[SO] Onboard ONAP CA during init phase
Workaround for retrieving ONAP root CA and keeping SO container being
run by no root user.
Issue-ID: SO-2730
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: Ib1b48c0a6fcca359a780640b8c705e75fd78dc1a
diff --git a/kubernetes/so/templates/_certificates.tpl b/kubernetes/so/templates/_certificates.tpl
new file mode 100644
index 0000000..8bd25d2
--- /dev/null
+++ b/kubernetes/so/templates/_certificates.tpl
@@ -0,0 +1,32 @@
+{{- define "so.certificate.container_importer" -}}
+- name: {{ include "common.name" . }}-certs-importer
+ image: "{{ include "common.repository" . }}/{{ .Values.global.soBaseImage }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ command:
+ - "/bin/sh"
+ args:
+ - "-c"
+ - "update-ca-certificates --fresh && \
+ cp -r {{ .Values.global.certificates.path }}/* /certificates"
+ volumeMounts:
+ - name: {{ include "common.name" . }}-certificates
+ mountPath: /certificates
+ - name: {{ include "common.name" . }}-onap-certificates
+ mountPath: {{ .Values.global.certificates.share_path }}
+{{- end -}}
+
+{{- define "so.certificate.volume-mounts" -}}
+- name: {{ include "common.name" . }}-certificates
+ mountPath: {{ .Values.global.certificates.path }}
+- name: {{ include "common.name" . }}-onap-certificates
+ mountPath: {{ .Values.global.certificates.share_path }}
+{{- end -}}
+
+{{- define "so.certificate.volumes" -}}
+- name: {{ include "common.name" . }}-certificates
+ emptyDir:
+ medium: Memory
+- name: {{ include "common.name" . }}-onap-certificates
+ secret:
+ secretName: {{ include "common.secret.getSecretNameFast" (dict "global" . "uid" "so-onap-certs") }}
+{{- end -}}
diff --git a/kubernetes/so/templates/deployment.yaml b/kubernetes/so/templates/deployment.yaml
index ca6be72..0739009 100755
--- a/kubernetes/so/templates/deployment.yaml
+++ b/kubernetes/so/templates/deployment.yaml
@@ -34,8 +34,9 @@
app: {{ include "common.name" . }}
release: {{ include "common.release" . }}
spec:
- initContainers:
- - command:
+ initContainers: {{ include "so.certificate.container_importer" . | nindent 6 }}
+ - name: {{ include "common.name" . }}-readiness
+ command:
- /root/job_complete.py
args:
- --job-name
@@ -93,7 +94,7 @@
- configMapRef:
name: {{ include "common.fullname" . }}-configmap
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
- volumeMounts:
+ volumeMounts: {{ include "so.certificate.volume-mounts" . | nindent 8 }}
- name: logs
mountPath: /app/logs
- name: config
@@ -120,7 +121,7 @@
mountPath: /var/log/onap/so
- name: {{ include "common.fullname" . }}-logs
mountPath: /var/log/onap
- volumes:
+ volumes: {{ include "so.certificate.volumes" . | nindent 6 }}
- name: logs
emptyDir: {}
- name: config
diff --git a/kubernetes/so/templates/secret.yaml b/kubernetes/so/templates/secret.yaml
index bd7eb8e..bdcecdd 100644
--- a/kubernetes/so/templates/secret.yaml
+++ b/kubernetes/so/templates/secret.yaml
@@ -1,4 +1,5 @@
# Copyright © 2020 Samsung Electronics
+# Modifications Copyright © 2020 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -12,4 +13,4 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-{{ include "common.secretFast" . }}
+{{ include "common.secret" . }}