From daf4e90f1cdcb766298506ecbafd094681fa1b6c Mon Sep 17 00:00:00 2001 From: Sylvain Desbureaux Date: Thu, 2 Jul 2020 09:35:39 +0200 Subject: [PATCH] [CDS] Add hardcoded certificates to CDS Issue-ID: CCSDK-2410 Issue-ID: CCSDK-2519 Signed-off-by: Sylvain Desbureaux Change-Id: I23aa5fd6c23659efece70067172660aaa3d4909c --- docs/oom_hardcoded_certificates.rst | 134 +++++++++++---------- .../resources/certs/py-executor-chain.pem | 38 ++++++ .../resources/certs/py-executor-key.pem | 52 ++++++++ .../resources/certs/py-executor.conf | 46 +++++++ .../cds-py-executor/templates/deployment.yaml | 14 ++- .../charts/cds-py-executor/templates/secret.yaml | 2 +- kubernetes/cds/charts/cds-py-executor/values.yaml | 8 ++ 7 files changed, 222 insertions(+), 72 deletions(-) create mode 100644 kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-chain.pem create mode 100644 kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-key.pem create mode 100644 kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor.conf diff --git a/docs/oom_hardcoded_certificates.rst b/docs/oom_hardcoded_certificates.rst index 085beaa4d1..8943910eb0 100644 --- a/docs/oom_hardcoded_certificates.rst +++ b/docs/oom_hardcoded_certificates.rst 
@@ -11,68 +11,72 @@ ONAP Hardcoded certificates ONAP current installation have hardcoded certificates. Here's the list of these certificates: - +-----------------------------------------------------------------------------------------------------------------------------------------------------+ - | Project | ONAP Certificate | Own Certificate | MSB Certificate | Path | - +==================+==================+==================+============================================================================================+ - | AAF | No | Yes | No | aaf/charts/aaf-cert-service/resources/ | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | AAF | Yes | No | No | aaf/components/aaf-sms/resources/certs/intermediate_root_ca.pem | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | AAI | Yes | No | No | aai/oom/resources/config/haproxy/aai.pem | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | AAI | Yes | No | No | aai/oom/resources/config/aai/aai_keystore | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | AAI/SEARCH-DATA | Yes | No | No | aai/oom/components/aai-search-data/resources/config/auth/tomcat_keystore | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | AAI/SPARKY-BE | Yes | No | No | aai/oom/components/aai-spary-be/resources/config/auth/org.onap.aai.p12 | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | AAI/BABEL | No | Yes | No 
| aai/oom/components/aai-babel/resources/config/auth/tomcat_keystore | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | AAI/MODEL-LOADER | Yes | Yes | No | aai/oom/components/aai-model-loaderresources/config/auth/tomcat_keystore | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | APPC | Yes | No | No | kubernetes/appc/resources/config/certs/org.onap.appc.keyfile | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | APPC | Yes | No | No | kubernetes/appc/resources/config/certs/org.onap.appc.p12 | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | certInitializer | Yes | No | No | kubernetes/common/certInitializer/resources | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | MSB | Yes | No? | Yes | kubernetes/msb/resources/config/certificates | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | MUSIC | Yes | No? | No? | kubernetes/common/music/charts/music/resources/keys/ | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | SDC | Yes | No? | No? | kubernetes/sdc/resources/cert | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | SO | Yes | No? 
| Yes | kubernetes/so/resources/config/certificates | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | SO/BPMN | Yes | No? | Yes | kubernetes/so/resources/config/certificates | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | SO/Catalog | Yes | No? | Yes | kubernetes/so/resources/config/certificates | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | SO/Monitoring | Yes | No? | Yes | kubernetes/so/resources/config/certificates | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | SO/OpenStack | Yes | No? | Yes | kubernetes/so/resources/config/certificates | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | SO/RequestDb | Yes | No? | Yes | kubernetes/so/resources/config/certificates | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | SO/SDC | Yes | No? | Yes | kubernetes/so/resources/config/certificates | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | SO/SDNC | Yes | No? | Yes | kubernetes/so/resources/config/certificates | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | SO/VE/VNFM | Yes | No? 
| Yes | kubernetes/so/resources/config/certificates | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | SO/VFC | Yes | No? | Yes | kubernetes/so/resources/config/certificates | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | SO/VNFM | Yes | No? | Yes | kubernetes/so/resources/config/certificates | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | SO/VNFM | No | Yes? | Yes | kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | VID | No | Yes | No | kubernetes/vid/resources/cert | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | OOF/OOF-CMSO | Yes | No | No | kubernetes/oof/charts/oof-cmso/resources/certs | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | OOF/OOF-HAS | Yes | No | No | kubernetes/oof/charts/oof-has/resources/config | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | OOF/OOF-OSDF | Yes | No | No | kubernetes/oof/resources/config | - +------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ - | CLI | No | Yes | No | kubernetes/cli/resources/certificates | - 
+------------------+------------------+------------------+--------------------------------------------------------------------------------------------+ + +------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Project | ONAP Certificate | Own Certificate | MSB Certificate | Path | + +==================+==================+==================+===================================================================================================+ + | AAF | No | Yes | No | aaf/charts/aaf-cert-service/resources/ | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | AAF | Yes | No | No | aaf/components/aaf-sms/resources/certs/intermediate_root_ca.pem | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | AAI | Yes | No | No | aai/oom/resources/config/haproxy/aai.pem | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | AAI | Yes | No | No | aai/oom/resources/config/aai/aai_keystore | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | AAI/SEARCH-DATA | Yes | No | No | aai/oom/components/aai-search-data/resources/config/auth/tomcat_keystore | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | AAI/SPARKY-BE | Yes | No | No | aai/oom/components/aai-spary-be/resources/config/auth/org.onap.aai.p12 | + 
+------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | AAI/BABEL | No | Yes | No | aai/oom/components/aai-babel/resources/config/auth/tomcat_keystore | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | AAI/MODEL-LOADER | Yes | Yes | No | aai/oom/components/aai-model-loaderresources/config/auth/tomcat_keystore | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | APPC | Yes | No | No | kubernetes/appc/resources/config/certs/org.onap.appc.keyfile | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | APPC | Yes | No | No | kubernetes/appc/resources/config/certs/org.onap.appc.p12 | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | certInitializer | Yes | No | No | kubernetes/common/certInitializer/resources | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | MSB | Yes | No? | Yes | kubernetes/msb/resources/config/certificates | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | MUSIC | Yes | No? | No? | kubernetes/common/music/charts/music/resources/keys/ | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | SDC | Yes | No? | No? 
| kubernetes/sdc/resources/cert | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | SO | Yes | No? | Yes | kubernetes/so/resources/config/certificates | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | SO/BPMN | Yes | No? | Yes | kubernetes/so/resources/config/certificates | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | SO/Catalog | Yes | No? | Yes | kubernetes/so/resources/config/certificates | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | SO/Monitoring | Yes | No? | Yes | kubernetes/so/resources/config/certificates | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | SO/OpenStack | Yes | No? | Yes | kubernetes/so/resources/config/certificates | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | SO/RequestDb | Yes | No? | Yes | kubernetes/so/resources/config/certificates | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | SO/SDC | Yes | No? | Yes | kubernetes/so/resources/config/certificates | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | SO/SDNC | Yes | No? 
| Yes | kubernetes/so/resources/config/certificates | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | SO/VE/VNFM | Yes | No? | Yes | kubernetes/so/resources/config/certificates | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | SO/VFC | Yes | No? | Yes | kubernetes/so/resources/config/certificates | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | SO/VNFM | Yes | No? | Yes | kubernetes/so/resources/config/certificates | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | SO/VNFM | No | Yes? | Yes | kubernetes/so/charts/so-secrets/resources/certs/org.onap.so.trust.jks | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | VID | No | Yes | No | kubernetes/vid/resources/cert | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | OOF/OOF-CMSO | Yes | No | No | kubernetes/oof/charts/oof-cmso/resources/certs | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | OOF/OOF-HAS | Yes | No | No | kubernetes/oof/charts/oof-has/resources/config | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | OOF/OOF-OSDF | Yes | No | No | kubernetes/oof/resources/config | + 
+------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | CLI | No | Yes | No | kubernetes/cli/resources/certificates | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | CDS PY Executor | No | Yes | No | kubernetes/cds/charts/cds-py-executor/resources/certs | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ + | CDS BP Executor | Yes | No | No | kubernetes/cds/charts/cds-blueprints-processor/resources/config/ONAP_RootCA.cer | + +------------------+------------------+------------------+---------------------------------------------------------------------------------------------------+ diff --git a/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-chain.pem b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-chain.pem new file mode 100644 index 0000000000..7d626d3922 --- /dev/null +++ b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-chain.pem 
@@ -0,0 +1,38 @@ +-----BEGIN CERTIFICATE----- +MIIGmjCCBIKgAwIBAgIUKY54WlWSTO1gukYe2chbzm9mVIowDQYJKoZIhvcNAQEL +BQAwfzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCk5ldyBKZXJzZXkxEzARBgNVBAcM +Ck1pZGRsZXRvd24xFzAVBgNVBAoMDk9OQVAgQ29tbXVuaXR5MQ4wDAYDVQQDDAVD +Q1NESzEdMBsGCSqGSIb3DQEJARYOYnMyNzk2QGF0dC5jb20wHhcNMjAwNjA1MDgx +NjAwWhcNMzAwNjAzMDgxNjAwWjB/MQswCQYDVQQGEwJVUzETMBEGA1UECAwKTmV3 +IEplcnNleTETMBEGA1UEBwwKTWlkZGxldG93bjEXMBUGA1UECgwOT05BUCBDb21t +dW5pdHkxDjAMBgNVBAMMBUNDU0RLMR0wGwYJKoZIhvcNAQkBFg5iczI3OTZAYXR0 +LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMNqVzDC+BpV9iV1 +2sB3ya9Bwx2qTqmygV/ZM/2/Bd6z4duUHd5dK3ZeRablfB2HmaFsjXTTvf+/nVC8 +Q0e4yrOBXRY6qGD27YEkwTebP1Mjvj5uOuamGr6bsZOuJr8HooIA5L25D5GZ37bV +H4Wq1xz1PG+PgldUf/YXOcwuzO2Nq3FS3I0xKeaNI5YmmlW8gFeGKtPR8vRwpg45 +I+orp2NnO7tFqjwxO3Ka7se9s9fy3GUg0Yn4N1So36r3G2NNbueN34I/d8IazT3Z +dnWT4amnMXy455ijr1yucaGwKkc7nQDn2cNGlQOIlpzEU90w/V8ne73hAfWKZ+7p +o3BFOE1X0PV1fFZ4d9rf7slUCWYiUcaKRBbCf+Tu3EBonpJJBQBJTb78pln/5x5r +d9av0eruCm0K8MZVgHPNRnZVeggi34YFGo1MmDMZDPAYSxBX7z106QmHJiuFvzdc +u2AIht5jMnXERGO1mzLtjUjWgdjN2zxpARiCPoR59jBuX/DO+vBeSJZ3dFjWFHrM +2bDg8328ZU6/cVoU30vKR9J+CrBv+V5mvpqRVx/atHIuJ6aQne1FW+qYE/aWw6CH +IrJbHXLYb1T6nMhzu7rX5YVXSDGu5wLTjnBZlh8XVjn3UBgopS4EnceJRW9Jn01L +sGlNoEamKVVZ8jS4dif+8zgLsznzAgMBAAGjggEMMIIBCDAdBgNVHQ4EFgQUaigR +IIb+2J4zJ4bi2IIxICIOSyMwHwYDVR0jBBgwFoAUaigRIIb+2J4zJ4bi2IIxICIO +SyMwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYIKwYBBQUHAwEw +awYDVR0RBGQwYoIRKmNkcy1jb250cm9sbGVyLSqCEipjZHMtcHktZXhlY3V0b3It +KoIMKnB5LWV4ZWN1dG9ygg4qcHktZXhlY3V0b3ItKoIKKi1weWV4ZWMtKoIJbG9j +YWxob3N0hwR/AAABMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBD +ZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAgEAMooc0ZyZVzLePmm0q2iU6jls +ORmfpNXe/MqCRfEPr7sZAy3jGtJK9+ShoVVbvQbXaQ2wDe9XxwnrblWB+SaAwZiL +A8gF7ozgwavatwZ70683fnCsPC061WDlC965UWCbPL5opxW4ulL3meSYEdzvS3hm +oxeMhaLJSZpkk4D9tyVHwPtLJBpWD5a3rp9y6e2Q87XhrQKB+y2/QHeaDs3l+tKa +o6GW/PqKKM3ktboXBlGDT7bLhCpg179dOzXgdtHNtqv7zmXLDbGKV0mbQpjBVu72 
+tWKf6KoVFhvXQP2he6vgvcMeycOS9ff3RLePwt61WiDXnQ97kD2UubTrdsQ0QieZ +r5NHeDQEEnEMW9kHQrYDEGk5s881QTg8EmrKKdcUH9+65ka/0HnKF9cQ+MklRMtG +8QDiwTd8AIyeOLg/9l9VP09IglksrmkfxqWD7zFyFKlyZZbiBH5XrYGlnGgezIUx +T41ulfQyQ6Ef1z97EUzYTOmxWRWReoFbLsqFOg1KLD2Y0wZkT22IdBreEO9W/W+X +OQuLLA3qwOZMF/mKwzp6SSLbelVIOhhx4k1sQy95dqMMQQMuLK/uPNETlenE36fT +yhiCa7B6VyPKVsYDcte2Cs8wo2uhMb7i5VaFIZD8Cjswkx1GbcQs9X0Fm1W9g5J0 +j/cJjXSeCIp84F+fxZo= +-----END CERTIFICATE----- diff --git a/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-key.pem b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-key.pem new file mode 100644 index 0000000000..c6ef005641 --- /dev/null +++ b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor-key.pem 
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDDalcwwvgaVfYl +ddrAd8mvQcMdqk6psoFf2TP9vwXes+HblB3eXSt2XkWm5Xwdh5mhbI10073/v51Q +vENHuMqzgV0WOqhg9u2BJME3mz9TI74+bjrmphq+m7GTria/B6KCAOS9uQ+Rmd+2 +1R+Fqtcc9Txvj4JXVH/2FznMLsztjatxUtyNMSnmjSOWJppVvIBXhirT0fL0cKYO +OSPqK6djZzu7Rao8MTtymu7HvbPX8txlINGJ+DdUqN+q9xtjTW7njd+CP3fCGs09 +2XZ1k+GppzF8uOeYo69crnGhsCpHO50A59nDRpUDiJacxFPdMP1fJ3u94QH1imfu +6aNwRThNV9D1dXxWeHfa3+7JVAlmIlHGikQWwn/k7txAaJ6SSQUASU2+/KZZ/+ce +a3fWr9Hq7gptCvDGVYBzzUZ2VXoIIt+GBRqNTJgzGQzwGEsQV+89dOkJhyYrhb83 +XLtgCIbeYzJ1xERjtZsy7Y1I1oHYzds8aQEYgj6EefYwbl/wzvrwXkiWd3RY1hR6 +zNmw4PN9vGVOv3FaFN9LykfSfgqwb/leZr6akVcf2rRyLiemkJ3tRVvqmBP2lsOg +hyKyWx1y2G9U+pzIc7u61+WFV0gxrucC045wWZYfF1Y591AYKKUuBJ3HiUVvSZ9N +S7BpTaBGpilVWfI0uHYn/vM4C7M58wIDAQABAoICAGFZMGZSOlakTCMNOxR2mDp+ +gDzfAqD3FAwzn/rgloQDCJjiiJ6lu2kUPY6O8+2iB56q/S0d7qDhS/VUVA/+trwF +zeGtBwSG/no/XSHebQV14Ogo8Z7FUL1zwlrXfuXbX9FzsH/zGRZnmVLziOiF2vPK +F3lb/IqUxcpKd7iH9/6/fJDPvp93xm/cD8ZVJL1hUm5HoD41cNrk41RiksmtRY33 +d4IrikrCG+NT23AVyOnjSnf2iWw6AxZhqkr5HuOxR3aC7r1r8LT5tRUCqEiaiuiB +Kd4AHx+jK1D4dhMeN3GU+PnihlEJcGJ6QM2H4F9ocFBe0v4cgWVYtb4HFixvz0OY +E+4vsrMObxVBkJtEvEntdQqBEKxdHUotTzJvF3NocncM65VzKViyCBiFXyijQ2Aw +zFtyBNSzMLMBfkfJNXKhlDz4sOeDFjVaDTl6Rn3tnIHpjgbbbm5CXqNi0JRNi36C +/ANTAoxrol/FSkPxdsCdhYaU6CxZpelu2FbwjyV189dEyCROOTelqAC0k0YsmcOJ +FsQEkr8baWTIjgKta+kxo8SllPWntDeXfiM6iI4NeAwneIIJwqQb5WQiJWtnv0QX +eH/cbnXHJgxTw4Hb0LzDBYG3nY5LHW//eaXTt1vSwJh7AbPo0hl7JBe6JNUMT9ih ++LUE1zzOj3dJbnFh+QLBAoIBAQD601wIBHeGnm4TwnjpEWExb2VlC0uMYhik1uql +1zCsn7vgCFspq2tJugfALG4QEoti51AHkOybHX43jD6wvtPFT1HNL7yP63Zm27GP +3bkCsZLVWnIEtPCR266ENSdGr3cnoO91Pf4efINKlZPIo4jLwfYgJhcVbhHb57uw +j/VKhit9Cm+OnPD7PpKiGi4vUQPnbeIZsUTf5v4lYLR5r9uW91q07mS+jsoKcPyy +dHZBM1nz7vMQitTYAhL17x6rINtTl7ulBHfLxHpPZxvVN5z+pJpKhYJP2pIWwKZY +EBBMefiJhx6pR/T4YlFMdx0AmvVbeYZraIhh2vyNH5IeygNXAoIBAQDHclpbFNyd +ZfkufMIq7N0oGDOuYwfzfAYK93lHgAm6NXibbyY7v49WAViOILSSGo4edCB53mLq 
+9bLCsc0x9SL/OgZTCHwlY3cgc3WNAbICCsvinZS87XwPU3ZEMzy5T9AA1WlV0QSv +6FXffF71skKM7yaWRhNJ6zWLSVBZ5iRAcmg5IboWFseGx845RSp/M1FZTuRvX5Ne +7qQyJfJ0pu72Y6KkICpOqLmWYbxs3bcBpXdIGueUC4A6QlY+QrbGjGapkNhWzM1x +vMK+8cpuSNhIHDtEWf43jw0Oz59vmPws/iTENtk4RDgIncD7bJ4HWjb+ZZtjHnSG +r7L/HKS69ZjFAoIBAQDbpCwKBUdZhfCksv5IMeTnckHa+socU2Z7Kovtz4ObFoFh +jE+wLKDVvea9nOqAfoy6fg4xofHfXzNAlznqciBlvrDGOhAoAyv6pFVXwvQY7MDE +vd/sSToEr9ehhB4xosN321D1XOTjc2tQ66yu3K2Up/PMcS5zoKBY7hMIaPeGW/lH +FNVdkAbiLAghlUVuP8ZoaWu9zeKfItrYhldj2+Ax0ccHe16TE9zOyeQurRdEvx/9 +IPiOOtRpl19dJxi3CB2nlM5HkaMJt7LXR1YzHvEGd8N4kHLtVFvrOqYvpVlwbrp6 +S+1IlW9p9kZ07DVka02B3egctDwBXM8dEVFWTtYfAoIBAFOhB3IZlUgKcimj9ma5 +WyJsw37j13mpD3+ZtSjd7zY9JY1HVejHsfqGJfOykwSQTfdHCjcPoLqUu5gXpcrE +1x/d3LkEXcnvowvgXfH6PAHPNR6YpL1zdwmWHYkLUvMBHF69HaX2NtjrutYy+D5d +uLoPrUZlq8Da92CoJSEM9zZuwnTyR2zrsE47iaVJ8z/S7NFd2zs4ADtWJVNBxiBT +vu9hZ9kaA6Nn7Cm6YZ/kd9Ag6Zs6bNAO4n2LQ05n+uvWA1YmfhAnYB3I4H/gMtl7 +gfT6oX9PnOD/AqKrPFc29saG6jO8K+kD8drrCvhh2wGKOnUBdd5h7spq8cs233vl +b2ECggEAKL5rjbcUhRtJjobcIqnk1FeN43cXmFnlIICsY3ouskzGgDx5z4f8e9Oo +1fzoV4PVBf7uVPjgyiQy4Zio3qOcodvUi1xdv0mQEJzwyKpd12842pqVh3IvcVwf +V64Yr5m5CylDAfIsabT4uP9Cmh7TC87YD3Fiu2OPUTTIWfLY16iJfV8lvLyBxFNE +8VAqgnf3EH9VBNFWVUSaPcLO2BoduC1v74utK+T9+bqdLujBP5ZfQ1anfvYMlQVE +1e5twdnYJTHHWhlT6EtnaHmLJ0SuTFJfZNxxdAeRWyyqnS0vZvWvIonafnVi6g5X +m3FiOonz1SF53erfm5chlHxpQbUIhA== +-----END PRIVATE KEY----- diff --git a/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor.conf b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor.conf new file mode 100644 index 0000000000..547810b081 --- /dev/null +++ b/kubernetes/cds/charts/cds-py-executor/resources/certs/py-executor.conf 
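Review bot: This hunk commits an unencrypted RSA private key to the chart (and, for ONAP OOM, to a public repository), and the values.yaml change in the same patch makes it the default secret, so every install that does not set `certSecret` shares one server key that anyone can fetch from git and use to impersonate the py-executor endpoint; the matching `py-executor-chain.pem` appears to be a single self-signed certificate with a ten-year validity, so there is no CA, revocation or expiry path around it either. The key should not ship in the chart at all: generate the pair at install time (an init container or Job that writes the secret, or the project's certInitializer/cert-service flow) and keep only the generation config in git. If a bundled key is kept for lab use, values.yaml and the chart README must state that it is public demo material and that `certSecret` is required for anything else. If this key has ever been used outside throwaway labs, treat it as compromised and rotate it.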
@@ -0,0 +1,46 @@ +[req] +default_bits = 4096 +default_keyfile = py-executor-key.pem +distinguished_name = subject +req_extensions = extensions +x509_extensions = extensions +string_mask = utf8only + +[ subject ] +countryName = Country Name (2 letter code) +countryName_default = US + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = New Jersey + +localityName = Locality Name (eg, city) +localityName_default = Middletown + +organizationName = Organization Name (eg, company) +organizationName_default = ONAP Community + +commonName = Common Name (e.g. server FQDN or YOUR name) +commonName_default = CCSDK + +emailAddress = Email Address +emailAddress_default = bs2796@att.com + +[ extensions ] + +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = serverAuth +subjectAltName = @alt_names +nsComment = "OpenSSL Generated Certificate" + +[alt_names] +DNS.1 = *cds-controller-* +DNS.2 = *cds-py-executor-* +DNS.3 = *py-executor +DNS.4 = *py-executor-* +DNS.5 = *-pyexec-* +DNS.6 = localhost +IP.1 = 127.0.0.1 diff --git a/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml b/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml index f9c3377dd8..4210a0311a 100755 --- a/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml +++ b/kubernetes/cds/charts/cds-py-executor/templates/deployment.yaml 
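Review bot: The `[alt_names]` entries `*cds-controller-*`, `*cds-py-executor-*`, `*py-executor`, `*py-executor-*` and `*-pyexec-*` are not valid DNS-ID wildcards: RFC 6125 and the matchers in common TLS stacks (OpenSSL's X509_check_host, Go, gRPC's own check) only honour `*` as the complete leftmost label of a multi-label name, so in practice these strings are compared literally, never match a real pod or service hostname, and push clients toward disabling hostname verification. Replace them with the concrete names the blueprints-processor dials, e.g. `DNS.1 = cds-py-executor`, `DNS.2 = cds-py-executor.onap`, `DNS.3 = cds-py-executor.onap.svc.cluster.local`, adjusting to the chart's actual service name and namespace, which are not visible here. `localhost` and `IP.1 = 127.0.0.1` can stay for in-pod use. The committed `py-executor-chain.pem` already embeds these same SANs, so the certificate has to be regenerated once the config is fixed.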
@@ -66,15 +66,14 @@ spec: readOnly: true - mountPath: {{ .Values.persistence.deployedBlueprint }} name: {{ include "common.fullname" . }}-blueprints - resources: -{{ include "common.resources" . | nindent 12 }} + - mountPath: /opt/app/onap/python/certs/py-executor/ + name: certificates + resources: {{ include "common.resources" . | nindent 12 }} {{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | nindent 10 }} + nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }} {{- end -}} {{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | nindent 10 }} + affinity: {{ toYaml .Values.affinity | nindent 10 }} {{- end }} volumes: - name: localtime @@ -86,5 +85,8 @@ spec: - name: {{ include "common.fullname" . }}-blueprints persistentVolumeClaim: claimName: {{ include "common.release" . }}-cds-blueprints + - name: certificates + secret: + secretName: {{ include "common.secret.getSecretNameFast" (dict "global" . "uid" "cds-py-onap-certs") }} imagePullSecrets: - name: "{{ include "common.namespace" . }}-docker-registry-key" diff --git a/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml b/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml index c36607b172..c13b7d814b 100644 --- a/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml +++ b/kubernetes/cds/charts/cds-py-executor/templates/secret.yaml @@ -12,4 +12,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -{{ include "common.secretFast" . }} \ No newline at end of file +{{ include "common.secretFast" . }} diff --git a/kubernetes/cds/charts/cds-py-executor/values.yaml b/kubernetes/cds/charts/cds-py-executor/values.yaml index bbae1b9e5a..2b3ffa3971 100755 --- a/kubernetes/cds/charts/cds-py-executor/values.yaml +++ b/kubernetes/cds/charts/cds-py-executor/values.yaml 
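Review bot: The new `certificates` mount at `/opt/app/onap/python/certs/py-executor/` carries the server's private key but is mounted writable, while the mount immediately above it in this hunk is `readOnly: true`; add `readOnly: true` under `name: certificates` so a compromised process cannot swap the key or certificate in place. Nothing in the hunk suggests the executor writes to that directory, so the read-only mount should have no functional cost. The container spec this mount belongs to starts before the hunk.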
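Review bot: The `certificates` secret volume is added with Kubernetes' default file mode (0644), so `py-executor-key.pem` is readable by every UID inside the container rather than only the one the executor runs as; set `defaultMode: 0440` under `secret:` (relying on the pod's fsGroup) or `0400` if the process runs as the file owner, after confirming the runtime UID and securityContext, which are outside this hunk. Per the values.yaml hunk the same secret also carries `py-executor.conf`, the OpenSSL request config, which is not runtime material; limiting the secret to the key and certificate keeps unneeded files off the pod's filesystem. The `volumes:` list this entry joins begins before the hunk.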
@@ -79,6 +79,14 @@ secrets: login: '{{ .Values.config.apiUsername }}' password: '{{ .Values.config.apiPassword }}' passwordPolicy: required + - uid: "cds-py-onap-certs" + name: '{{ include "common.release" . }}-cds-py-certs' + externalSecret: '{{ tpl (default "" .Values.certSecret) . }}' + type: generic + filePaths: + - resources/certs/py-executor.conf + - resources/certs/py-executor-chain.pem + - resources/certs/py-executor-key.pem config: # the api credentials below are used to authenticate communication with blueprint -- 2.16.6
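Review bot: The new `cds-py-onap-certs` entry makes the private key committed under `resources/certs` the default for every install, with `certSecret` as the only opt-out, and nothing in the hunk says so; add a comment above the entry such as `# The bundled key/cert in resources/certs are public demo material shared by every deployment; set certSecret to an operator-provisioned secret for any non-lab install.` `certSecret` itself is not declared in this hunk — if it is not defined elsewhere in values.yaml, add `certSecret: ""` next to that comment so the override is discoverable. `resources/certs/py-executor.conf` is the OpenSSL request config rather than secret material and can be dropped from `filePaths` unless the executor actually reads it at runtime, which nothing here indicates.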