Deploy dmaap-bc with downloaded certs

This fixes the charts to properly install new SSL artifacts from AAF.
And we use the newest container version that uses cadi library to read
these artifacts.

Issue-ID: DMAAP-1401
Signed-off-by: Dominic Lunanuova <dgl@research.att.com>
Change-Id: I4d70716220a7f3e629762d3bef2149e3b0147133
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env b/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env
index cde43f9..84a42d6 100644
--- a/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env
+++ b/kubernetes/dmaap/components/dmaap-bc/resources/config/buscontroller.env
@@ -14,4 +14,4 @@
 
 # Environment settings for starting a container
 DMAAPBC_WAIT_TO_EXIT=Y
-
+DMAAPBC_KSTOREFILE=/opt/app/osaaf/local/org.onap.dmaap-bc.jks
diff --git a/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties b/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties
index e43182d..59f64bd 100644
--- a/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties
+++ b/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties
@@ -12,43 +12,47 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-#####################################################
-#
-# ONAP Casablanca oom configurable deployment params:
-#
-#####################################################
-
 
 #####################################################
 #
 # Hooks for specific environment configurations
 #
 #####################################################
-# Indicator for whether to use AAF
+# Indicator for whether to use AAF for authentication
 UseAAF: {{ .Values.global.aafEnabled }}
 
-# csit: stubs out some southbound APIs for csit
-csit: No
+# Stub out southbound calls for Unit Test cases to run.  e.g. not timeout
+# Comment out in other environments to get default (No)
+#UnitTest: Yes
 
-# name of this DMaaP instance (deprecated)
-#DmaapName: demo
 
 #####################################################
 #
 # Settings for Southbound API: Datarouter
 #
 #####################################################
-# FQDN of DR Prov Server (deprecated)
-#DR.provhost: dcae-drps.domain.not.set
 
 # URI to retrieve dynamic DR configuration
 ProvisioningURI:  /internal/prov
 
 # indicator for handling feed delete:
 #  DeleteOnDR - means use the DR API to DELETE a feed.  (default for backwards compatibility)
-#  SimulateDelete - means preserve the feed on DR (after cleaning it up), and mark as DELETED in DBCL.  Better for cfy environments.
+#  SimulateDelete - means preserve the feed on DR (after cleaning it up), and mark as DELETED in DBCL.  Better for cloudify environments.
 Feed.deleteHandling: SimulateDelete
 
+###########################################################
+# The following properties default to match ONAP DR instance.
+# However, there are some non-ONAP DR instances that require other values.
+# Sets the X-DR-ON-BEHALF-OF HTTP Header value
+#DR.onBehalfHeader:
+# Value for the Content-Type Header in DR Feed API
+#DR.feedContentType:
+# Value for the Content-Type Header in DR Subscription API
+#DR.subContentType:
+#
+# END OF properties helpful for non-ONAP DR instance.
+############################################################
+
 #####################################################
 #
 # Settings for Soutbound API: Postgresql
@@ -86,6 +90,9 @@
 # In a multi-site, MR cluster deployment, use the CNAME DNS entry which resolves to the primary central MR
 MR.CentralCname: {{ .Values.dmaapMessageRouterService }}
 
+# Indicator for whether we want hostname verification on SSL connection to MR
+MR.hostnameVerify: false
+
 # MR Client Delete Level thoroughness:
 #  0 = don't delete
 #  1 = delete from persistent store
@@ -104,6 +111,12 @@
 # Use Basic Authentication when provisioning topics
 MR.authentication: basicAuth
 
+# MR topic name style (default is FQTN_LEGACY_FORMAT)
+#MR.topicStyle: FQTN_LEGACY_FORMAT
+#
+# end of MR Related Properties
+################################################################################
+
 
 #####################################################
 #
@@ -136,14 +149,20 @@
 # Identity that is owner of any created namespaces for topics
 aaf.NsOwnerIdentity: {{ .Values.adminUser }}
 
-# location of the codec keyfile used to decrypt passwords in this properties file before they are passed to AAF
-CredentialCodeKeyfile: etc/LocalKey
 
 # this overrides the Class used for Decryption.
 # This allows for a plugin encryption/decryption method if needed.
 # Call this Class for decryption at runtime.
 #AafDecryption.Class: com.company.proprietaryDecryptor
 
+# location of the codec keyfile used to decrypt passwords in this properties file before they are passed to AAF
+# Not used in ONAP, but possibly used with Decryption override class.
+#CredentialCodeKeyfile: etc/LocalKey
+
+#
+# endof AAF Properties
+####################################################
+
 
 #####################################################
 #
@@ -172,11 +191,53 @@
 # pwd for Identity used to publish MM prov cmds
 MM.ProvUserPwd: demo123456!
 
-# AAF Role of MirrorMaker agent subscribed to prov cmds
+# AAF Role of MirrorMaker agent subscribed to prov cmds.
 MM.AgentRole: org.onal.dmaap-bc-mm-prov.agent
 
 #####################################################
 #
+# Certificate Management
+#
+#####################################################
+
+# Indicates how we are expecting certificates to be provided:
+#  cadi - a set of artifacts will be downloaded from AAF at deployment time, and details will be in a cadi properties file
+#  legacy (default) - artifacts will be installed manually or some other way and details will be in this file
+CertificateManagement: cadi
+
+# When CertificateManagement is cadi, then this is where all the cadi properties will be.
+# Note that the cadi properties include where the cert is, and the encrypted passwords to read.
+cadi.properties: /opt/app/osaaf/local/org.onap.dmaap-bc.props
+
+###########################################################################################
+# When CertificateManagement is legacy, we need to provide more details about cert handling:
+#CertificateManagement: legacy
+# the type of keystore for https (for legacy CertificateManagment only)
+#KeyStoreType: jks
+
+# path to the keystore file (for legacy CertificateManagment only)
+#KeyStoreFile: etc/keystore
+
+# password for the https keystore (for legacy CertificateManagment only)
+#KeyStorePassword:  Y@Y5f&gm?PAz,CVQL,lk[VAF
+# password for the private key in the https keystore (for legacy CertificateManagment only)
+#KeyPassword: changeit
+
+# type of truststore for https (for legacy CertificateManagment only)
+#TrustStoreType: jks
+
+# path to the truststore for https (for legacy CertificateManagment only)
+#TrustStoreFile: etc/org.onap.dmaap-bc.trust.jks
+
+# password for the https truststore (for legacy CertificateManagment only)
+#TrustStorePassword: changeit
+#
+# END OF legacy CertificateManagement properties
+###########################################################################################
+
+
+#####################################################
+#
 # HTTP Server Configuration
 #
 #####################################################
@@ -191,30 +252,24 @@
 # set to 0 if no certificates are available.
 IntHttpsPort: 8443
 
-# external port number for https taking port mapping into account
-ExtHttpsPort: 443
 
-# the type of keystore for https
-KeyStoreType: jks
-
-# path to the keystore file
-KeyStoreFile: etc/keystore
-
-# password for the https keystore
-KeyStorePassword:  Y@Y5f&gm?PAz,CVQL,lk[VAF
-# password for the private key in the https keystore
-KeyPassword: Y@Y5f&gm?PAz,CVQL,lk[VAF
-
-# type of truststore for https
-TrustStoreType: jks
-
-# path to the truststore for https
-TrustStoreFile: etc/org.onap.dmaap-bc.trust.jks
-
-# password for the https truststore
-TrustStorePassword: 8b&R5%l$l:@jSWz@FCs;rhY*
-
-# path to the file used to trigger an orderly shutdown
-QuiesceFile: etc/SHUTDOWN
 
 inHttpsPort: 0
+
+#####################################################
+#
+# Deprecated
+#
+#####################################################
+# csit: stubs out some southbound APIs for csit  (deprecated)
+#csit: No
+# name of this DMaaP instance (deprecated)
+#DmaapName: demo
+# external port number for https taking port mapping into account  (deprecated)
+#ExtHttpsPort: 443
+# path to the file used to trigger an orderly shutdown (deprecated)
+#QuiesceFile: etc/SHUTDOWN
+# FQDN of DR Prov Server (deprecated)
+#DR.provhost: dcae-drps.domain.not.set
+# root of topic namespace (decrecated)
+#topicNsRoot: org.onap.dcae.dmaap
diff --git a/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml b/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml
index 3e08185..ea2720f 100644
--- a/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml
+++ b/kubernetes/dmaap/components/dmaap-bc/templates/deployment.yaml
@@ -48,7 +48,7 @@
         command: ["bash","-c","exec /opt/app/aaf_config/bin/agent.sh"]
         volumeMounts:
         - mountPath: {{ .Values.persistence.aafCredsPath }}
-          name: {{ include "common.name" . }}-aaf-config
+          name: {{ include "common.name" . }}-aaf-config-vol
         env:
         - name: APP_FQI
           value: "{{ .Values.aafConfig.fqi }}"
@@ -75,6 +75,26 @@
           value: "{{ .Values.aafConfig.cadiLongitude }}"
         - name: cadi_latitude
           value: "{{ .Values.aafConfig.cadiLatitude }}"
+      - name: {{ include "common.name" . }}-permission-fixer
+        image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        volumeMounts:
+        - mountPath: {{ .Values.persistence.aafCredsPath }}
+          name: {{ include "common.name" . }}-aaf-config-vol
+        command: ["chown","-Rf","1000:1001", "/opt/app/"]
+#       See AAF-425 for explanation of why this is needed.
+#       This artifact is provisioned in AAF for both pks12 and jks format and apparently
+#       the cadi library is not using the jks password on the jks keystore.
+#       So, this attempts to "fix" the credential property file until this is fixed properly.
+      - name: {{ include "common.name" . }}-cred-fixer
+        image: "{{ .Values.global.busyBoxRepository }}/{{ .Values.global.busyBoxImage }}"
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+        volumeMounts:
+        - mountPath: {{ .Values.persistence.aafCredsPath }}
+          name: {{ include "common.name" . }}-aaf-config-vol
+        command: ["/bin/sh"]
+        args: [ "-c", "sed -i -e '/cadi_keystore_password=/d' -e '/cadi_keystore_password_jks/p' -e 's/cadi_keystore_password_jks/cadi_keystore_password/' -e 's/dmaap-bc.p12/dmaap-bc.jks/' /opt/app/osaaf/local/org.onap.dmaap-bc.cred.props" ]
+
 {{- end }}
 {{- if .Values.PG.enabled }}
       - name: {{ include "common.name" . }}-postgres-readiness
@@ -95,7 +115,7 @@
 {{- end }}
       containers:
         - name: {{ include "common.name" . }}
-          image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+          image: "{{ .Values.repository }}/{{ .Values.image }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           ports: {{ include "common.containerPorts" . | nindent 10  }}
           {{ if eq .Values.liveness.enabled true -}}
@@ -118,13 +138,12 @@
           - mountPath: /etc/localtime
             name: localtime
             readOnly: true
+          - mountPath: {{ .Values.persistence.aafCredsPath }}
+            name: {{ include "common.name" . }}-aaf-config-vol
 # NOTE: on the following several configMaps, careful to include / at end
 #       since there may be more than one file in each mountPath
           - name: {{ include "common.name" . }}-config
             mountPath: /opt/app/config/conf/
-          - name: {{ include "common.name" . }}-aaf-config
-            mountPath: /opt/app/dmaapbc/etc/org.onap.dmaap-bc.props
-            subPath: org.onap.dmaap-bc.props
           resources: {{ include "common.resources" . | nindent 12 }}
         {{- if .Values.nodeSelector }}
         nodeSelector: {{ toYaml .Values.nodeSelector | nindent 10 }}
@@ -139,8 +158,7 @@
         - name: {{ include "common.name" . }}-config
           configMap:
             name: {{ include "common.fullname" . }}-config
-        - name: {{ include "common.name" . }}-aaf-config
-          configMap:
-            name: {{ include "common.fullname" . }}-aaf-config
+        - name: {{ include "common.name" . }}-aaf-config-vol
+          emptyDir: {}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/dmaap/components/dmaap-bc/values.yaml b/kubernetes/dmaap/components/dmaap-bc/values.yaml
index 28c77eb..3a18787 100644
--- a/kubernetes/dmaap/components/dmaap-bc/values.yaml
+++ b/kubernetes/dmaap/components/dmaap-bc/values.yaml
@@ -30,7 +30,8 @@
 
 # application images
 repository: nexus3.onap.org:10001
-image: onap/dmaap/dmaap-bc:2.0.3
+#repository:  10.12.7.57:5000
+image: onap/dmaap/dmaap-bc:2.0.4
 
 
 # application configuration
@@ -49,7 +50,7 @@
 
 #AAF local config
 aafConfig:
-  aafDeployFqi: dmaap-bc@dmaap-bc.onap.org
+  aafDeployFqi: deployer@people.osaaf.org
   aafDeployPass: demo123456!
   fqdn: dmaap-bc
   fqi: dmaap-bc@dmaap-bc.onap.org
@@ -58,7 +59,7 @@
   cadiLongitude: 0.0
 
 persistence:
-  aafCredsPath: /opt/app/osaaf/local
+  aafCredsPath: /opt/app/osaaf/local/
 
 # for Casablanca default deployment, leave this true to
 # get a topic namespace that matches MR.  When set to false,