[CMPv2-CERT-PROVIDER] Add helm chart for K8s external provider
Cert Service K8s external provider ia a part of certificate distribution infrastructure in ONAP.
The main functionality of the provider is to forward Certificate Signing Requests (CSRs) created by cert-mananger (https://cert-manager.io) to CertServiceAPI.
More information can found on a dedicated page: https://wiki.onap.org/display/DW/CertService+and+K8s+Cert-Manager+integration.
Issue-ID: OOM-2560
Signed-off-by: Jan Malkiewicz <jan.malkiewicz@nokia.com>
Change-Id: Ibc94d5db5cac9649d47143406b47ce179beddd14
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml
new file mode 100644
index 0000000..9ba61a5
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/configuration.yaml
@@ -0,0 +1,34 @@
+{{ if .Values.global.CMPv2CertManagerIntegration }}
+
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 Nokia
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: certmanager.onap.org/v1
+kind: CMPv2Issuer
+metadata:
+ name: {{ .Values.cmpv2issuer.name }}
+ namespace: {{ include "common.namespace" . }}
+spec:
+ url: {{ .Values.cmpv2issuer.url }}
+ healthEndpoint: {{ .Values.cmpv2issuer.healthcheckEndpoint }}
+ certEndpoint: {{ .Values.cmpv2issuer.certEndpoint }}
+ caName: {{ .Values.cmpv2issuer.caName }}
+ certSecretRef:
+ name: {{ .Values.cmpv2issuer.certSecretRef.name }}
+ keyRef: {{ .Values.cmpv2issuer.certSecretRef.keyRef }}
+ certRef: {{ .Values.cmpv2issuer.certSecretRef.certRef }}
+ cacertRef: {{ .Values.cmpv2issuer.certSecretRef.cacertRef }}
+{{ end }}
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml
new file mode 100644
index 0000000..3f0027f
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/deployment.yaml
@@ -0,0 +1,71 @@
+{{ if .Values.global.CMPv2CertManagerIntegration }}
+
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 Nokia
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ control-plane: controller-manager
+ name: {{ include "common.fullname" . }}
+ namespace: {{ include "common.namespace" . }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ template:
+ metadata:
+ labels:
+ control-plane: controller-manager
+ spec:
+ containers:
+ - name: {{ .Values.deploymentProxy.name }}
+ image: {{ .Values.deploymentProxy.image }}
+ imagePullPolicy: {{ .Values.deploymentProxy.pullPolicy }}
+ args:
+ - --secure-listen-address=0.0.0.0:8443
+ - --upstream=http://127.0.0.1:8080/
+ - --logtostderr=true
+ - --v=10
+ ports:
+ - containerPort: 8443
+ name: https
+ resources:
+ limits:
+ cpu: {{ .Values.deploymentProxy.resources.limits.cpu }}
+ memory: {{ .Values.deploymentProxy.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.deploymentProxy.resources.requests.cpu }}
+ memory: {{ .Values.deploymentProxy.resources.requests.memory }}
+ - name: provider
+ image: {{ .Values.global.repository }}{{if .Values.global.repository }}/{{ end }}{{ .Values.deployment.image }}
+ imagePullPolicy: {{ .Values.deployment.pullPolicy }}
+ command:
+ - /oom-certservice-cmpv2issuer
+ args:
+ - --metrics-addr=127.0.0.1:8080
+ - --log-level={{ .Values.deployment.logLevel }}
+ resources:
+ limits:
+ cpu: {{ .Values.deployment.resources.limits.cpu }}
+ memory: {{ .Values.deployment.resources.limits.memory }}
+ requests:
+ cpu: {{ .Values.deployment.resources.requests.cpu }}
+ memory: {{ .Values.deployment.resources.requests.memory }}
+ terminationGracePeriodSeconds: 10
+{{ end }}
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml
new file mode 100644
index 0000000..add5622
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/roles.yaml
@@ -0,0 +1,167 @@
+{{ if .Values.global.CMPv2CertManagerIntegration }}
+
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 Nokia
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cmpv2-issuer-leader-election-role
+ namespace: {{ include "common.namespace" . }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - get
+ - update
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cmpv2-issuer-manager-role
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - cert-manager.io
+ resources:
+ - certificaterequests
+ verbs:
+ - get
+ - list
+ - update
+ - watch
+ - apiGroups:
+ - cert-manager.io
+ resources:
+ - certificaterequests/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - certmanager.onap.org
+ resources:
+ - cmpv2issuers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - certmanager.onap.org
+ resources:
+ - cmpv2issuers/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cmpv2-issuer-proxy-role
+rules:
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cmpv2-issuer-leader-election-rolebinding
+ namespace: {{ include "common.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cmpv2-issuer-leader-election-role
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: {{ include "common.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cmpv2-issuer-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cmpv2-issuer-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: {{ include "common.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cmpv2-issuer-proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cmpv2-issuer-proxy-role
+subjects:
+ - kind: ServiceAccount
+ name: default
+ namespace: {{ include "common.namespace" . }}
+{{ end }}
diff --git a/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml b/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml
new file mode 100644
index 0000000..152bd68
--- /dev/null
+++ b/kubernetes/platform/components/cmpv2-cert-provider/templates/service.yaml
@@ -0,0 +1,38 @@
+{{ if .Values.global.CMPv2CertManagerIntegration }}
+
+# ============LICENSE_START=======================================================
+# Copyright (c) 2020 Nokia
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ prometheus.io/port: "8443"
+ prometheus.io/scheme: https
+ prometheus.io/scrape: "true"
+ labels:
+ control-plane: controller-manager
+ name: {{ .Values.service.name }}
+ namespace: {{ include "common.namespace" . }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - name: {{ .Values.service.ports.name }}
+ port: {{ .Values.service.ports.port }}
+ targetPort: {{ .Values.service.ports.targetPort }}
+ selector:
+ control-plane: controller-manager
+{{ end }}