[CONTRIB] Introduce certificate update use case in CertService 1. Make changes in order to allow performing KUR/CR in EJBCA: - Add Certificate Update Admin role - Enable EndEntityAuthentication module - Create and set CA with constant UID - Add configuration for provider. 2. Update CertService, which provides with new certificate update endpoint. 3. Update release-notes. Issue-ID: OOM-2753 Issue-ID: OOM-2754 Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> Change-Id: I9cb0cb4d6d6939ad229a4ea254f2bc35d45a3d52 Signed-off-by: Joanna Jeremicz <joanna.jeremicz@nokia.com>

commit: 31dceea4851d67ec706185f9d6f5bd0bf427b2c3 [log] [tgz]
author: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> Tue Jun 29 16:15:49 2021 +0200
committer: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> Mon Sep 06 10:42:00 2021 +0200
tree: c66e3b75b83cb4ef6f5aff7d81bbcb0c02f0145b
parent: f94a5f639cb670fbc4d3902f80d3b5b6714b1ec6 [diff]
diff --git a/kubernetes/common/cmpv2Config/values.yaml b/kubernetes/common/cmpv2Config/values.yaml
index 02595b3..4b8438a 100644
--- a/kubernetes/common/cmpv2Config/values.yaml
+++ b/kubernetes/common/cmpv2Config/values.yaml

@@ -35,5 +35,5 @@
       truststorePasswordSecretName: oom-cert-service-truststore-password
       truststorePasswordSecretKey: password
     certPostProcessor:
-      image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
+      image: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0
 

diff --git a/kubernetes/contrib/components/ejbca/requirements.yaml b/kubernetes/contrib/components/ejbca/requirements.yaml
index 31db08a..8762d96 100644
--- a/kubernetes/contrib/components/ejbca/requirements.yaml
+++ b/kubernetes/contrib/components/ejbca/requirements.yaml

@@ -26,3 +26,6 @@
   - name: repositoryGenerator
     version: ~8.x-0
     repository: '@local'
+  - name: cmpv2Config
+    version: ~8.x-0
+    repository: '@local'

diff --git a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh
index ad10240..2c672e2 100755
--- a/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh
+++ b/kubernetes/contrib/components/ejbca/resources/ejbca-config.sh

@@ -8,16 +8,31 @@
 }
 
 configureEjbca() {
+    ejbca.sh ca init \
+      --caname ManagementCA \
+      --dn "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345" \
+      --tokenType soft \
+      --keyspec 3072 \
+      --keytype RSA \
+      -v 3652 \
+      --policy null \
+      -s SHA256WithRSA \
+      -type "x509"
     ejbca.sh config cmp addalias --alias cmpRA
     ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra
     ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value ${RA_IAK}
-    ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe
+    ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value signature
+    ejbca.sh config cmp updatealias --alias cmpRA --key authenticationmodule --value 'HMAC;EndEntityCertificate'
+    ejbca.sh config cmp updatealias --alias cmpRA --key authenticationparameters --value '-;ManagementCA'
+    ejbca.sh config cmp updatealias --alias cmpRA --key allowautomatickeyupdate --value true
     #Custom EJBCA cert profile and endentity are imported to allow issuing certificates with correct extended usage (containing serverAuth)
     ejbca.sh ca importprofiles -d /opt/primekey/custom_profiles
     #Profile name taken from certprofile filename (certprofile_<profile-name>-<id>.xml)
     ejbca.sh config cmp updatealias --alias cmpRA --key ra.certificateprofile --value CUSTOM_ENDUSER
     #ID taken from entityprofile filename (entityprofile_<profile-name>-<id>.xml)
     ejbca.sh config cmp updatealias --alias cmpRA --key ra.endentityprofileid --value 1356531849
+    caSubject=$(ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout | grep 'Subject' | sed -e "s/^Subject: //" | sed -n '1p')
+    ejbca.sh config cmp updatealias --alias cmpRA --key defaultca --value "$caSubject"
     ejbca.sh config cmp dumpalias --alias cmpRA
     ejbca.sh config cmp addalias --alias cmp
     ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true
@@ -27,6 +42,13 @@
     ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN
     ejbca.sh config cmp dumpalias --alias cmp
     ejbca.sh ca getcacert --caname ManagementCA -f /dev/stdout > cacert.pem
+    #Add "Certificate Update Admin" role to allow performing KUR/CR for certs within specific organization (e.g. Linux-Foundation)
+    ejbca.sh roles addrole "Certificate Update Admin"
+    ejbca.sh roles changerule "Certificate Update Admin" /ca/ManagementCA/ ACCEPT
+    ejbca.sh roles changerule "Certificate Update Admin" /ca_functionality/create_certificate/ ACCEPT
+    ejbca.sh roles changerule "Certificate Update Admin" /endentityprofilesrules/Custom_EndEntity/ ACCEPT
+    ejbca.sh roles changerule "Certificate Update Admin" /ra_functionality/edit_end_entity/ ACCEPT
+    ejbca.sh roles addrolemember "Certificate Update Admin" ManagementCA WITH_ORGANIZATION --value "{{ .Values.cmpv2Config.global.certificate.default.subject.organization }}"
 }
 
 

diff --git a/kubernetes/contrib/components/ejbca/templates/deployment.yaml b/kubernetes/contrib/components/ejbca/templates/deployment.yaml
index 46f7d35..fc163ee 100644
--- a/kubernetes/contrib/components/ejbca/templates/deployment.yaml
+++ b/kubernetes/contrib/components/ejbca/templates/deployment.yaml

@@ -61,6 +61,8 @@
         env:
         - name: INITIAL_ADMIN
           value: ";PublicAccessAuthenticationToken:TRANSPORT_ANY;"
+        - name: NO_CREATE_CA
+          value: "true"
         - name: DATABASE_JDBC_URL
           value: jdbc:mariadb://{{ include "common.mariadbService" . }}:{{ include "common.mariadbPort" . }}/{{ .Values.mysqlDatabase }}
         - name: DATABASE_USER

diff --git a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml
index 838e49e..670e6c1 100644
--- a/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-datafile-collector/values.yaml

@@ -34,7 +34,7 @@
 #################################################################
 tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1
-certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
+certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0
 
 #################################################################
 # Application Configuration Defaults.

diff --git a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml
index 9b943c4..7f17532 100644
--- a/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-hv-ves-collector/values.yaml

@@ -35,7 +35,7 @@
 #################################################################
 tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1
-certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
+certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0
 
 #################################################################
 # Application configuration defaults.

diff --git a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
index 34adba7..bfea92a 100644
--- a/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml
+++ b/kubernetes/dcaegen2-services/components/dcae-ves-collector/values.yaml

@@ -35,7 +35,7 @@
 #################################################################
 tlsImage: onap/org.onap.dcaegen2.deployments.tls-init-container:2.1.0
 consulLoaderImage: onap/org.onap.dcaegen2.deployments.consul-loader-container:1.1.1
-certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.3.3
+certPostProcessorImage: onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.4.0
 
 #################################################################
 # Application configuration defaults.

diff --git a/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml b/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml
index 0bc24af..e841835 100644
--- a/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml
+++ b/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml

@@ -56,7 +56,10 @@
                   description: Path of health check endpoint.
                   type: string
                 certEndpoint:
-                  description: Path of cerfificate signing enpoint.
+                  description: Path of cerfificate signing endpoint.
+                  type: string
+                updateEndpoint:
+                  description: Path of certificate update endpoint.
                   type: string
                 caName:
                   description: Name of the external CA server configured on CertService API side.

diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml
index ae4ae81..52e3537 100644
--- a/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml
+++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml

@@ -25,6 +25,7 @@
   url:  {{ .Values.cmpv2issuer.url }}
   healthEndpoint:  {{ .Values.cmpv2issuer.healthcheckEndpoint }}
   certEndpoint:  {{ .Values.cmpv2issuer.certEndpoint }}
+  updateEndpoint:  {{ .Values.cmpv2issuer.updateEndpoint }}
   caName:  {{ .Values.cmpv2issuer.caName }}
   certSecretRef:
     name:  {{ .Values.cmpv2issuer.certSecretRef.name }}

diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml
index 38bddfb..2237811 100644
--- a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml
+++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml

@@ -28,7 +28,7 @@
 # Deployment configuration
 deployment:
   name: oom-certservice-cmpv2issuer
-  image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.3.2
+  image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.4.0
   proxyImage: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
   # fol local development use IfNotPresent
   pullPolicy: Always
@@ -50,6 +50,7 @@
   url: https://oom-cert-service:8443
   healthcheckEndpoint: actuator/health
   certEndpoint: v1/certificate
+  updateEndpoint: v1/certificate-update
   caName: RA
   certSecretRef:
     name: oom-cert-service-client-tls-secret

diff --git a/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json b/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json
index 06e1087..5a967f0 100644
--- a/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json
+++ b/kubernetes/platform/components/oom-cert-service/resources/test/cmpServers.json

@@ -3,7 +3,7 @@
     {
       "caName": "CLIENT",
       "url": "http://ejbca:8080/ejbca/publicweb/cmp/cmp",
-      "issuerDN": "CN=ManagementCA",
+      "issuerDN": "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345",
       "caMode": "CLIENT",
       "authentication": {
         "iak": "${CLIENT_IAK}",
@@ -13,7 +13,7 @@
     {
       "caName": "RA",
       "url": "http://ejbca:8080/ejbca/publicweb/cmp/cmpRA",
-      "issuerDN": "CN=ManagementCA",
+      "issuerDN": "O=EJBCA Container Quickstart,CN=ManagementCA,UID=12345",
       "caMode": "RA",
       "authentication": {
         "iak": "${RA_IAK}",
@@ -21,4 +21,4 @@
       }
     }
   ]
-}
\ No newline at end of file
+}

diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index 2e14968..fbd545c 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml

@@ -34,7 +34,7 @@
 
 # Deployment configuration
 repository: "nexus3.onap.org:10001"
-image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.3.3
+image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.4.0
 pullPolicy: Always
 replicaCount: 1
commit	31dceea4851d67ec706185f9d6f5bd0bf427b2c3	[log] [tgz]
author	Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>	Tue Jun 29 16:15:49 2021 +0200
committer	Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>	Mon Sep 06 10:42:00 2021 +0200
tree	c66e3b75b83cb4ef6f5aff7d81bbcb0c02f0145b
parent	f94a5f639cb670fbc4d3902f80d3b5b6714b1ec6 [diff]