[PLATFORM] Generate Cert-Service certs with Cert-Manager

Utilize Cert-Manager to secure communication between
Cert-Service and its clients, adjust templates and
configs.

Issue-ID: OOM-2712
Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
Change-Id: I96426b1a184b4d254575e76d29214d9deda08cce
Signed-off-by: Remigiusz Janeczek <remigiusz.janeczek@nokia.com>
diff --git a/kubernetes/platform/components/oom-cert-service/Makefile b/kubernetes/platform/components/oom-cert-service/Makefile
deleted file mode 100644
index ea0cb8a..0000000
--- a/kubernetes/platform/components/oom-cert-service/Makefile
+++ /dev/null
@@ -1,183 +0,0 @@
-CERTS_DIR = resources
-CURRENT_DIR := ${CURDIR}
-DOCKER_CONTAINER = generate-certs
-DOCKER_EXEC = docker exec ${DOCKER_CONTAINER}
-
-all: start_docker \
-     clear_all \
-     root_generate_keys \
-     root_create_certificate \
-     root_self_sign_certificate \
-     client_generate_keys \
-     client_generate_csr \
-     client_sign_certificate_by_root \
-     client_import_root_certificate \
-     client_convert_certificate_to_jks \
-     server_generate_keys \
-     server_generate_csr \
-     server_sign_certificate_by_root \
-     server_import_root_certificate \
-     server_convert_certificate_to_jks \
-     server_convert_certificate_to_p12 \
-     convert_truststore_to_p12 \
-     convert_truststore_to_pem \
-     server_export_certificate_to_pem \
-     server_export_key_to_pem \
-     clear_unused_files \
-     stop_docker
-
-.PHONY: all
-
-# Starts docker container for generating certificates - deletes first, if already running
-start_docker:
-	@make stop_docker
-	$(eval REPOSITORY := $(shell cat ./values.yaml | grep -i "^[ \t]*repository" -m1 | xargs | cut -d ' ' -f2))
-	$(eval JAVA_IMAGE := $(shell cat ./values.yaml | grep -i "^[ \t]*certificateGenerationImage" -m1 | xargs | cut -d ' ' -f2))
-	$(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE))
-	$(eval USERNAME :=$(shell id -u))
-	$(eval GROUP :=$(shell id -g))
-	docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/certs -w /certs --entrypoint "sh" -td $(FULL_JAVA_IMAGE)
-
-# Stops docker container for generating  certificates. 'true' is used to return 0 status code, if container is already deleted
-stop_docker:
-	docker rm ${DOCKER_CONTAINER} -f 1>/dev/null || true
-
-#Clear all files related to certificates
-clear_all:
-	@make clear_existing_certificates
-	@make clear_unused_files
-
-#Clear certificates
-clear_existing_certificates:
-	@echo "Clear certificates"
-	${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 truststore.pem certServiceServer-cert.pem certServiceServer-key.pem
-	@echo "#####done#####"
-
-#Generate root private and public keys
-root_generate_keys:
-	@echo "Generate root private and public keys"
-	${DOCKER_EXEC} keytool -genkeypair -v -alias root -keyalg RSA -keysize 4096 -validity 3650 -keystore root-keystore.jks \
-    -dname "CN=root.com, OU=Root Org, O=Root Company, L=Wroclaw, ST=Dolny Slask, C=PL" -keypass secret \
-    -storepass secret -ext BasicConstraints:critical="ca:true"
-	@echo "#####done#####"
-
-#Export public key as certificate
-root_create_certificate:
-	@echo "(Export public key as certificate)"
-	${DOCKER_EXEC} keytool -exportcert -alias root -keystore root-keystore.jks -storepass secret -file root.crt -rfc
-	@echo "#####done#####"
-
-#Self-signed root (import root certificate into truststore)
-root_self_sign_certificate:
-	@echo "(Self-signed root (import root certificate into truststore))"
-	${DOCKER_EXEC} keytool -importcert -alias root -keystore truststore.jks -file root.crt -storepass secret -noprompt
-	@echo "#####done#####"
-
-#Generate certService's client private and public keys
-client_generate_keys:
-	@echo "Generate certService's client private and public keys"
-	${DOCKER_EXEC} keytool -genkeypair -v -alias certServiceClient -keyalg RSA -keysize 2048 -validity 365 \
-    -keystore certServiceClient-keystore.jks -storetype JKS \
-    -dname "CN=certServiceClient.com,OU=certServiceClient company,O=certServiceClient org,L=Wroclaw,ST=Dolny Slask,C=PL" \
-    -keypass secret -storepass secret
-	@echo "####done####"
-
-#Generate certificate signing request for certService's client
-client_generate_csr:
-	@echo "Generate certificate signing request for certService's client"
-	${DOCKER_EXEC} keytool -certreq -keystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -file certServiceClient.csr
-	@echo "####done####"
-
-#Sign certService's client certificate by root CA
-client_sign_certificate_by_root:
-	@echo "Sign certService's client certificate by root CA"
-	${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceClient.csr \
-    -outfile certServiceClientByRoot.crt -rfc -ext bc=0  -ext ExtendedkeyUsage="serverAuth,clientAuth"
-	@echo "####done####"
-
-#Import root certificate into client
-client_import_root_certificate:
-	@echo "Import root certificate into intermediate"
-	${DOCKER_EXEC} sh -c "cat root.crt >> certServiceClientByRoot.crt"
-	@echo "####done####"
-
-#Import signed certificate into certService's client
-client_convert_certificate_to_jks:
-	@echo "Import signed certificate into certService's client"
-	${DOCKER_EXEC} keytool -importcert -file certServiceClientByRoot.crt -destkeystore certServiceClient-keystore.jks -alias certServiceClient -storepass secret -noprompt
-	@echo "####done####"
-
-#Generate certService private and public keys
-server_generate_keys:
-	@echo "Generate certService private and public keys"
-	${DOCKER_EXEC} keytool -genkeypair -v -alias oom-cert-service -keyalg RSA -keysize 2048 -validity 365 \
-    -keystore certServiceServer-keystore.jks -storetype JKS \
-    -dname "CN=oom-cert-service,OU=certServiceServer company,O=certServiceServer org,L=Wroclaw,ST=Dolny Slask,C=PL" \
-    -keypass secret -storepass secret -ext BasicConstraints:critical="ca:false"
-	@echo "####done####"
-
-#Generate certificate signing request for certService
-server_generate_csr:
-	@echo "Generate certificate signing request for certService"
-	${DOCKER_EXEC} keytool -certreq -keystore certServiceServer-keystore.jks -alias oom-cert-service -storepass secret -file certServiceServer.csr
-	@echo "####done####"
-
-#Sign certService certificate by root CA
-server_sign_certificate_by_root:
-	@echo "Sign certService certificate by root CA"
-	${DOCKER_EXEC} keytool -gencert -v -keystore root-keystore.jks -storepass secret -alias root -infile certServiceServer.csr \
-    -outfile certServiceServerByRoot.crt -rfc -ext bc=0  -ext ExtendedkeyUsage="serverAuth,clientAuth" \
-    -ext SubjectAlternativeName:="DNS:oom-cert-service,DNS:localhost"
-	@echo "####done####"
-
-#Import root certificate into server
-server_import_root_certificate:
-	@echo "Import root certificate into intermediate(server)"
-	${DOCKER_EXEC} sh -c "cat root.crt >> certServiceServerByRoot.crt"
-	@echo "####done####"
-
-#Import signed certificate into certService
-server_convert_certificate_to_jks:
-	@echo "Import signed certificate into certService"
-	${DOCKER_EXEC} keytool -importcert -file certServiceServerByRoot.crt -destkeystore certServiceServer-keystore.jks -alias oom-cert-service \
-    -storepass secret -noprompt
-	@echo "####done####"
-
-#Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)
-server_convert_certificate_to_p12:
-	@echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
-	${DOCKER_EXEC} keytool -importkeystore -srckeystore certServiceServer-keystore.jks -srcstorepass secret \
-        -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
-	@echo "#####done#####"
-
-#Convert truststore(.jks) to PCKS12 format(.p12)
-convert_truststore_to_p12:
-	@echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
-	${DOCKER_EXEC} keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \
-        -destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret
-	@echo "#####done#####"
-
-#Convert truststore(.p12) to PEM format(.pem)
-convert_truststore_to_pem:
-	@echo "Convert certServiceServer-keystore(.p12) to PEM format(.pem)"
-	${DOCKER_EXEC} openssl pkcs12 -nodes -in truststore.p12 -out truststore.pem -passin pass:secret
-	@echo "#####done#####"
-
-#Export certificates from certServiceServer-keystore(.p12) to PEM format(.pem)
-server_export_certificate_to_pem:
-	@echo "Export certificates from certServiceClient-keystore(.p12) to PEM format(.pem)"
-	${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nokeys -out certServiceServer-cert.pem
-	@echo "#####done#####"
-
-#Export keys from certServiceServer-keystore(.p12) to PEM format(.pem)
-server_export_key_to_pem:
-	@echo "Export keys from certServiceClient-keystore(.p12) to PEM format(.pem)"
-	${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out certServiceServer-key.pem
-	@echo "#####done#####"
-
-
-#Clear unused certificates
-clear_unused_files:
-	@echo "Clear unused certificates"
-	${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt  certServiceServer.csr truststore.p12
-	@echo "#####done#####"
diff --git a/kubernetes/platform/components/oom-cert-service/requirements.yaml b/kubernetes/platform/components/oom-cert-service/requirements.yaml
index e89dc58..6177278 100644
--- a/kubernetes/platform/components/oom-cert-service/requirements.yaml
+++ b/kubernetes/platform/components/oom-cert-service/requirements.yaml
@@ -19,3 +19,9 @@
   - name: repositoryGenerator
     version: ~8.x-0
     repository: '@local'
+  - name: certManagerCertificate
+    version: ~8.x-0
+    repository: '@local'
+  - name: cmpv2Config
+    version: ~8.x-0
+    repository: '@local'
\ No newline at end of file
diff --git a/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
new file mode 100644
index 0000000..fd31770
--- /dev/null
+++ b/kubernetes/platform/components/oom-cert-service/templates/certificate.yaml
@@ -0,0 +1,17 @@
+{{/*
+# Copyright © 2020-2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{ include "certManagerCertificate.certificate" . }}
diff --git a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml
index c4d7440..9a6abd4 100644
--- a/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml
+++ b/kubernetes/platform/components/oom-cert-service/templates/deployment.yaml
@@ -93,9 +93,9 @@
             - name: ROOT_CERT
               value: "{{ .Values.tls.server.volume.mountPath }}/{{ .Values.envs.truststore.crtName }}"
             - name: KEYSTORE_PASSWORD
-              {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "keystore-password" "key" "password") | indent 14 }}
+              {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }}
             - name: TRUSTSTORE_PASSWORD
-              {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "truststore-password" "key" "password") | indent 14 }}
+              {{- include "common.secret.envFromSecretFast" (dict "global" . "uid" "certificates-password" "key" "password") | indent 14 }}
           livenessProbe:
             exec:
               command:
diff --git a/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml
new file mode 100644
index 0000000..9047ab7
--- /dev/null
+++ b/kubernetes/platform/components/oom-cert-service/templates/issuer.yaml
@@ -0,0 +1,32 @@
+{{/*
+  # Copyright © 2021, Nokia
+  #
+  # Licensed under the Apache License, Version 2.0 (the "License");
+  # you may not use this file except in compliance with the License.
+  # You may obtain a copy of the License at
+  #
+  #       http://www.apache.org/licenses/LICENSE-2.0
+  #
+  # Unless required by applicable law or agreed to in writing, software
+  # distributed under the License is distributed on an "AS IS" BASIS,
+  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  # See the License for the specific language governing permissions and
+  # limitations under the License.
+*/}}
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Values.tls.issuer.selfsigning.name }}
+  namespace: {{ include "common.namespace" . }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Values.tls.issuer.ca.name }}
+  namespace: {{ include "common.namespace" . }}
+spec:
+  ca:
+    secretName: {{ .Values.tls.issuer.ca.secret.name }}
\ No newline at end of file
diff --git a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
index 2d47e6f..5401801 100644
--- a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
+++ b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
@@ -28,42 +28,5 @@
   {{ (.Files.Glob "resources/default/cmpServers.json").AsSecrets }}
 {{ end }}
 ---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.global.certService.certServiceClient.secret.name | default .Values.tls.client.secret.defaultName }}
-type: Opaque
-data:
-  certServiceClient-keystore.jks:
-  {{ (.Files.Glob "resources/certServiceClient-keystore.jks").AsSecrets }}
-  truststore.jks:
-  {{ (.Files.Glob "resources/truststore.jks").AsSecrets }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.tls.server.secret.name }}
-type: Opaque
-data:
-  certServiceServer-keystore.jks:
-  {{ (.Files.Glob "resources/certServiceServer-keystore.jks").AsSecrets }}
-  certServiceServer-keystore.p12:
-  {{ (.Files.Glob "resources/certServiceServer-keystore.p12").AsSecrets }}
-  truststore.jks:
-  {{ (.Files.Glob "resources/truststore.jks").AsSecrets }}
-  root.crt:
-  {{ (.Files.Glob "resources/root.crt").AsSecrets }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Values.tls.provider.secret.name }}
-type: Opaque
-data:
-  certServiceServer-key.pem:
-  {{ (.Files.Glob "resources/certServiceServer-key.pem").AsSecrets }}
-  certServiceServer-cert.pem:
-  {{ (.Files.Glob "resources/certServiceServer-cert.pem").AsSecrets }}
-  truststore.pem:
-  {{ (.Files.Glob "resources/truststore.pem").AsSecrets }}
+
 {{ end -}}
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index 537b025..829d3a0 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml
@@ -79,38 +79,40 @@
     mountPath: /etc/onap/oom/certservice
 
 tls:
+  issuer:
+    selfsigning:
+      name: &selfSigningIssuer cmpv2-selfsigning-issuer
+    ca:
+      name: &caIssuer cmpv2-ca-issuer
+      secret:
+        name: &caKeyPairSecret  cmpv2-ca-key-pair
   server:
     secret:
-      name: oom-cert-service-server-tls-secret
+      name: &serverSecret oom-cert-service-server-tls-secret
     volume:
       name: oom-cert-service-server-tls-volume
       mountPath: /etc/onap/oom/certservice/certs/
   client:
     secret:
       defaultName: oom-cert-service-client-tls-secret
-  provider:
-    secret:
-      name: cmpv2-issuer-secret
 
 envs:
   keystore:
-    jksName: certServiceServer-keystore.jks
-    p12Name: certServiceServer-keystore.p12
-    pemName: certServiceServer-keystore.pem
+    jksName: keystore.jks
+    p12Name: keystore.p12
+    pemName: tls.crt
   truststore:
     jksName: truststore.jks
-    crtName: root.crt
-    pemName: truststore.pem
+    crtName: ca.crt
+    pemName: tls.crt
   httpsPort: 8443
 
 # External secrets with credentials can be provided to override default credentials defined below,
 # by uncommenting and filling appropriate *ExternalSecret value
 credentials:
   tls:
-    keystorePassword: secret
-    truststorePassword: secret
-    #keystorePasswordExternalSecret:
-    #truststorePasswordExternalSecret:
+    certificatesPassword: secret
+    #certificatesPasswordExternalSecret:
   # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled
   cmp:
     # Used only if cmpv2 testing is enabled
@@ -126,17 +128,11 @@
       # rv: unused
 
 secrets:
-  - uid: keystore-password
-    name: '{{ include "common.release" . }}-keystore-password'
+  - uid: certificates-password
+    name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}'
     type: password
-    externalSecret: '{{ tpl (default "" .Values.credentials.tls.keystorePasswordExternalSecret) . }}'
-    password: '{{ .Values.credentials.tls.keystorePassword }}'
-    passwordPolicy: required
-  - uid: truststore-password
-    name: '{{ include "common.release" . }}-truststore-password'
-    type: password
-    externalSecret: '{{ tpl (default "" .Values.credentials.tls.truststorePasswordExternalSecret) . }}'
-    password: '{{ .Values.credentials.tls.truststorePassword }}'
+    externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}'
+    password: '{{ .Values.credentials.tls.certificatesPassword }}'
     passwordPolicy: required
   # Below values are relevant only if global addTestingComponents flag is enabled
   - uid: ejbca-server-client-iak
@@ -155,3 +151,65 @@
     type: password
     externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}'
     password: '{{ .Values.credentials.cmp.ra.rv }}'
+
+# Certificates definitions
+certificates:
+  - name: selfsigned-cert
+    secretName: *caKeyPairSecret
+    isCA: true
+    commonName: root.com
+    subject:
+      organization: Root Company
+      country: PL
+      locality: Wroclaw
+      province: Dolny Slask
+      organizationalUnit: Root Org
+    issuer:
+      name: *selfSigningIssuer
+      kind: Issuer
+  - name: cert-service-server-cert
+    secretName: *serverSecret
+    commonName: oom-cert-service
+    dnsNames:
+      - oom-cert-service
+      - localhost
+    subject:
+      organization: certServiceServer org
+      country: PL
+      locality: Wroclaw
+      province: Dolny Slask
+      organizationalUnit: certServiceServer company
+    usages:
+      - server auth
+      - client auth
+    keystore:
+      outputType:
+        - jks
+        - p12
+      passwordSecretRef:
+        name: *certificatesPasswordSecretName
+        key: password
+    issuer:
+      name: *caIssuer
+      kind: Issuer
+  - name: cert-service-client-cert
+    secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}'
+    commonName: certServiceClient.com
+    subject:
+      organization: certServiceClient org
+      country: PL
+      locality: Wroclaw
+      province: Dolny Slask
+      organizationalUnit: certServiceClient company
+    usages:
+      - server auth
+      - client auth
+    keystore:
+      outputType:
+        - jks
+      passwordSecretRef:
+        name: *certificatesPasswordSecretName
+        key: password
+    issuer:
+      name: *caIssuer
+      kind: Issuer