[MSB] Use certInitializer for MSB

MSB is currently using an hardcoded certificate. In order to follow
SECOMMON requirements, let's use a freshly generated certificate instead

Issue-ID: MSB-521
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: I157e44a6e30391c36c0142acfa08604c37b79cc4
diff --git a/kubernetes/msb/components/msb-eag/requirements.yaml b/kubernetes/msb/components/msb-eag/requirements.yaml
index c59eb6f..fe55201 100644
--- a/kubernetes/msb/components/msb-eag/requirements.yaml
+++ b/kubernetes/msb/components/msb-eag/requirements.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2018 Amdocs, Bell Canada , ZTE
+# Copyright © 2021 Orange
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,4 +18,7 @@
     repository: '@local'
   - name: repositoryGenerator
     version: ~7.x-0
-    repository: '@local'
\ No newline at end of file
+    repository: '@local'
+  - name: certInitializer
+    version: ~7.x-0
+    repository: '@local'
diff --git a/kubernetes/msb/components/msb-eag/resources/config/log/logback.xml b/kubernetes/msb/components/msb-eag/resources/config/log/logback.xml
deleted file mode 100644
index 680cb73..0000000
--- a/kubernetes/msb/components/msb-eag/resources/config/log/logback.xml
+++ /dev/null
@@ -1,40 +0,0 @@
-<!--# Copyright © 2017 Amdocs, Bell Canada
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#       http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License. -->
-<?xml version="1.0" encoding="UTF-8"?>
-<configuration debug="true" scan="true" scanPeriod="3 seconds">
-   <!--<jmxConfigurator /> -->
-   <!--  specify the base path of the log directory -->
-   <property name="logDir" value="/var/log/onap" />
-   <!--  specify the component name -->
-   <property name="componentName" value="msb" />
-   <!-- specify the sub component name -->
-   <property name="subComponentName" value="discovery" />
-   <!-- The directories where logs are written -->
-   <property name="logDirectory" value="${logDir}/${componentName}/${subComponentName}" />
-   <property name="pattern" value="%d{&amp;quot;yyyy-MM-dd'T'HH:mm:ss.SSSXXX&amp;quot;, UTC}\t[%thread]\t%-5level\t%logger{36}\t%replace(%replace(%replace(%mdc){'\t','\\\\t'}){', ','\t'}){'\n', '\\\\n'}\t%replace(%replace(%msg){'\n', '\\\\n'}){'\t','\\\\t'}%n" />
-   <!--  log file names -->
-   <property name="errorLogName" value="error" />
-   <property name="metricsLogName" value="metrics" />
-   <property name="auditLogName" value="audit" />
-   <property name="debugLogName" value="debug" />
-   <property name="queueSize" value="256" />
-   <property name="maxFileSize" value="50MB" />
-   <property name="maxHistory" value="30" />
-   <property name="totalSizeCap" value="10GB" />
-   <!-- Example evaluator filter applied against console appender -->
-   <appender class="ch.qos.logback.core.ConsoleAppender" name="STDOUT">
-      <encoder>
-         <pattern>${pattern}</pattern>
-      </encoder>
-   </appender>
diff --git a/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf b/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf
new file mode 100644
index 0000000..7012575
--- /dev/null
+++ b/kubernetes/msb/components/msb-eag/resources/config/nginx/msbhttps.conf
@@ -0,0 +1,28 @@
+{{/*
+#
+# Copyright (C) 2017-2018 ZTE, Inc. and others. All rights reserved. (ZTE)
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+*/}}
+server {
+  listen 443 ssl;
+  ssl_certificate {{ .Values.certInitializer.credsPath }}/certs/cert.crt;
+  ssl_certificate_key {{ .Values.certInitializer.credsPath }}/certs/cert.key;
+  ssl_protocols TLSv1.1 TLSv1.2;
+  ssl_dhparam ../ssl/dh-pubkey/dhparams.pem;
+  include ../msb-enabled/location-default/msblocations.conf;
+  # Add below settings for making SDC to work
+  underscores_in_headers on;
+}
\ No newline at end of file
diff --git a/kubernetes/msb/components/msb-eag/templates/configmap.yaml b/kubernetes/msb/components/msb-eag/templates/configmap.yaml
index 33c77e5..30c0a80 100644
--- a/kubernetes/msb/components/msb-eag/templates/configmap.yaml
+++ b/kubernetes/msb/components/msb-eag/templates/configmap.yaml
@@ -1,5 +1,6 @@
 {{/*
 # Copyright © 2018 Amdocs, Bell Canada , ZTE
+# Copyright © 2021 Orange
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,3 +21,11 @@
   namespace: {{ include "common.namespace" . }}
 data:
 {{ tpl (.Files.Glob "resources/config/logback.xml").AsConfig . | indent 2 }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.fullname" . }}-nginx
+  namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/config/nginx/*").AsConfig . | indent 2 }}
diff --git a/kubernetes/msb/components/msb-eag/templates/deployment.yaml b/kubernetes/msb/components/msb-eag/templates/deployment.yaml
index 36cb13d..113a174 100644
--- a/kubernetes/msb/components/msb-eag/templates/deployment.yaml
+++ b/kubernetes/msb/components/msb-eag/templates/deployment.yaml
@@ -1,5 +1,6 @@
 {{/*
 # Copyright © 2018 Amdocs, Bell Canada , ZTE
+# Copyright © 2021 Orange
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -38,6 +39,7 @@
     spec:
       serviceAccountName: msb
       initContainers:
+      {{ include "common.certInitializer.initContainer" . | indent 6 | trim }}
       - command:
         - /app/ready.py
         args:
@@ -83,19 +85,15 @@
           - name: ROUTE_LABELS
             value: {{ .Values.config.routeLabels }}
           volumeMounts:
+          {{ include "common.certInitializer.volumeMount" . | indent 10 | trim }}
           - mountPath: /etc/localtime
             name: localtime
             readOnly: true
-          - name: {{ include "common.fullname" . }}-cert
-            mountPath: /usr/local/openresty/nginx/ssl/cert/cert.crt
-            readOnly: true
-            subPath: "cert.crt"
-          - name: {{ include "common.fullname" . }}-cert
-            mountPath: /usr/local/openresty/nginx/html/cert/ca.crt
-            readOnly: true
-            subPath: "ca.crt"
           - mountPath: /usr/local/apiroute-works/logs
             name: {{ include "common.fullname" . }}-logs
+          - mountPath: /usr/local/openresty/nginx/msb-enabled/msbhttps.conf
+            name: {{ include "common.fullname" . }}-nginx-conf
+            subPath: msbhttps.conf
           resources:
 {{ include "common.resources" . | indent 12 }}
         {{- if .Values.nodeSelector }}
@@ -122,12 +120,13 @@
             name: {{ include "common.fullname" . }}-log-conf
             subPath: logback.xml
       volumes:
-        - name: {{ include "common.fullname" . }}-cert
-          secret:
-            secretName: {{ include "common.release" . }}-msb-https-cert
+        {{ include "common.certInitializer.volumes" . | indent 8 | trim }}
         - name: {{ include "common.fullname" . }}-log-conf
           configMap:
             name: {{ include "common.fullname" . }}-log
+        - name: {{ include "common.fullname" . }}-nginx-conf
+          configMap:
+            name: {{ include "common.fullname" . }}-nginx
         - name: {{ include "common.fullname" . }}-filebeat-conf
           configMap:
             name: {{ include "common.release" . }}-msb-filebeat-configmap
diff --git a/kubernetes/msb/components/msb-eag/values.yaml b/kubernetes/msb/components/msb-eag/values.yaml
index b8813b8..ff158b5 100644
--- a/kubernetes/msb/components/msb-eag/values.yaml
+++ b/kubernetes/msb/components/msb-eag/values.yaml
@@ -1,4 +1,5 @@
 # Copyright © 2018 Amdocs, Bell Canada , ZTE
+# Copyright © 2021 Orange
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,6 +19,45 @@
   nodePortPrefix: 302
 
 #################################################################
+# AAF part
+#################################################################
+certInitializer:
+  nameOverride: msb-eag-cert-initializer
+  aafDeployFqi: deployer@people.osaaf.org
+  aafDeployPass: demo123456!
+  # aafDeployCredsExternalSecret: some secret
+  fqdn: msb-eag
+  fqi: msb-eag@msb-eag.onap.org
+  fqi_namespace: org.onap.msb-eag
+  public_fqdn: msb-eag.onap.org
+  cadi_longitude: "0.0"
+  cadi_latitude: "0.0"
+  app_ns: org.osaaf.aaf
+  credsPath: /opt/app/osaaf/local
+  aaf_add_config: |
+    echo "*** retrieving passwords for certificates"
+    export $(/opt/app/aaf_config/bin/agent.sh local showpass \
+      {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c')
+    if [ -z "$cadi_keystore_password_p12" ]
+    then
+      echo "  /!\ certificates retrieval failed"
+      exit 1
+    else
+      mkdir -p {{ .Values.credsPath }}/certs
+      echo "*** retrieve certificate from pkcs12"
+      openssl pkcs12 -in {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.p12 \
+        -out {{ .Values.credsPath }}/certs/cert.crt -nokeys \
+        -passin pass:$cadi_keystore_password_p12 \
+        -passout pass:$cadi_keystore_password_p12
+      echo "*** copy key to relevant place"
+      cp {{ .Values.credsPath }}/{{ .Values.fqi_namespace }}.key {{ .Values.credsPath }}/certs/cert.key
+      echo "*** change ownership and read/write attributes"
+      chown -R 1000 {{ .Values.credsPath }}/certs
+      chmod 600 {{ .Values.credsPath }}/certs/cert.crt
+      chmod 600 {{ .Values.credsPath }}/certs/cert.key
+    fi
+
+#################################################################
 # Application configuration defaults.
 #################################################################
 # application image