.. http://creativecommons.org/licenses/by/4.0
.. Copyright 2020 NOKIA
-K8s external provider
+CMPv2 certificate provider
==============================
General information
------------------------------
-Cert Service K8s external provider is a part of certificate distribution infrastructure in ONAP.
+CMPv2 certificate provider is a part of certificate distribution infrastructure in ONAP.
The main functionality of the provider is to forward Certificate Signing Requests (CSRs) created by cert-mananger (https://cert-manager.io) to CertServiceAPI.
Additional information can be found on a dedicated page: https://wiki.onap.org/display/DW/CertService+and+K8s+Cert-Manager+integration.
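Review bot: The unchanged sentence directly under the renamed introduction still spells the project name as "cert-mananger"; since this patch already rewrites the paragraph, correct it to "cert-manager" in the same change. The new title says "CMPv2 certificate provider" while the lines added further down say "CMPv2 provider"; pick one name and use it consistently so readers do not assume two different components.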
CMPv2 Issuer
------------------------------
-In order to be able to request a certificate via K8s external provider a *CMPv2Issuer* CRD (Customer Resource Definition) instance has to be created.
+In order to be able to request a certificate via CMPv2 provider a *CMPv2Issuer* CRD (Customer Resource Definition) instance has to be created.
It is important to note that the attribute *kind* has to be set to **CMPv2Issuer**, all other attributes can be set as needed.
-NOTE: a default instance of CMPv2Issuer is created when installing ONAP via OOM deployment (values can also be adjusted as needed)
+**NOTE: a default instance of CMPv2Issuer is created when installing ONAP via OOM deployment.**
-Here is an example of a *CMPv2Issuer*:
+Here is a definition of a *CMPv2Issuer* provided with ONAP installation:
.. code-block:: yaml
apiVersion: certmanager.onap.org/v1
kind: CMPv2Issuer
metadata:
- name: cmpv2-issuer
+ name: cmpv2-issuer-onap
namespace: onap
spec:
url: https://oom-cert-service:8443
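Review bot: The added sentence about creating a *CMPv2Issuer* still expands CRD as "Customer Resource Definition", while the Certificate paragraph below uses "Custom Resource Definition"; change it to "Custom" here. The rewritten NOTE also drops "(values can also be adjusted as needed)" although the preceding sentence still says all other attributes can be set as needed, and the example is now described as the definition shipped with the ONAP installation; state explicitly whether the OOM-provided cmpv2-issuer-onap instance is meant to be used as is or may be changed. A `.. note::` directive would be the more conventional RST form than a bold paragraph.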
In order to request a certificate a K8s *Certificate* CRD (Custom Resource Definition) has to be created.
-It is important that in the section issuerRef following attributes have correct values:
- - group: **certmanager.onap.org**
- - kind: **CMPv2Issuer**
+It is important that in the section issuerRef following attributes have those values:
-After *Certificate* CRD has been placed cert manager will send a *CSR* (Certificate Sign Request) to CA (Certificate Authority) via K8s external provider.
+- group: certmanager.onap.org
+
+- kind: CMPv2Issuer
+
+After *Certificate* CRD has been placed cert manager will send a *CSR* (Certificate Sign Request) to CA (Certificate Authority) via CMPv2 provider.
Signed certificate as well as trust anchor (CA root certificate) will be stored in the K8s *secret* specified in *Certificate* CRD (see secretName attribute).
By default certificates will be stored in PEM format. It is possible to get certificates also in JKS and P12 format - see example below - more information can be found on official cert manager page.
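Review bot: The new issuerRef list names only group and kind, but this patch renames the issuer to cmpv2-issuer-onap and the example that follows sets name to that value; add name to the list, or state that it must match the metadata.name of the CMPv2Issuer, because a Certificate that still references cmpv2-issuer would no longer match the issuer shown above. On wording, "have those values" reads better as "have the following values", and "Certificate Sign Request" should match the "Certificate Signing Requests" used in the General information section.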
issuerRef:
group: certmanager.onap.org
kind: CMPv2Issuer
- name: cmpv2-issuer
+ name: cmpv2-issuer-onap
# Section keystores is optional and defines in which format certificates will be stored
# If this section is omitted than only PEM format will be present in the secret
keystores: