#!/bin/bash
# ================================================================================
# Copyright (c) 2019 AT&T Intellectual Property. All rights reserved.
# ================================================================================
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# ============LICENSE_END=========================================================
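# Container entry helper: fetch this DCAE component's certificates from AAF,
# lay them out where DCAE applications expect them, and break the PKCS#12
# bundle out into PEM cert/key files. Runs as a flat script; any failure aborts.
set -e
# Command tracing goes to stderr (i.e. container logs). Tracing prints the
# expanded argv of every command, so secrets must never appear on a command
# line: the one secret assigned below is done with tracing switched off, and
# the keystore passwords flow through stdout pipes into files, not argv.
set -x

# Set sensible DCAE defaults for environment variables needed by AAF.
# Each can be overridden by setting the variable on the container.
export APP_FQI="${APP_FQI:-dcae@dcae.onap.org}"
export aaf_locate_url="${aaf_locate_url:-https://aaf-locate.onap:8095}"
export aaf_locator_container="${aaf_locator_container:-oom}"
export aaf_locator_container_ns="${aaf_locator_container_ns:-onap}"
export aaf_locator_app_ns="${aaf_locator_app_ns:-org.osaaf.aaf}"
export DEPLOY_FQI="${DEPLOY_FQI:-deployer@people.osaaf.org}"
# Deployer credential. Assigned with tracing off so `set -x` does not echo the
# password into the container log. The built-in value is a demo default only;
# real deployments must supply DEPLOY_PASSWORD from the environment/secret.
set +x
export DEPLOY_PASSWORD="${DEPLOY_PASSWORD:-demo123456!}"
set -x
export cadi_longitude="${cadi_longitude:-"-72.0"}"
export cadi_latitude="${cadi_latitude:-38.0}"

# For now, we can default aaf_locator_fqdn.
# This points to the single DCAE cert with many SANs, as used in previous
# releases. When we have individual certs per component, we will override
# this by setting the environment variable explicitly in a Helm chart or via
# the k8s plugin.
export aaf_locator_fqdn="${aaf_locator_fqdn:-dcae}"

# Directory where the AAF agent puts artifacts
readonly ARTIFACTS=/opt/app/osaaf/local
# Directory where DCAE apps expect artifacts
readonly TARGET=/opt/app/osaaf
# AAF namespace for the certs -- used in naming artifacts
readonly AAFNS=org.onap.dcae

#######################################
# Extract one password from `aafcli showpass` output into a file.
# Arguments: $1 - grep pattern selecting the property line
#                 (e.g. cadi_keystore_password_p12)
#            $2 - output file receiving the value after the first '='
# The secret travels stdout -> pipe -> file and never appears in argv, so it
# is safe under `set -x`. Warns (does not abort) when nothing matched, since
# an empty password file surfaces later as an openssl/keytool failure.
#######################################
extract_pass() {
  local pattern="$1"
  local outfile="$2"
  /opt/app/aaf_config/bin/agent.sh aafcli showpass "${APP_FQI}" "${aaf_locator_fqdn}" \
    | grep -- "${pattern}" | cut -d '=' -f 2- > "${outfile}"
  if [ ! -s "${outfile}" ]; then
    printf 'WARNING: no %s found in showpass output; %s is empty\n' "${pattern}" "${outfile}" >&2
  fi
}

# Clean out any existing artifacts. ':?' aborts rather than expanding to
# 'rm -rf /' should a path variable ever be empty.
rm -rf -- "${ARTIFACTS:?}"
rm -f -- "${TARGET:?}"/*

# Get the certificate artifacts from AAF
/opt/app/aaf_config/bin/agent.sh

# Extract the p12 and JKS passwords
extract_pass cadi_keystore_password_p12 /opt/app/osaaf/p12.pass
extract_pass cadi_keystore_password_jks= /opt/app/osaaf/jks.pass
# AAF provides a truststore password, but it appears that the truststore is
# not password-protected (the keytool export below uses an empty password).
extract_pass cadi_truststore_password= /opt/app/osaaf/trust.pass

# Copy the p12 and JKS artifacts to the target directory and rename them
# according to DCAE conventions
cp -- "${ARTIFACTS}/${AAFNS}.p12" "${TARGET}/cert.p12"
cp -- "${ARTIFACTS}/${AAFNS}.jks" "${TARGET}/cert.jks"
cp -- "${ARTIFACTS}/${AAFNS}.trust.jks" "${TARGET}/trust.jks"

# Break out the cert and key (unencrypted) from the p12. The password is read
# from a file (-passin file:) so it is not visible in the traced command line.
openssl pkcs12 -in "${TARGET}/cert.p12" -passin "file:${TARGET}/p12.pass" -nodes -nokeys -out "${TARGET}/cert.pem"
openssl pkcs12 -in "${TARGET}/cert.p12" -passin "file:${TARGET}/p12.pass" -nodes -nocerts -out "${TARGET}/key.pem"
# NOTE(review): key.pem holds the unencrypted private key and is made
# world-readable here, presumably because the DCAE apps run as a different
# UID than this script. Tighten to 640 with a shared group once the
# consuming UID is known. The *.pass files are left at the default umask
# for the same reason -- confirm against the app containers.
chmod 644 "${TARGET}/cert.pem" "${TARGET}/key.pem"

# Get the ONAP AAF CA certificate -- pass in an empty password, since the
# trust store doesn't have one
echo "" | keytool -exportcert -rfc -file "${TARGET}/cacert.pem" -keystore "${ARTIFACTS}/${AAFNS}.trust.jks" -alias ca_local_0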