[CMPv2-CERT-PROVIDER] Add helm chart for K8s external provider

Cert Service K8s external provider ia a part of certificate distribution infrastructure in ONAP.
The main functionality of the provider is to forward Certificate Signing Requests (CSRs) created by cert-mananger (https://cert-manager.io) to CertServiceAPI.

More information can found on a dedicated page:  https://wiki.onap.org/display/DW/CertService+and+K8s+Cert-Manager+integration.

Issue-ID: OOM-2560
Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com>
Change-Id: Ibc94d5db5cac9649d47143406b47ce179beddd14
diff --git a/kubernetes/.gitignore b/kubernetes/.gitignore
new file mode 100644
index 0000000..bc3a4f1
--- /dev/null
+++ b/kubernetes/.gitignore
@@ -0,0 +1 @@
+chartstorage/
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/.helmignore b/kubernetes/platform/components/cmpv2-cert-provider/.helmignore
new file mode 100644
index 0000000..50af031
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml b/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml
new file mode 100644
index 0000000..38446f1
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2020 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: ONAP CMPv2 certificate external provider for cert-manager
+name: cmpv2-cert-provider
+version: 7.0.0
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml b/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml
new file mode 100644
index 0000000..0bc24af
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/crds/cmpv2issuer.yaml
@@ -0,0 +1,138 @@
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 Nokia
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: cmpv2issuers.certmanager.onap.org
+spec:
+  group: certmanager.onap.org
+  names:
+    kind: CMPv2Issuer
+    listKind: CMPv2IssuerList
+    plural: cmpv2issuers
+    singular: cmpv2issuer
+  scope: Namespaced
+  versions:
+    - name: v1
+      served: true
+      storage: true
+      schema:
+        openAPIV3Schema:
+          description: CMPv2Issuer is the Schema for the cmpv2issuers API
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation
+                of an object. Servers should convert recognized schemas to the latest
+                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/cmpv2api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this
+                object represents. Servers may infer this from the endpoint the client
+                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/cmpv2api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: CMPv2IssuerSpec defines the desired state of CMPv2Issuer
+              properties:
+                url:
+                  description: URL to CertService API.
+                  type: string
+                healthEndpoint:
+                  description: Path of health check endpoint.
+                  type: string
+                certEndpoint:
+                  description: Path of cerfificate signing enpoint.
+                  type: string
+                caName:
+                  description: Name of the external CA server configured on CertService API side.
+                  type: string
+                certSecretRef:
+                  description: Reference to K8s secret which contains certificate, private key and CA certificate
+                    needed to connect to CertService API (which requires client certificate authentication)
+                  properties:
+                    name:
+                      description: The name of K8s secret to select certificates from. Secret must be in the same
+                        namespace as CMPv2Issuer.
+                      type: string
+                    keyRef:
+                      description: The key of the secret to select private key from. Must be a
+                        valid secret key.
+                      type: string
+                    certRef:
+                      description: The key of the secret to select cert from. Must be a
+                        valid secret key.
+                      type: string
+                    cacertRef:
+                      description: The key of the secret to select cacert from. Must be a
+                        valid secret key.
+                      type: string
+                  required:
+                    - name
+                    - keyRef
+                    - certRef
+                    - cacertRef
+                  type: object
+              required:
+                - url
+                - healthEndpoint
+                - certEndpoint
+                - caName
+                - certSecretRef
+              type: object
+            status:
+              description: CMPv2IssuerStatus defines the observed state of CMPv2Issuer
+              properties:
+                conditions:
+                  items:
+                    description: CMPv2IssuerCondition contains condition information for
+                      the certservice issuer.
+                    properties:
+                      lastTransitionTime:
+                        description: LastTransitionTime is the timestamp corresponding
+                          to the last status change of this condition.
+                        format: date-time
+                        type: string
+                      message:
+                        description: Message is a human readable description of the details
+                          of the last transition, complementing reason.
+                        type: string
+                      reason:
+                        description: Reason is a brief machine readable explanation for
+                          the condition's last transition.
+                        type: string
+                      status:
+                        allOf:
+                          - enum:
+                              - "True"
+                              - "False"
+                              - Unknown
+                        description: Status of the condition, one of ('True', 'False',
+                          'Unknown').
+                        type: string
+                      type:
+                        description: Type of the condition, currently ('Ready').
+                        enum:
+                          - Ready
+                        type: string
+                    required:
+                      - status
+                      - type
+                    type: object
+                  type: array
+              type: object
+          type: object
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/requirements.yaml b/kubernetes/platform/components/cmpv2-cert-provider/requirements.yaml
new file mode 100644
index 0000000..def3586
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/requirements.yaml
@@ -0,0 +1,17 @@
+# Copyright © 2020 Nokia
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ dependencies:
+  - name: common
+    version: ~7.x-0
+    repository: '@local'
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml
new file mode 100644
index 0000000..9ba61a5
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml
@@ -0,0 +1,34 @@
+{{ if .Values.global.CMPv2CertManagerIntegration }}
+
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 Nokia
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: certmanager.onap.org/v1
+kind: CMPv2Issuer
+metadata:
+  name: {{ .Values.cmpv2issuer.name }}
+  namespace: {{ include "common.namespace" . }}
+spec:
+  url:  {{ .Values.cmpv2issuer.url }}
+  healthEndpoint:  {{ .Values.cmpv2issuer.healthcheckEndpoint }}
+  certEndpoint:  {{ .Values.cmpv2issuer.certEndpoint }}
+  caName:  {{ .Values.cmpv2issuer.caName }}
+  certSecretRef:
+    name:  {{ .Values.cmpv2issuer.certSecretRef.name }}
+    keyRef:  {{ .Values.cmpv2issuer.certSecretRef.keyRef }}
+    certRef: {{ .Values.cmpv2issuer.certSecretRef.certRef }}
+    cacertRef: {{ .Values.cmpv2issuer.certSecretRef.cacertRef }}
+{{ end }}
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml
new file mode 100644
index 0000000..3f0027f
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml
@@ -0,0 +1,71 @@
+{{ if .Values.global.CMPv2CertManagerIntegration }}
+
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 Nokia
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    control-plane: controller-manager
+  name: {{ include "common.fullname" . }}
+  namespace: {{ include "common.namespace" . }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+    spec:
+      containers:
+      - name: {{ .Values.deploymentProxy.name }}
+        image: {{ .Values.deploymentProxy.image }}
+        imagePullPolicy: {{ .Values.deploymentProxy.pullPolicy }}
+        args:
+        - --secure-listen-address=0.0.0.0:8443
+        - --upstream=http://127.0.0.1:8080/
+        - --logtostderr=true
+        - --v=10
+        ports:
+        - containerPort: 8443
+          name: https
+        resources:
+          limits:
+            cpu: {{ .Values.deploymentProxy.resources.limits.cpu }}
+            memory: {{ .Values.deploymentProxy.resources.limits.memory }}
+          requests:
+            cpu: {{ .Values.deploymentProxy.resources.requests.cpu }}
+            memory: {{ .Values.deploymentProxy.resources.requests.memory }}
+      - name: provider
+        image: {{ .Values.global.repository }}{{if .Values.global.repository }}/{{ end }}{{ .Values.deployment.image }}
+        imagePullPolicy: {{ .Values.deployment.pullPolicy }}
+        command:
+        - /oom-certservice-cmpv2issuer
+        args:
+        - --metrics-addr=127.0.0.1:8080
+        - --log-level={{ .Values.deployment.logLevel }}
+        resources:
+          limits:
+            cpu: {{ .Values.deployment.resources.limits.cpu }}
+            memory: {{ .Values.deployment.resources.limits.memory }}
+          requests:
+            cpu: {{ .Values.deployment.resources.requests.cpu }}
+            memory: {{ .Values.deployment.resources.requests.memory }}
+      terminationGracePeriodSeconds: 10
+{{ end }}
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml
new file mode 100644
index 0000000..add5622
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml
@@ -0,0 +1,167 @@
+{{ if .Values.global.CMPv2CertManagerIntegration }}
+
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 Nokia
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cmpv2-issuer-leader-election-role
+  namespace: {{ include "common.namespace" . }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps/status
+    verbs:
+      - get
+      - update
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cmpv2-issuer-manager-role
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - cert-manager.io
+    resources:
+      - certificaterequests
+    verbs:
+      - get
+      - list
+      - update
+      - watch
+  - apiGroups:
+      - cert-manager.io
+    resources:
+      - certificaterequests/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - certmanager.onap.org
+    resources:
+      - cmpv2issuers
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - certmanager.onap.org
+    resources:
+      - cmpv2issuers/status
+    verbs:
+      - get
+      - patch
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cmpv2-issuer-proxy-role
+rules:
+  - apiGroups:
+      - authentication.k8s.io
+    resources:
+      - tokenreviews
+    verbs:
+      - create
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - subjectaccessreviews
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cmpv2-issuer-leader-election-rolebinding
+  namespace: {{ include "common.namespace" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cmpv2-issuer-leader-election-role
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: {{ include "common.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cmpv2-issuer-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cmpv2-issuer-manager-role
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: {{ include "common.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cmpv2-issuer-proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cmpv2-issuer-proxy-role
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: {{ include "common.namespace" . }}
+{{ end }}
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml
new file mode 100644
index 0000000..152bd68
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml
@@ -0,0 +1,38 @@
+{{ if .Values.global.CMPv2CertManagerIntegration }}
+
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 Nokia
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    prometheus.io/port: "8443"
+    prometheus.io/scheme: https
+    prometheus.io/scrape: "true"
+  labels:
+    control-plane: controller-manager
+  name: {{ .Values.service.name }}
+  namespace: {{ include "common.namespace" . }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - name: {{ .Values.service.ports.name }}
+      port: {{ .Values.service.ports.port }}
+      targetPort: {{ .Values.service.ports.targetPort }}
+  selector:
+    control-plane: controller-manager
+{{ end }}
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/values.yaml b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml
new file mode 100644
index 0000000..5ea763a
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/values.yaml
@@ -0,0 +1,79 @@
+# Copyright © 2020, Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Global
+global:
+  nodePortPrefix: 302
+  readinessImage: onap/oom/readiness:3.0.1
+  loggingRepository: docker.elastic.co
+  loggingImage: beats/filebeat:5.5.0
+  busyboxRepository: registry.hub.docker.com
+  busyboxImage: library/busybox:latest
+  repository: "nexus3.onap.org:10001"
+  CMPv2CertManagerIntegration: false
+
+namespace: onap
+
+# Service configuration
+service:
+  name: oom-certservice-cmpv2issuer-metrics-service
+  type: ClusterIP
+  ports:
+    name: https
+    port: 8443
+    targetPort: https
+
+# Deployment configuration
+deployment:
+  name: oom-certservice-cmpv2issuer
+  image: onap/org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider:2.3.0
+  proxyImage: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
+  # fol local development use IfNotPresent
+  pullPolicy: Always
+  logLevel: debug
+  resources:
+    limits:
+      cpu: 250m
+      memory: 128Mi
+    requests:
+      cpu: 100m
+      memory: 64Mi
+deploymentProxy:
+  name: kube-rbac-proxy
+  image: gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0
+  pullPolicy: IfNotPresent
+  resources:
+    limits:
+      cpu: 250m
+      memory: 128Mi
+    requests:
+      cpu: 50m
+      memory: 32Mi
+
+# CMPv2Issuer
+cmpv2issuer:
+  name: cmpv2-issuer-onap
+  url: https://oom-cert-service:8443
+  healthcheckEndpoint: actuator/health
+  certEndpoint: v1/certificate
+  caName: RA
+  certSecretRef:
+    name: cmpv2-issuer-secret
+    certRef: certServiceServer-cert.pem
+    keyRef: certServiceServer-key.pem
+    cacertRef: truststore.pem
+
+
+
+
diff --git a/kubernetes/platform/components/oom-cert-service/.gitignore b/kubernetes/platform/components/oom-cert-service/.gitignore
new file mode 100644
index 0000000..d5e121c
--- /dev/null
+++ b/kubernetes/platform/components/oom-cert-service/.gitignore
@@ -0,0 +1,5 @@
+resources/*.jks
+resources/*.pem
+resources/*.p12
+resources/*.crt
+resources/*.csr
diff --git a/kubernetes/platform/components/oom-cert-service/.helmignore b/kubernetes/platform/components/oom-cert-service/.helmignore
index 50af031..5d9272c 100644
--- a/kubernetes/platform/components/oom-cert-service/.helmignore
+++ b/kubernetes/platform/components/oom-cert-service/.helmignore
@@ -20,3 +20,4 @@
 .idea/
 *.tmproj
 .vscode/
+
diff --git a/kubernetes/platform/components/oom-cert-service/Makefile b/kubernetes/platform/components/oom-cert-service/Makefile
index 736a19f..ea0cb8a 100644
--- a/kubernetes/platform/components/oom-cert-service/Makefile
+++ b/kubernetes/platform/components/oom-cert-service/Makefile
@@ -19,6 +19,10 @@
      server_import_root_certificate \
      server_convert_certificate_to_jks \
      server_convert_certificate_to_p12 \
+     convert_truststore_to_p12 \
+     convert_truststore_to_pem \
+     server_export_certificate_to_pem \
+     server_export_key_to_pem \
      clear_unused_files \
      stop_docker
 
@@ -32,7 +36,7 @@
 	$(eval FULL_JAVA_IMAGE := $(REPOSITORY)/$(JAVA_IMAGE))
 	$(eval USERNAME :=$(shell id -u))
 	$(eval GROUP :=$(shell id -g))
-	docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/app -w /app --entrypoint "sh" -td $(FULL_JAVA_IMAGE)
+	docker run --rm --name ${DOCKER_CONTAINER} --user "$(USERNAME):$(GROUP)" --mount type=bind,source=${CURRENT_DIR}/${CERTS_DIR},target=/certs -w /certs --entrypoint "sh" -td $(FULL_JAVA_IMAGE)
 
 # Stops docker container for generating  certificates. 'true' is used to return 0 status code, if container is already deleted
 stop_docker:
@@ -46,7 +50,7 @@
 #Clear certificates
 clear_existing_certificates:
 	@echo "Clear certificates"
-	${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12
+	${DOCKER_EXEC} rm -f certServiceClient-keystore.jks certServiceServer-keystore.jks root.crt truststore.jks certServiceServer-keystore.p12 truststore.pem certServiceServer-cert.pem certServiceServer-key.pem
 	@echo "#####done#####"
 
 #Generate root private and public keys
@@ -146,8 +150,34 @@
         -destkeystore certServiceServer-keystore.p12 -deststoretype PKCS12 -deststorepass secret
 	@echo "#####done#####"
 
+#Convert truststore(.jks) to PCKS12 format(.p12)
+convert_truststore_to_p12:
+	@echo "Convert certServiceServer-keystore(.jks) to PCKS12 format(.p12)"
+	${DOCKER_EXEC} keytool -importkeystore -srckeystore truststore.jks -srcstorepass secret \
+        -destkeystore truststore.p12 -deststoretype PKCS12 -deststorepass secret
+	@echo "#####done#####"
+
+#Convert truststore(.p12) to PEM format(.pem)
+convert_truststore_to_pem:
+	@echo "Convert certServiceServer-keystore(.p12) to PEM format(.pem)"
+	${DOCKER_EXEC} openssl pkcs12 -nodes -in truststore.p12 -out truststore.pem -passin pass:secret
+	@echo "#####done#####"
+
+#Export certificates from certServiceServer-keystore(.p12) to PEM format(.pem)
+server_export_certificate_to_pem:
+	@echo "Export certificates from certServiceClient-keystore(.p12) to PEM format(.pem)"
+	${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nokeys -out certServiceServer-cert.pem
+	@echo "#####done#####"
+
+#Export keys from certServiceServer-keystore(.p12) to PEM format(.pem)
+server_export_key_to_pem:
+	@echo "Export keys from certServiceClient-keystore(.p12) to PEM format(.pem)"
+	${DOCKER_EXEC} openssl pkcs12 -in certServiceServer-keystore.p12 -passin 'pass:secret' -nodes -nocerts -out certServiceServer-key.pem
+	@echo "#####done#####"
+
+
 #Clear unused certificates
 clear_unused_files:
 	@echo "Clear unused certificates"
-	${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt  certServiceServer.csr
+	${DOCKER_EXEC} rm -f certServiceClientByRoot.crt certServiceClient.csr root-keystore.jks certServiceServerByRoot.crt  certServiceServer.csr truststore.p12
 	@echo "#####done#####"
diff --git a/kubernetes/platform/components/oom-cert-service/resources/default/cmpServers.json b/kubernetes/platform/components/oom-cert-service/resources/default/cmpServers.json
index 358f2a8..c6d76c1 100644
--- a/kubernetes/platform/components/oom-cert-service/resources/default/cmpServers.json
+++ b/kubernetes/platform/components/oom-cert-service/resources/default/cmpServers.json
@@ -1,3 +1,3 @@
 {
   "cmpv2Servers": []
-}
\ No newline at end of file
+}
diff --git a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
index 280922a..2d47e6f 100644
--- a/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
+++ b/kubernetes/platform/components/oom-cert-service/templates/secret.yaml
@@ -53,4 +53,17 @@
   {{ (.Files.Glob "resources/truststore.jks").AsSecrets }}
   root.crt:
   {{ (.Files.Glob "resources/root.crt").AsSecrets }}
-{{ end -}}
\ No newline at end of file
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.tls.provider.secret.name }}
+type: Opaque
+data:
+  certServiceServer-key.pem:
+  {{ (.Files.Glob "resources/certServiceServer-key.pem").AsSecrets }}
+  certServiceServer-cert.pem:
+  {{ (.Files.Glob "resources/certServiceServer-cert.pem").AsSecrets }}
+  truststore.pem:
+  {{ (.Files.Glob "resources/truststore.pem").AsSecrets }}
+{{ end -}}
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index ee51ec7..5e2a1be 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml
@@ -34,7 +34,7 @@
       port_protocol: http
 
 # Certificates generation configuration
-certificateGenerationImage: onap/integration-java11:7.1.0
+certificateGenerationImage: onap/integration-java11:7.2.0
 
 # Deployment configuration
 repository: "nexus3.onap.org:10001"
@@ -88,14 +88,19 @@
   client:
     secret:
       defaultName: oom-cert-service-client-tls-secret
+  provider:
+    secret:
+      name: cmpv2-issuer-secret
 
 envs:
   keystore:
     jksName: certServiceServer-keystore.jks
     p12Name: certServiceServer-keystore.p12
+    pemName: certServiceServer-keystore.pem
   truststore:
     jksName: truststore.jks
     crtName: root.crt
+    pemName: truststore.pem
   httpsPort: 8443
 
 # External secrets with credentials can be provided to override default credentials defined below,
diff --git a/kubernetes/platform/requirements.yaml b/kubernetes/platform/requirements.yaml
index a7ff4de..7ddef47 100644
--- a/kubernetes/platform/requirements.yaml
+++ b/kubernetes/platform/requirements.yaml
@@ -18,4 +18,7 @@
 dependencies:
   - name: oom-cert-service
     version: ~7.x-0
-    repository: 'file://components/oom-cert-service'
\ No newline at end of file
+    repository: 'file://components/oom-cert-service'
+  - name: cmpv2-cert-provider
+    version: ~7.x-0
+    repository: 'file://components/cmpv2-cert-provider'