From 4d9702f7d3a9f7015d28874a37841c20e5a49efe Mon Sep 17 00:00:00 2001 From: Sylvain Desbureaux Date: Thu, 11 Mar 2021 08:31:57 +0100 Subject: [PATCH] [CDS] Update hardcoded certificates Update CDS UI certificates in order to have validity for one year Issue-ID: CCSDK-3207 Signed-off-by: Sylvain Desbureaux Change-Id: Id7a0dbdfb6a59ac7e76e00fd106855f05482b041 --- .../cds-ui/resources/certs/org.onap.sdnc-cds.p12 | Bin 0 -> 4383 bytes .../cds/charts/cds-ui/templates/deployment.yaml | 16 +++++++++++ kubernetes/cds/charts/cds-ui/templates/secret.yaml | 31 +++++++++++++++++++++ kubernetes/cds/charts/cds-ui/values.yaml | 14 ++++++++++ 4 files changed, 61 insertions(+) create mode 100644 kubernetes/cds/charts/cds-ui/resources/certs/org.onap.sdnc-cds.p12 create mode 100644 kubernetes/cds/charts/cds-ui/templates/secret.yaml 
diff --git a/kubernetes/cds/charts/cds-ui/resources/certs/org.onap.sdnc-cds.p12 b/kubernetes/cds/charts/cds-ui/resources/certs/org.onap.sdnc-cds.p12 new file mode 100644 index 0000000000000000000000000000000000000000..8240f4c59053e1a4702e71e61357484d05f45df6 GIT binary patch literal 4383 zcmZXUWmFUZ)`n;3W)K)e5GjEnhYm?Wx;rHVh90Dm9y%SQBqgMj9=fGdx*KT_fsqc^ z-Lv2B+4KFl_1yQ~pDz?aMuP#wgd#xGIQZ-liV>H@KwMxh0@RCz0Db$5+n@;S#Q#}g zBd`$Ifq(J4zu|>L`0pzs0w6{%0_zrvz`BG&a0vbn|9wt_MPY=msb{`49QtQ(fri9n z`A7*S@l!(-@6nQJ*BO5=Cc(_22;G(f56AAYBdut;qs0=3zIJ%Y-#-$fEP zqyap0*dUvu?;08TUi-qLr0ry@a*orjM!nIHdu@;*p3RQcLAlT!b0%wCfngc#4!IIaKEF$Q4zx!kdPj?uw(;LbT#J6 zPtOkC<;0uHD>sf0d%qpSPwfeQ*Mh}&kfUzIIznuJO{t$Sj2XOLLoauw1!(93i?wYa z>oa4j4dH&VJ;YrunNg*svG_4vMcHyj)RQ!e1og#%9AOEW-_U~AL|xfs2-TZY`Xu?X+RN=a>vq ztZ*CUrLMZN~zkS zOk{^8_#W5Z`72>;R5m|%u*fa!@RRHm@|aAfTy1c$X;U)qsK96fF>j_lz}X21rF+ie z(_@o)A%Xrh%8kC0VK!dL%I-Z^+4Yu1r@)o#`2AwrfHiGA?$FyP*N@{>M7P3ZRDkWBDekTbq^0&a`-3H;mnDO%PUeux{klw zAo%uL56g=M@rk-kKYNyya9Th6y{9?DogVB}su*}>{%+ghX3Sg2ea+kQSRu$Z4!sTy zSOO%Q-b+(u$oFJXY^i$Mt^}ew(=~o&so^L@FQWolSxp7G#etu-kx5RBSXQ}X<~->xwX??-SV(21Z^kuw;cd89FqyEHI3peZITY|C0}*P%du_G+mDK;LiuDR_nG z1OV;;Yk&*j4S?%!SpS`*{~zH7!2c>N0j_|5c5VO|l;OWmD0wNc9_iXU+tBk0@d^qE zKt=y1J^?6#koi9%T%244A?060h5-cpEd>AF0RP8{asKJV-CN3&%^^*FKwX+5E%lv} zy!O{M|8nAB1i?7(B`(;)<0ghmNKVrg(YvRIbtIh~Z!RS*vBur2=W?An(d zJoSjcIz$tOTIA9~8rU*DZ~!hoi}c$(ic_lxtuSatz#bt5UdD&w%hL6tBrGS3H}?eM ze{iAJ+Y1&bB`ZNxD$bU^zs!G1rg-B2I5?~qx89iz(l7MXz=50cL&^Lr`Fijdh^BvK z>P=6o&``|%8rd+WjR+t8qDU)%Eo;TEGPx5#^xJrqcdmPOr(`;iC2tVy$(Ho1$HmxkN)MVuwtv zw&A)sY!UY}EbrNS+hRLCZVM&tpqRraG$wJSZH(RN2%ifl#wAk z>h*dZ$hk{lYkl(j=thn!uP^|;qat-puPEy#7}0G=HzX$HL9M&A{sD>PGdC(2Cb3kd zq27t|R|=9;`)z6}D3roMO_ASG*!Qy*Z@U!K9fQ#k7g?s#3qh`4NHA;Pt1e(1eiED-OP$@;xK6th2j1?{&kCXqVlz{8xHGs2^(qpo!^n~*NPx@K!AmmtMWIeB$}d+{uP3$$d}(4O9s z04EofOy4*9ohJMys4$gkjLeK!>HKgD%fBzjc3P2!ZbJ+viLNHUiR5*z`Xu4;NG>_u zohjtt;5xh=-lh8ZW5c6N)px_cEAd}_J_E^j>RCJ4+L%hF4QR_&^JH(OE6Ol@+N^(` 
zrP#GXElgLoJ+pEKp%#Oj-9P0abI4skEqXwfSQ48(6AnT09yz8I*$31Z-fL{`67=hW zDa;%E$y_i}U?c_8z`U;y+^R3|8TNjNG8XQFFK&Ip%JX#} zm@)R1O6Ou3JK&isCEn~}S5IOf3^FQx#kf+f{WC37Q|M9Ve$Knl5YdY_O747Rx2rk3 zxDSW%a*7d{rPoIOPCV?f=7>81h`29 z3)`FCByZ`AmdU+MZI!}I*ejC3>H#n^wS18#cmH6O7Q}|LMC%L9hR{x^mXo6R7iU1KJoWArwaHrTmH12SgNuG zpKWTRSC{axp!46YZf7yOVG=AaVbWnLiEcSqRCcMP#T-T)c41(Czd!eFg(mI7J&)%< ze+|WFM?MP{9pQJcdvVT3h6_Xf;Nm4x!S?; zc+2qWZ#g;Cc9js!2rfx#&bp(S_+rM5E$JO%X~XP<95 zPkoTiB=%as7{_m0^TnUMooK*%T4gUp`qAvcH|6iz2R@ClQfz6lcy|?Lk|nAjW0>a+ z%_Kc-O~;s$14ueM7<-5?tCYf%AJusT3t{acvM`bs6!9%aXo< z7;LaFrKPZ9l?0R`%JOpAFM7WGI?Z`=sWPq^M(@{Cn<-J_xIzg8cFnM67qVuI0m(EI z=;c2O42R}~UrAKKT(}LDGEPDS`(Kh6jhXKY)+etV`8`6ZF&xL1aI$K|)b`AET87t*Gg%6dIUC`cqRA`sW)VgD;Ku~hmk zqZS;1!Tsy8ErEVwTtf3lB2D>_Wz+!2(}~zI@-*}@Dv5%J7A$9UZ@9ynsr7?oE$ z*}^qc9trK3CPFz{(mFf5npeO+5VxQb(exW35SQP5y+=U$Ge^yMt5T*?F+gU>k+?}e z4L|fi5eKPrDFky2QxPQ~?%c@xkvGJ|aaG_vLGDSWys12!e3esO^C8j;Ylb*kq@l@R&W#!Edw;L3{|kDMxVf+fui{v2 z++5U+LZ5|eSgIv+Q#i!EQkS<^k}+z4N .enc + node . env: - name: HOST value: 0.0.0.0 @@ -71,6 +78,10 @@ spec: value: "{{ .Values.config.api.processor.grpc.port }}" - name: API_BLUEPRINT_PROCESSOR_GRPC_AUTH_TOKEN value: {{ .Values.config.api.processor.grpc.authToken }} + - name: KEYSTORE + value: "/certs/org.onap.sdnc-cds.p12" + - name: PASSPHRASE_VALUE + {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "cds-certs-pass" "key" "password") | indent 14 }} readinessProbe: tcpSocket: port: {{ .Values.service.internalPort }} @@ -80,6 +91,8 @@ spec: - mountPath: /etc/localtime name: localtime readOnly: true + - mountPath: /certs + name: certs resources: {{ include "common.resources" . | indent 12 }} {{- if .Values.nodeSelector }} @@ -94,5 +107,8 @@ spec: - name: localtime hostPath: path: /etc/localtime + - name: certs + secret: + secretName: {{ include "common.fullname" . }}-certs imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" 
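Review bot: The new `/certs` entry in the volumeMounts hunk (`@@ -80,6 +91,8 @@`) has no `readOnly: true`, unlike the `localtime` mount directly above it, and the `certs` volume added in the last hunk (`@@ -94,5 +107,8 @@`) sets no `defaultMode`. Without a `defaultMode`, Kubernetes projects Secret files as 0644, so the PKCS#12 keystore is readable by every user inside the container. I would add `readOnly: true` under `name: certs` in the mount and `defaultMode: 0400` under `secret:` in the volume; if the process does not run as the file owner (not visible here), `0440` together with an `fsGroup` is the usual alternative. The container spec and the volumes list both continue outside these hunks.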
diff --git a/kubernetes/cds/charts/cds-ui/templates/secret.yaml b/kubernetes/cds/charts/cds-ui/templates/secret.yaml
new file mode 100644
index 0000000000..6dcf31f6ca
--- /dev/null
+++ b/kubernetes/cds/charts/cds-ui/templates/secret.yaml
@@ -0,0 +1,31 @@
+{{/*
+# Copyright © 2021 Orange
+# Modifications Copyright © 2018 Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.fullname" . }}-certs
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ include "common.release" . }}
+ heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/certs/*").AsSecrets . | indent 2 }}
+---
+{{ include "common.secretFast" . }}
diff --git a/kubernetes/cds/charts/cds-ui/values.yaml b/kubernetes/cds/charts/cds-ui/values.yaml
index 496aa85fea..d94c59f02a 100644
--- a/kubernetes/cds/charts/cds-ui/values.yaml
+++ b/kubernetes/cds/charts/cds-ui/values.yaml
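Review bot: The `-certs` Secret in the `data:` block is always rendered from the files shipped with the chart (`.Files.Glob "resources/certs/*"`), so the private key inside the committed `.p12` is shared by every installation and an operator has no way to supply their own keystore. values.yaml in this patch only lets the passphrase come from an external secret, so overriding the passphrase alone would presumably leave the pod unable to open the bundled keystore. Consider rendering this Secret only when no external keystore secret is configured (a new value would be needed for that, and `secretName` in deployment.yaml would have to follow it). Two smaller points on the same line: `tpl` has nothing to expand in the base64 output of `AsSecrets`, so `{{ (.Files.Glob "resources/certs/*").AsSecrets | indent 2 }}` is enough, and the `*` glob will publish any file later dropped into that directory, so naming the `.p12` explicitly is safer.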
@@ -21,6 +21,20 @@ global: loggingRepository: docker.elastic.co loggingImage: beats/filebeat:5.5.0 + +################################################################# +# Secrets metaconfig +################################################################# +secrets: + - uid: cds-certs-pass + type: password + externalSecret: '{{ tpl (default "" .Values.certs.certsExternalSecret) . }}' + password: '{{ .Values.certs.password }}' + +certs: + password: "DG*HkOIe5W^F}XYI6o!2sD(6" + #certsExternalSecret: + subChartsOnly: enabled: true -- 2.16.6
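Review bot: The added `certs.password` default is a literal passphrase committed to the chart, presumably the one protecting the `.p12` added in this same patch, so anyone who can read the repository can open the keystore. If the bundled keystore is intended for lab use only, state that directly above the value, e.g. `# Passphrase of the bundled demo keystore; lab use only, supply your own via certsExternalSecret`. The commented-out `#certsExternalSecret:` also needs a line explaining what it expects; from the `secrets` entry and the `"key" "password"` lookup in deployment.yaml it looks like the name of an existing Secret holding a `password` key, which should be confirmed and written down. For anything beyond a lab default I would leave `password` empty and have the template fail when neither it nor `certsExternalSecret` is set.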