From: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Date: Sun, 28 Feb 2021 13:59:22 +0000 (+0100)
Subject: [AAI][BABEL] Remove Hardcoded certificates
X-Git-Tag: 9.0.0~21^2
X-Git-Url: https://gerrit.onap.org/r/gitweb?p=oom.git;a=commitdiff_plain;h=1e99719c0224863cf26c5362243a4fa1b955c362

[AAI][BABEL] Remove Hardcoded certificates

Use Certinitializer in order to retrieve needed certificates.
Change ModelLoader also as it needs valid certificate to communicate
with Babel.

Issue-ID: OOM-2693
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: I64b8ede24643f942dc99956030c202c50d41ad1e
---

diff --git a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat
index 23a068763a..a463985ef4 100644
--- a/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat
+++ b/kubernetes/aaf/components/aaf-cass/resources/cass-init-dats/artifact.dat
@@ -2,11 +2,11 @@ a1p@a1p.onap.org|a1p|local|/opt/app/osaaf/local||mailto:|org.onap.a1p|root|30|{'
 aaf@aaf.osaaf.org|aaf-hello|local|/opt/app/osaaf/local||mailto:|org.osaaf.aaf|root|30|{'aaf-hello', 'aaf-hello.api.simpledemo.onap.org', 'aaf-hello.onap', 'aaf.osaaf.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
 aaf@aaf.osaaf.org|aaf|local|/opt/app/osaaf/local||mailto:|org.osaaf.aaf|root|30|{'aaf', 'aaf.api.simpledemo.onap.org', 'aaf.onap'}|aaf_admin@osaaf.org|{'pkcs12', 'script'}
 aaf-sms@aaf-sms.onap.org|aaf-sms|local|/opt/app/osaaf/local||mailto:|org.onap.aaf-sms|root|30|{'aaf-sms-db.onap', 'aaf-sms.api.simpledemo.onap.org', 'aaf-sms.onap', 'aaf-sms.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12', 'file'}
-aai@aai.onap.org|aai1|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12'}
-aai@aai.onap.org|aai2|aaf|/Users/jf2512||mailto:|org.onap.aai|jf2512|60|{'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.onap aai-sparky-be.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org aai1.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
-aai@aai.onap.org|aai|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|60|{'aai-search-data.onap', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
-aai@aai.onap.org|aai.onap|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12'}
-aai@aai.onap.org|mithrilcsp.sbc.com|local|/tmp/onap||mailto:|org.onap.aai|jg1555|30|{'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'}
+aai@aai.onap.org|aai1|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'pkcs12'}
+aai@aai.onap.org|aai2|aaf|/Users/jf2512||mailto:|org.onap.aai|jf2512|60|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.onap aai-sparky-be.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org aai1.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12', 'script'}
+aai@aai.onap.org|aai|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|60|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-search-data.onap', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
+aai@aai.onap.org|aai.onap|local|/opt/app/osaaf/local||mailto:|org.onap.aai|root|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'jks', 'pkcs12'}
+aai@aai.onap.org|mithrilcsp.sbc.com|local|/tmp/onap||mailto:|org.onap.aai|jg1555|30|{'aai-babel.onap', 'aai-babel', 'aai-modelloader.onap', 'aai-modelloader', 'aai-sparky-be.onap', 'aai.api.simpledemo.onap.org', 'aai.elasticsearch.simpledemo.onap.org', 'aai.gremlinserver.simpledemo.onap.org', 'aai.hbase.simpledemo.onap.org', 'aai.onap', 'aai.searchservice.simpledemo.onap.org', 'aai.simpledemo.onap.org', 'aai.ui.simpledemo.onap.org'}|aaf_admin@osaaf.org|{'file', 'pkcs12', 'script'}
 aai-resources@aai-resources.onap.org|aai-resources|local|/opt/app/osaaf/local||mailto:|org.onap.aai-resources|root|30|{'aai-resources', 'aai-resources.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
 aai-traversal@aai-traversal.onap.org|aai-traversal|local|/opt/app/osaaf/local||mailto:|org.onap.aai-traversal|root|30|{'aai-traversal', 'aai-traversal.onap'}|mmanager@osaaf.org|{'file', 'jks', 'pkcs12'}
 appc@appc.onap.org|appc|local|/opt/app/osaaf/local||mailto:|org.onap.appc|root|60|{'appc.api.simpledemo.onap.org', 'appc.onap', 'appc.simpledemo.onap.org'}|mmanager@osaaf.org|{'pkcs12'}
diff --git a/kubernetes/aai/components/aai-babel/requirements.yaml b/kubernetes/aai/components/aai-babel/requirements.yaml
index a725a4ef30..7a434fc276 100644
--- a/kubernetes/aai/components/aai-babel/requirements.yaml
+++ b/kubernetes/aai/components/aai-babel/requirements.yaml
@@ -21,6 +21,9 @@ dependencies:
     # a part of this chart's package and will not
     # be published independently to a repo (at this point)
     repository: '@local'
+  - name: certInitializer
+    version: ~9.x-0
+    repository: '@local'
   - name: repositoryGenerator
     version: ~9.x-0
     repository: '@local'
diff --git a/kubernetes/aai/components/aai-babel/resources/config/application.properties b/kubernetes/aai/components/aai-babel/resources/config/application.properties
index 21ed6cd9ee..6a3a74c0a6 100644
--- a/kubernetes/aai/components/aai-babel/resources/config/application.properties
+++ b/kubernetes/aai/components/aai-babel/resources/config/application.properties
@@ -1,14 +1,33 @@
+{{/*
+# Copyright Â© 2018 Amdocs, Bell Canada, AT&T
+# Copyright Â© 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
 server.port=9516
 {{ if ( include "common.needTLS" .) }}
-server.ssl.key-store=${CONFIG_HOME}/auth/tomcat_keystore
+server.ssl.key-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.p12
+server.ssl.key-store-password=${KEYSTORE_PASSWORD}
+server.ssl.trust-store={{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+server.ssl.trust-store-password=${TRUSTSTORE_PASSWORD}
 server.ssl.client-auth=need
+server.ssl.key-store-type=PKCS12
 {{ else }}
 security.require-ssl=false
 server.ssl.enabled=false
 {{ end }}
 
+spring.main.allow-bean-definition-overriding=true
 server.servlet.context-path=/services/babel-service
-
 logging.config=${CONFIG_HOME}/logback.xml
-
 tosca.mappings.config=${CONFIG_HOME}/tosca-mappings.json
diff --git a/kubernetes/aai/components/aai-babel/resources/config/auth/tomcat_keystore b/kubernetes/aai/components/aai-babel/resources/config/auth/tomcat_keystore
deleted file mode 100644
index e1d24d9b4d..0000000000
Binary files a/kubernetes/aai/components/aai-babel/resources/config/auth/tomcat_keystore and /dev/null differ
diff --git a/kubernetes/aai/components/aai-babel/resources/config/logback.xml b/kubernetes/aai/components/aai-babel/resources/config/logback.xml
index c29da77d84..125731cf6e 100644
--- a/kubernetes/aai/components/aai-babel/resources/config/logback.xml
+++ b/kubernetes/aai/components/aai-babel/resources/config/logback.xml
@@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
 # Copyright Â© 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright Â© 2021 Orange
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -27,25 +28,20 @@
   <property name="auditLogName" value="audit" />
   <property name="debugLogName" value="debug" />
 
-  <property name="errorLogPattern"
-        value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{TargetEntity}|%mdc{TargetServiceName}|%.-5level|%logger|%mdc{ClassName}|%msg%n" />
+  <property name="errorLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{TargetEntity}|%mdc{TargetServiceName}|%.-5level|%logger|%mdc{ClassName}|%msg%n" />
 
-  <property name="auditLogPattern"
-        value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{BeginTimestamp}|%mdc{EndTimestamp}|%mdc{RequestId}|%mdc{ServiceInstanceId}|%thread|%mdc{ServerFQDN}|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{StatusCode}|%mdc{ResponseCode}|%mdc{ResponseDescription}|%logger|%.-5level|||%mdc{ElapsedTime}|%mdc{RemoteHost}|%mdc{ClientAddress}|%mdc{ClassName}|||%msg%n" />
+  <property name="auditLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{BeginTimestamp}|%mdc{EndTimestamp}|%mdc{RequestId}|%mdc{ServiceInstanceId}|%thread|%mdc{ServerFQDN}|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{StatusCode}|%mdc{ResponseCode}|%mdc{ResponseDescription}|%logger|%.-5level|||%mdc{ElapsedTime}|%mdc{RemoteHost}|%mdc{ClientAddress}|%mdc{ClassName}|||%msg%n" />
 
-  <property name="metricsLogPattern"
-        value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{BeginTimestamp}|%mdc{EndTimestamp}|%mdc{RequestId}|%mdc{ServiceInstanceId}|%thread|%mdc{ServerFQDN}|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{TargetEntity}|%mdc{TargetServiceName}|%mdc{StatusCode}|%mdc{ResponseCode}|%mdc{ResponseDescription}|%logger|%.-5level|||%mdc{ElapsedTime}|%mdc{RemoteHost}|%mdc{ClientAddress}|%mdc{ClassName}|||%msg%n" />
+  <property name="metricsLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{BeginTimestamp}|%mdc{EndTimestamp}|%mdc{RequestId}|%mdc{ServiceInstanceId}|%thread|%mdc{ServerFQDN}|%mdc{ServiceName}|%mdc{PartnerName}|%mdc{TargetEntity}|%mdc{TargetServiceName}|%mdc{StatusCode}|%mdc{ResponseCode}|%mdc{ResponseDescription}|%logger|%.-5level|||%mdc{ElapsedTime}|%mdc{RemoteHost}|%mdc{ClientAddress}|%mdc{ClassName}|||%msg%n" />
 
   <!-- ============================================================================ -->
   <!-- EELF Appenders -->
   <!-- ============================================================================ -->
 
-  <appender name="EELF"
-        class="ch.qos.logback.core.rolling.RollingFileAppender">
+  <appender name="EELF" class="ch.qos.logback.core.rolling.RollingFileAppender">
     <file>${logDirectory}/${generalLogName}.log</file>
     <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
-      <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip
-      </fileNamePattern>
+      <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
       <maxHistory>60</maxHistory>
     </rollingPolicy>
     <encoder>
@@ -65,12 +61,10 @@
        are specializations of the EELF application root logger and appender. This can be used to segregate Policy engine events
        from other components, or it can be eliminated to record these events as part of the application root log. -->
 
-  <appender name="EELFAudit"
-        class="ch.qos.logback.core.rolling.RollingFileAppender">
+  <appender name="EELFAudit" class="ch.qos.logback.core.rolling.RollingFileAppender">
     <file>${logDirectory}/${auditLogName}.log</file>
     <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
-      <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip
-      </fileNamePattern>
+      <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
       <maxHistory>60</maxHistory>
     </rollingPolicy>
     <encoder>
@@ -82,12 +76,10 @@
     <appender-ref ref="EELFAudit" />
   </appender>
 
-  <appender name="EELFMetrics"
-        class="ch.qos.logback.core.rolling.RollingFileAppender">
+  <appender name="EELFMetrics" class="ch.qos.logback.core.rolling.RollingFileAppender">
     <file>${logDirectory}/${metricsLogName}.log</file>
     <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
-      <fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip
-      </fileNamePattern>
+      <fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
       <maxHistory>60</maxHistory>
     </rollingPolicy>
     <encoder>
@@ -100,14 +92,10 @@
     <appender-ref ref="EELFMetrics" />
   </appender>
 
-  <appender name="EELFDebug"
-        class="ch.qos.logback.core.rolling.RollingFileAppender">
-    <file>
-      ${logDirectory}/${debugLogName}.log
-    </file>
+  <appender name="EELFDebug" class="ch.qos.logback.core.rolling.RollingFileAppender">
+    <file>${logDirectory}/${debugLogName}.log</file>
     <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
-      <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip
-      </fileNamePattern>
+      <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
       <maxHistory>60</maxHistory>
     </rollingPolicy>
     <encoder>
@@ -119,9 +107,7 @@
     <!-- allow only events with a level below INFO, that is TRACE and DEBUG -->
     <filter class="ch.qos.logback.core.filter.EvaluatorFilter">
       <evaluator class="ch.qos.logback.classic.boolex.GEventEvaluator">
-        <expression>
-          e.level.toInt() &lt; INFO.toInt()
-        </expression>
+        <expression>e.level.toInt() &lt; INFO.toInt()</expression>
       </evaluator>
       <OnMismatch>DENY</OnMismatch>
       <OnMatch>NEUTRAL</OnMatch>
@@ -131,6 +117,15 @@
     <includeCallerData>false</includeCallerData>
   </appender>
 
+  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+    <encoder>
+      <pattern>${errorLogPattern}</pattern>
+    </encoder>
+  </appender>
+  <appender name="AsyncSysOut" class="ch.qos.logback.classic.AsyncAppender">
+    <appender-ref ref="STDOUT" />
+  </appender>
+
   <!-- ============================================================================ -->
   <!-- Default / root appenders -->
   <!-- This determines the logging level for 3rd party code -->
@@ -138,29 +133,34 @@
 
   <root level="INFO">
     <appender-ref ref="asyncEELF" />
-  <appender-ref ref="asyncEELFDebug" />
-</root>
+    <appender-ref ref="asyncEELFDebug" />
+    <appender-ref ref="AsyncSysOut" />
+  </root>
 
   <!-- ============================================================================ -->
   <!--  EELF loggers -->
   <!-- ============================================================================ -->
 
   <logger name="com.att.eelf" level="INFO" additivity="false">
-  <appender-ref ref="asyncEELF" />
-</logger>
+    <appender-ref ref="asyncEELF" />
+    <appender-ref ref="AsyncSysOut" />
+  </logger>
 
   <!-- The level of this logger determines the contents of the debug log -->
   <logger name="com.att.eelf.debug" level="INFO" additivity="false">
-  <appender-ref ref="asyncEELFDebug" />
-</logger>
+    <appender-ref ref="asyncEELFDebug" />
+    <appender-ref ref="AsyncSysOut" />
+  </logger>
 
   <logger name="com.att.eelf.audit" level="INFO" additivity="false">
-  <appender-ref ref="asyncEELFAudit" />
-</logger>
+    <appender-ref ref="asyncEELFAudit" />
+    <appender-ref ref="AsyncSysOut" />
+  </logger>
 
   <logger name="com.att.eelf.metrics" level="INFO" additivity="false">
-  <appender-ref ref="asyncEELFMetrics" />
-</logger>
+    <appender-ref ref="asyncEELFMetrics" />
+    <appender-ref ref="AsyncSysOut" />
+  </logger>
 
   <!-- ============================================================================ -->
   <!-- Non-EELF loggers -->
diff --git a/kubernetes/aai/components/aai-babel/templates/deployment.yaml b/kubernetes/aai/components/aai-babel/templates/deployment.yaml
index e12a234b8e..bd6b8c728c 100644
--- a/kubernetes/aai/components/aai-babel/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-babel/templates/deployment.yaml
@@ -37,10 +37,22 @@ spec:
         app: {{ include "common.name" . }}
         release: {{ include "common.release" . }}
     spec:
+      initContainers:  {{ include "common.certInitializer.initContainer" . | nindent 6 }}
       containers:
         - name: {{ include "common.name" . }}
           image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          {{- if .Values.global.aafEnabled }}
+          command:
+          - sh
+          args:
+          - -c
+          - |
+            echo "*** retrieve Truststore and Keystore password"
+            export $(cat {{ .Values.certInitializer.credsPath }}/mycreds.prop | xargs -0)
+            echo "*** actual launch of AAI Babel"
+            /bin/bash /opt/app/babel/bin/start.sh
+          {{- end }}
           ports:
           - containerPort: {{ .Values.service.internalPort }}
           # disable liveness probe when breakpoints set in debugger
@@ -60,35 +72,28 @@ spec:
           env:
             - name: CONFIG_HOME
               value: /opt/app/babel/config
-            - name: KEY_STORE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "common.fullname" . }}-pass
-                  key: KEY_STORE_PASSWORD
-            - name: KEY_MANAGER_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "common.fullname" . }}-pass
-                  key: KEY_MANAGER_PASSWORD
-          volumeMounts:
+          volumeMounts:  {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
           - mountPath: /etc/localtime
             name: localtime
             readOnly: true
+          - mountPath: /opt/app/babel/config/application.properties
+            name: config
+            subPath: application.properties
           - mountPath: /opt/app/babel/config/artifact-generator.properties
-            name: {{ include "common.fullname" . }}-config
+            name: config
             subPath: artifact-generator.properties
           - mountPath: /opt/app/babel/config/tosca-mappings.json
-            name: {{ include "common.fullname" . }}-config
+            name: config
             subPath: tosca-mappings.json
           - mountPath: /opt/app/babel/config/babel-auth.properties
-            name: {{ include "common.fullname" . }}-config
+            name: config
             subPath: babel-auth.properties
           - mountPath: /opt/app/babel/config/auth
-            name: {{ include "common.fullname" . }}-secrets
+            name: secrets
           - mountPath: {{ .Values.log.path }}
             name: logs
           - mountPath: /opt/app/babel/config/logback.xml
-            name: {{ include "common.fullname" . }}-config
+            name: config
             subPath: logback.xml
           resources:
 {{ include "common.resources" . }}
@@ -104,23 +109,14 @@ spec:
         # side car containers
       {{ include "common.log.sidecar" . | nindent 8 }}
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
-      volumes:
+      volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
         - name: localtime
           hostPath:
             path: /etc/localtime
-        - name: {{ include "common.fullname" . }}-config
+        - name: config
           configMap:
             name: {{ include "common.fullname" . }}-configmap
-            items:
-            - key: artifact-generator.properties
-              path: artifact-generator.properties
-            - key: tosca-mappings.json
-              path: tosca-mappings.json
-            - key: babel-auth.properties
-              path: babel-auth.properties
-            - key: logback.xml
-              path: logback.xml
-        - name: {{ include "common.fullname" . }}-secrets
+        - name: secrets
           secret:
             secretName: {{ include "common.fullname" . }}-babel-secrets
         - name: logs
diff --git a/kubernetes/aai/components/aai-babel/templates/secrets.yaml b/kubernetes/aai/components/aai-babel/templates/secrets.yaml
index b81ffa05b9..9d7d2c5a80 100644
--- a/kubernetes/aai/components/aai-babel/templates/secrets.yaml
+++ b/kubernetes/aai/components/aai-babel/templates/secrets.yaml
@@ -29,18 +29,3 @@ metadata:
 type: Opaque
 data:
 {{ tpl (.Files.Glob "resources/config/auth/*").AsSecrets . | indent 2 }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "common.fullname" . }}-pass
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
-type: Opaque
-data:
-  KEY_STORE_PASSWORD: {{ .Values.config.keyStorePassword | b64enc | quote }}
-  KEY_MANAGER_PASSWORD: {{ .Values.config.keyManagerPassword | b64enc | quote }}
diff --git a/kubernetes/aai/components/aai-babel/values.yaml b/kubernetes/aai/components/aai-babel/values.yaml
index 0c34deae13..3b68f4defe 100644
--- a/kubernetes/aai/components/aai-babel/values.yaml
+++ b/kubernetes/aai/components/aai-babel/values.yaml
@@ -19,6 +19,41 @@
 #################################################################
 global: {}
 
+#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+  nameOverride: aai-babel-cert-initializer
+  aafDeployFqi: deployer@people.osaaf.org
+  aafDeployPass: demo123456!
+  # aafDeployCredsExternalSecret: some secret
+  fqdn: aai
+  fqi: aai@aai.onap.org
+  public_fqdn: aai.onap.org
+  cadi_longitude: "0.0"
+  cadi_latitude: "0.0"
+  app_ns: org.osaaf.aaf
+  credsPath: /opt/app/osaaf/local
+  fqi_namespace: org.onap.aai
+  aaf_add_config: |
+    echo "*** changing them into shell safe ones"
+    export KEYSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    export TRUSTSTORE_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    cd {{ .Values.credsPath }}
+    keytool -storepasswd -new "${KEYSTORE_PASSWORD}" \
+      -storepass "${cadi_keystore_password_p12}" \
+      -keystore {{ .Values.fqi_namespace }}.p12
+    keytool -storepasswd -new "${TRUSTSTORE_PASSWORD}" \
+      -storepass "${cadi_truststore_password}" \
+      -keystore {{ .Values.fqi_namespace }}.trust.jks
+    echo "*** writing passwords into prop file"
+    echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
+    echo "KEY_STORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+    echo "KEY_MANAGER_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+    echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+    echo "*** change ownership of certificates to targeted user"
+    chown -R 1000 {{ .Values.credsPath }}
+
 #################################################################
 # Application configuration defaults.
 #################################################################
@@ -29,11 +64,6 @@ image: onap/babel:1.9.1
 flavor: small
 flavorOverride: small
 
-# application configuration
-config:
-  keyStorePassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
-  keyManagerPassword: OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
-
 # default number of instances
 replicaCount: 1
 
diff --git a/kubernetes/aai/components/aai-graphadmin/values.yaml b/kubernetes/aai/components/aai-graphadmin/values.yaml
index 031a082eac..b02e5cd11c 100644
--- a/kubernetes/aai/components/aai-graphadmin/values.yaml
+++ b/kubernetes/aai/components/aai-graphadmin/values.yaml
@@ -99,12 +99,12 @@ global: # global defaults
     # Keystore configuration password and filename
     keystore:
       filename: aai_keystore
-      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
+      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit
 
     # Truststore configuration password and filename
     truststore:
       filename: aai_keystore
-      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
+      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit
 
 
 
diff --git a/kubernetes/aai/components/aai-modelloader/requirements.yaml b/kubernetes/aai/components/aai-modelloader/requirements.yaml
index d80dc5aea2..5a41aefe84 100644
--- a/kubernetes/aai/components/aai-modelloader/requirements.yaml
+++ b/kubernetes/aai/components/aai-modelloader/requirements.yaml
@@ -21,6 +21,9 @@ dependencies:
     # a part of this chart's package and will not
     # be published independently to a repo (at this point)
     repository: '@local'
+  - name: certInitializer
+    version: ~9.x-0
+    repository: '@local'
   - name: repositoryGenerator
     version: ~9.x-0
     repository: '@local'
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/auth/babel-client-cert.p12 b/kubernetes/aai/components/aai-modelloader/resources/config/auth/babel-client-cert.p12
deleted file mode 100644
index e64895e911..0000000000
Binary files a/kubernetes/aai/components/aai-modelloader/resources/config/auth/babel-client-cert.p12 and /dev/null differ
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/auth/tomcat_keystore b/kubernetes/aai/components/aai-modelloader/resources/config/auth/tomcat_keystore
deleted file mode 100644
index e1d24d9b4d..0000000000
Binary files a/kubernetes/aai/components/aai-modelloader/resources/config/auth/tomcat_keystore and /dev/null differ
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml b/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml
index cd36e799d6..129af8f2ac 100644
--- a/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml
+++ b/kubernetes/aai/components/aai-modelloader/resources/config/log/logback.xml
@@ -1,6 +1,7 @@
 {{/*
 <!--
 # Copyright Â© 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright Â© 2021 Orange
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -26,8 +27,7 @@
   <property name="auditLogName" value="audit" />
   <property name="debugLogName" value="debug" />
 
-  <property name="errorLogPattern"
-        value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|ModelLoader|%mdc{PartnerName}|%logger||%.-5level|%msg%n" />
+  <property name="errorLogPattern" value="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX}|%mdc{RequestId}|%thread|ModelLoader|%mdc{PartnerName}|%logger||%.-5level|%msg%n" />
   <property name="auditMetricPattern" value="%m%n" />
 
   <property name="logDirectory" value="${logDir}/${componentName}" />
@@ -35,9 +35,12 @@
   <!-- Example evaluator filter applied against console appender -->
   <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
     <encoder>
-      <pattern>${defaultPattern}</pattern>
+      <pattern>${errorLogPattern}</pattern>
     </encoder>
   </appender>
+  <appender name="AsyncSysOut" class="ch.qos.logback.classic.AsyncAppender">
+    <appender-ref ref="STDOUT" />
+  </appender>
 
   <!-- ============================================================================ -->
   <!-- EELF Appenders -->
@@ -46,8 +49,7 @@
   <!-- The EELFAppender is used to record events to the general application
        log -->
 
-  <appender name="EELF"
-        class="ch.qos.logback.core.rolling.RollingFileAppender">
+  <appender name="EELF" class="ch.qos.logback.core.rolling.RollingFileAppender">
     <file>${logDirectory}/${generalLogName}.log</file>
     <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
       <fileNamePattern>${logDirectory}/${generalLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
@@ -66,8 +68,7 @@
     <appender-ref ref="EELF" />
   </appender>
 
-  <appender name="EELFAudit"
-        class="ch.qos.logback.core.rolling.RollingFileAppender">
+  <appender name="EELFAudit" class="ch.qos.logback.core.rolling.RollingFileAppender">
     <file>${logDirectory}/${auditLogName}.log</file>
     <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
       <fileNamePattern>${logDirectory}/${auditLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
@@ -82,8 +83,7 @@
     <appender-ref ref="EELFAudit" />
   </appender>
 
-  <appender name="EELFMetrics"
-        class="ch.qos.logback.core.rolling.RollingFileAppender">
+  <appender name="EELFMetrics" class="ch.qos.logback.core.rolling.RollingFileAppender">
     <file>${logDirectory}/${metricsLogName}.log</file>
     <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
       <fileNamePattern>${logDirectory}/${metricsLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
@@ -98,8 +98,7 @@
     <appender-ref ref="EELFMetrics" />
   </appender>
 
-  <appender name="EELFDebug"
-        class="ch.qos.logback.core.rolling.RollingFileAppender">
+  <appender name="EELFDebug" class="ch.qos.logback.core.rolling.RollingFileAppender">
     <file>${logDirectory}/${debugLogName}.log</file>
     <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
       <fileNamePattern>${logDirectory}/${debugLogName}.%d{yyyy-MM-dd}.log.zip</fileNamePattern>
@@ -121,12 +120,15 @@
   <logger name="com.att.eelf" level="info" additivity="false">
     <appender-ref ref="asyncEELF" />
     <appender-ref ref="asyncEELFDebug" />
+    <appender-ref ref="AsyncSysOut" />
   </logger>
   <logger name="com.att.eelf.audit" level="info" additivity="false">
     <appender-ref ref="asyncEELFAudit" />
+    <appender-ref ref="AsyncSysOut" />
   </logger>
   <logger name="com.att.eelf.metrics" level="info" additivity="false">
     <appender-ref ref="asyncEELFMetrics" />
+    <appender-ref ref="AsyncSysOut" />
   </logger>
 
   <!-- Spring related loggers -->
@@ -162,8 +164,9 @@
   <logger name="ch.qos.logback.core" level="WARN" />
 
   <root>
-  <appender-ref ref="asyncEELF" />
-  <!-- <appender-ref ref="asyncEELFDebug" /> -->
-</root>
+    <appender-ref ref="asyncEELF" />
+    <appender-ref ref="AsyncSysOut" />
+    <!-- <appender-ref ref="asyncEELFDebug" /> -->
+  </root>
 
 </configuration>
diff --git a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
index 41b855490a..09eb397860 100644
--- a/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
+++ b/kubernetes/aai/components/aai-modelloader/resources/config/model-loader.properties
@@ -1,5 +1,6 @@
 {{/*
 # Copyright Â© 2018 Amdocs, Bell Canada, AT&T
+# Modifications Copyright Â© 2021 Orange
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,7 +21,7 @@ ml.distribution.ACTIVE_SERVER_TLS_AUTH=false
 ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8443
 ml.distribution.ASDC_USE_HTTPS=true
 ml.distribution.KEYSTORE_PASSWORD=
-ml.distribution.KEYSTORE_FILE=asdc-client.jks
+ml.distribution.KEYSTORE_FILE=
 ml.distribution.PASSWORD=OBF:1ks51l8d1o3i1pcc1r2r1e211r391kls1pyj1z7u1njf1lx51go21hnj1y0k1mli1sop1k8o1j651vu91mxw1vun1mze1vv11j8x1k5i1sp11mjc1y161hlr1gm41m111nkj1z781pw31kku1r4p1e391r571pbm1o741l4x1ksp
 {{ else }}
 ml.distribution.ASDC_ADDRESS=sdc-be.{{.Release.Namespace}}:8080
@@ -54,8 +55,8 @@ ml.aai.AUTH_PASSWORD=OBF:1qvu1v2h1sov1sar1wfw1j7j1wg21saj1sov1v1x1qxw
 ml.babel.BASE_URL={{ include "common.scheme" . }}://aai-babel.{{.Release.Namespace}}:9516
 ml.babel.GENERATE_ARTIFACTS_URL=/services/babel-service/v1/app/generateArtifacts
 {{ if ( include "common.needTLS" .) }}
-ml.babel.KEYSTORE_FILE=babel-client-cert.p12
-ml.babel.KEYSTORE_PASSWORD=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
-ml.babel.TRUSTSTORE_FILE=tomcat_keystore
-ml.babel.TRUSTSTORE_PASSWORD=OBF:1y0q1uvc1uum1uvg1pil1pjl1uuq1uvk1uuu1y10
+ml.babel.KEYSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.p12
+ml.babel.KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}
+ml.babel.TRUSTSTORE_FILE=aaf/local/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+ml.babel.TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}
 {{ end }}
diff --git a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
index 7e05d3b6cf..0213d631a3 100644
--- a/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
+++ b/kubernetes/aai/components/aai-modelloader/templates/deployment.yaml
@@ -1,7 +1,7 @@
 {{/*
 # Copyright Â© 2018 Amdocs, AT&T
 # Modifications Copyright Â© 2018 Bell Canada
-# Modifications Copyright Â© 2020 Orange
+# Modifications Copyright Â© 2020-2021 Orange
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -39,12 +39,53 @@ spec:
       name: {{ include "common.name" . }}
     spec:
       {{- if .Values.nodeSelector }}
-      nodeSelector:
-{{ toYaml .Values.nodeSelector | indent 8 }}
+      nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
       {{- end -}}
       {{- if .Values.affinity }}
-      affinity:
-{{ toYaml .Values.affinity | indent 8 }}
+      affinity: {{ toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.global.aafEnabled }}
+      initContainers: {{ include "common.certInitializer.initContainer" . | nindent 6 }}
+      - command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** retrieve Truststore and Keystore password"
+          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+          echo "*** obfuscate them "
+          export KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}
+          export TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}
+          export KEYSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${KEYSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          export TRUSTSTORE_PASSWORD=`java -cp /usr/local/jetty/lib/jetty-util-9.4.44.v20210927.jar org.eclipse.jetty.util.security.Password ${TRUSTSTORE_PLAIN_PASSWORD} 2>&1 | grep "OBF:"`
+          echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+          echo "TRUSTSTORE_PASSWORD=${TRUSTSTORE_PASSWORD}" >> {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop
+        image: {{ include "repositoryGenerator.image.jetty" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-obfuscate
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        securityContext:
+          runAsUser: {{ .Values.securityContext.user_id }}
+      - command:
+        - sh
+        args:
+        - -c
+        - |
+          echo "*** Set obfuscated Truststore and Keystore password into configuration file"
+          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0)
+          cd /config-input
+          for PFILE in `ls -1`
+          do
+            envsubst <${PFILE} >/config/${PFILE}
+          done
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        - mountPath: /config-input
+          name: prop-config-input
+        - mountPath: /config
+          name: prop-config
+        image: {{ include "repositoryGenerator.image.envsubst" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        name: {{ include "common.name" . }}-update-config
       {{- end }}
       containers:
       - name: {{ include "common.name" . }}
@@ -53,43 +94,41 @@ spec:
         env:
         - name: CONFIG_HOME
           value: /opt/app/model-loader/config/
-        volumeMounts:
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
         - mountPath: /etc/localtime
           name: localtime
           readOnly: true
         - mountPath: /opt/app/model-loader/config/model-loader.properties
           subPath: model-loader.properties
-          name: {{ include "common.fullname" . }}-prop-config
+          name: prop-config
         - mountPath: /opt/app/model-loader/config/auth/
-          name: {{ include "common.fullname" . }}-auth-config
+          name: auth-config
         - mountPath: {{ .Values.log.path }}
           name: logs
         - mountPath: /opt/app/model-loader/logback.xml
-          name: {{ include "common.fullname" . }}-log-conf
+          name: log-config
           subPath: logback.xml
-        ports:
-        - containerPort: {{ .Values.service.internalPort }}
-        - containerPort: {{ .Values.service.internalPort2 }}
-        resources:
-{{ include "common.resources" . }}
-
+        resources: {{ include "common.resources" . | nindent 10 }}
       # side car containers
         {{ include "common.log.sidecar" . | nindent 6 }}
       serviceAccountName: {{ include "common.fullname" (dict "suffix" "read" "dot" . )}}
-      volumes:
+      volumes: {{ include "common.certInitializer.volumes" . | nindent 6 }}
       - name: localtime
         hostPath:
           path: /etc/localtime
-      - name: {{ include "common.fullname" . }}-prop-config
+      - name: prop-config-input
         configMap:
           name: {{ include "common.fullname" . }}-prop
-      - name: {{ include "common.fullname" . }}-auth-config
+      - name: prop-config
+        emptyDir:
+          medium: Memory
+      - name: auth-config
         secret:
           secretName: {{ include "common.fullname" . }}
       - name: logs
         emptyDir: {}
       {{ include "common.log.volumes" (dict "dot" . "configMapNamePrefix" (tpl .Values.logConfigMapNamePrefix .)) | nindent 6 }}
-      - name: {{ include "common.fullname" . }}-log-conf
+      - name: log-config
         configMap:
           name: {{ include "common.fullname" . }}-log
       restartPolicy: {{ .Values.global.restartPolicy | default .Values.restartPolicy }}
diff --git a/kubernetes/aai/components/aai-modelloader/templates/ingress.yaml b/kubernetes/aai/components/aai-modelloader/templates/ingress.yaml
deleted file mode 100644
index 8f87c68f1e..0000000000
--- a/kubernetes/aai/components/aai-modelloader/templates/ingress.yaml
+++ /dev/null
@@ -1 +0,0 @@
-{{ include "common.ingress" . }}
diff --git a/kubernetes/aai/components/aai-modelloader/templates/service.yaml b/kubernetes/aai/components/aai-modelloader/templates/service.yaml
deleted file mode 100644
index fad857bb41..0000000000
--- a/kubernetes/aai/components/aai-modelloader/templates/service.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-{{/*
-# Copyright Â© 2018 Amdocs, Bell Canada, AT&T
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#       http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "common.servicename" . }}
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
-spec:
-  type: {{ .Values.service.type }}
-  ports:
-  {{if eq .Values.service.type "NodePort" -}}
-  - port: {{ .Values.service.internalPort }}
-    nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort }}
-    name: {{ .Values.service.portName }}
-  - port: {{ .Values.service.internalPort2 }}
-    nodePort: {{ .Values.global.nodePortPrefix | default .Values.nodePortPrefix }}{{ .Values.service.nodePort2 }}
-    name: {{ .Values.service.portName2 }}
-  {{- else -}}
-  - port: {{ .Values.service.internalPort }}
-    name: {{ .Values.service.portName }}
-  - port: {{ .Values.service.internalPort2 }}
-    name: {{ .Values.service.portName2 }}
-  {{- end}}
-  selector:
-    app: {{ include "common.name" . }}
-    release: {{ include "common.release" . }}
diff --git a/kubernetes/aai/components/aai-modelloader/values.yaml b/kubernetes/aai/components/aai-modelloader/values.yaml
index 443bf40122..95eae6a80b 100644
--- a/kubernetes/aai/components/aai-modelloader/values.yaml
+++ b/kubernetes/aai/components/aai-modelloader/values.yaml
@@ -1,5 +1,5 @@
 # Copyright Â© 2018 Amdocs, Bell Canada, AT&T
-# Modifications Copyright Â© 2020 Orange
+# Modifications Copyright Â© 2020-2021 Orange
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,6 +19,42 @@
 global: # global defaults
   nodePortPrefix: 302
 
+#################################################################
+# Certificate configuration
+#################################################################
+certInitializer:
+  nameOverride: aai-ml-cert-initializer
+  aafDeployFqi: deployer@people.osaaf.org
+  aafDeployPass: demo123456!
+  # aafDeployCredsExternalSecret: some secret
+  fqdn: aai
+  fqi: aai@aai.onap.org
+  public_fqdn: aai.onap.org
+  cadi_longitude: "0.0"
+  cadi_latitude: "0.0"
+  app_ns: org.osaaf.aaf
+  credsPath: /opt/app/osaaf/local
+  appMountPath: /opt/app/model-loader/config/auth/aaf
+  fqi_namespace: org.onap.aai
+  user_id: &user_id 1000
+  group_id: &group_id 1000
+  aaf_add_config: |
+    echo "*** changing them into shell safe ones"
+    export KEYSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    export TRUSTSTORE_PLAIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    cd {{ .Values.credsPath }}
+    keytool -storepasswd -new "${KEYSTORE_PLAIN_PASSWORD}" \
+      -storepass "${cadi_keystore_password_p12}" \
+      -keystore {{ .Values.fqi_namespace }}.p12
+    keytool -storepasswd -new "${TRUSTSTORE_PLAIN_PASSWORD}" \
+      -storepass "${cadi_truststore_password}" \
+      -keystore {{ .Values.fqi_namespace }}.trust.jks
+    echo "*** writing passwords into prop file"
+    echo "KEYSTORE_PLAIN_PASSWORD=${KEYSTORE_PLAIN_PASSWORD}" > {{ .Values.credsPath }}/mycreds.prop
+    echo "TRUSTSTORE_PLAIN_PASSWORD=${TRUSTSTORE_PLAIN_PASSWORD}" >> {{ .Values.credsPath }}/mycreds.prop
+    echo "*** change ownership of certificates to targeted user"
+    chown -R {{ .Values.user_id }}:{{ .Values.group_id }} {{ .Values.credsPath }}
+
 # application image
 image: onap/model-loader:1.9.1
 pullPolicy: Always
@@ -47,26 +83,6 @@ readiness:
   initialDelaySeconds: 10
   periodSeconds: 10
 
-service:
-  type: NodePort
-  portName: http
-  externalPort: 8080
-  internalPort: 8080
-  nodePort: 10
-  portName2: https
-  externalPort2: 8443
-  internalPort2: 8443
-  nodePort2: 29
-
-ingress:
-  enabled: false
-  service:
-    - baseaddr: "aaimodelloader"
-      name: "aai-modelloader"
-      port: 8443
-  config:
-    ssl: "redirect"
-
 resources:
   small:
     limits:
@@ -90,6 +106,11 @@ serviceAccount:
   roles:
     - read
 
+# Not fully used for now
+securityContext:
+  user_id: *user_id
+  group_id: *group_id
+
 #Log configuration
 log:
   path: /var/log/onap
diff --git a/kubernetes/aai/components/aai-schema-service/values.yaml b/kubernetes/aai/components/aai-schema-service/values.yaml
index 4c2b64af82..121809e89e 100644
--- a/kubernetes/aai/components/aai-schema-service/values.yaml
+++ b/kubernetes/aai/components/aai-schema-service/values.yaml
@@ -61,12 +61,12 @@ global: # global defaults
     # Keystore configuration password and filename
     keystore:
       filename: aai_keystore
-      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
+      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit
 
     # Truststore configuration password and filename
     truststore:
       filename: aai_keystore
-      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
+      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit
 
     # Specifies a list of files to be included in auth volume
     auth:
diff --git a/kubernetes/aai/components/aai-sparky-be/values.yaml b/kubernetes/aai/components/aai-sparky-be/values.yaml
index b9c8207d7e..5c540c9b96 100644
--- a/kubernetes/aai/components/aai-sparky-be/values.yaml
+++ b/kubernetes/aai/components/aai-sparky-be/values.yaml
@@ -75,7 +75,7 @@ config:
   gerritBranch: 3.0.0-ONAP
   gerritProject: http://gerrit.onap.org/r/aai/test-config
   portalUsername: aaiui
-  portalPassword: OBF:1t2v1vfv1unz1vgz1t3b
+  portalPassword: OBF:1t2v1vfv1unz1vgz1t3b # aaiui
   portalCookieName: UserId
   portalAppRoles: ui_view
   cadiFileLocation: /opt/app/sparky/config/portal/cadi.properties
diff --git a/kubernetes/aai/values.yaml b/kubernetes/aai/values.yaml
index 79a0f045bc..3ceeb8439e 100644
--- a/kubernetes/aai/values.yaml
+++ b/kubernetes/aai/values.yaml
@@ -252,12 +252,12 @@ global: # global defaults
     # Keystore configuration password and filename
     keystore:
       filename: aai_keystore
-      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
+      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit
 
     # Truststore configuration password and filename
     truststore:
       filename: aai_keystore
-      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0
+      passwd: OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0 # changeit
 
     # Specifies a list of files to be included in auth volume
     auth:
diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
index 1662985d0a..349bb4072a 100644
--- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl
+++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
@@ -105,6 +105,10 @@
   {{- include "repositoryGenerator.image._helper" (merge (dict "image" "htpasswdImage") .) }}
 {{- end -}}
 
+{{- define "repositoryGenerator.image.jetty" -}}
+  {{- include "repositoryGenerator.image._helper" (merge (dict "image" "jettyImage") .) }}
+{{- end -}}
+
 {{- define "repositoryGenerator.image.jre" -}}
   {{- include "repositoryGenerator.image._helper" (merge (dict "image" "jreImage") .) }}
 {{- end -}}
diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml
index f4104538f7..e2fe1ffbdb 100644
--- a/kubernetes/common/repositoryGenerator/values.yaml
+++ b/kubernetes/common/repositoryGenerator/values.yaml
@@ -28,6 +28,7 @@ global:
   envsubstImage: dibi/envsubst:1
   # there's only latest image for htpasswd
   htpasswdImage: xmartlabs/htpasswd:latest
+  jettyImage: jetty:9-jdk11-slim
   jreImage: onap/integration-java11:7.1.0
   kubectlImage: bitnami/kubectl:1.19
   loggingImage: beats/filebeat:5.5.0
@@ -60,6 +61,7 @@ imageRepoMapping:
   curlImage: dockerHubRepository
   envsubstImage: dockerHubRepository
   htpasswdImage: dockerHubRepository
+  jettyImage: dockerHubRepository
   jreImage: repository
   kubectlImage: dockerHubRepository
   loggingImage: elasticRepository