[COMMON][CERTINIT] Fail if cert retrieval fails
Current script that retrieve certificates can fail but exit code will be
0. We then add a check in the script in order to avoid such issue
Issue-ID: OOM-2688
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: Ib41c66a4de46db8752f68ef35a2bfb67ca575246
diff --git a/kubernetes/common/certInitializer/resources/retrieval_check.sh b/kubernetes/common/certInitializer/resources/retrieval_check.sh
new file mode 100644
index 0000000..f3af14b
--- /dev/null
+++ b/kubernetes/common/certInitializer/resources/retrieval_check.sh
@@ -0,0 +1,26 @@
+{{/*
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+#!/bin/sh
+
+echo "*** retrieving passwords for certificates"
+export $(/opt/app/aaf_config/bin/agent.sh local showpass \
+ {{.Values.fqi}} {{ .Values.fqdn }} | grep '^c' | xargs -0)
+if [ -z "${{ .Values.envVarToCheck }}" ]
+then
+ echo " /!\ certificates retrieval failed"
+ exit 1
+fi
+echo "*** password retrieval succeeded"
diff --git a/kubernetes/common/certInitializer/templates/_certInitializer.yaml b/kubernetes/common/certInitializer/templates/_certInitializer.yaml
index 5a8e84c..a46400b 100644
--- a/kubernetes/common/certInitializer/templates/_certInitializer.yaml
+++ b/kubernetes/common/certInitializer/templates/_certInitializer.yaml
@@ -55,6 +55,9 @@
- mountPath: /opt/app/aaf_config/cert/truststoreONAP.p12.b64
name: aaf-agent-certs
subPath: truststoreONAP.p12.b64
+ - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
+ mountPath: /opt/app/aaf_config/bin/retrieval_check.sh
+ subPath: retrieval_check.sh
{{- if $initRoot.aaf_add_config }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh
@@ -66,6 +69,7 @@
- |
#!/usr/bin/env bash
/opt/app/aaf_config/bin/agent.sh
+ source /opt/app/aaf_config/bin/retrieval_check.sh
{{- if $initRoot.aaf_add_config }}
/opt/app/aaf_config/bin/aaf-add-config.sh
{{- end }}
@@ -174,13 +178,10 @@
configMap:
name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }}
defaultMode: 0700
-
-{{- if $initRoot.aaf_add_config }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
configMap:
name: {{ include "common.fullname" $subchartDot }}-add-config
defaultMode: 0700
-{{- end -}}
{{- if $dot.Values.global.importCustomCertsEnabled }}
- name: updated-truststore
emptyDir: {}
diff --git a/kubernetes/common/certInitializer/templates/configmap.yaml b/kubernetes/common/certInitializer/templates/configmap.yaml
index 7eae899..1e9254a 100644
--- a/kubernetes/common/certInitializer/templates/configmap.yaml
+++ b/kubernetes/common/certInitializer/templates/configmap.yaml
@@ -14,12 +14,13 @@
# limitations under the License.
*/}}
-{{ if .Values.aaf_add_config }}
apiVersion: v1
kind: ConfigMap
{{- $suffix := "add-config" }}
metadata: {{- include "common.resourceMetadata" (dict "suffix" $suffix "dot" . )| nindent 2 }}
data:
+{{ tpl (.Files.Glob "resources/*").AsConfig . | indent 2 }}
+{{ if .Values.aaf_add_config }}
aaf-add-config.sh: |
{{ tpl .Values.aaf_add_config . | indent 4 | trim }}
{{- end }}
diff --git a/kubernetes/common/certInitializer/values.yaml b/kubernetes/common/certInitializer/values.yaml
index e7a0a3f..52b2765 100644
--- a/kubernetes/common/certInitializer/values.yaml
+++ b/kubernetes/common/certInitializer/values.yaml
@@ -54,6 +54,7 @@
truststoreMountpath: ""
truststoreOutputFileName: truststore.jks
truststorePassword: changeit
+envVarToCheck: cadi_keystore_password_p12
# This introduces implicit dependency on cert-wrapper
# if you are using cert initializer cert-wrapper has to be also deployed.