From: Jan Malkiewicz Date: Tue, 8 Dec 2020 14:08:01 +0000 (+0100) Subject: [CMPV2] Add a template for Certificate (cert-manager) X-Git-Tag: 8.0.0~169^2 X-Git-Url: https://gerrit.onap.org/r/gitweb?p=oom.git;a=commitdiff_plain;h=0e53c9f6efd5508ad4878781cb45f76df65b0a0c [CMPV2] Add a template for Certificate (cert-manager) This commit introduces a template for requesting a cert-manager certificate. See: https://cert-manager.io. It consist of the following parts: - a template for creating certificate in commons component - a definition of a certifcate object in sdnc component Issue-ID: OOM-2568 Signed-off-by: Jan Malkiewicz Change-Id: If58b8f12eff075d058db5a0fee3b2db5c2c93a17 --- diff --git a/.gitignore b/.gitignore index 11c7e801d7..cb4cb34579 100644 --- a/.gitignore +++ b/.gitignore @@ -31,3 +31,6 @@ requirements.lock # Mac OS *DS_Store* + +# dist +dist diff --git a/kubernetes/aaf/.gitignore b/kubernetes/aaf/.gitignore index 3a4f8ba352..71fbb5cbb9 100644 --- a/kubernetes/aaf/.gitignore +++ b/kubernetes/aaf/.gitignore @@ -1 +1,2 @@ /sms/ +components/dist diff --git a/kubernetes/common/common/templates/_certificate.tpl b/kubernetes/common/common/templates/_certificate.tpl new file mode 100644 index 0000000000..74f81af901 --- /dev/null +++ b/kubernetes/common/common/templates/_certificate.tpl @@ -0,0 +1,192 @@ +{{/*# +# Copyright © 2020, Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License.*/}} + +{{/* +# This is a template for requesting a certificate from the cert-manager (https://cert-manager.io). +# +# To request a certificate following steps are to be done: +# - create an object 'certificates' in the values.yaml +# - create a file templates/certificates.yaml and invoke the function "commom.certificate". +# +# Here is an example of the certificate request for a component: +# +# Directory structure: +# component +# templates +# certifictes.yaml +# values.yaml +# +# To be added in the file certificates.yamll +# +# To be added in the file values.yaml +# 1. Minimal version (certificates only in PEM format) +# certificates: +# - name: onap-component-certificate +# secretName: onap-component-certificate +# commonName: component.onap.org +# 2. Extended version (with defined own issuer and additional certificate format): +# certificates: +# - name: onap-component-certificate +# secretName: onap-component-certificate +# commonName: component.onap.org +# dnsNames: +# - component.onap.org +# issuer: +# group: certmanager.onap.org +# kind: CMPv2Issuer +# name: cmpv2-issuer-for-the-component +# p12Keystore: +# create: true +# passwordSecretRef: +# name: secret-name +# key: secret-key +# jksKeystore: +# create: true +# passwordSecretRef: +# name: secret-name +# key: secret-key +# +# Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined. +# Other mandatory fields for the certificate definition do not have to be defined directly, +# in that case they will be taken from default values. +# +# Default values are defined in file onap/values.yaml (see-> global.certificate.default) +# and can be overriden during onap installation process. +# +*/}} + +{{- define "common.certificate" -}} +{{- $dot := default . .dot -}} +{{- $certificates := $dot.Values.certificates -}} + +{{ range $certificate := $certificates }} +{{/*# General certifiacate attributes #*/}} +{{- $name := $certificate.name -}} +{{- $secretName := $certificate.secretName -}} +{{- $commonName := default $dot.Values.global.certificate.default.commonName $certificate.commonName -}} +{{- $renewBefore := default $dot.Values.global.certificate.default.renewBefore $certificate.renewBefore -}} +{{- $duration := $certificate.duration -}} +{{- $namespace := default $dot.Release.Namespace $dot.Values.global.certificate.default.namespace -}} +{{- if $certificate.namespace -}} +{{- $namespace = default $namespace $certificate.namespace -}} +{{- end -}} +{{/*# SAN's #*/}} +{{- $dnsNames := default $dot.Values.global.certificate.default.dnsNames $certificate.dnsNames -}} +{{- $ipAddresses := default $dot.Values.global.certificate.default.ipAddresses $certificate.ipAddresses -}} +{{- $uris := default $dot.Values.global.certificate.default.uris $certificate.uris -}} +{{- $emailAddresses := default $dot.Values.global.certificate.default.emailAddresses $certificate.emailAddresses -}} +{{/*# Subject #*/}} +{{- $subject := $dot.Values.global.certificate.default.subject -}} +{{- if $certificate.subject -}} +{{- $subject = mergeOverwrite $subject $certificate.subject -}} +{{- end -}} +{{/*# Issuer #*/}} +{{- $issuer := $dot.Values.global.certificate.default.issuer -}} +{{- if $certificate.issuer -}} +{{- $issuer = mergeOverwrite $issuer $certificate.issuer -}} +{{- end -}} +{{/*# Keystores #*/}} +{{- $createJksKeystore := $dot.Values.global.certificate.default.jksKeystore.create -}} +{{- $jksKeystorePasswordSecretName := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.name -}} +{{- $jksKeystorePasswordSecreKey := $dot.Values.global.certificate.default.jksKeystore.passwordSecretRef.key -}} +{{- $createP12Keystore := $dot.Values.global.certificate.default.p12Keystore.create -}} +{{- $p12KeystorePasswordSecretName := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.name -}} +{{- $p12KeystorePasswordSecreKey := $dot.Values.global.certificate.default.p12Keystore.passwordSecretRef.key -}} +{{- if $certificate.jksKeystore -}} +{{- $createJksKeystore = default $createJksKeystore $certificate.jksKeystore.create -}} +{{- if $certificate.jksKeystore.passwordSecretRef -}} +{{- $jksKeystorePasswordSecretName = default $jksKeystorePasswordSecretName $certificate.jksKeystore.passwordSecretRef.name -}} +{{- $jksKeystorePasswordSecreKey = default $jksKeystorePasswordSecreKey $certificate.jksKeystore.passwordSecretRef.key -}} +{{- end -}} +{{- end -}} +{{- if $certificate.p12Keystore -}} +{{- $createP12Keystore = default $createP12Keystore $certificate.p12Keystore.create -}} +{{- if $certificate.p12Keystore.passwordSecretRef -}} +{{- $p12KeystorePasswordSecretName = default $p12KeystorePasswordSecretName $certificate.p12Keystore.passwordSecretRef.name -}} +{{- $p12KeystorePasswordSecreKey = default $p12KeystorePasswordSecreKey $certificate.p12Keystore.passwordSecretRef.key -}} +{{- end -}} +{{- end -}} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ $name }} + namespace: {{ $namespace }} +spec: + secretName: {{ $secretName }} + commonName: {{ $commonName }} + renewBefore: {{ $renewBefore }} + {{- if $duration }} + duration: {{ $duration }} + {{- end }} + subject: + organizations: + - {{ $subject.organization }} + countries: + - {{ $subject.country }} + localities: + - {{ $subject.locality }} + provinces: + - {{ $subject.province }} + organizationalUnits: + - {{ $subject.organizationalUnit }} + {{- if $dnsNames }} + dnsNames: + {{- range $dnsName := $dnsNames }} + - {{ $dnsName }} + {{- end }} + {{- end }} + {{- if $ipAddresses }} + ipAddresses: + {{- range $ipAddress := $ipAddresses }} + - {{ $ipAddress }} + {{- end }} + {{- end }} + {{- if $uris }} + uris: + {{- range $uri := $uris }} + - {{ $uri }} + {{- end }} + {{- end }} + {{- if $emailAddresses }} + emailAddresses: + {{- range $emailAddress := $emailAddresses }} + - {{ $emailAddress }} + {{- end }} + {{- end }} + issuerRef: + group: {{ $issuer.group }} + kind: {{ $issuer.kind }} + name: {{ $issuer.name }} + {{- if or $createJksKeystore $createP12Keystore }} + keystores: + {{- if $createJksKeystore }} + jks: + create: {{ $createJksKeystore }} + passwordSecretRef: + name: {{ $jksKeystorePasswordSecretName }} + key: {{ $jksKeystorePasswordSecreKey }} + {{- end }} + {{- if $createP12Keystore }} + pkcs12: + create: {{ $createP12Keystore }} + passwordSecretRef: + name: {{ $p12KeystorePasswordSecretName }} + key: {{ $p12KeystorePasswordSecreKey }} + {{- end }} + {{- end }} +{{ end }} + +{{- end -}} diff --git a/kubernetes/contrib/.gitignore b/kubernetes/contrib/.gitignore new file mode 100644 index 0000000000..7020381894 --- /dev/null +++ b/kubernetes/contrib/.gitignore @@ -0,0 +1 @@ +components/dist diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index 1998539726..c416f0ddec 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -172,8 +172,34 @@ global: aafEnabled: true aafAgentImage: onap/aaf/aaf_agent:2.1.20 + # default values for certificates + certificate: + default: + renewBefore: 8h + subject: + organization: "Linux-Foundation" + country: "US" + locality: "San-Francisco" + province: "California" + organizationalUnit: "ONAP" + issuer: + group: certmanager.onap.org + kind: CMPv2Issuer + name: cmpv2-issuer-onap + p12Keystore: + create: false + passwordSecretRef: + name: "" + key: "" + jksKeystore: + create: false + passwordSecretRef: + name: "" + key: "" + # Enabling CMPv2 cmpv2Enabled: true + CMPv2CertManagerIntegration: false platform: certServiceClient: image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.1 diff --git a/kubernetes/sdnc/templates/certificates.yaml b/kubernetes/sdnc/templates/certificates.yaml new file mode 100644 index 0000000000..dda16176a5 --- /dev/null +++ b/kubernetes/sdnc/templates/certificates.yaml @@ -0,0 +1,19 @@ +{{/* +# Copyright © 2020 Nokia +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{ if .Values.global.CMPv2CertManagerIntegration }} +{{ include "common.certificate" . }} +{{ end }} diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml index f4f09107bb..44e179114e 100644 --- a/kubernetes/sdnc/values.yaml +++ b/kubernetes/sdnc/values.yaml @@ -32,6 +32,7 @@ global: service: mariadb-galera # Enabling CMPv2 cmpv2Enabled: true + CMPv2CertManagerIntegration: false platform: certServiceClient: image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.1 @@ -132,6 +133,29 @@ secrets: login: '{{ .Values.config.scaleoutUser }}' password: '{{ .Values.config.scaleoutPassword }}' passwordPolicy: required + - uid: keystore-password + type: password + password: secret + passwordPolicy: required +################################################################# +# Certificates +################################################################# +certificates: + - name: onap-sdnc-certificate + secretName: onap-sdnc-certificate + commonName: sdnc.simpledemo.onap.org + dnsNames: + - sdnc.simpledemo.onap.org + p12Keystore: + create: true + passwordSecretRef: + name: keystore-password + key: password + jksKeystore: + create: true + passwordSecretRef: + name: keystore-password + key: password ################################################################# # Application configuration defaults. #################################################################