[SDNC] Fix issue with certs from CMPv2 by Netconf (TLS)
- correct cmpv2Certificate to take outputType from 'certificates'
- add postStart hook for CertManagerIntegration to make cert dir writable
- add setting ODL_CERT_DIR env
Issue-ID: SDNC-1477
Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
Change-Id: I4531392cc4f113b173d10a27b98b1fe97d6faa4d
diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
index 4e43f62..f820c30 100644
--- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
+++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl
@@ -181,8 +181,10 @@
{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
{{- range $i, $certificate := $dot.Values.certificates -}}
{{- $mountPath := $certificate.mountPath -}}
-- mountPath: {{ $mountPath }}
+- mountPath: {{ (printf "%s/secret-%d" $mountPath $i) }}
name: certmanager-certs-volume-{{ $i }}
+- mountPath: {{ $mountPath }}
+ name: certmanager-certs-volume-{{ $i }}-dir
{{- end -}}
{{- end -}}
@@ -194,6 +196,8 @@
{{- range $i, $certificate := $certificates -}}
{{- $name := include "common.fullname" $dot -}}
{{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
+- name: certmanager-certs-volume-{{ $i }}-dir
+ emptyDir: {}
- name: certmanager-certs-volume-{{ $i }}
projected:
sources:
@@ -217,3 +221,17 @@
{{- end }}
{{- end -}}
{{- end -}}
+
+{{- define "common.certManager.linkVolumeMounts" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- $certificates := $dot.Values.certificates -}}
+{{- $certsLinkCommand := "" -}}
+ {{- range $i, $certificate := $certificates -}}
+ {{- $destnationPath := (required "'mountPath' for Certificate is required." $certificate.mountPath) -}}
+ {{- $sourcePath := (printf "%s/secret-%d/*" $destnationPath $i) -}}
+ {{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}}
+ {{- end -}}
+{{ $certsLinkCommand }}
+{{- end -}}
diff --git a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
index 57e6c69..58cc9c7 100644
--- a/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
+++ b/kubernetes/common/cmpv2Certificate/templates/_certServiceClient.tpl
@@ -27,7 +27,9 @@
certificates:
- mountPath: /var/custom-certs
caName: RA
- outputType: JKS
+ keystore:
+ outputType:
+ - jks
commonName: common-name
dnsNames:
- dns-name-1
@@ -65,7 +67,7 @@
{{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}}
{{- range $index, $certificate := $dot.Values.certificates -}}
{{/*# General certifiacate attributes #*/}}
-{{- $commonName := $certificate.commonName -}}
+{{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}}
{{/*# SAN's #*/}}
{{- $dnsNames := default (list) $certificate.dnsNames -}}
{{- $ipAddresses := default (list) $certificate.ipAddresses -}}
@@ -87,7 +89,11 @@
{{- $orgUnit := $certificate.subject.organizationalUnit -}}
{{- end -}}
{{- $caName := default $subchartGlobal.platform.certServiceClient.envVariables.caName $certificate.caName -}}
-{{- $outputType := default $subchartGlobal.platform.certServiceClient.envVariables.outputType $certificate.outputType -}}
+{{- $outputType := $subchartGlobal.platform.certServiceClient.envVariables.outputType -}}
+{{- if $certificate.keystore -}}
+{{- $outputTypeList := (required "'outputType' in 'keystore' section is required." $certificate.keystore.outputType) -}}
+{{- $outputType = mustFirst ($outputTypeList) | upper -}}
+{{- end -}}
{{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}}
{{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}}
{{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}}
diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml
index 7441dac..96fa337 100644
--- a/kubernetes/sdnc/templates/statefulset.yaml
+++ b/kubernetes/sdnc/templates/statefulset.yaml
@@ -128,6 +128,13 @@
- name: {{ include "common.name" . }}
image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ {{- if and .Values.global.cmpv2Enabled .Values.global.CMPv2CertManagerIntegration }}
+ {{- $linkCommand := include "common.certManager.linkVolumeMounts" . }}
+ lifecycle:
+ postStart:
+ exec:
+ command: ["sh", "-c", {{$linkCommand | quote}} ]
+ {{- end }}
command: ["/bin/bash"]
args: ["-c", "/opt/onap/sdnc/bin/createLinks.sh ; /opt/onap/sdnc/bin/startODL.sh"]
ports:
@@ -197,7 +204,11 @@
{{- if .Values.config.sdnr.sdnrdbTrustAllCerts }}
- name: SDNRDBTRUSTALLCERTS
value: "true"
- {{ end }}
+ {{- end }}
+ {{- if .Values.global.cmpv2Enabled }}
+ - name: ODL_CERT_DIR
+ value: {{ (mustFirst (.Values.certificates)).mountPath }}
+ {{- end }}
volumeMounts:
{{ include "common.certInitializer.volumeMount" . | indent 10 }}