Merge "[OOM] Automate certificate generation for CMPv2 Cert Service"
diff --git a/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml b/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml
index 0d30828..a7be74a 100644
--- a/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml
+++ b/kubernetes/dcaegen2/components/dcae-config-binding-service/values.yaml
@@ -44,7 +44,7 @@
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.configbinding:2.5.2
+image: onap/org.onap.dcaegen2.platform.configbinding:2.5.3
pullPolicy: Always
# probe configuration parameters
diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml
index e46901b..25e595f 100644
--- a/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml
+++ b/kubernetes/dcaegen2/components/dcae-dashboard/templates/deployment.yaml
@@ -105,7 +105,7 @@
successThreshold: 1
timeoutSeconds: 1
volumeMounts:
- - mountPath: /usr/local/share/ca-certificates/
+ - mountPath: /opt/app/osaaf/
name: tls-info
- mountPath: /opt/logs/dcae/dashboard
name: component-log
diff --git a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml
index 884a753..7aa9b68 100644
--- a/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml
+++ b/kubernetes/dcaegen2/components/dcae-dashboard/values.yaml
@@ -52,7 +52,7 @@
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.ccsdk.dashboard.ccsdk-app-os:1.3.2
+image: onap/org.onap.ccsdk.dashboard.ccsdk-app-os:1.4.0
pullPolicy: Always
# probe configuration parameters
diff --git a/kubernetes/dcaegen2/components/dcae-deployment-handler/values.yaml b/kubernetes/dcaegen2/components/dcae-deployment-handler/values.yaml
index fd70549..f281f6b 100644
--- a/kubernetes/dcaegen2/components/dcae-deployment-handler/values.yaml
+++ b/kubernetes/dcaegen2/components/dcae-deployment-handler/values.yaml
@@ -45,7 +45,7 @@
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.deployment-handler:4.3.0
+image: onap/org.onap.dcaegen2.platform.deployment-handler:4.4.1
pullPolicy: Always
# probe configuration parameters
diff --git a/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml b/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml
index ee2c03e..3fec537 100644
--- a/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml
+++ b/kubernetes/dcaegen2/components/dcae-inventory-api/values.yaml
@@ -53,7 +53,7 @@
#################################################################
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.inventory-api:3.4.1
+image: onap/org.onap.dcaegen2.platform.inventory-api:3.5.1
pullPolicy: Always
diff --git a/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml
index f373888..c717ca3 100644
--- a/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml
+++ b/kubernetes/dcaemod/components/dcaemod-distributor-api/values.yaml
@@ -35,7 +35,7 @@
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.mod.distributorapi:1.0.1
+image: onap/org.onap.dcaegen2.platform.mod.distributorapi:1.1.0
service:
type: ClusterIP
diff --git a/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml b/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml
index a83770e..161b362 100644
--- a/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml
+++ b/kubernetes/dcaemod/components/dcaemod-onboarding-api/values.yaml
@@ -92,7 +92,7 @@
# application image
repository: nexus3.onap.org:10001
-image: onap/org.onap.dcaegen2.platform.mod.onboardingapi:2.12.2
+image: onap/org.onap.dcaegen2.platform.mod.onboardingapi:2.12.3
# Resource Limit flavor -By Default using small
flavor: small
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index e699581..5f44954 100755
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -106,8 +106,8 @@
ingress:
enabled: false
virtualhost:
- enabled: true
- baseurl: "simpledemo.onap.org"
+ enabled: true
+ baseurl: "simpledemo.onap.org"
# Global Service Mesh configuration
# POC Mode, don't use it in production
@@ -141,6 +141,7 @@
requestURL: "https://oom-cert-service:8443/v1/certificate/"
requestTimeout: "30000"
keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
+ outputType: "P12"
keystorePassword: "secret"
truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
truststorePassword: "secret"
@@ -156,13 +157,12 @@
# default
centralizedLoggingEnabled: ¢ralizedLogging false
-
-# Example of specific for the components where you want to disable TLS only for
-# it:
-# if set this element will force or not tls even if global.serviceMesh.tls and
-# global.tlsEnabled is set otherwise.
-# robot:
-# tlsOverride: false
+ # Example of specific for the components where you want to disable TLS only for
+ # it:
+ # if set this element will force or not tls even if global.serviceMesh.tls and
+ # global.tlsEnabled is set otherwise.
+ # robot:
+ # tlsOverride: false
# Global storage configuration
# Set to "-" for default, or with the name of the storage class
diff --git a/kubernetes/platform/components/oom-cert-service/values.yaml b/kubernetes/platform/components/oom-cert-service/values.yaml
index 4a3a289..64ed1a3 100644
--- a/kubernetes/platform/components/oom-cert-service/values.yaml
+++ b/kubernetes/platform/components/oom-cert-service/values.yaml
@@ -117,6 +117,7 @@
#truststorePasswordExternalSecret:
# Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled
cmp:
+ # Used only if cmpv2 testing is enabled
clientIakExternalSecret: '{{ include "common.release" . }}-ejbca-client-iak'
#clientRvExternalSecret:
raIakExternalSecret: '{{ include "common.release" . }}-ejbca-ra-iak'
diff --git a/kubernetes/sdnc/resources/config/bin/startODL.sh b/kubernetes/sdnc/resources/config/bin/startODL.sh
index 6aa796a..a83fc92 100755
--- a/kubernetes/sdnc/resources/config/bin/startODL.sh
+++ b/kubernetes/sdnc/resources/config/bin/startODL.sh
@@ -162,6 +162,7 @@
fi
cp /opt/opendaylight/current/certs/* /tmp
+cp /var/custom-certs/* /tmp
nohup python ${SDNC_BIN}/installCerts.py &
diff --git a/kubernetes/sdnc/templates/statefulset.yaml b/kubernetes/sdnc/templates/statefulset.yaml
index 3b36b27..8eec50e 100644
--- a/kubernetes/sdnc/templates/statefulset.yaml
+++ b/kubernetes/sdnc/templates/statefulset.yaml
@@ -1,5 +1,5 @@
{{/*
-# Copyright © 2020 Samsung Electronics, highstreet technologies GmbH
+# Copyright © 2020 Samsung Electronics
# Copyright © 2017 Amdocs, Bell Canada
#
# Licensed under the Apache License, Version 2.0 (the "License");
@@ -94,6 +94,48 @@
{{ end -}}
{{ include "common.certInitializer.initContainer" . | indent 6 }}
+ {{ if .Values.global.cmpv2Enabled }}
+ - name: certs-init
+ image: "{{ .Values.global.repository }}/{{ .Values.global.platform.certServiceClient.image }}"
+ imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+ env:
+ - name: REQUEST_URL
+ value: {{ .Values.global.platform.certServiceClient.envVariables.requestURL }}
+ - name: REQUEST_TIMEOUT
+ value: "30000"
+ - name: OUTPUT_PATH
+ value: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
+ - name: CA_NAME
+ value: {{ .Values.global.platform.certServiceClient.envVariables.caName }}
+ - name: COMMON_NAME
+ value: {{ .Values.global.platform.certServiceClient.envVariables.common_name }}
+ - name: ORGANIZATION
+ value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Organization }}
+ - name: ORGANIZATION_UNIT
+ value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2OrganizationalUnit }}
+ - name: LOCATION
+ value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Location }}
+ - name: STATE
+ value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2State }}
+ - name: COUNTRY
+ value: {{ .Values.global.platform.certServiceClient.envVariables.cmpv2Country }}
+ - name: KEYSTORE_PATH
+ value: {{ .Values.global.platform.certServiceClient.envVariables.keystorePath }}
+ - name: KEYSTORE_PASSWORD
+ value: {{ .Values.global.platform.certServiceClient.envVariables.keystorePassword }}
+ - name: TRUSTSTORE_PATH
+ value: {{ .Values.global.platform.certServiceClient.envVariables.truststorePath }}
+ - name: TRUSTSTORE_PASSWORD
+ value: {{ .Values.global.platform.certServiceClient.envVariables.truststorePassword }}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
+ name: certs
+ - mountPath: {{ .Values.global.platform.certServiceClient.secret.mountPath }}
+ name: certservice-tls-volume
+ {{ end }}
+
- name: {{ include "common.name" . }}-chown
image: {{ .Values.global.busyboxRepository | default .Values.busyboxRepository }}/{{ .Values.global.busyboxImage | default .Values.busyboxImage }}
command:
@@ -240,6 +282,8 @@
- mountPath: {{ .Values.config.odl.etcDir }}/mountpoint-state-provider.properties
name: properties
subPath: mountpoint-state-provider.properties
+ - mountPath: {{ .Values.global.platform.certServiceClient.envVariables.cert_path }}
+ name: certs
resources:
{{ include "common.resources" . | indent 12 }}
{{- if .Values.nodeSelector }}
@@ -290,6 +334,12 @@
- name: properties
emptyDir:
medium: Memory
+ - name: certs
+ emptyDir:
+ medium: Memory
+ - name: certservice-tls-volume
+ secret:
+ secretName: {{ .Values.global.platform.certServiceClient.secret.name }}
{{ if not .Values.persistence.enabled }}
- name: {{ include "common.fullname" . }}-data
emptyDir: {}
diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml
index 0728b9b..52a21ea 100644
--- a/kubernetes/sdnc/values.yaml
+++ b/kubernetes/sdnc/values.yaml
@@ -35,6 +35,31 @@
service: mariadb-galera
internalPort: 3306
nameOverride: mariadb-galera
+ # Enabling CMPv2
+ cmpv2Enabled: true
+ platform:
+ certServiceClient:
+ image: onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.0.0
+ secret:
+ name: oom-cert-service-client-tls-secret
+ mountPath: /etc/onap/oom/certservice/certs/
+ envVariables:
+ # Certificate related
+ cert_path: /var/custom-certs
+ cmpv2Organization: "Linux-Foundation"
+ cmpv2OrganizationalUnit: "ONAP"
+ cmpv2Location: "San-Francisco"
+ cmpv2Country: "US"
+ # Client configuration related
+ caName: "RA"
+ common_name: "sdnc.simpledemo.onap.org"
+ requestURL: "https://oom-cert-service:8443/v1/certificate/"
+ requestTimeout: "30000"
+ keystorePath: "/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks"
+ outputType: "P12"
+ keystorePassword: "secret"
+ truststorePath: "/etc/onap/oom/certservice/certs/truststore.jks"
+ truststorePassword: "secret"
#################################################################
# Secrets metaconfig
@@ -412,6 +437,22 @@
mountSubPath: sdnc/mdsal
mdsalPath: /opt/opendaylight/current/daexim
+certpersistence:
+ enabled: true
+
+ ## A manually managed Persistent Volume and Claim
+ ## Requires persistence.enabled: true
+ ## If defined, PVC must be created manually before volume will be bound
+ # existingClaim:
+
+ volumeReclaimPolicy: Retain
+ accessMode: ReadWriteOnce
+ size: 50Mi
+ mountPath: /dockerdata-nfs
+ mountSubPath: sdnc/certs
+ certPath: /opt/app/osaaf
+ ##storageClass: "manual"
+
ingress:
enabled: false
service: