[COMMON] Add template for CertServiceClient

Create generic template to simplify CertServiceClient use

Issue-ID: OOM-2568
Signed-off-by: Remigiusz Janeczek <remigiusz.janeczek@nokia.com>
Change-Id: I4fb9829b27b1dd13a9e7a098f807710cc5648438
diff --git a/kubernetes/common/cmpv2Certificate/Chart.yaml b/kubernetes/common/cmpv2Certificate/Chart.yaml
new file mode 100644
index 0000000..e50de72
--- /dev/null
+++ b/kubernetes/common/cmpv2Certificate/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: Template used to add cmpv2 certificates to components
+name: cmpv2Certificate
+version: 7.0.0
diff --git a/kubernetes/common/cmpv2Certificate/requirements.yaml b/kubernetes/common/cmpv2Certificate/requirements.yaml
new file mode 100644
index 0000000..367d879
--- /dev/null
+++ b/kubernetes/common/cmpv2Certificate/requirements.yaml
@@ -0,0 +1,21 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+  - name: common
+    version: ~7.x-0
+    repository: 'file://../common'
+  - name: repositoryGenerator
+    version: ~7.x-0
+    repository: 'file://../repositoryGenerator'
diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
new file mode 100644
index 0000000..57e6c69
--- /dev/null
+++ b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
@@ -0,0 +1,174 @@
+{{/*
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{/*
+In order to use certServiceClient it is needed do define certificates array in target component values.yaml. Each
+certificate will be requested from separate init container
+
+Minimum example of array in target component values.yaml:
+certificates:
+  - mountPath:  /var/custom-certs
+    commonName: common-name
+
+Full example (other fields are ignored):
+certificates:
+  - mountPath:  /var/custom-certs
+    caName: RA
+    outputType: JKS
+    commonName: common-name
+    dnsNames:
+      - dns-name-1
+      - dns-name-2
+    ipAddresses:
+      - 192.168.0.1
+      - 192.168.0.2
+    emailAddresses:
+      - email-1@onap.org
+      - email-2@onap.org
+    uris:
+      - http://uri-1.onap.org
+      - http://uri-2.onap.org
+    subject:
+      organization: Linux-Foundation
+      country: US
+      locality: San Francisco
+      province: California
+      organizationalUnit: ONAP
+
+There also need to be some includes used in a target component deployment (indent values may need to be adjusted):
+  1. In initContainers section:
+    {{ include "common.certServiceClient.initContainer" . | indent 6 }}
+  2. In volumeMounts section of container using certificates:
+    {{ include "common.certServiceClient.volumeMounts" . | indent 10 }}
+  3. In volumes section:
+    {{ include "common.certServiceClient.volumes" . | indent 8 }}
+
+*/}}
+
+{{- define "common.certServiceClient.initContainer" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
+{{- range $index, $certificate := $dot.Values.certificates -}}
+{{/*# General certifiacate attributes  #*/}}
+{{- $commonName     := $certificate.commonName     -}}
+{{/*# SAN's #*/}}
+{{- $dnsNames       := default (list)    $certificate.dnsNames       -}}
+{{- $ipAddresses    := default (list)    $certificate.ipAddresses    -}}
+{{- $uris           := default (list)    $certificate.uris           -}}
+{{- $emailAddresses := default (list)    $certificate.emailAddresses   -}}
+{{- $sansList := concat $dnsNames $ipAddresses $uris $emailAddresses   -}}
+{{- $sans := join "," $sansList }}
+{{/*# Subject #*/}}
+{{- $organization   := $subchartGlobal.certificate.default.subject.organization        -}}
+{{- $country        := $subchartGlobal.certificate.default.subject.country             -}}
+{{- $locality       := $subchartGlobal.certificate.default.subject.locality            -}}
+{{- $province       := $subchartGlobal.certificate.default.subject.province            -}}
+{{- $orgUnit        := $subchartGlobal.certificate.default.subject.organizationalUnit  -}}
+{{- if $certificate.subject -}}
+{{- $organization   := $certificate.subject.organization -}}
+{{- $country        := $certificate.subject.country -}}
+{{- $locality       := $certificate.subject.locality -}}
+{{- $province       := $certificate.subject.province -}}
+{{- $orgUnit        := $certificate.subject.organizationalUnit -}}
+{{- end -}}
+{{- $caName := default $subchartGlobal.platform.certServiceClient.envVariables.caName $certificate.caName -}}
+{{- $outputType := default $subchartGlobal.platform.certServiceClient.envVariables.outputType  $certificate.outputType  -}}
+{{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}}
+{{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}}
+{{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}}
+{{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.secret.mountPath -}}
+{{- $keystorePath := $subchartGlobal.platform.certServiceClient.envVariables.keystorePath -}}
+{{- $keystorePassword := $subchartGlobal.platform.certServiceClient.envVariables.keystorePassword -}}
+{{- $truststorePath := $subchartGlobal.platform.certServiceClient.envVariables.truststorePath -}}
+{{- $truststorePassword := $subchartGlobal.platform.certServiceClient.envVariables.truststorePassword -}}
+- name: certs-init-{{ $index }}
+  image: {{ include "repositoryGenerator.image.certserviceclient" $dot }}
+  imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }}
+  env:
+    - name: REQUEST_URL
+      value: {{ $requestUrl | quote }}
+    - name: REQUEST_TIMEOUT
+      value: {{ $requestTimeout | quote }}
+    - name: OUTPUT_PATH
+      value: {{ $certPath | quote }}
+    - name: OUTPUT_TYPE
+      value: {{ $outputType | quote }}
+    - name: CA_NAME
+      value: {{ $caName | quote }}
+    - name: COMMON_NAME
+      value: {{ $commonName | quote }}
+    - name: SANS
+      value: {{ $sans | quote }}
+    - name: ORGANIZATION
+      value: {{ $organization | quote }}
+    - name: ORGANIZATION_UNIT
+      value: {{ $orgUnit | quote }}
+    - name: LOCATION
+      value: {{ $locality | quote }}
+    - name: STATE
+      value: {{ $province | quote }}
+    - name: COUNTRY
+      value: {{ $country | quote }}
+    - name: KEYSTORE_PATH
+      value: {{ $keystorePath | quote }}
+    - name: KEYSTORE_PASSWORD
+      value: {{ $keystorePassword | quote }}
+    - name: TRUSTSTORE_PATH
+      value: {{ $truststorePath | quote }}
+    - name: TRUSTSTORE_PASSWORD
+      value: {{ $truststorePassword | quote }}
+  terminationMessagePath: /dev/termination-log
+  terminationMessagePolicy: File
+  volumeMounts:
+    - mountPath: {{ $certPath }}
+      name: cmpv2-certs-volume-{{ $index }}
+    - mountPath: {{ $certificatesSecretMountPath }}
+      name: certservice-tls-volume
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "common.certServiceClient.volumes" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
+{{- $certificatesSecretName := $subchartGlobal.platform.certServiceClient.secret.name -}}
+- name: certservice-tls-volume
+  secret:
+    secretName: {{ $certificatesSecretName }}
+{{ range $index, $certificate := $dot.Values.certificates -}}
+- name: cmpv2-certs-volume-{{ $index }}
+  emptyDir:
+    medium: Memory
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "common.certServiceClient.volumeMounts" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
+{{- range $index, $certificate := $dot.Values.certificates -}}
+{{- $mountPath := $certificate.mountPath -}}
+- mountPath: {{ $mountPath }}
+  name: cmpv2-certs-volume-{{ $index }}
+{{ end -}}
+{{- end -}}
+{{- end -}}
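Review bot: The per-certificate subject override in `common.certServiceClient.initContainer` has no effect, because inside `{{- if $certificate.subject -}}` the five variables are re-declared with `:=`. That creates new variables scoped to the `if` block, so the ORGANIZATION, ORGANIZATION_UNIT, LOCATION, STATE and COUNTRY env entries always carry the global defaults. A component that sets `subject` in its `certificates` entry (as the "Full example" in the header comment does) would get a certificate request with a different subject than it configured, with no render error. Assign to the outer variables instead, e.g. `{{- $organization = $certificate.subject.organization -}}` and likewise for the other four; this needs a Helm/Go template version that supports `=` assignment. If partial `subject` maps are meant to be accepted, each field presumably also needs a fallback to the global default so that omitted fields do not render as empty strings.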
diff --git a/kubernetes/common/cmpv2Certificate/values.yaml b/kubernetes/common/cmpv2Certificate/values.yaml
new file mode 100644
index 0000000..b753143
--- /dev/null
+++ b/kubernetes/common/cmpv2Certificate/values.yaml
@@ -0,0 +1,48 @@
+# Copyright © 2021 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#################################################################
+# Global configuration default values that can be inherited by
+# all subcharts.
+#################################################################
+global:
+  # Enabling CMPv2
+  cmpv2Enabled: true
+  CMPv2CertManagerIntegration: false
+
+  certificate:
+    default:
+      subject:
+        organization: "Linux-Foundation"
+        country: "US"
+        locality: "San-Francisco"
+        province: "California"
+        organizationalUnit: "ONAP"
+
+  platform:
+    certServiceClient:
+      secret:
+        name: oom-cert-service-client-tls-secret
+        mountPath: /etc/onap/oom/certservice/certs/
+      envVariables:
+        certPath: "/var/custom-certs"
+        # Client configuration related
+        caName: "RA"
+        requestURL: "https://oom-cert-service:8443/v1/certificate/"
+        requestTimeout: "30000"
+        keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
+        outputType: "P12"
+        keystorePassword: "secret"
+        truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
+        truststorePassword: "secret"
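Review bot: `keystorePassword: "secret"` and `truststorePassword: "secret"` ship as chart defaults, and the init container template added in this commit renders them as literal `value:` entries for KEYSTORE_PASSWORD and TRUSTSTORE_PASSWORD. They therefore appear in clear text in the rendered pod spec of every component that includes the template, and a deployment that does not override them runs with a well-known password. At minimum add a comment above both keys, for example `# placeholder only - must be overridden per deployment`. Preferably the template would read them through `valueFrom.secretKeyRef` from a Secret, since the keystore and truststore files themselves appear to come from the mounted `oom-cert-service-client-tls-secret`.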
diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
index ba22bfb..a6b434f 100644
--- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl
+++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
@@ -82,6 +82,10 @@
   {{- include "repositoryGenerator.image._helper" (merge (dict "image" "curlImage") .) }}
 {{- end -}}
 
+{{- define "repositoryGenerator.image.certserviceclient" -}}
+  {{- include "repositoryGenerator.image._helper" (merge (dict "image" "certServiceClientImage") .) }}
+{{- end -}}
+
 {{- define "repositoryGenerator.image.envsubst" -}}
   {{- include "repositoryGenerator.image._helper" (merge (dict "image" "envsubstImage") .) }}
 {{- end -}}
diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml
index def7381..7d6fabe 100644
--- a/kubernetes/common/repositoryGenerator/values.yaml
+++ b/kubernetes/common/repositoryGenerator/values.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2020 Orange
+# Copyright © 2021 Nokia
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -22,6 +23,7 @@
   # common global images
   busyboxImage: busybox:1.32
   curlImage: curlimages/curl:7.69.1
+  certServiceClientImage: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.3.2
   envsubstImage: dibi/envsubst:1
   # there's only latest image for htpasswd
   htpasswdImage: xmartlabs/htpasswd:latest
@@ -53,6 +55,7 @@
 imageRepoMapping:
   busyboxImage: dockerHubRepository
   curlImage: dockerHubRepository
+  certServiceClientImage: repository
   envsubstImage: dockerHubRepository
   htpasswdImage: dockerHubRepository
   jreImage: repository