Remigiusz Janeczek | 42177a1 | 2020-12-10 13:10:15 +0100 | [diff] [blame] | 1 | {{/* |
| 2 | # Copyright © 2021 Nokia |
| 3 | # |
| 4 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | # you may not use this file except in compliance with the License. |
| 6 | # You may obtain a copy of the License at |
| 7 | # |
| 8 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | # |
| 10 | # Unless required by applicable law or agreed to in writing, software |
| 11 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | # See the License for the specific language governing permissions and |
| 14 | # limitations under the License. |
| 15 | */}} |
| 16 | |
| 17 | {{/* |
| 18 | In order to use certServiceClient it is needed do define certificates array in target component values.yaml. Each |
| 19 | certificate will be requested from separate init container |
| 20 | |
| 21 | Minimum example of array in target component values.yaml: |
| 22 | certificates: |
| 23 | - mountPath: /var/custom-certs |
| 24 | commonName: common-name |
| 25 | |
| 26 | Full example (other fields are ignored): |
| 27 | certificates: |
| 28 | - mountPath: /var/custom-certs |
| 29 | caName: RA |
| 30 | outputType: JKS |
| 31 | commonName: common-name |
| 32 | dnsNames: |
| 33 | - dns-name-1 |
| 34 | - dns-name-2 |
| 35 | ipAddresses: |
| 36 | - 192.168.0.1 |
| 37 | - 192.168.0.2 |
| 38 | emailAddresses: |
| 39 | - email-1@onap.org |
| 40 | - email-2@onap.org |
| 41 | uris: |
| 42 | - http://uri-1.onap.org |
| 43 | - http://uri-2.onap.org |
| 44 | subject: |
| 45 | organization: Linux-Foundation |
| 46 | country: US |
| 47 | locality: San Francisco |
| 48 | province: California |
| 49 | organizationalUnit: ONAP |
| 50 | |
| 51 | There also need to be some includes used in a target component deployment (indent values may need to be adjusted): |
| 52 | 1. In initContainers section: |
| 53 | {{ include "common.certServiceClient.initContainer" . | indent 6 }} |
| 54 | 2. In volumeMounts section of container using certificates: |
| 55 | {{ include "common.certServiceClient.volumeMounts" . | indent 10 }} |
| 56 | 3. In volumes section: |
| 57 | {{ include "common.certServiceClient.volumes" . | indent 8 }} |
| 58 | |
| 59 | */}} |
| 60 | |
| 61 | {{- define "common.certServiceClient.initContainer" -}} |
| 62 | {{- $dot := default . .dot -}} |
| 63 | {{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} |
| 64 | {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} |
| 65 | {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} |
| 66 | {{- range $index, $certificate := $dot.Values.certificates -}} |
| 67 | {{/*# General certifiacate attributes #*/}} |
| 68 | {{- $commonName := $certificate.commonName -}} |
| 69 | {{/*# SAN's #*/}} |
| 70 | {{- $dnsNames := default (list) $certificate.dnsNames -}} |
| 71 | {{- $ipAddresses := default (list) $certificate.ipAddresses -}} |
| 72 | {{- $uris := default (list) $certificate.uris -}} |
| 73 | {{- $emailAddresses := default (list) $certificate.emailAddresses -}} |
| 74 | {{- $sansList := concat $dnsNames $ipAddresses $uris $emailAddresses -}} |
| 75 | {{- $sans := join "," $sansList }} |
| 76 | {{/*# Subject #*/}} |
| 77 | {{- $organization := $subchartGlobal.certificate.default.subject.organization -}} |
| 78 | {{- $country := $subchartGlobal.certificate.default.subject.country -}} |
| 79 | {{- $locality := $subchartGlobal.certificate.default.subject.locality -}} |
| 80 | {{- $province := $subchartGlobal.certificate.default.subject.province -}} |
| 81 | {{- $orgUnit := $subchartGlobal.certificate.default.subject.organizationalUnit -}} |
| 82 | {{- if $certificate.subject -}} |
| 83 | {{- $organization := $certificate.subject.organization -}} |
| 84 | {{- $country := $certificate.subject.country -}} |
| 85 | {{- $locality := $certificate.subject.locality -}} |
| 86 | {{- $province := $certificate.subject.province -}} |
| 87 | {{- $orgUnit := $certificate.subject.organizationalUnit -}} |
| 88 | {{- end -}} |
| 89 | {{- $caName := default $subchartGlobal.platform.certServiceClient.envVariables.caName $certificate.caName -}} |
| 90 | {{- $outputType := default $subchartGlobal.platform.certServiceClient.envVariables.outputType $certificate.outputType -}} |
| 91 | {{- $requestUrl := $subchartGlobal.platform.certServiceClient.envVariables.requestURL -}} |
| 92 | {{- $certPath := $subchartGlobal.platform.certServiceClient.envVariables.certPath -}} |
| 93 | {{- $requestTimeout := $subchartGlobal.platform.certServiceClient.envVariables.requestTimeout -}} |
| 94 | {{- $certificatesSecretMountPath := $subchartGlobal.platform.certServiceClient.secret.mountPath -}} |
| 95 | {{- $keystorePath := $subchartGlobal.platform.certServiceClient.envVariables.keystorePath -}} |
| 96 | {{- $keystorePassword := $subchartGlobal.platform.certServiceClient.envVariables.keystorePassword -}} |
| 97 | {{- $truststorePath := $subchartGlobal.platform.certServiceClient.envVariables.truststorePath -}} |
| 98 | {{- $truststorePassword := $subchartGlobal.platform.certServiceClient.envVariables.truststorePassword -}} |
| 99 | - name: certs-init-{{ $index }} |
| 100 | image: {{ include "repositoryGenerator.image.certserviceclient" $dot }} |
| 101 | imagePullPolicy: {{ $dot.Values.global.pullPolicy | default $dot.Values.pullPolicy }} |
| 102 | env: |
| 103 | - name: REQUEST_URL |
| 104 | value: {{ $requestUrl | quote }} |
| 105 | - name: REQUEST_TIMEOUT |
| 106 | value: {{ $requestTimeout | quote }} |
| 107 | - name: OUTPUT_PATH |
| 108 | value: {{ $certPath | quote }} |
| 109 | - name: OUTPUT_TYPE |
| 110 | value: {{ $outputType | quote }} |
| 111 | - name: CA_NAME |
| 112 | value: {{ $caName | quote }} |
| 113 | - name: COMMON_NAME |
| 114 | value: {{ $commonName | quote }} |
| 115 | - name: SANS |
| 116 | value: {{ $sans | quote }} |
| 117 | - name: ORGANIZATION |
| 118 | value: {{ $organization | quote }} |
| 119 | - name: ORGANIZATION_UNIT |
| 120 | value: {{ $orgUnit | quote }} |
| 121 | - name: LOCATION |
| 122 | value: {{ $locality | quote }} |
| 123 | - name: STATE |
| 124 | value: {{ $province | quote }} |
| 125 | - name: COUNTRY |
| 126 | value: {{ $country | quote }} |
| 127 | - name: KEYSTORE_PATH |
| 128 | value: {{ $keystorePath | quote }} |
| 129 | - name: KEYSTORE_PASSWORD |
| 130 | value: {{ $keystorePassword | quote }} |
| 131 | - name: TRUSTSTORE_PATH |
| 132 | value: {{ $truststorePath | quote }} |
| 133 | - name: TRUSTSTORE_PASSWORD |
| 134 | value: {{ $truststorePassword | quote }} |
| 135 | terminationMessagePath: /dev/termination-log |
| 136 | terminationMessagePolicy: File |
| 137 | volumeMounts: |
| 138 | - mountPath: {{ $certPath }} |
| 139 | name: cmpv2-certs-volume-{{ $index }} |
| 140 | - mountPath: {{ $certificatesSecretMountPath }} |
| 141 | name: certservice-tls-volume |
| 142 | {{- end -}} |
| 143 | {{- end -}} |
| 144 | {{- end -}} |
| 145 | |
| 146 | {{- define "common.certServiceClient.volumes" -}} |
| 147 | {{- $dot := default . .dot -}} |
| 148 | {{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} |
| 149 | {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} |
| 150 | {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} |
| 151 | {{- $certificatesSecretName := $subchartGlobal.platform.certServiceClient.secret.name -}} |
| 152 | - name: certservice-tls-volume |
| 153 | secret: |
| 154 | secretName: {{ $certificatesSecretName }} |
| 155 | {{ range $index, $certificate := $dot.Values.certificates -}} |
| 156 | - name: cmpv2-certs-volume-{{ $index }} |
| 157 | emptyDir: |
| 158 | medium: Memory |
| 159 | {{- end -}} |
| 160 | {{- end -}} |
| 161 | {{- end -}} |
| 162 | |
| 163 | {{- define "common.certServiceClient.volumeMounts" -}} |
| 164 | {{- $dot := default . .dot -}} |
| 165 | {{- $initRoot := default $dot.Values.cmpv2Certificate .initRoot -}} |
| 166 | {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} |
| 167 | {{- if and $subchartGlobal.cmpv2Enabled (not $subchartGlobal.CMPv2CertManagerIntegration) -}} |
| 168 | {{- range $index, $certificate := $dot.Values.certificates -}} |
| 169 | {{- $mountPath := $certificate.mountPath -}} |
| 170 | - mountPath: {{ $mountPath }} |
| 171 | name: cmpv2-certs-volume-{{ $index }} |
| 172 | {{ end -}} |
| 173 | {{- end -}} |
| 174 | {{- end -}} |