf-cmso-optimizer:2.3.4
pullPolicy: Always
#init container image
dbinit:
- image: onap/optf-cmso-dbinit:2.3.3
+ image: onap/optf-cmso-dbinit:2.3.4
# flag to enable debugging - application support required
debugEnabled: false
- mountPath: /usr/share/filebeat/data
name: {{ include "common.fullname" . }}-filebeat
resources:
-{{ include "common.resources" . }}
- - name: mso-simulator
- image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.robotimage }}
- imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- volumeMounts:
- - name: {{ include "common.fullname" . }}-config
- mountPath: /share/etc/config
- ports:
- - containerPort: 5000
- resources:
{{ include "common.resources" . }}
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
enabled: true
# application image
-image: onap/optf-cmso-service:2.3.3
-robotimage: onap/optf-cmso-robot:2.3.3
+image: onap/optf-cmso-service:2.3.4
pullPolicy: Always
#init container image
dbinit:
- image: onap/optf-cmso-dbinit:2.3.3
+ image: onap/optf-cmso-dbinit:2.3.4
# flag to enable debugging - application support required
debugEnabled: false
enabled: true
# application image
-image: onap/optf-cmso-ticketmgt:2.3.3
+image: onap/optf-cmso-ticketmgt:2.3.4
pullPolicy: Always
enabled: true
# application image
-image: onap/optf-cmso-topology:2.3.3
+image: onap/optf-cmso-topology:2.3.4
pullPolicy: Always
certEndpoint: v1/certificate
caName: RA
certSecretRef:
- name: cmpv2-issuer-secret
- certRef: certServiceServer-cert.pem
- keyRef: certServiceServer-key.pem
- cacertRef: truststore.pem
+ name: oom-cert-service-server-tls-secret
+ certRef: tls.crt
+ keyRef: tls.key
+ cacertRef: ca.crt
+++ /dev/null
-CERTS_DIR = resources
-CURRENT_DIR := ${CURDIR}
-DOCKER_CONTAINER = generate-certs
-DOCKER_EXEC = docker exec ${DOCKER_CONTAINER}
-
-all: start_docker \
- clear_all \
- root_generate_keys \
- root_create_certificate \
- root_self_sign_certificate \
- client_generate_keys \
- client_generate_csr \
- client_sign_certificate_by_root \
- client_import_root_certificate \
- client_convert_certificate_to_jks \
- server_generate_keys \
- server_generate_csr \
- server_sign_certificate_by_root \
- server_import_root_certificate \
- server_convert_certificate_to_jks \
- server_convert_certificate_to_p12 \
- convert_truststore_to_p12 \
- convert_truststore_to_pem \
- server_export_certificate_to_pem \
- server_export_key_to_pem \
- clear_unused_files \
- stop_docker
-
-.PHONY: all
-
-# Starts docker container for generating certificates - deletes first, if already running
-start_docker:
- @make stop_docker
- $(eval REPOSITORY := $(shell cat ./values.yaml | grep -i "^[ \t]*repository" -m1 | xargs | cut -d ' ' -f2))
- $(eval JAVA_IMAGE := $(shell cat ./values.yaml | grep -i "^[ \t]*certificateGenerationImage" -m1 | xargs | cut -d ' ' -f2))
- $(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE))
- $(eval USERNAME :=$(shell id -u))
- $(eval GROUP :=$(shell id -g))
- docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/certs -w /certs --entrypoint "sh" -td $(FULL_JAVA_IMAGE)
-
-# Stops docker container for generating certificates. 'true' is used to return 0 status code, if container is already deleted
-stop_docker:
- docker rm ${DOCKER_CONTAINER} -f 1>/dev/null || true
-
-#Clear all files related to certificates
-clear_all:
- @make clear_existing_certificates
- @make clear_unused_files
-
-#Clear certificates
-clear_existing_certificates:
- @echo "Clear certificates"
- ${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 truststore.pem certServiceServer-cert.pem certServiceServer-key.pem
- @echo "#####done#####"
-
-#Generate root private and public keys
-root_generate_keys:
- @echo "Generate root private and public keys"
- ${DOCKER_EXEC} keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
- -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \
- -storepass secret -ext BasicConstraints:critical="ca:true"
- @echo "#####done#####"
-
-#Export public key as certificate
-root_create_certificate:
- @echo "(Export public key as certificate)"
- ${DOCKER_EXEC} keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
- @echo "#####done#####"
-
-#Self-signed root (import root certificate into truststore)
-root_self_sign_certificate:
- @echo "(Self-signed root (import root certificate into truststore))"
- ${DOCKER_EXEC} keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
- @echo "#####done#####"
-
-#Generate certService's client private and public keys
-client_generate_keys:
- @echo "Generate certService's client private and public keys"
- ${DOCKER_EXEC} keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 365 \
- -keystore certServiceClient-keystore.jks -storetype JKS \
- -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \
- -keypass secret -storepass secret
- @echo "####done####"
-
-#Generate certificate signing request for certService's client
-client_generate_csr:
- @echo "Generate certificate signing request for certService's client"
- ${DOCKER_EXEC} keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr
- @echo "####done####"
-
-#Sign certService's client certificate by root CA
-client_sign_certificate_by_root:
- @echo "Sign certService's client certificate by root CA"
- ${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \
- -outfile certServiceClientByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth"
- @echo "####done####"
-
-#Import root certificate into client
-client_import_root_certificate:
- @echo "Import root certificate into intermediate"
- ${DOCKER_EXEC} sh -c "cat root.crt >> certServiceClientByRoot.crt"
- @echo "####done####"
-
-#Import signed certificate into certService's client
-client_convert_certificate_to_jks:
- @echo "Import signed certificate into certService's client"
- ${DOCKER_EXEC} keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
- @echo "####done####"
-
-#Generate certService private and public keys
-server_generate_keys:
- @echo "Generate certService private and public keys"
- ${DOCKER_EXEC} keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 365 \
- -keystore certServiceServer-keystore.jks -storetype JKS \
- -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \
- -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
- @echo "####done####"
-
-#Generate certificate signing request for certService
-server_generate_csr:
- @echo "Generate certificate signing request for certService"
- ${DOCKER_EXEC} keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr
- @echo "####done####"
-
-#Sign certService certificate by root CA
-server_sign_certificate_by_root:
- @echo "Sign certService certificate by root CA"
- ${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \
- -outfile certServiceServerByRoot.crt -rfc -ext bc=0 -ext ExtendedkeyUsage="serverAuth,clientAuth" \
- -ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost"
- @echo "####done####"
-
-#Import root certificate into server
-server_import_root_certificate:
- @echo "Import root certificate into intermediate(server)"
- ${DOCKER_EXEC} sh -c "cat root.crt >> certServiceServerByRoot.crt"
- @echo "####done####"
-
-#Import signed certificate into certService
-server_convert_certificate_to_jks:
- @echo "Import signed certificate into certService"
- ${DOCKER_EXEC} keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \
- -storepass secret -noprompt
- @echo "####done####"
-
-#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
-server_convert_certificate_to_p12:
- @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
- ${DOCKER_EXEC} keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \
- -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
- @echo "#####done#####"
-
-#Convert truststore(.jks) to PCKS12 format(.p12)
-convert_truststore_to_p12:
- @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
- ${DOCKER_EXEC} keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \
- -destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret
- @echo "#####done#####"
-
-#Convert truststore(.p12) to PEM format(.pem)
-convert_truststore_to_pem:
- @echo "Convert certServiceServer-keystore(.p12) to PEM format(.pem)"
- ${DOCKER_EXEC} openssl pkcs12 -nodes -in truststore.p12 -out truststore.pem -passin pass:secret
- @echo "#####done#####"
-
-#Export certificates from certServiceServer-keystore(.p12) to PEM format(.pem)
-server_export_certificate_to_pem:
- @echo "Export certificates from certServiceClient-keystore(.p12) to PEM format(.pem)"
- ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nokeys -out certServiceServer-cert.pem
- @echo "#####done#####"
-
-#Export keys from certServiceServer-keystore(.p12) to PEM format(.pem)
-server_export_key_to_pem:
- @echo "Export keys from certServiceClient-keystore(.p12) to PEM format(.pem)"
- ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out certServiceServer-key.pem
- @echo "#####done#####"
-
-
-#Clear unused certificates
-clear_unused_files:
- @echo "Clear unused certificates"
- ${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr truststore.p12
- @echo "#####done#####"
- name: repositoryGenerator
version: ~8.x-0
repository: '@local'
+ - name: certManagerCertificate
+ version: ~8.x-0
+ repository: '@local'
+ - name: cmpv2Config
+ version: ~8.x-0
+ repository: '@local'
\ No newline at end of file
--- /dev/null
+{{/*
+# Copyright © 2020-2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "certManagerCertificate.certificate" . }}
- name: ROOT_CERT
value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.crtName }}"
- name: KEYSTORE_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 14 }}
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }}
- name: TRUSTSTORE_PASSWORD
- {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 14 }}
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }}
livenessProbe:
exec:
command:
--- /dev/null
+{{/*
+ # Copyright © 2021, Nokia
+ #
+ # Licensed under the Apache License, Version 2.0 (the "License");
+ # you may not use this file except in compliance with the License.
+ # You may obtain a copy of the License at
+ #
+ # http://www.apache.org/licenses/LICENSE-2.0
+ #
+ # Unless required by applicable law or agreed to in writing, software
+ # distributed under the License is distributed on an "AS IS" BASIS,
+ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+*/}}
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ .Values.tls.issuer.selfsigning.name }}
+ namespace: {{ include "common.namespace" . }}
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ .Values.tls.issuer.ca.name }}
+ namespace: {{ include "common.namespace" . }}
+spec:
+ ca:
+ secretName: {{ .Values.tls.issuer.ca.secret.name }}
\ No newline at end of file
{{ (.Files.Glob "resources/default/cmpServers.json").AsSecrets }}
{{ end }}
---
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Values.global.certService.certServiceClient.secret.name | default .Values.tls.client.secret.defaultName }}
-type: Opaque
-data:
- certServiceClient-keystore.jks:
- {{ (.Files.Glob "resources/certServiceClient-keystore.jks").AsSecrets }}
- truststore.jks:
- {{ (.Files.Glob "resources/truststore.jks").AsSecrets }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Values.tls.server.secret.name }}
-type: Opaque
-data:
- certServiceServer-keystore.jks:
- {{ (.Files.Glob "resources/certServiceServer-keystore.jks").AsSecrets }}
- certServiceServer-keystore.p12:
- {{ (.Files.Glob "resources/certServiceServer-keystore.p12").AsSecrets }}
- truststore.jks:
- {{ (.Files.Glob "resources/truststore.jks").AsSecrets }}
- root.crt:
- {{ (.Files.Glob "resources/root.crt").AsSecrets }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ .Values.tls.provider.secret.name }}
-type: Opaque
-data:
- certServiceServer-key.pem:
- {{ (.Files.Glob "resources/certServiceServer-key.pem").AsSecrets }}
- certServiceServer-cert.pem:
- {{ (.Files.Glob "resources/certServiceServer-cert.pem").AsSecrets }}
- truststore.pem:
- {{ (.Files.Glob "resources/truststore.pem").AsSecrets }}
+
{{ end -}}
mountPath: /etc/onap/oom/certservice
tls:
+ issuer:
+ selfsigning:
+ name: &selfSigningIssuer cmpv2-selfsigning-issuer
+ ca:
+ name: &caIssuer cmpv2-ca-issuer
+ secret:
+ name: &caKeyPairSecret cmpv2-ca-key-pair
server:
secret:
- name: oom-cert-service-server-tls-secret
+ name: &serverSecret oom-cert-service-server-tls-secret
volume:
name: oom-cert-service-server-tls-volume
mountPath: /etc/onap/oom/certservice/certs/
client:
secret:
defaultName: oom-cert-service-client-tls-secret
- provider:
- secret:
- name: cmpv2-issuer-secret
envs:
keystore:
- jksName: certServiceServer-keystore.jks
- p12Name: certServiceServer-keystore.p12
- pemName: certServiceServer-keystore.pem
+ jksName: keystore.jks
+ p12Name: keystore.p12
+ pemName: tls.crt
truststore:
jksName: truststore.jks
- crtName: root.crt
- pemName: truststore.pem
+ crtName: ca.crt
+ pemName: tls.crt
httpsPort: 8443
# External secrets with credentials can be provided to override default credentials defined below,
# by uncommenting and filling appropriate *ExternalSecret value
credentials:
tls:
- keystorePassword: secret
- truststorePassword: secret
- #keystorePasswordExternalSecret:
- #truststorePasswordExternalSecret:
+ certificatesPassword: secret
+ #certificatesPasswordExternalSecret:
# Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled
cmp:
# Used only if cmpv2 testing is enabled
# rv: unused
secrets:
- - uid: keystore-password
- name: '{{ include "common.release" . }}-keystore-password'
- type: password
- externalSecret: '{{ tpl (default "" .Values.credentials.tls.keystorePasswordExternalSecret) . }}'
- password: '{{ .Values.credentials.tls.keystorePassword }}'
- passwordPolicy: required
- - uid: truststore-password
- name: '{{ include "common.release" . }}-truststore-password'
+ - uid: certificates-password
+ name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}'
type: password
- externalSecret: '{{ tpl (default "" .Values.credentials.tls.truststorePasswordExternalSecret) . }}'
- password: '{{ .Values.credentials.tls.truststorePassword }}'
+ externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}'
+ password: '{{ .Values.credentials.tls.certificatesPassword }}'
passwordPolicy: required
# Below values are relevant only if global addTestingComponents flag is enabled
- uid: ejbca-server-client-iak
type: password
externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}'
password: '{{ .Values.credentials.cmp.ra.rv }}'
+
+# Certificates definitions
+certificates:
+ - name: selfsigned-cert
+ secretName: *caKeyPairSecret
+ isCA: true
+ commonName: root.com
+ subject:
+ organization: Root Company
+ country: PL
+ locality: Wroclaw
+ province: Dolny Slask
+ organizationalUnit: Root Org
+ issuer:
+ name: *selfSigningIssuer
+ kind: Issuer
+ - name: cert-service-server-cert
+ secretName: *serverSecret
+ commonName: oom-cert-service
+ dnsNames:
+ - oom-cert-service
+ - localhost
+ subject:
+ organization: certServiceServer org
+ country: PL
+ locality: Wroclaw
+ province: Dolny Slask
+ organizationalUnit: certServiceServer company
+ usages:
+ - server auth
+ - client auth
+ keystore:
+ outputType:
+ - jks
+ - p12
+ passwordSecretRef:
+ name: *certificatesPasswordSecretName
+ key: password
+ issuer:
+ name: *caIssuer
+ kind: Issuer
+ - name: cert-service-client-cert
+ secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}'
+ commonName: certServiceClient.com
+ subject:
+ organization: certServiceClient org
+ country: PL
+ locality: Wroclaw
+ province: Dolny Slask
+ organizationalUnit: certServiceClient company
+ usages:
+ - server auth
+ - client auth
+ keystore:
+ outputType:
+ - jks
+ passwordSecretRef:
+ name: *certificatesPasswordSecretName
+ key: password
+ issuer:
+ name: *caIssuer
+ kind: Issuer
#
# Execute tags built to support the hands-on demo
#
-function usage
+usage ()
{
echo "Usage: demo-k8s.sh <namespace> <command> [<parameters>] [execscript]"
echo " "
FOLDER=
POLL=0
-function check_required_parameter() {
+check_required_parameter () {
# arg1 = parameter
# arg2 = parameter name
if [ -z "$1" ]; then
fi
}
-function check_optional_paramater() {
+check_optional_paramater () {
# arg1 = parameter
# arg2 = parameter name
if [ -z $1 ]; then
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-backend-all-plugins:1.8.4
-backendInitImage: onap/sdc-backend-init:1.8.4
+image: onap/sdc-backend-all-plugins:1.8.5
+backendInitImage: onap/sdc-backend-init:1.8.5
pullPolicy: Always
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/sdc-cassandra:1.8.4
-cassandraInitImage: onap/sdc-cassandra-init:1.8.4
+image: onap/sdc-cassandra:1.8.5
+cassandraInitImage: onap/sdc-cassandra-init:1.8.5
pullPolicy: Always
config:
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-frontend:1.8.4
+image: onap/sdc-frontend:1.8.5
pullPolicy: Always
config:
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdc-onboard-backend:1.8.4
-onboardingInitImage: onap/sdc-onboard-cassandra-init:1.8.4
+image: onap/sdc-onboard-backend:1.8.5
+onboardingInitImage: onap/sdc-onboard-cassandra-init:1.8.5
pullPolicy: Always
# flag to enable debugging - application support required
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdnc-dmaap-listener-image:2.1.3
+image: onap/sdnc-dmaap-listener-image:2.1.5
pullPolicy: Always
# flag to enable debugging - application support required
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdnc-ansible-server-image:2.1.3
+image: onap/sdnc-ansible-server-image:2.1.5
pullPolicy: Always
# flag to enable debugging - application support required
# Application configuration defaults.
#################################################################
# application image
-image: "onap/sdnc-web-image:2.1.3"
+image: "onap/sdnc-web-image:2.1.5"
pullPolicy: Always
config:
# Application configuration defaults.
#################################################################
# application image
-image: onap/sdnc-ueb-listener-image:2.1.3
+image: onap/sdnc-ueb-listener-image:2.1.5
pullPolicy: Always
# flag to enable debugging - application support required
# limitations under the License.
*/}}
-function usage()
+usage ()
{
echo usage: switchVoting.sh primary\|secondary
exit 1
outputType:
- jks
passwordSecretRef:
+ create: true
name: sdnc-cmpv2-keystore-password
key: password
issuer:
# application images
pullPolicy: Always
-image: onap/sdnc-image:2.1.3
+image: onap/sdnc-image:2.1.5
# flag to enable debugging - application support required
debugEnabled: false
max-threads: 50
mso:
site-name: localSite
- logPath: ./logs/cnf
+ logPath: ./logs/cnf-adapter
msb-ip: msb-iag.{{ include "common.namespace" . }}
msb-port: 80
#Actuator
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/mso-cnf-adapter:1.8.0
+image: onap/so/so-cnf-adapter:1.8.3
pullPolicy: Always
readinessCheck:
replicaCount: 1
minReadySeconds: 10
containerPort: &containerPort 8090
-logPath: ./logs/cnf/
+logPath: ./logs/cnf-adapter/
app: cnf-adapter
service:
type: ClusterIP
mso:
site-name: localSite
- logPath: ./logs/nssmf
+ logPath: ./logs/nssmf-adapter
msb-ip: msb-iag.{{ include "common.namespace" . }}
msb-port: 80
adapters:
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/nssmf-adapter:1.8.0
+image: onap/so/so-nssmf-adapter:1.8.3
pullPolicy: Always
db:
replicaCount: 1
minReadySeconds: 10
containerPort: &containerPort 8088
-logPath: ./logs/nssmf/
+logPath: ./logs/nssmf-adapter/
app: nssmf-adapter
service:
type: ClusterIP
mso:
site-name: localSite
- logPath: ./logs/oof
+ logPath: ./logs/oof-adapter
msb-ip: msb-iag.{{ include "common.namespace" . }}
msb-port: 80
msoKey: ${MSO_KEY}
#################################################################
# Application configuration defaults.
#################################################################
-image: onap/so/so-oof-adapter:1.8.2
+image: onap/so/so-oof-adapter:1.8.3
pullPolicy: Always
mso:
containerPort: &containerPort 8090
minReadySeconds: 10
containerPort: *containerPort
-logPath: ./logs/oof/
+logPath: ./logs/oof-adapter/
app: so-oof-adapter
service:
type: ClusterIP
[testenv:docs]
deps = -rdocs/requirements-docs.txt
commands =
- sphinx-build -W -b html -n -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/html
+ sphinx-build -q -W -b html -n -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/html
[testenv:docs-linkcheck]
deps = -rdocs/requirements-docs.txt
-commands = sphinx-build -W -b linkcheck -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/linkcheck
+commands = sphinx-build -q -W -b linkcheck -d {envtmpdir}/doctrees ./docs/ {toxinidir}/docs/_build/linkcheck
[testenv:spelling]
#basepython = python3
Code Review / oom.git / commitdiff