From 75f18758d0cc3e14ec5dd4fd61ee9a46a838a272 Mon Sep 17 00:00:00 2001 From: Krzysztof Opasiak Date: Wed, 9 Sep 2020 20:32:56 +0200 Subject: [PATCH] [COMMON] Make certInitializer share truststore among instances Truststore is quite heavy. If it is included several times in the component it can easily cross helm chart size limit. To fix this issue let's make sure that the truststore is created only once and then shared among all certInitializer instances. Issue-ID: AAF-1134 Change-Id: I546a88fea3fe869748194682e7dcf3ad566282ab Signed-off-by: Krzysztof Opasiak --- kubernetes/common/Makefile | 6 ++++-- kubernetes/common/cert-wrapper/Chart.yaml | 18 ++++++++++++++++++ kubernetes/common/cert-wrapper/requirements.yaml | 18 ++++++++++++++++++ kubernetes/common/cert-wrapper/values.yaml | 17 +++++++++++++++++ .../certInitializer/templates/_certInitializer.yaml | 2 +- .../common/certInitializer/templates/configmap.yaml | 2 ++ kubernetes/common/certInitializer/values.yaml | 3 +++ kubernetes/onap/requirements.yaml | 4 ++++ kubernetes/onap/values.yaml | 3 +++ 9 files changed, 70 insertions(+), 3 deletions(-) create mode 100644 kubernetes/common/cert-wrapper/Chart.yaml create mode 100644 kubernetes/common/cert-wrapper/requirements.yaml create mode 100644 kubernetes/common/cert-wrapper/values.yaml diff --git a/kubernetes/common/Makefile b/kubernetes/common/Makefile index 58125f8506..817a2e24bc 100644 --- a/kubernetes/common/Makefile +++ b/kubernetes/common/Makefile @@ -20,12 +20,14 @@ SECRET_DIR := $(OUTPUT_DIR)/secrets COMMON_CHARTS_DIR := common EXCLUDES := +PROCESSED_LAST := cert-wrapper +TO_FILTER := $(EXCLUDES) $(PROCESSED_LAST) HELM_BIN := helm -HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.)))) +HELM_CHARTS := $(filter-out $(TO_FILTER), $(sort $(patsubst %/.,%,$(wildcard */.)))) $(PROCESSED_LAST) HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}") -.PHONY: $(EXCLUDES) $(HELM_CHARTS) +.PHONY: $(HELM_CHARTS) $(TO_FILTER) all: $(COMMON_CHARTS_DIR) $(HELM_CHARTS) diff --git a/kubernetes/common/cert-wrapper/Chart.yaml b/kubernetes/common/cert-wrapper/Chart.yaml new file mode 100644 index 0000000000..68d5400743 --- /dev/null +++ b/kubernetes/common/cert-wrapper/Chart.yaml @@ -0,0 +1,18 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +description: Wrapper chart to allow truststore to be shared among cert-initializer instances +name: cert-wrapper +version: 6.0.0 diff --git a/kubernetes/common/cert-wrapper/requirements.yaml b/kubernetes/common/cert-wrapper/requirements.yaml new file mode 100644 index 0000000000..b6a667e448 --- /dev/null +++ b/kubernetes/common/cert-wrapper/requirements.yaml @@ -0,0 +1,18 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +dependencies: + - name: certInitializer + version: ~6.x-0 + repository: 'file://../certInitializer' diff --git a/kubernetes/common/cert-wrapper/values.yaml b/kubernetes/common/cert-wrapper/values.yaml new file mode 100644 index 0000000000..fcece0e3f5 --- /dev/null +++ b/kubernetes/common/cert-wrapper/values.yaml @@ -0,0 +1,17 @@ +# Copyright © 2020 Samsung Electronics +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +certInitializer: + nameOverride: cert-initializer + createCertsCM: true diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml index 6734e0be81..800364f1a2 100644 --- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml +++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml @@ -172,7 +172,7 @@ medium: Memory - name: aaf-agent-certs configMap: - name: {{ include "common.fullname" $subchartDot }}-certs + name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }} defaultMode: 0700 {{- if $initRoot.aaf_add_config }} diff --git a/kubernetes/common/certInitializer/templates/configmap.yaml b/kubernetes/common/certInitializer/templates/configmap.yaml index a89a33152b..69d74e1ca7 100644 --- a/kubernetes/common/certInitializer/templates/configmap.yaml +++ b/kubernetes/common/certInitializer/templates/configmap.yaml @@ -23,6 +23,7 @@ data: aaf-add-config.sh: | {{ tpl .Values.aaf_add_config . | indent 4 }} {{- end }} +{{- if .Values.createCertsCM }} --- apiVersion: v1 kind: ConfigMap @@ -30,3 +31,4 @@ kind: ConfigMap metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . ) | nindent 2 }} data: {{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }} +{{- end -}} diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml index 642fe7799b..00e74c46d6 100644 --- a/kubernetes/common/certInitializer/values.yaml +++ b/kubernetes/common/certInitializer/values.yaml @@ -56,3 +56,6 @@ importCustomCertsEnabled: false truststoreMountpath: "" truststoreOutputFileName: truststore.jks truststorePassword: changeit + +createCertsCM: false +certsCMName: '{{ include "common.release" . }}-cert-initializer-certs' diff --git a/kubernetes/onap/requirements.yaml b/kubernetes/onap/requirements.yaml index 9143c1feff..7110117442 100755 --- a/kubernetes/onap/requirements.yaml +++ b/kubernetes/onap/requirements.yaml @@ -162,3 +162,7 @@ dependencies: version: ~6.x-0 repository: '@local' condition: a1policymanagement.enabled + - name: cert-wrapper + version: ~6.x-0 + repository: '@local' + condition: cert-wrapper.enabled diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml index 3413c3840e..2791f0fab0 100755 --- a/kubernetes/onap/values.yaml +++ b/kubernetes/onap/values.yaml @@ -313,3 +313,6 @@ platform: enabled: false a1policymanagement: enabled: false + +cert-wrapper: + enabled: true -- 2.16.6