[DMAAP][MR] Retrieve certs automatically

Instead of hardcoding certificates inside the container, use cert
initializer in order to retrieve them automatically at start.

Issue-ID: DMAAP-1547
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: I7fcb8831539d8d9d5d25bcaae44a3c66672f7b1a
diff --git a/kubernetes/dmaap/components/message-router/components/message-router-kafka/requirements.yaml b/kubernetes/dmaap/components/message-router/components/message-router-kafka/requirements.yaml
index 343812d..68c3169 100644
--- a/kubernetes/dmaap/components/message-router/components/message-router-kafka/requirements.yaml
+++ b/kubernetes/dmaap/components/message-router/components/message-router-kafka/requirements.yaml
@@ -20,6 +20,9 @@
     # a part of this chart's package and will not
     # be published independently to a repo (at this point)
     repository: '@local'
+  - name: certInitializer
+    version: ~8.x-0
+    repository: '@local'
   - name: repositoryGenerator
     version: ~8.x-0
     repository: '@local'
diff --git a/kubernetes/dmaap/components/message-router/components/message-router-kafka/resources/config/cadi.properties b/kubernetes/dmaap/components/message-router/components/message-router-kafka/resources/config/cadi.properties
deleted file mode 100644
index 2bee404..0000000
--- a/kubernetes/dmaap/components/message-router/components/message-router-kafka/resources/config/cadi.properties
+++ /dev/null
@@ -1,18 +0,0 @@
-aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1
-aaf_env=DEV
-aaf_lur=org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm
-
-cadi_truststore=/etc/kafka/secrets/cert/org.onap.dmaap.mr.trust.jks
-cadi_truststore_password=enc:mN6GiIzFQxKGDzAXDOs7b4j8DdIX02QrZ9QOWNRpxV3rD6whPCfizSMZkJwxi_FJ
-
-cadi_keyfile=/etc/kafka/secrets/cert/org.onap.dmaap.mr.keyfile
-
-cadi_alias=dmaapmr@mr.dmaap.onap.org
-cadi_keystore=/etc/kafka/secrets/cert/org.onap.dmaap.mr.p12
-cadi_keystore_password=enc:_JJT2gAEkRzXla5xfDIHal8pIoIB5iIos3USvZQT6sL-l14LpI5fRFR_QIGUCh5W
-cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US
-
-cadi_loglevel=INFO
-cadi_protocols=TLSv1.1,TLSv1.2
-cadi_latitude=37.78187
-cadi_longitude=-122.26147
\ No newline at end of file
diff --git a/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/configmap.yaml b/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/configmap.yaml
index b5eed38..d881fef 100644
--- a/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/configmap.yaml
+++ b/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/configmap.yaml
@@ -18,19 +18,6 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "common.fullname" . }}-cadi-prop-configmap
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/cadi.properties").AsConfig . | indent 2 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
   name: {{ include "common.fullname" . }}-jaas-configmap
   namespace: {{ include "common.namespace" . }}
   labels:
@@ -57,7 +44,6 @@
 {{ tpl (.Files.Glob "resources/jaas/zk_client_jaas.conf").AsConfig . | indent 2 }}
 ---
 {{- end }}
-
 {{- if  .Values.prometheus.jmx.enabled }}
 apiVersion: v1
 kind: ConfigMap
diff --git a/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/statefulset.yaml
index 1eabe3a..62a25e6 100644
--- a/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/statefulset.yaml
+++ b/kubernetes/dmaap/components/message-router/components/message-router-kafka/templates/statefulset.yaml
@@ -97,6 +97,7 @@
         image: {{ include "repositoryGenerator.image.envsubst" . }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}-update-config
+      {{ include "common.certInitializer.initContainer" . | indent 6 | trim }}
       containers:
       {{- if .Values.prometheus.jmx.enabled }}
       - name: prometheus-jmx-exporter
@@ -129,6 +130,7 @@
         - |
           export KAFKA_BROKER_ID=${HOSTNAME##*-} && \
           {{- if  .Values.global.aafEnabled }}
+          cp {{ .Values.certInitializer.credsPath }}/{{ .Values.certInitializer.final_cadi_files }} /etc/kafka/data/{{ .Values.certInitializer.final_cadi_files }} && \
           export KAFKA_ADVERTISED_LISTENERS=EXTERNAL_SASL_PLAINTEXT://$(HOST_IP):$(( $KAFKA_BROKER_ID + {{ .Values.service.baseNodePort }} )),INTERNAL_SASL_PLAINTEXT://:{{ .Values.service.internalPort }} && \
           {{ else }}
           export KAFKA_ADVERTISED_LISTENERS=EXTERNAL_PLAINTEXT://$(HOST_IP):$(( $KAFKA_BROKER_ID + {{ .Values.service.baseNodePort }} )),INTERNAL_PLAINTEXT://:{{ .Values.service.internalPort }} && \
@@ -143,7 +145,7 @@
         - containerPort: {{ .Values.jmx.port }}
           name: jmx
         {{- end }}
-       {{ if eq .Values.liveness.enabled true }}
+        {{ if eq .Values.liveness.enabled true }}
         livenessProbe:
           tcpSocket:
             port: {{ .Values.service.internalPort }}
@@ -167,8 +169,6 @@
           value: {{ include "common.release" . }}-{{.Values.zookeeper.name}}-0.{{.Values.zookeeper.name}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.zookeeper.port}},{{ include "common.release" . }}-{{.Values.zookeeper.name}}-1.{{.Values.zookeeper.name}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.zookeeper.port}},{{ include "common.release" . }}-{{.Values.zookeeper.name}}-2.{{.Values.zookeeper.name}}.{{.Release.Namespace}}.svc.cluster.local:{{.Values.zookeeper.port}}
         - name: KAFKA_CONFLUENT_SUPPORT_METRICS_ENABLE
           value: "{{ .Values.kafka.enableSupport }}"
-        - name: KAFKA_OPTS
-          value: "{{ .Values.kafka.jaasOptions }}"
         {{- if  .Values.global.aafEnabled }}
         - name: KAFKA_OPTS
           value: "{{ .Values.kafka.jaasOptionsAaf }}"
@@ -206,17 +206,12 @@
         {{- end }}
         - name: enableCadi
           value: "{{ .Values.global.aafEnabled }}"
-        volumeMounts:
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
         - mountPath: /etc/localtime
           name: localtime
           readOnly: true
         - mountPath: /var/run/docker.sock
           name: docker-socket
-        {{- if .Values.global.aafEnabled }}
-        - mountPath: /etc/kafka/data/cadi.properties
-          subPath: cadi.properties
-          name: cadi
-        {{ end  }}
         - name: jaas-config
           mountPath: /etc/kafka/secrets/jaas
         - mountPath: /var/lib/kafka/data
@@ -225,7 +220,7 @@
       tolerations:
         {{ toYaml .Values.tolerations | indent 10 }}
       {{- end }}
-      volumes:
+      volumes:  {{ include "common.certInitializer.volumes" . | nindent 6 }}
       - name: localtime
         hostPath:
           path: /etc/localtime
@@ -243,11 +238,11 @@
       - name: jaas
         configMap:
           name: {{ include "common.fullname" . }}-jaas-configmap
-       {{- if .Values.prometheus.jmx.enabled }}
+      {{- if .Values.prometheus.jmx.enabled }}
       - name: jmx-config
         configMap:
           name: {{ include "common.fullname" . }}-prometheus-configmap
-       {{- end }}
+      {{- end }}
 {{ if not .Values.persistence.enabled }}
       - name: kafka-data
         emptyDir: {}
diff --git a/kubernetes/dmaap/components/message-router/components/message-router-kafka/values.yaml b/kubernetes/dmaap/components/message-router/components/message-router-kafka/values.yaml
index 6c3cbc3..fa3218b 100644
--- a/kubernetes/dmaap/components/message-router/components/message-router-kafka/values.yaml
+++ b/kubernetes/dmaap/components/message-router/components/message-router-kafka/values.yaml
@@ -20,6 +20,35 @@
   nodePortPrefix: 302
   persistence: {}
 
+
+#################################################################
+# AAF part
+#################################################################
+certInitializer:
+  nameOverride: dmaap-mr-kafka-cert-initializer
+  aafDeployFqi: deployer@people.osaaf.org
+  aafDeployPass: demo123456!
+  # aafDeployCredsExternalSecret: some secret
+  fqdn: dmaap-mr
+  fqi: dmaapmr@mr.dmaap.onap.org
+  public_fqdn: mr.dmaap.onap.org
+  cadi_longitude: "-122.26147"
+  cadi_latitude: "37.78187"
+  app_ns: org.osaaf.aaf
+  credsPath: /opt/app/osaaf/local
+  fqi_namespace: org.onap.dmaap.mr
+  final_cadi_files: cadi.properties
+  aaf_add_config: |
+    echo "*** concat the three prop files"
+    cd {{ .Values.credsPath }}
+    cat {{ .Values.fqi_namespace }}.props > {{ .Values.final_cadi_files }}
+    cat {{ .Values.fqi_namespace }}.cred.props >> {{ .Values.final_cadi_files }}
+    cat {{ .Values.fqi_namespace }}.location.props >> {{ .Values.final_cadi_files }}
+    echo "*** configuration result:"
+    cat {{ .Values.final_cadi_files }}
+    chown -R 1000 .
+
+
 #################################################################
 # Application configuration defaults.
 #################################################################
diff --git a/kubernetes/dmaap/components/message-router/requirements.yaml b/kubernetes/dmaap/components/message-router/requirements.yaml
index fd0ae68..5adbb62 100644
--- a/kubernetes/dmaap/components/message-router/requirements.yaml
+++ b/kubernetes/dmaap/components/message-router/requirements.yaml
@@ -1,5 +1,6 @@
 # Copyright © 2017 Amdocs, Bell Canada
 # Modifications Copyright © 2018 AT&T
+# Modifications Copyright © 2021 Orange
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,6 +21,9 @@
     # a part of this chart's package and will not
     # be published independently to a repo (at this point)
     repository: '@local'
+  - name: certInitializer
+    version: ~8.x-0
+    repository: '@local'
   - name: repositoryGenerator
     version: ~8.x-0
     repository: '@local'
diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/cadi.properties b/kubernetes/dmaap/components/message-router/resources/config/dmaap/cadi.properties
deleted file mode 100755
index dca56c8..0000000
--- a/kubernetes/dmaap/components/message-router/resources/config/dmaap/cadi.properties
+++ /dev/null
@@ -1,19 +0,0 @@
-aaf_locate_url=https://aaf-locate.{{ include "common.namespace" . }}:8095
-aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1
-aaf_env=DEV
-aaf_lur=org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm
-
-cadi_truststore=/appl/dmaapMR1/etc/org.onap.dmaap.mr.trust.jks
-cadi_truststore_password=enc:mN6GiIzFQxKGDzAXDOs7b4j8DdIX02QrZ9QOWNRpxV3rD6whPCfizSMZkJwxi_FJ
-
-cadi_keyfile=/appl/dmaapMR1/etc/org.onap.dmaap.mr.keyfile
-
-cadi_alias=dmaapmr@mr.dmaap.onap.org
-cadi_keystore=/appl/dmaapMR1/etc/org.onap.dmaap.mr.p12
-cadi_keystore_password=enc:_JJT2gAEkRzXla5xfDIHal8pIoIB5iIos3USvZQT6sL-l14LpI5fRFR_QIGUCh5W
-cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US
-
-cadi_loglevel=INFO
-cadi_protocols=TLSv1.1,TLSv1.2
-cadi_latitude=37.78187
-cadi_longitude=-122.26147
\ No newline at end of file
diff --git a/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties b/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties
new file mode 100644
index 0000000..cd88565
--- /dev/null
+++ b/kubernetes/dmaap/components/message-router/resources/config/dmaap/sys-props.properties
@@ -0,0 +1,165 @@
+###############################################################################
+#  ============LICENSE_START=======================================================
+#  org.onap.dmaap
+#  ================================================================================
+#  Copyright (c) 2017-201 AT&T Intellectual Property. All rights reserved.
+#  Copyright (c) 2021 Orange Intellectual Property. All rights reserved.
+#  ================================================================================
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+#  ============LICENSE_END=========================================================
+#
+#  ECOMP is a trademark and service mark of AT&T Intellectual Property.
+#
+###############################################################################
+#This file is used for defining AJSC system properties for different configuration schemes and is necessary for the AJSC to run properly.
+#The sys-props.properties file is used for running locally. The template.sys-props.properties file will be used when deployed
+#to a SOA/CSI Cloud node. For more information,
+
+#AJSC System Properties. The following properties are required for ALL AJSC services. If you are adding System Properties for your
+#particular service, please add them AFTER all AJSC related System Properties.
+
+#For Cadi Authorization, use value="authentication-scheme-1
+CadiAuthN=authentication-scheme-1
+
+#For Basic Authorization, use value="authentication-scheme-1
+authN=authentication-scheme-2
+
+#Persistence used for AJSC meta-data storage. For most environments, "file" should be used.
+ajscPersistence=file
+
+# If using hawtio for local development, these properties will allow for faster server startup and usage for local development
+hawtio.authenticationEnabled=false
+hawtio.config.pullOnStartup=false
+
+#Removes the extraneous restlet console output
+org.restlet.engine.loggerFacadeClass=org.restlet.ext.slf4j.Slf4jLoggerFacade
+
+#server.host property to be enabled for local DME2 related testing
+#server.host=<Your network IP address>
+
+#Enable/disable SSL (values=true/false). This property also determines which protocol to use (https if true, http otherwise), to register services into GRM through DME2.
+enableSSL=false
+
+#Enable/disable csi logging (values=true/false). This can be disabled during local development
+csiEnable=false
+
+#Enable/disable CAET This can be disabled during local development
+isCAETEnable=true
+
+#Enable/disable EJB Container
+ENABLE_EJB=false
+
+#Enable/disable OSGI
+isOSGIEnable=false
+
+#Configure JMS Queue (WMQ/TIBCO)
+JMS_BROKER=WMQ
+
+#Generate/Skip api docs
+isApiDoc=false
+
+
+#WMQ connectivity
+JMS_WMQ_PROVIDER_URL=aftdsc://AFTUAT/34.07/-84.28
+JMS_WMQ_CONNECTION_FACTORY_NAME=aftdsc://AFTUAT/?service=CSILOG,version=1.0,bindingType=fusionBus,envContext=Q,Q30A=YES
+JMS_WMQ_INITIAL_CONNECTION_FACTORY_NAME=com.att.aft.jms.FusionCtxFactory
+JMS_WMQ_AUDIT_DESTINATION_NAME=queue:///CSILOGQL.M2E.DASHBOARD01.NOT.Q30A
+JMS_WMQ_PERF_DESTINATION_NAME=queue:///CSILOGQL.M2E.PERFORMANCE01.NOT.Q30A
+
+#CSI related variables for CSM framework
+csm.hostname=d1a-m2e-q112m2e1.edc.cingular.net
+
+#Enable/disable endpoint level logging (values=true/false). This can be disabled during local development
+endpointLogging=false
+
+#Enable/disable trail logging and trail logging summary
+enableTrailLogging=false
+enableTrailLoggingSummary=false
+
+#SOA_CLOUD_ENV is used to register your service with dme2 and can be turned off for local development (values=true/false).
+SOA_CLOUD_ENV=false
+
+#CONTINUE_ON_LISTENER_EXCEPTION will exit the application if there is a DME2 exception at the time of registration.
+CONTINUE_ON_LISTENER_EXCEPTION=false
+
+#Jetty Container ThreadCount Configuration Variables
+AJSC_JETTY_ThreadCount_MIN=1
+AJSC_JETTY_ThreadCount_MAX=200
+AJSC_JETTY_IDLETIME_MAX=3000
+
+#Camel Context level default threadPool Profile configuration
+CAMEL_POOL_SIZE=10
+CAMEL_MAX_POOL_SIZE=20
+CAMEL_KEEP_ALIVE_TIME=60
+CAMEL_MAX_QUEUE_SIZE=1000
+
+#File Monitor configurations
+ssf_filemonitor_polling_interval=5
+ssf_filemonitor_threadpool_size=10
+
+#GRM/DME2 System Properties
+AFT_DME2_CONN_IDLE_TIMEOUTMS=5000
+AJSC_ENV=SOACLOUD
+
+SOACLOUD_NAMESPACE=org.onap.dmaap.dev
+SOACLOUD_ENV_CONTEXT=TEST
+SOACLOUD_PROTOCOL=http
+SOACLOUD_ROUTE_OFFER=DEFAULT
+
+AFT_LATITUDE=23.4
+AFT_LONGITUDE=33.6
+AFT_ENVIRONMENT=AFTUAT
+
+#Restlet Component Default Properties
+RESTLET_COMPONENT_CONTROLLER_DAEMON=true
+RESTLET_COMPONENT_CONTROLLER_SLEEP_TIME_MS=100
+RESTLET_COMPONENT_INBOUND_BUFFER_SIZE=8192
+RESTLET_COMPONENT_MIN_THREADS=1
+RESTLET_COMPONENT_MAX_THREADS=10
+RESTLET_COMPONENT_LOW_THREADS=8
+RESTLET_COMPONENT_MAX_QUEUED=0
+RESTLET_COMPONENT_MAX_CONNECTIONS_PER_HOST=-1
+RESTLET_COMPONENT_MAX_TOTAL_CONNECTIONS=-1
+RESTLET_COMPONENT_OUTBOUND_BUFFER_SIZE=8192
+RESTLET_COMPONENT_PERSISTING_CONNECTIONS=true
+RESTLET_COMPONENT_PIPELINING_CONNECTIONS=false
+RESTLET_COMPONENT_THREAD_MAX_IDLE_TIME_MS=60000
+RESTLET_COMPONENT_USE_FORWARDED_HEADER=false
+RESTLET_COMPONENT_REUSE_ADDRESS=true
+
+#Externalized jar and properties file location. In CSI environments, there are a few libs that have been externalized to aid
+#in CSTEM maintenance of the versions of these libs. The most important to the AJSC is the DME2 lib. Not only is this lib necessary
+#for proper registration of your AJSC service on a node, but it is also necessary for running locally as well. Another framework
+#used in CSI envs is the CSM framework. These 2 framework libs are shown as "provided" dependencies within the pom.xml. These
+#dependencies will be copied into the target/commonLibs folder with the normal "mvn clean package" goal of the AJSC. They will
+#then be added to the classpath via AJSC_EXTERNAL_LIB_FOLDERS system property. Any files (mainly property files) that need
+#to be on the classpath should be added to the AJSC_EXTERNAL_PROPERTIES_FOLDERS system property. The default scenario when
+#testing your AJSC service locally will utilize the target/commonLibs directory for DME2 and CSM related artifacts and 2
+#default csm properties files will be used for local testing with anything CSM knorelated.
+#NOTE: we are using maven-replacer-plugin to replace "(doubleUnderscore)basedir(doubleUnderscore)" with ${basedir} within the
+#target directory for running locally. Multiple folder locations can be separated by the pipe ("|") character.
+#Please, NOTE: for running locally, we are setting this system property in the antBuild/build.xml "runLocal" target and in the
+#"runAjsc" profile within the pom.xml. This is to most effectively use maven variables (${basedir}, most specifically. Therefore,
+#when running locally, the following 2 properties should be set within the profile(s) themselves.
+#Example: target/commonLibs|target/otherLibs
+#AJSC_EXTERNAL_LIB_FOLDERS=__basedir__/target/commonLibs
+#AJSC_EXTERNAL_PROPERTIES_FOLDERS=__basedir__/ajsc-shared-config/etc
+#End of AJSC System Properties
+
+#Service System Properties. Please, place any Service related System Properties below.
+
+#msgrtr content length and error message
+#100mb
+maxcontentlength=10000
+msg_size_exceeds=Message size exceeds the default size.
+forceAAF=false
+cadi_prop_files={{.Values.certInitializer.appMountPath}}/local/{{.Values.certInitializer.fqi_namespace}}.properties
\ No newline at end of file
diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml b/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml
new file mode 100644
index 0000000..49196e4
--- /dev/null
+++ b/kubernetes/dmaap/components/message-router/resources/config/etc/ajsc-jetty.xml
@@ -0,0 +1,138 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- {{/*
+    ============LICENSE_START=======================================================
+    org.onap.dmaap
+    ================================================================================
+    Copyright © 2017-2021 AT&T Intellectual Property. All rights reserved.
+    Copyright © 2021 Orange Intellectual Property. All rights reserved.
+    ================================================================================
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+          http://www.apache.org/licenses/LICENSE-2.0
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+    ============LICENSE_END=========================================================
+    ECOMP is a trademark and service mark of AT&T Intellectual Property.
+*/}}
+-->
+
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
+<Configure id="ajsc-server" class="org.eclipse.jetty.server.Server">
+  <!-- DO NOT REMOVE!!!! This is setting up the AJSC Context -->
+  <New id="ajscContext" class="org.eclipse.jetty.webapp.WebAppContext">
+    <Set name="contextPath"><SystemProperty name="AJSC_CONTEXT_PATH" /></Set>
+    <Set name="extractWAR">true</Set>
+    <Set name="tempDirectory"><SystemProperty name="AJSC_TEMP_DIR" /></Set>
+    <Set name="war"><SystemProperty name="AJSC_WAR_PATH" /></Set>
+    <Set name="descriptor"><SystemProperty name="AJSC_HOME" />/etc/runner-web.xml</Set>
+    <Set name="overrideDescriptor"><SystemProperty name="AJSC_HOME" />/etc/ajsc-override-web.xml</Set>
+    <Set name="throwUnavailableOnStartupException">true</Set>
+    <Set name="extraClasspath"><SystemProperty name="AJSC_HOME" />/extJars/json-20131018.jar</Set>
+    <Set name="servletHandler">
+      <New class="org.eclipse.jetty.servlet.ServletHandler">
+        <Set name="startWithUnavailable">false</Set>
+      </New>
+    </Set>
+  </New>
+
+  <Set name="handler">
+    <New id="Contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
+      <Set name="Handlers">
+        <Array type="org.eclipse.jetty.webapp.WebAppContext">
+          <Item>
+            <Ref refid="ajscContext" />
+          </Item>
+        </Array>
+      </Set>
+    </New>
+  </Set>
+
+  <Call name="addBean">
+    <Arg>
+      <New id="DeploymentManager" class="org.eclipse.jetty.deploy.DeploymentManager">
+        <Set name="contexts">
+          <Ref refid="Contexts" />
+        </Set>
+        <Call id="extAppHotDeployProvider" name="addAppProvider">
+          <Arg>
+            <New class="org.eclipse.jetty.deploy.providers.WebAppProvider">
+              <Set name="monitoredDirName"><SystemProperty name="AJSC_HOME" />/extApps</Set>
+              <Set name="scanInterval">10</Set>
+              <Set name="extractWars">true</Set>
+            </New>
+          </Arg>
+        </Call>
+      </New>
+    </Arg>
+  </Call>
+
+  <Call name="addConnector">
+    <Arg>
+      <New class="org.eclipse.jetty.server.ServerConnector">
+        <Arg name="server">
+          <Ref refid="ajsc-server" />
+        </Arg>
+        <Set name="port"><SystemProperty name="AJSC_HTTP_PORT" default="8080" /></Set>
+      </New>
+    </Arg>
+  </Call>
+
+
+  <!-- SSL Keystore configuration -->
+
+  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
+    <Set name="KeyStorePath">{{.Values.certInitializer.appMountPath}}/local/{{.Values.certInitializer.fqi_namespace}}.jks</Set>
+    <Set name="KeyStorePassword">${KEYSTORE_PASSWORD}</Set>
+    <Set name="KeyManagerPassword">${KEYSTORE_PASSWORD}</Set>
+    <Set name="WantClientAuth">true</Set>
+  </New>
+  <Call id="sslConnector" name="addConnector">
+    <Arg>
+      <New class="org.eclipse.jetty.server.ServerConnector">
+        <Arg name="server">
+          <Ref refid="ajsc-server" />
+        </Arg>
+        <Arg name="factories">
+          <Array type="org.eclipse.jetty.server.ConnectionFactory">
+            <Item>
+              <New class="org.eclipse.jetty.server.SslConnectionFactory">
+                <Arg name="next">http/1.1</Arg>
+                <Arg name="sslContextFactory">
+                  <Ref refid="sslContextFactory" />
+                </Arg>
+              </New>
+            </Item>
+            <Item>
+              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
+                <Arg name="config">
+                  <New class="org.eclipse.jetty.server.HttpConfiguration">
+                    <Call name="addCustomizer">
+                      <Arg>
+                        <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
+                      </Arg>
+                    </Call>
+                  </New>
+                </Arg>
+              </New>
+            </Item>
+          </Array>
+        </Arg>
+        <Set name="port"><SystemProperty name="AJSC_HTTPS_PORT" default="0" /></Set>
+        <Set name="idleTimeout">30000</Set>
+      </New>
+    </Arg>
+  </Call>
+
+
+  <Get name="ThreadPool">
+    <Set name="minThreads"><SystemProperty name="AJSC_JETTY_ThreadCount_MIN" /></Set>
+    <Set name="maxThreads"><SystemProperty name="AJSC_JETTY_ThreadCount_MAX" /></Set>
+    <Set name="idleTimeout"><SystemProperty name="AJSC_JETTY_IDLETIME_MAX" /></Set>
+    <Set name="detailedDump">false</Set>
+  </Get>
+
+</Configure>
diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties b/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties
new file mode 100644
index 0000000..596a316
--- /dev/null
+++ b/kubernetes/dmaap/components/message-router/resources/config/etc/cadi.properties
@@ -0,0 +1,19 @@
+aaf_locate_url=https://aaf-locate.onap:8095
+aaf_url=https://AAF_LOCATE_URL/onap.org.osaaf.aaf.service:2.1
+aaf_env=DEV
+aaf_lur=org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm
+
+cadi_truststore={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.trust.jks
+cadi_truststore_password=${TRUSTSTORE_PASSWORD}
+
+cadi_keyfile={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.keyfile
+
+cadi_alias={{ .Values.certInitializer.fqi }}
+cadi_keystore={{ .Values.certInitializer.appMountPath }}/local/{{ .Values.certInitializer.fqi_namespace }}.p12
+cadi_keystore_password=${KEYSTORE_PASSWORD_P12}
+cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US
+
+cadi_loglevel=INFO
+cadi_protocols=TLSv1.1,TLSv1.2
+cadi_latitude=37.78187
+cadi_longitude=-122.26147
diff --git a/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml b/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml
new file mode 100644
index 0000000..116c524
--- /dev/null
+++ b/kubernetes/dmaap/components/message-router/resources/config/etc/runner-web.xml
@@ -0,0 +1,108 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--{{/*
+    ============LICENSE_START=======================================================
+    org.onap.dmaap
+    ================================================================================
+    Copyright c 2017 AT&T Intellectual Property. All rights reserved.
+    Copyright c 2021 Orange Intellectual Property. All rights reserved.
+    ================================================================================
+    Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+          http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+    ============LICENSE_END=========================================================
+
+    ECOMP is a trademark and service mark of AT&T Intellectual Property.*/}}
+-->
+<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" metadata-complete="false" version="3.0">
+
+  <context-param>
+    <param-name>contextConfigLocation</param-name>
+    <param-value>/WEB-INF/spring-servlet.xml,
+          classpath:applicationContext.xml
+</param-value>
+  </context-param>
+
+  <context-param>
+    <param-name>spring.profiles.default</param-name>
+    <param-value>nooauth</param-value>
+  </context-param>
+
+  <listener>
+    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
+  </listener>
+
+  <servlet>
+    <servlet-name>ManagementServlet</servlet-name>
+    <servlet-class>ajsc.ManagementServlet</servlet-class>
+  </servlet>
+
+  <filter>
+    <filter-name>WriteableRequestFilter</filter-name>
+    <filter-class>com.att.ajsc.csi.writeablerequestfilter.WriteableRequestFilter</filter-class>
+  </filter>
+
+  <filter>
+    <filter-name>InterceptorFilter</filter-name>
+    <filter-class>ajsc.filters.InterceptorFilter</filter-class>
+    <init-param>
+      <param-name>preProcessor_interceptor_config_file</param-name>
+      <param-value>/etc/PreProcessorInterceptors.properties</param-value>
+    </init-param>
+    <init-param>
+      <param-name>postProcessor_interceptor_config_file</param-name>
+      <param-value>/etc/PostProcessorInterceptors.properties</param-value>
+    </init-param>
+
+  </filter>
+
+  <!-- Content length filter for Msgrtr -->
+  <filter>
+    <display-name>DMaaPAuthFilter</display-name>
+    <filter-name>DMaaPAuthFilter</filter-name>
+    <filter-class>org.onap.dmaap.util.DMaaPAuthFilter</filter-class>
+    <init-param>
+      <param-name>cadi_prop_files</param-name>
+      <param-value>{{.Values.certInitializer.appMountPath}}/local/cadi.properties</param-value>
+    </init-param>
+  </filter>
+
+  <!-- End Content length filter for Msgrtr -->
+  <servlet>
+    <servlet-name>RestletServlet</servlet-name>
+    <servlet-class>ajsc.restlet.RestletSpringServlet</servlet-class>
+    <init-param>
+      <param-name>org.restlet.component</param-name>
+      <param-value>restletComponent</param-value>
+    </init-param>
+  </servlet>
+
+  <servlet>
+    <servlet-name>CamelServlet</servlet-name>
+    <servlet-class>ajsc.servlet.AjscCamelServlet</servlet-class>
+  </servlet>
+
+
+  <filter>
+    <filter-name>springSecurityFilterChain</filter-name>
+    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+  </filter>
+
+  <servlet>
+    <servlet-name>spring</servlet-name>
+    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
+    <load-on-startup>1</load-on-startup>
+  </servlet>
+
+  <servlet-mapping>
+    <servlet-name>spring</servlet-name>
+    <url-pattern>/</url-pattern>
+  </servlet-mapping>
+
+</web-app>
diff --git a/kubernetes/dmaap/components/message-router/templates/configmap.yaml b/kubernetes/dmaap/components/message-router/templates/configmap.yaml
index a253c51..75a5e22 100644
--- a/kubernetes/dmaap/components/message-router/templates/configmap.yaml
+++ b/kubernetes/dmaap/components/message-router/templates/configmap.yaml
@@ -30,20 +30,6 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "common.fullname" . }}-cadi-prop-configmap
-  namespace: {{ include "common.namespace" . }}
-  labels:
-    app: {{ include "common.name" . }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
-    release: {{ include "common.release" . }}
-    heritage: {{ .Release.Service }}
-data:
-{{ tpl (.Files.Glob "resources/config/dmaap/cadi.properties").AsConfig . | indent 2 }}
----
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
   name: {{ include "common.fullname" . }}-logback-xml-configmap
   namespace: {{ include "common.namespace" . }}
   labels:
@@ -54,7 +40,19 @@
 data:
 {{ tpl (.Files.Glob "resources/config/dmaap/logback.xml").AsConfig . | indent 2 }}
 ---
-
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.fullname" . }}-etc
+  namespace: {{ include "common.namespace" . }}
+  labels:
+    app: {{ include "common.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ include "common.release" . }}
+    heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/config/etc/*").AsConfig . | indent 2 }}
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -81,6 +79,19 @@
 data:
 {{ tpl (.Files.Glob "resources/topics/*.json").AsConfig . | indent 2 }}
 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.fullname" . }}-sys-props
+  namespace: {{ include "common.namespace" . }}
+  labels:
+    app: {{ include "common.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ include "common.release" . }}
+    heritage: {{ .Release.Service }}
+data:
+{{ tpl (.Files.Glob "resources/config/dmaap/sys-props.properties").AsConfig . | indent 2 }}
+---
 {{- if  .Values.prometheus.jmx.enabled }}
 apiVersion: v1
 kind: ConfigMap
@@ -96,5 +107,3 @@
 {{ tpl (.Files.Glob "resources/config/dmaap/jmx-mrservice-prometheus.yml").AsConfig . | indent 2 }}
 ---
 {{ end }}
-
-
diff --git a/kubernetes/dmaap/components/message-router/templates/statefulset.yaml b/kubernetes/dmaap/components/message-router/templates/statefulset.yaml
index e936ed2..706fe29 100644
--- a/kubernetes/dmaap/components/message-router/templates/statefulset.yaml
+++ b/kubernetes/dmaap/components/message-router/templates/statefulset.yaml
@@ -42,6 +42,24 @@
         image: {{ include "repositoryGenerator.image.readiness" . }}
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}-readiness
+      {{ include "common.certInitializer.initContainer" . | indent 6 | trim }}
+      {{- if  .Values.global.aafEnabled }}
+      - name: {{ include "common.name" . }}-update-config
+        command:
+        - sh
+        args:
+        - -c
+        - |
+          export $(cat {{ .Values.certInitializer.appMountPath }}/local/mycreds.prop | xargs -0);
+          cd /config-input  && for PFILE in `ls -1 .`; do envsubst <${PFILE} >/config/${PFILE}; done
+        volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 8 }}
+        - mountPath: /config
+          name: jetty
+        - mountPath: /config-input
+          name: etc
+        image: {{ include "repositoryGenerator.image.envsubst" . }}
+        imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+      {{- end }}
       containers:
       {{- if .Values.prometheus.jmx.enabled }}
         - name: prometheus-jmx-exporter
@@ -67,6 +85,16 @@
         - name: {{ include "common.name" . }}
           image: {{ include "repositoryGenerator.repository" . }}/{{ .Values.image }}
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          {{- if  .Values.global.aafEnabled }}
+          command:
+          - sh
+          args:
+          - -c
+          - |
+            cp /jetty-config/ajsc-jetty.xml /appl/dmaapMR1/etc/
+            cp /jetty-config/cadi.properties {{ .Values.certInitializer.appMountPath }}/local/cadi.properties
+            /bin/sh /appl/startup.sh
+          {{- end }}
           ports: {{ include "common.containerPorts" . | nindent 10  }}
           {{- if eq .Values.liveness.enabled true }}
           livenessProbe:
@@ -85,7 +113,7 @@
           env:
           - name: enableCadi
             value: "{{ .Values.global.aafEnabled }}"
-          volumeMounts:
+          volumeMounts: {{ include "common.certInitializer.volumeMount" . | nindent 10 }}
           - mountPath: /etc/localtime
             name: localtime
             readOnly: true
@@ -95,26 +123,31 @@
           - mountPath: /appl/dmaapMR1/bundleconfig/etc/logback.xml
             subPath: logback.xml
             name: logback
-          - mountPath: /appl/dmaapMR1/etc/cadi.properties
-            subPath: cadi.properties
-            name: cadi
           - mountPath: /appl/dmaapMR1/etc/keyfile
             subPath: mykey
             name: mykey
+          - mountPath: /appl/dmaapMR1/etc/runner-web.xml
+            subPath: runner-web.xml
+            name: etc
+          - mountPath: /appl/dmaapMR1/bundleconfig/etc/sysprops/sys-props.properties
+            subPath: sys-props.properties
+            name: sys-props
+          - mountPath: /jetty-config
+            name: jetty
           resources: {{ include "common.resources" . | nindent 12 }}
-      volumes:
+      volumes: {{ include "common.certInitializer.volumes" . | nindent 8 }}
         - name: localtime
           hostPath:
             path: /etc/localtime
         - name: appprops
           configMap:
             name: {{ include "common.fullname" . }}-msgrtrapi-prop-configmap
+        - name: etc
+          configMap:
+            name: {{ include "common.fullname" . }}-etc
         - name: logback
           configMap:
             name: {{ include "common.fullname" . }}-logback-xml-configmap
-        - name: cadi
-          configMap:
-            name: {{ include "common.fullname" . }}-cadi-prop-configmap
         {{- if .Values.prometheus.jmx.enabled }}
         - name: jmx-config
           configMap:
@@ -123,5 +156,10 @@
         - name: mykey
           secret:
             secretName: {{ include "common.fullname" . }}-secret
+        - name: sys-props
+          configMap:
+            name: {{ include "common.fullname" . }}-sys-props
+        - name: jetty
+          emptyDir: {}
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/dmaap/components/message-router/values.yaml b/kubernetes/dmaap/components/message-router/values.yaml
index c4bab23..daca621 100644
--- a/kubernetes/dmaap/components/message-router/values.yaml
+++ b/kubernetes/dmaap/components/message-router/values.yaml
@@ -19,6 +19,43 @@
 global:
   nodePortPrefix: 302
 
+
+#################################################################
+# AAF part
+#################################################################
+certInitializer:
+  nameOverride: dmaap-mr-cert-initializer
+  aafDeployFqi: deployer@people.osaaf.org
+  aafDeployPass: demo123456!
+  # aafDeployCredsExternalSecret: some secret
+  fqdn: dmaap-mr
+  fqi: dmaapmr@mr.dmaap.onap.org
+  public_fqdn: mr.dmaap.onap.org
+  cadi_longitude: "-122.26147"
+  cadi_latitude: "37.78187"
+  app_ns: org.osaaf.aaf
+  credsPath: /opt/app/osaaf/local
+  appMountPath: /appl/dmaapMR1/bundleconfig/etc/sysprops
+  fqi_namespace: org.onap.dmaap.mr
+  aaf_add_config: |
+    cd {{ .Values.credsPath }}
+    echo "*** change jks password into shell safe one"
+    export KEYSTORE_PASSWD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)
+    keytool -storepasswd -new "${KEYSTORE_PASSWD}" \
+      -storepass "${cadi_keystore_password_jks}" \
+      -keystore {{ .Values.fqi_namespace }}.jks
+    echo "*** set key password as same password as jks keystore password"
+      keytool -keypasswd -new "${KEYSTORE_PASSWD}" \
+        -keystore {{ .Values.fqi_namespace }}.jks \
+        -keypass "${cadi_keystore_password_jks}" \
+        -storepass "${KEYSTORE_PASSWD}" -alias {{ .Values.fqi }}
+    echo "*** store the passwords"
+    echo "KEYSTORE_PASSWORD=${KEYSTORE_PASSWD}" > mycreds.prop
+    echo "KEYSTORE_PASSWORD_P12=${cadi_keystore_password_p12}" >> mycreds.prop
+    echo "TRUSTSTORE_PASSWORD=${cadi_truststore_password}" >> mycreds.prop
+    echo "*** give ownership of files to the user"
+    chown -R 1000 .
+
 #################################################################
 # Application configuration defaults.
 #################################################################