From 9794a7b6c51208c55586ec8bd4e96723c6ad7d5f Mon Sep 17 00:00:00 2001
From: Andreas Geissler
Date: Tue, 26 Jul 2022 13:51:08 +0200
Subject: [PATCH] [PLATFORM] Create Ingress Certificates for ServiceMesh

Add issuers and self-signed certificates for the Ingress controller Additionally a new override file is created for Istio Ingress setup
Issue-ID: OOM-3001
Signed-off-by: Andreas Geissler
Change-Id: I6da12e54ecc4bbb15e3bcf1aa259e50f5be320b6
---
 .../overrides/onap-all-ingress-istio.yaml | 148 +++++++++++++++++++++
 .../oom-cert-service/templates/certificate.yaml | 53 ++++++++
 .../oom-cert-service/templates/issuer.yaml | 24 +++-
 .../components/oom-cert-service/values.yaml | 18 +++
 4 files changed, 242 insertions(+), 1 deletion(-)
 create mode 100644 kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml
diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml
new file mode 100644
index 0000000000..dc98a422cc
--- /dev/null
+++ b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml
@@ -0,0 +1,148 @@
+# Copyright © 2019 Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+###################################################################
+# This override file enables helm charts for all ONAP applications.
+###################################################################
+#ingress virtualhost based configuration
+global:
+ ingress:
+ enabled: true
+ # All http requests via ingress will be redirected
+ config:
+ ssl: "redirect"
+ # you can set an own Secret containing a certificate
+ # tls:
+ # secret: 'my-ingress-cert'
+ # optional: Namespace of the Istio IngressGateway
+ namespace: istio-ingress
+ # don't need ejbca server
+ addTestingComponents: &testing false
+ centralizedLoggingEnabled: ¢ralizedLogging false
+ # Disabling CMPv2
+ cmpv2Enabled: false
+
+cassandra:
+ enabled: true
+mariadb-galera:
+ enabled: true
+postgres:
+ enabled: true
+aaf:
+ enabled: false
+ aaf-sms:
+ cps:
+ # you must always set the same values as value set in cps.enabled
+ enabled: true
+aai:
+ enabled: true
+appc:
+ enabled: false
+cds:
+ enabled: true
+cli:
+ enabled: true
+# Today, "contrib" chart that hosting these components must also be enabled
+# in order to make it work.
So `contrib.enabled` must have the same value than
+# addTestingComponents
+contrib:
+ enabled: *testing
+consul:
+ enabled: true
+cps:
+ enabled: true
+dcaegen2:
+ enabled: true
+dcaegen2-services:
+ enabled: true
+ dcae-datafile-collector:
+ enabled: true
+ dcae-datalake-admin-ui:
+ enabled: true
+ dcae-datalake-des:
+ enabled: true
+ dcae-datalake-feeder:
+ enabled: true
+ dcae-heartbeat:
+ enabled: true
+ dcae-hv-ves-collector:
+ enabled: true
+ dcae-kpi-ms:
+ enabled: true
+ dcae-ms-healthcheck:
+ enabled: true
+ dcae-pm-mapper:
+ enabled: true
+ dcae-pmsh:
+ enabled: true
+ dcae-prh:
+ enabled: true
+ dcae-restconf-collector:
+ enabled: true
+ dcae-slice-analysis-ms:
+ enabled: true
+ dcae-snmptrap-collector:
+ enabled: true
+ dcae-son-handler:
+ enabled: true
+ dcae-tcagen2:
+ enabled: true
+ dcae-ves-collector:
+ enabled: true
+ dcae-ves-mapper:
+ enabled: true
+ dcae-ves-openapi-manager:
+ enabled: true
+dcaemod:
+ enabled: true
+holmes:
+ enabled: true
+dmaap:
+ enabled: true
+oof:
+ enabled: true
+msb:
+ enabled: true
+multicloud:
+ enabled: true
+nbi:
+ enabled: true
+policy:
+ enabled: true
+portal:
+ enabled: false
+robot:
+ enabled: true
+sdc:
+ enabled: true
+sdnc:
+ enabled: true
+so:
+ enabled: true
+strimzi:
+ enabled: true
+uui:
+ enabled: true
+vfc:
+ enabled: true
+vid:
+ enabled: false
+vnfsdk:
+ enabled: true
+modeling:
+ enabled: true
+platform:
+ enabled: true
+a1policymanagement:
+ enabled: true
diff --git a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
index fd317703e3..8f49424b54 100644
--- a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
+++ b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
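Review bot: The commented-out `# tls:` / `# secret: 'my-ingress-cert'` under `global.ingress.config` tells operators they can supply their own certificate Secret, yet the Certificate this commit adds in certificate.yaml always writes to the fixed `secretName: ingress-tls-secret`, and nothing in this override (or in the identical block added to oom-cert-service/values.yaml in this commit) connects the two, so an operator who sets `tls.secret` would also get a second, unused self-signed certificate. Either make the generated certificate's `secretName` follow `global.ingress.config.tls.secret` when it is set, or state in the comment that the self-signed ingress certificate is created regardless of an own Secret; the gateway template that consumes the Secret is not in this diff, so which behaviour is intended is inferred. Also, `cmpv2Enabled: false` here now suppresses the whole cmpv2 Issuer/Certificate of the platform chart because both templates are wrapped in `{{- if .Values.global.cmpv2Enabled }}` in this commit; the `# Disabling CMPv2` comment could say so, e.g. `# Disabling CMPv2 (oom-cert-service renders no cmpv2 Issuer/Certificate)`.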
@@ -14,4 +14,57 @@
 # limitations under the License.
 */}}
+{{- if .Values.global.cmpv2Enabled }}
 {{ include "certManagerCertificate.certificate" . }}
+{{- end -}}
+
+{{- if (include "common.onServiceMesh" .) }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ingress-ca-certificate
+ namespace: {{ .Values.tls.issuer.ingressCa.namespace }}
+spec:
+ isCA: true
+ commonName: "{{ .Values.global.ingress.virtualhost.baseurl }}" #not important as it is self signed
+ secretName: {{ .Values.tls.issuer.ingressCa.secret.name }}
+ usages:
+ - server auth
+ - client auth
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: {{ .Values.tls.issuer.ingressSelfsigned.name }}
+ kind: Issuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: ingress-selfsigned-certificate
+ namespace: {{ .Values.tls.issuer.ingressSelfsigned.namespace }}
+spec:
+ secretName: ingress-tls-secret
+ privateKey:
+ rotationPolicy: Always
+ algorithm: RSA
+ encoding: PKCS1
+ size: 4096
+ duration: 9000h0m0s # 1 Year
+ renewBefore: 4000h0m0s #9 months
+ commonName: "*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+# usages:
+# - server auth
+# - client auth
+ dnsNames:
+ - {{ .Values.global.ingress.virtualhost.baseurl }}
+ - "*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+ - "*.*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+ - "*.*.*.{{ .Values.global.ingress.virtualhost.baseurl }}"
+ issuerRef:
+ name: {{ .Values.tls.issuer.ingressCa.name }}
+ kind: Issuer
+ group: cert-manager.io
+{{- end -}}
diff --git a/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml
index 9047ab73d3..1220ad35a9 100644
--- a/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml
+++ b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml
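Review bot: The `"*.*.{{ ... }}"` and `"*.*.*.{{ ... }}"` entries in `dnsNames` of `ingress-selfsigned-certificate` will not match anything for standard TLS clients — RFC 6125 and the common implementations (browsers, Go crypto/x509, OpenSSL by default) accept a wildcard only as the whole left-most label and let it match exactly one label, so a multi-label host under the base URL is still rejected unless it is listed literally; drop the two entries or add the concrete hostnames the mesh actually exposes. The `renewBefore: 4000h0m0s #9 months` comment is also wrong — 4000h is about 5.5 months (9 months would be roughly 6570h); either fix the value or the comment, e.g. `renewBefore: 4000h0m0s # ~5.5 months`. Finally, the first entry `- {{ .Values.global.ingress.virtualhost.baseurl }}` is the only unquoted one; quoting it like its siblings avoids rendering a null scalar when the value is unset, which is plausible because the `global.ingress` block this commit adds to oom-cert-service/values.yaml has no `virtualhost` key (the parent chart or another part of that file may supply it — not visible here).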
@@ -14,6 +14,7 @@
 # limitations under the License.
 */}}
+{{- if .Values.global.cmpv2Enabled }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -29,4 +30,25 @@ metadata:
 namespace: {{ include "common.namespace" . }}
 spec:
 ca:
- secretName: {{ .Values.tls.issuer.ca.secret.name }}
\ No newline at end of file
+ secretName: {{ .Values.tls.issuer.ca.secret.name }}
+{{- end -}}
+
+{{- if (include "common.onServiceMesh" .) }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ .Values.tls.issuer.ingressSelfsigned.name }}
+ namespace: {{ .Values.tls.issuer.ingressSelfsigned.namespace }}
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: {{ .Values.tls.issuer.ingressCa.name }}
+ namespace: {{ .Values.tls.issuer.ingressCa.namespace }}
+spec:
+ ca:
+ secretName: {{ .Values.tls.issuer.ingressCa.secret.name }}
+{{- end -}}
\ No newline at end of file
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index c74fe9b2c0..7778c03e34 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml
@@ -22,6 +22,16 @@ global:
 # Standard OOM
 pullPolicy: "Always"
 repository: "nexus3.onap.org:10001"
+ ingress:
+ enabled: true
+ # All http requests via ingress will be redirected
+ config:
+ ssl: "redirect"
+ # you can set an own Secret containing a certificate
+ # tls:
+ # secret: 'my-ingress-cert'
+ # optional: Namespace of the Istio IngressGateway
+ namespace: &ingressNamespace istio-ingress
 # Service configuration
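Review bot: The CA Issuer `{{ .Values.tls.issuer.ingressCa.name }}` in the second issuer.yaml hunk takes its signing key from the Secret `{{ .Values.tls.issuer.ingressCa.secret.name }}` in the ingress namespace, so the private key able to sign a certificate for any name under `global.ingress.virtualhost.baseurl` lives next to the gateway's serving Secret, and every principal with Secret read access in that namespace effectively holds the CA; nothing in the commit documents that, and it matters for how operators scope RBAC there. A comment on the Issuer would make it visible, e.g. `# CA private key is stored in this namespace; restrict Secret read access accordingly`, plus a line in the chart docs naming the namespace that holds the CA key. The Issuer also depends on a Secret that is only created once the `ingress-ca-certificate` Certificate is issued, so it stays not-ready until cert-manager's retry catches up — expected behaviour, but worth a one-line comment so the transient status is not mistaken for a failure. The new file end still carries `\ No newline at end of file`; add the trailing newline.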
@@ -82,6 +92,14 @@ tls:
 name: &caIssuer cmpv2-issuer-onap
 secret:
 name: &caKeyPairSecret cmpv2-ca-key-pair
+ ingressSelfsigned:
+ name: ingress-selfsigned-issuer
+ namespace: *ingressNamespace
+ ingressCa:
+ name: ingress-ca-issuer
+ namespace: *ingressNamespace
+ secret:
+ name: ingress-ca-key-pair
 server:
 secret:
 name: &serverSecret oom-cert-service-server-tls-secret
-- 
2.16.6
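Review bot: `ingressSelfsigned.namespace` and `ingressCa.namespace` are exposed as two independent values, but they cannot differ: the `ingress-ca-certificate` Certificate added in certificate.yaml is placed in `ingressCa.namespace` and references `ingressSelfsigned.name` with `kind: Issuer`, and a namespaced Issuer is only resolvable from Certificates in its own namespace, so overriding one value without the other leaves the CA certificate unissued and the CA Issuer without its Secret. A comment on both keys would make the coupling explicit, e.g. `# must equal ingressCa.namespace: the CA Certificate references this namespaced Issuer`; collapsing the two into one value would remove the trap altogether. Minor style point: `name: ingress-ca-key-pair` and `name: ingress-ca-issuer` carry no anchors while the neighbouring cmpv2 entries use `&caIssuer` / `&caKeyPairSecret` — fine if nothing else in this file references them, which this hunk does not show.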