[SDNC] Fix issue with certs from CMPv2 by Netconf (TLS)

- correct cmpv2Certificate to take outputType from 'certificates'
- add postStart hook for CertManagerIntegration to make cert dir writable
- add setting ODL_CERT_DIR env

Issue-ID: SDNC-1477
Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
Change-Id: I4531392cc4f113b173d10a27b98b1fe97d6faa4d

diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
index 4e43f62..f820c30 100644 (file)
--- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
+++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
@@ -181,8 +181,10 @@ spec:
 {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
   {{- range $i, $certificate := $dot.Values.certificates -}}
     {{- $mountPath := $certificate.mountPath -}}
-- mountPath: {{ $mountPath }}
+- mountPath: {{ (printf "%s/secret-%d" $mountPath $i) }}
   name: certmanager-certs-volume-{{ $i }}
+- mountPath: {{ $mountPath }}
+  name: certmanager-certs-volume-{{ $i }}-dir
    {{- end -}}
 {{- end -}}
 
@@ -194,6 +196,8 @@ spec:
   {{- range $i, $certificate := $certificates -}}
     {{- $name := include "common.fullname" $dot -}}
     {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
+- name: certmanager-certs-volume-{{ $i }}-dir
+  emptyDir: {}
 - name: certmanager-certs-volume-{{ $i }}
   projected:
     sources:
@@ -217,3 +221,17 @@ spec:
      {{- end }}
   {{- end -}}
 {{- end -}}
+
+{{- define "common.certManager.linkVolumeMounts" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- $certificates := $dot.Values.certificates -}}
+{{- $certsLinkCommand := "" -}}
+  {{- range $i, $certificate := $certificates -}}
+    {{- $destnationPath := (required "'mountPath' for Certificate is required." $certificate.mountPath) -}}
+    {{- $sourcePath := (printf "%s/secret-%d/*" $destnationPath $i) -}}
+    {{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}}
+  {{- end -}}
+{{ $certsLinkCommand }}
+{{- end -}}

diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
index 57e6c69..58cc9c7 100644 (file)
--- a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
+++ b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
@@ -27,7 +27,9 @@ Full example (other fields are ignored):
 certificates:
   - mountPath:  /var/custom-certs
     caName: RA
-    outputType: JKS
+    keystore:
+      outputType:
+        - jks
     commonName: common-name
     dnsNames:
       - dns-name-1
@@ -65,7 +67,7 @@ There also need to be some includes used in a target component deployment (inden
 {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
 {{- range $index, $certificate := $dot.Values.certificates -}}
 {{/*# General certifiacate attributes  #*/}}
-{{- $commonName     := $certificate.commonName     -}}
+{{- $commonName     := (required "'commonName' for Certificate is required." $certificate.commonName) -}}
 {{/*# SAN's #*/}}
 {{- $dnsNames       := default (list)    $certificate.dnsNames       -}}
 {{- $ipAddresses    := default (list)    $certificate.ipAddresses    -}}
@@ -87,7 +89,11 @@ There also need to be some includes used in a target component deployment (inden
 {{- $orgUnit        := $certificate.subject.organizationalUnit -}}
 {{- end -}}
 {{- $caName := default $subchartGlobal.platform.certServiceClient.envVariables.caName $certificate.caName -}}
-{{- $outputType := default $subchartGlobal.platform.certServiceClient.envVariables.outputType  $certificate.outputType  -}}
+{{- $outputType := $subchartGlobal.platform.certServiceClient.envVariables.outputType -}}
+{{- if $certificate.keystore -}}
+{{- $outputTypeList := (required "'outputType' in 'keystore' section is required." $certificate.keystore.outputType) -}}
+{{- $outputType = mustFirst ($outputTypeList) | upper -}}
+{{- end -}}
 {{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}}
 {{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}}
 {{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}}

diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml
index 7441dac..96fa337 100644 (file)
--- a/kubernetes/sdnc/templates/statefulset.yaml
+++ b/kubernetes/sdnc/templates/statefulset.yaml
@@ -128,6 +128,13 @@ spec:
         - name: {{ include "common.name" . }}
           image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          {{- if and .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }}
+          {{- $linkCommand := include "common.certManager.linkVolumeMounts" . }}
+          lifecycle:
+            postStart:
+              exec:
+                command: ["sh", "-c", {{$linkCommand | quote}} ]
+          {{- end }}
           command: ["/bin/bash"]
           args: ["-c", "/opt/onap/sdnc/bin/createLinks.sh ; /opt/onap/sdnc/bin/startODL.sh"]
           ports:
@@ -197,7 +204,11 @@ spec:
           {{- if .Values.config.sdnr.sdnrdbTrustAllCerts }}
           - name: SDNRDBTRUSTALLCERTS
             value: "true"
-          {{ end }}
+          {{- end }}
+          {{- if .Values.global.cmpv2Enabled }}
+          - name: ODL_CERT_DIR
+            value: {{ (mustFirst (.Values.certificates)).mountPath }}
+          {{- end }}
 
           volumeMounts:
 {{ include "common.certInitializer.volumeMount" . | indent 10 }}