# See the License for the specific language governing permissions and
# limitations under the License.
-make-contrib: make-contrib-awx make-contrib-netbox make-contrib-core
+make-contrib: make-contrib-awx make-contrib-netbox make-contrib-ejbca make-contrib-core
make-contrib-awx:
cd components && helm dep up awx && helm lint awx
+make-contrib-ejbca:
+ cd components && helm dep up ejbca && helm lint ejbca
+
make-contrib-netbox:
cd components && helm dep up netbox && helm lint netbox
--- /dev/null
+# Copyright © 2020 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: ONAP EJBCA test server
+name: ejbca
+version: 6.0.0
--- /dev/null
+# Copyright © 2020 Orange, Ericsson
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+dependencies:
+ - name: common
+ version: ~6.x-0
+ repository: '@local'
+ - name: mariadb-galera
+ version: ~6.x-0
+ repository: '@local'
+ condition: global.mariadbGalera.localCluster
+ - name: mariadb-init
+ version: ~6.x-0
+ repository: '@local'
+ condition: not global.mariadbGalera.localCluster
--- /dev/null
+#!/bin/bash
+
+waitForEjbcaToStart() {
+ until $(curl -kI https://localhost:8443/ejbca/publicweb/healthcheck/ejbcahealth --output /dev/null --silent --head --fail)
+ do
+ sleep 5
+ done
+}
+
+configureEjbca() {
+ ejbca.sh config cmp addalias --alias cmpRA
+ ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra
+ ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK}
+ ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe
+ ejbca.sh config cmp dumpalias --alias cmpRA
+ ejbca.sh config cmp addalias --alias cmp
+ ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true
+ ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe
+ ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password ${CLIENT_IAK} --type 1 --token USERGENERATED
+ ejbca.sh ra setclearpwd --username Node123 --password ${CLIENT_IAK}
+ ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN
+ ejbca.sh config cmp dumpalias --alias cmp
+ ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem
+}
+
+
+waitForEjbcaToStart
+configureEjbca
--- /dev/null
+# Copyright © 2020, Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: "{{ include "common.fullname" . }}-config-script"
+data:
+{{ tpl (.Files.Glob "resources/ejbca-config.sh").AsConfig . | indent 2 }}
--- /dev/null
+# Copyright © 2020, Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata: {{- include "common.resourceMetadata" . | nindent 2 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector: {{- include "common.selectors" . | nindent 4 }}
+ template:
+ metadata: {{- include "common.templateMetadata" . | nindent 6 }}
+ spec:
+ initContainers:
+ - name: {{ include "common.name" . }}-db-readiness
+ command:
+ - /root/ready.py
+ args:
+ - --container-name
+ {{- if .Values.global.mariadbGalera.localCluster }}
+ - ejbca-galera
+ {{- else }}
+ - ejbca-config
+ {{- end }}
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ containers:
+ - name: {{ include "common.name" . }}-ejbca
+ image: {{ .Values.ejbca.image }}
+ imagePullPolicy: {{ .Values.pullPolicy }}
+ lifecycle:
+ postStart:
+ exec:
+ command: ["/bin/sh", "-c", "/opt/primekey/scripts/ejbca-config.sh"]
+ volumeMounts:
+ - name: "{{ include "common.fullname" . }}-volume"
+ mountPath: /opt/primekey/scripts/
+ ports: {{ include "common.containerPorts" . | nindent 10 }}
+ env:
+ - name: INITIAL_ADMIN
+ value: ";PublicAccessAuthenticationToken:TRANSPORT_ANY;"
+ - name: DATABASE_JDBC_URL
+ value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ .Values.mysqlDatabase }}
+ - name: DATABASE_USER
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-db-secret" "key" "login") | indent 10 }}
+ - name: DATABASE_PASSWORD
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-db-secret" "key" "password") | indent 10 }}
+ - name: RA_IAK
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-server-ra-iak" "key" "password") | indent 10 }}
+ - name: CLIENT_IAK
+ {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "ejbca-server-client-iak" "key" "password") | indent 10 }}
+ livenessProbe:
+ httpGet:
+ port: {{ .Values.liveness.port }}
+ path: {{ .Values.liveness.path }}
+ scheme: HTTPS
+ initialDelaySeconds: {{ .Values.liveness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.liveness.periodSeconds }}
+ readinessProbe:
+ httpGet:
+ port: {{ .Values.readiness.port }}
+ path: {{ .Values.readiness.path }}
+ scheme: HTTPS
+ initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+ periodSeconds: {{ .Values.readiness.periodSeconds }}
+ {{- if .Values.nodeSelector }}
+ nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }}
+ {{- end -}}
+ {{- if .Values.affinity }}
+ affinity: {{ toYaml .Values.affinity | nindent 10 }}
+ {{- end }}
+ volumes:
+ - configMap:
+ name: "{{ include "common.fullname" . }}-config-script"
+ defaultMode: 0755
+ name: "{{ include "common.fullname" . }}-volume"
--- /dev/null
+# Copyright © 2020, Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.secretFast" . }}
--- /dev/null
+# Copyright © 2020, Nordix Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{ include "common.service" . }}
--- /dev/null
+# Copyright © 2020, Nordix Foundation, Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+global:
+ readinessRepository: oomk8s
+ readinessImage: readiness-check:2.0.1
+ mariadbGalera: &mariadbGalera
+ #This flag allows EJBCA to instantiate its own mariadb-galera cluster
+ localCluster: false
+ service: mariadb-galera
+ internalPort: 3306
+ nameOverride: mariadb-galera
+
+secrets:
+ - uid: ejbca-db-secret
+ name: &ejbca-db-secret '{{ include "common.release" . }}-ejbca-db-secret'
+ type: basicAuth
+ externalSecret: '{{ tpl (default "" .Values.config.db.userCredentialsExternalSecret) . }}'
+ login: '{{ .Values.config.db.userName }}'
+ password: '{{ .Values.config.db.userPassword }}'
+ - uid: ejbca-server-ra-iak
+ name: '{{ include "common.release" . }}-ejbca-ra-iak'
+ type: password
+ password: '{{ .Values.config.ejbca.raIak }}'
+ - uid: ejbca-server-client-iak
+ name: '{{ include "common.release" . }}-ejbca-client-iak'
+ type: password
+ password: '{{ .Values.config.ejbca.clientIak }}'
+
+# application configuration
+config:
+ db:
+ userName: ejbca
+ # userPassword: password
+ # userCredentialsExternalSecret: some-secret
+ ejbca: {}
+ # raIak: mypassword
+ # clientIak: mypassword
+
+mysqlDatabase: &dbName ejbca
+
+#################################################################
+# Application configuration defaults.
+#################################################################
+# application configuration
+replicaCount: 1
+
+ejbca:
+ image: primekey/ejbca-ce:6.15.2.5
+pullPolicy: Always
+
+mariadb-galera:
+ # '&mariadbConfig' means we "store" the values for later use in the file
+ # with '*mariadbConfig' pointer.
+ config: &mariadbConfig
+ userCredentialsExternalSecret: *ejbca-db-secret
+ mysqlDatabase: *dbName
+ nameOverride: ejbca-galera
+ service:
+ name: ejbca-galera
+ portName: ejbca-galera
+ internalPort: 3306
+ replicaCount: 1
+ persistence:
+ enabled: true
+ mountSubPath: ejbca/maria/data
+
+mariadb-init:
+ config: *mariadbConfig
+ nameOverride: ejbca-config
+
+nodeSelector: {}
+
+affinity: {}
+
+# probe configuration parameters
+liveness:
+ path: /ejbca/publicweb/healthcheck/ejbcahealth
+ port: api
+ initialDelaySeconds: 30
+ periodSeconds: 30
+
+readiness:
+ path: /ejbca/publicweb/healthcheck/ejbcahealth
+ port: api
+ initialDelaySeconds: 30
+ periodSeconds: 30
+
+service:
+ type: ClusterIP
+ ports:
+ - name: api
+ port: 8443
+ plain_port: 8080
+ port_protocol: http
- name: common
version: ~6.x-0
repository: '@local'
- - name: netbox
- version: ~6.x-0
- repository: 'file://components/netbox'
- condition: netbox.enabled
- name: awx
version: ~6.x-0
repository: 'file://components/awx'
condition: awx.enabled
+ - name: ejbca
+ version: ~6.x-0
+ repository: 'file://components/ejbca'
+ condition: global.cmpv2Enabled
+ - name: netbox
+ version: ~6.x-0
+ repository: 'file://components/netbox'
+ condition: netbox.enabled
# See the License for the specific language governing permissions and
# limitations under the License.
+global:
+ cmpv2Enabled: true
+
awx:
enabled: true
netbox:
- enabled: true
\ No newline at end of file
+ enabled: true
- name: contrib
version: ~6.x-0
repository: '@local'
- condition: contrib.enabled
+ condition: global.addTestingComponents
- name: dcaegen2
version: ~6.x-0
repository: '@local'
###################################################################
# This override file enables helm charts for all ONAP applications.
###################################################################
+global:
+ addTestingComponents: &testing true
cassandra:
enabled: true
mariadb-galera:
enabled: true
-
aaf:
enabled: true
aai:
enabled: true
cli:
enabled: true
-consul:
- enabled: true
+# Today, "contrib" chart that hosting these components must also be enabled
+# in order to make it work. So `contrib.enabled` must have the same value than
+# addTestingComponents
contrib:
+ enabled: *testing
+consul:
enabled: true
dcaegen2:
enabled: true
nodePortPrefix: 302
nodePortPrefixExt: 304
+
+ # Install test components
+ # test components are out of the scope of ONAP but allow to have a entire
+ # environment to test the different features of ONAP
+ # Current tests environments provided:
+ # - netbox (needed for CDS IPAM)
+ # - AWX (needed for XXX)
+ # - EJBCA Server (needed for CMPv2 tests)
+ # Today, "contrib" chart that hosting these components must also be enabled
+ # in order to make it work. So `contrib.enabled` must have the same value than
+ # addTestingComponents
+ addTestingComponents: &testing false
+
# ONAP Repository
# Uncomment the following to enable the use of a single docker
# repository but ONLY if your repository mirrors all ONAP
# readiness check - temporary repo until images migrated to nexus3
readinessRepository: oomk8s
+ readinessImage: readiness-check:2.0.2
# logging agent - temporary repo until images migrated to nexus3
loggingRepository: docker.elastic.co
aafEnabled: true
aafAgentImage: onap/aaf/aaf_agent:2.1.20
+ # Enabling CMPv2
+ cmpv2Enabled: true
+
# TLS
# Set to false if you want to disable TLS for NodePorts. Be aware that this
# will loosen your security.
enabled: false
consul:
enabled: false
+# Today, "contrib" chart that hosting these components must also be enabled
+# in order to make it work. So `contrib.enabled` must have the same value than
+# addTestingComponents
contrib:
- enabled: false
+ enabled: *testing
dcaegen2:
enabled: false
dcaemod: