[CMPv2-CERT-PROVIDER] Add helm chart for K8s external provider
Cert Service K8s external provider ia a part of certificate distribution infrastructure in ONAP.
The main functionality of the provider is to forward Certificate Signing Requests (CSRs) created by cert-mananger (https://cert-manager.io) to CertServiceAPI.
More information can found on a dedicated page: https://wiki.onap.org/display/DW/CertService+and+K8s+Cert-Manager+integration.
Issue-ID: OOM-2560
Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com>
Change-Id: Ibc94d5db5cac9649d47143406b47ce179beddd14
diff --git a/kubernetes/.gitignore b/kubernetes/.gitignore
new file mode 100644
index 0000000..bc3a4f1
--- /dev/null
+++ b/kubernetes/.gitignore
@@ -0,0 +1 @@
+chartstorage/
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/.helmignore b/kubernetes/platform/components/cmpv2-cert-provider/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml b/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml
new file mode 100644
index 0000000..38446f1
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2020 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: ONAP CMPv2 certificate external provider for cert-manager
+name: cmpv2-cert-provider
+version: 7.0.0
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml b/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml
new file mode 100644
index 0000000..0bc24af
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml
@@ -0,0 +1,138 @@
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 Nokia
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: cmpv2issuers.certmanager.onap.org
+spec:
+ group: certmanager.onap.org
+ names:
+ kind: CMPv2Issuer
+ listKind: CMPv2IssuerList
+ plural: cmpv2issuers
+ singular: cmpv2issuer
+ scope: Namespaced
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ openAPIV3Schema:
+ description: CMPv2Issuer is the Schema for the cmpv2issuers API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/cmpv2api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/cmpv2api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: CMPv2IssuerSpec defines the desired state of CMPv2Issuer
+ properties:
+ url:
+ description: URL to CertService API.
+ type: string
+ healthEndpoint:
+ description: Path of health check endpoint.
+ type: string
+ certEndpoint:
+ description: Path of cerfificate signing enpoint.
+ type: string
+ caName:
+ description: Name of the external CA server configured on CertService API side.
+ type: string
+ certSecretRef:
+ description: Reference to K8s secret which contains certificate, private key and CA certificate
+ needed to connect to CertService API (which requires client certificate authentication)
+ properties:
+ name:
+ description: The name of K8s secret to select certificates from. Secret must be in the same
+ namespace as CMPv2Issuer.
+ type: string
+ keyRef:
+ description: The key of the secret to select private key from. Must be a
+ valid secret key.
+ type: string
+ certRef:
+ description: The key of the secret to select cert from. Must be a
+ valid secret key.
+ type: string
+ cacertRef:
+ description: The key of the secret to select cacert from. Must be a
+ valid secret key.
+ type: string
+ required:
+ - name
+ - keyRef
+ - certRef
+ - cacertRef
+ type: object
+ required:
+ - url
+ - healthEndpoint
+ - certEndpoint
+ - caName
+ - certSecretRef
+ type: object
+ status:
+ description: CMPv2IssuerStatus defines the observed state of CMPv2Issuer
+ properties:
+ conditions:
+ items:
+ description: CMPv2IssuerCondition contains condition information for
+ the certservice issuer.
+ properties:
+ lastTransitionTime:
+ description: LastTransitionTime is the timestamp corresponding
+ to the last status change of this condition.
+ format: date-time
+ type: string
+ message:
+ description: Message is a human readable description of the details
+ of the last transition, complementing reason.
+ type: string
+ reason:
+ description: Reason is a brief machine readable explanation for
+ the condition's last transition.
+ type: string
+ status:
+ allOf:
+ - enum:
+ - "True"
+ - "False"
+ - Unknown
+ description: Status of the condition, one of ('True', 'False',
+ 'Unknown').
+ type: string
+ type:
+ description: Type of the condition, currently ('Ready').
+ enum:
+ - Ready
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/requirements.yaml b/kubernetes/platform/components/cmpv2-cert-provider/requirements.yaml
new file mode 100644
index 0000000..def3586
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/requirements.yaml
@@ -0,0 +1,17 @@
+# Copyright © 2020 Nokia
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ dependencies:
+ - name: common
+ version: ~7.x-0
+ repository: '@local'
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml
new file mode 100644
index 0000000..9ba61a5
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml
@@ -0,0 +1,34 @@
+{{ if .Values.global.CMPv2CertManagerIntegration }}
+
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 Nokia
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: certmanager.onap.org/v1
+kind: CMPv2Issuer
+metadata:
+ name: {{ .Values.cmpv2issuer.name }}
+ namespace: {{ include "common.namespace" . }}
+spec:
+ url: {{ .Values.cmpv2issuer.url }}
+ healthEndpoint: {{ .Values.cmpv2issuer.healthcheckEndpoint }}
+ certEndpoint: {{ .Values.cmpv2issuer.certEndpoint }}
+ caName: {{ .Values.cmpv2issuer.caName }}
+ certSecretRef:
+ name: {{ .Values.cmpv2issuer.certSecretRef.name }}
+ keyRef: {{ .Values.cmpv2issuer.certSecretRef.keyRef }}
+ certRef: {{ .Values.cmpv2issuer.certSecretRef.certRef }}
+ cacertRef: {{ .Values.cmpv2issuer.certSecretRef.cacertRef }}
+{{ end }}
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml
new file mode 100644
index 0000000..3f0027f
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml
@@ -0,0 +1,71 @@
+{{ if .Values.global.CMPv2CertManagerIntegration }}
+
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 Nokia
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: {{ include "common.fullname" . }}
+ namespace: {{ include "common.namespace" . }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ template:
+ metadata:
+ labels:
+ control-plane: controller-manager
+ spec:
+ containers:
+ - name: {{ .Values.deploymentProxy.name }}
+ image: {{ .Values.deploymentProxy.image }}
+ imagePullPolicy: {{ .Values.deploymentProxy.pullPolicy }}
+ args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=10
+ ports:
+ - containerPort: 8443
+ name: https
+ resources:
+ limits:
+ cpu: {{ .Values.deploymentProxy.resources.limits.cpu }}
+ memory: {{ .Values.deploymentProxy.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.deploymentProxy.resources.requests.cpu }}
+ memory: {{ .Values.deploymentProxy.resources.requests.memory }}
+ - name: provider
+ image: {{ .Values.global.repository }}{{if .Values.global.repository }}/{{ end }}{{ .Values.deployment.image }}
+ imagePullPolicy: {{ .Values.deployment.pullPolicy }}
+ command:
+ - /oom-certservice-cmpv2issuer
+ args:
+ - --metrics-addr=127.0.0.1:8080
+ - --log-level={{ .Values.deployment.logLevel }}
+ resources:
+ limits:
+ cpu: {{ .Values.deployment.resources.limits.cpu }}
+ memory: {{ .Values.deployment.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.deployment.resources.requests.cpu }}
+ memory: {{ .Values.deployment.resources.requests.memory }}
+ terminationGracePeriodSeconds: 10
+{{ end }}
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml
new file mode 100644
index 0000000..add5622
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml
@@ -0,0 +1,167 @@
+{{ if .Values.global.CMPv2CertManagerIntegration }}
+
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 Nokia
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cmpv2-issuer-leader-election-role
+ namespace: {{ include "common.namespace" . }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - get
+ - update
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cmpv2-issuer-manager-role
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - cert-manager.io
+ resources:
+ - certificaterequests
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - cert-manager.io
+ resources:
+ - certificaterequests/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - certmanager.onap.org
+ resources:
+ - cmpv2issuers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - certmanager.onap.org
+ resources:
+ - cmpv2issuers/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cmpv2-issuer-proxy-role
+rules:
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cmpv2-issuer-leader-election-rolebinding
+ namespace: {{ include "common.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cmpv2-issuer-leader-election-role
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: {{ include "common.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cmpv2-issuer-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cmpv2-issuer-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: {{ include "common.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cmpv2-issuer-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cmpv2-issuer-proxy-role
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: {{ include "common.namespace" . }}
+{{ end }}
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml
new file mode 100644
index 0000000..152bd68
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml
@@ -0,0 +1,38 @@
+{{ if .Values.global.CMPv2CertManagerIntegration }}
+
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 Nokia
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ prometheus.io/port: "8443"
+ prometheus.io/scheme: https
+ prometheus.io/scrape: "true"
+ labels:
+ control-plane: controller-manager
+ name: {{ .Values.service.name }}
+ namespace: {{ include "common.namespace" . }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - name: {{ .Values.service.ports.name }}
+ port: {{ .Values.service.ports.port }}
+ targetPort: {{ .Values.service.ports.targetPort }}
+ selector:
+ control-plane: controller-manager
+{{ end }}
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml
new file mode 100644
index 0000000..5ea763a
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml
@@ -0,0 +1,79 @@
+# Copyright © 2020, Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Global
+global:
+ nodePortPrefix: 302
+ readinessImage: onap/oom/readiness:3.0.1
+ loggingRepository: docker.elastic.co
+ loggingImage: beats/filebeat:5.5.0
+ busyboxRepository: registry.hub.docker.com
+ busyboxImage: library/busybox:latest
+ repository: "nexus3.onap.org:10001"
+ CMPv2CertManagerIntegration: false
+
+namespace: onap
+
+# Service configuration
+service:
+ name: oom-certservice-cmpv2issuer-metrics-service
+ type: ClusterIP
+ ports:
+ name: https
+ port: 8443
+ targetPort: https
+
+# Deployment configuration
+deployment:
+ name: oom-certservice-cmpv2issuer
+ image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.3.0
+ proxyImage: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
+ # fol local development use IfNotPresent
+ pullPolicy: Always
+ logLevel: debug
+ resources:
+ limits:
+ cpu: 250m
+ memory: 128Mi
+ requests:
+ cpu: 100m
+ memory: 64Mi
+deploymentProxy:
+ name: kube-rbac-proxy
+ image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
+ pullPolicy: IfNotPresent
+ resources:
+ limits:
+ cpu: 250m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 32Mi
+
+# CMPv2Issuer
+cmpv2issuer:
+ name: cmpv2-issuer-onap
+ url: https://oom-cert-service:8443
+ healthcheckEndpoint: actuator/health
+ certEndpoint: v1/certificate
+ caName: RA
+ certSecretRef:
+ name: cmpv2-issuer-secret
+ certRef: certServiceServer-cert.pem
+ keyRef: certServiceServer-key.pem
+ cacertRef: truststore.pem
+
+
+
+
diff --git a/kubernetes/platform/components/oom-cert-service/.gitignore b/kubernetes/platform/components/oom-cert-service/.gitignore
new file mode 100644
index 0000000..d5e121c
--- /dev/null
+++ b/kubernetes/platform/components/oom-cert-service/.gitignore
@@ -0,0 +1,5 @@
+resources/*.jks
+resources/*.pem
+resources/*.p12
+resources/*.crt
+resources/*.csr
diff --git a/kubernetes/platform/components/oom-cert-service/.helmignore b/kubernetes/platform/components/oom-cert-service/.helmignore
index 50af031..5d9272c 100644
--- a/kubernetes/platform/components/oom-cert-service/.helmignore
+++ b/kubernetes/platform/components/oom-cert-service/.helmignore
@@ -20,3 +20,4 @@
.idea/
*.tmproj
.vscode/
+
diff --git a/kubernetes/platform/components/oom-cert-service/Makefile b/kubernetes/platform/components/oom-cert-service/Makefile
index 736a19f..ea0cb8a 100644
--- a/kubernetes/platform/components/oom-cert-service/Makefile
+++ b/kubernetes/platform/components/oom-cert-service/Makefile
@@ -19,6 +19,10 @@
server_import_root_certificate \
server_convert_certificate_to_jks \
server_convert_certificate_to_p12 \
+ convert_truststore_to_p12 \
+ convert_truststore_to_pem \
+ server_export_certificate_to_pem \
+ server_export_key_to_pem \
clear_unused_files \
stop_docker
@@ -32,7 +36,7 @@
$(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE))
$(eval USERNAME :=$(shell id -u))
$(eval GROUP :=$(shell id -g))
- docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/app -w /app --entrypoint "sh" -td $(FULL_JAVA_IMAGE)
+ docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/certs -w /certs --entrypoint "sh" -td $(FULL_JAVA_IMAGE)
# Stops docker container for generating certificates. 'true' is used to return 0 status code, if container is already deleted
stop_docker:
@@ -46,7 +50,7 @@
#Clear certificates
clear_existing_certificates:
@echo "Clear certificates"
- ${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12
+ ${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 truststore.pem certServiceServer-cert.pem certServiceServer-key.pem
@echo "#####done#####"
#Generate root private and public keys
@@ -146,8 +150,34 @@
-destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
@echo "#####done#####"
+#Convert truststore(.jks) to PCKS12 format(.p12)
+convert_truststore_to_p12:
+ @echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
+ ${DOCKER_EXEC} keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \
+ -destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret
+ @echo "#####done#####"
+
+#Convert truststore(.p12) to PEM format(.pem)
+convert_truststore_to_pem:
+ @echo "Convert certServiceServer-keystore(.p12) to PEM format(.pem)"
+ ${DOCKER_EXEC} openssl pkcs12 -nodes -in truststore.p12 -out truststore.pem -passin pass:secret
+ @echo "#####done#####"
+
+#Export certificates from certServiceServer-keystore(.p12) to PEM format(.pem)
+server_export_certificate_to_pem:
+ @echo "Export certificates from certServiceClient-keystore(.p12) to PEM format(.pem)"
+ ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nokeys -out certServiceServer-cert.pem
+ @echo "#####done#####"
+
+#Export keys from certServiceServer-keystore(.p12) to PEM format(.pem)
+server_export_key_to_pem:
+ @echo "Export keys from certServiceClient-keystore(.p12) to PEM format(.pem)"
+ ${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out certServiceServer-key.pem
+ @echo "#####done#####"
+
+
#Clear unused certificates
clear_unused_files:
@echo "Clear unused certificates"
- ${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr
+ ${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt certServiceServer.csr truststore.p12
@echo "#####done#####"
diff --git a/kubernetes/platform/components/oom-cert-service/resources/default/cmpServers.json b/kubernetes/platform/components/oom-cert-service/resources/default/cmpServers.json
index 358f2a8..c6d76c1 100644
--- a/kubernetes/platform/components/oom-cert-service/resources/default/cmpServers.json
+++ b/kubernetes/platform/components/oom-cert-service/resources/default/cmpServers.json
@@ -1,3 +1,3 @@
{
"cmpv2Servers": []
-}
\ No newline at end of file
+}
diff --git a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
index 280922a..2d47e6f 100644
--- a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
+++ b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
@@ -53,4 +53,17 @@
{{ (.Files.Glob "resources/truststore.jks").AsSecrets }}
root.crt:
{{ (.Files.Glob "resources/root.crt").AsSecrets }}
-{{ end -}}
\ No newline at end of file
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.tls.provider.secret.name }}
+type: Opaque
+data:
+ certServiceServer-key.pem:
+ {{ (.Files.Glob "resources/certServiceServer-key.pem").AsSecrets }}
+ certServiceServer-cert.pem:
+ {{ (.Files.Glob "resources/certServiceServer-cert.pem").AsSecrets }}
+ truststore.pem:
+ {{ (.Files.Glob "resources/truststore.pem").AsSecrets }}
+{{ end -}}
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index ee51ec7..5e2a1be 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml
@@ -34,7 +34,7 @@
port_protocol: http
# Certificates generation configuration
-certificateGenerationImage: onap/integration-java11:7.1.0
+certificateGenerationImage: onap/integration-java11:7.2.0
# Deployment configuration
repository: "nexus3.onap.org:10001"
@@ -88,14 +88,19 @@
client:
secret:
defaultName: oom-cert-service-client-tls-secret
+ provider:
+ secret:
+ name: cmpv2-issuer-secret
envs:
keystore:
jksName: certServiceServer-keystore.jks
p12Name: certServiceServer-keystore.p12
+ pemName: certServiceServer-keystore.pem
truststore:
jksName: truststore.jks
crtName: root.crt
+ pemName: truststore.pem
httpsPort: 8443
# External secrets with credentials can be provided to override default credentials defined below,
diff --git a/kubernetes/platform/requirements.yaml b/kubernetes/platform/requirements.yaml
index a7ff4de..7ddef47 100644
--- a/kubernetes/platform/requirements.yaml
+++ b/kubernetes/platform/requirements.yaml
@@ -18,4 +18,7 @@
dependencies:
- name: oom-cert-service
version: ~7.x-0
- repository: 'file://components/oom-cert-service'
\ No newline at end of file
+ repository: 'file://components/oom-cert-service'
+ - name: cmpv2-cert-provider
+ version: ~7.x-0
+ repository: 'file://components/cmpv2-cert-provider'