kubernetes/common/certInitializer/templates/_certInitializer.yaml

{{/*
# Copyright © 2020 Bell Canada, Samsung Electronics
# Copyright © 2021 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}



{{- define "common.certInitializer._aafConfigVolumeName" -}}
  {{ include "common.fullname" . }}-aaf-config
{{- end -}}

{{- define "common.certInitializer._aafAddConfigVolumeName" -}}
  {{ print "aaf-add-config" }}
{{- end -}}

{{/*
  common templates to enable cert initialization for applictaions

  In deployments/jobs/stateful include:
  initContainers:
    {{ include "common.certInitializer.initContainer" . | nindent XX }}

  containers:
    volumeMounts:
      {{- include "common.certInitializer.volumeMount" . | nindent XX }}
    volumes:
      {{- include "common.certInitializer.volume" . | nindent XX}}
*/}}
{{- define "common.certInitializer._initContainer" -}}
{{-   $dot := default . .dot -}}
{{-   $initRoot := default $dot.Values.certInitializer .initRoot -}}
{{-   $initName := default "certInitializer" -}}
{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
{{ include "common.readinessCheck.waitFor" $subchartDot }}
- name: {{ include "common.name" $dot }}-aaf-config
  image: {{ include "repositoryGenerator.repository" $subchartDot }}/{{ $subchartDot.Values.global.aafAgentImage }}
  imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
  volumeMounts:
  - mountPath: {{ $initRoot.mountPath }}
    name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
  - mountPath: /opt/app/aaf_config/cert/truststoreONAPall.jks.b64
    name: aaf-agent-certs
    subPath: truststoreONAPall.jks.b64
  - mountPath: /opt/app/aaf_config/cert/truststoreONAP.p12.b64
    name: aaf-agent-certs
    subPath: truststoreONAP.p12.b64
  - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
    mountPath: /opt/app/aaf_config/bin/retrieval_check.sh
    subPath: retrieval_check.sh
{{-     if hasKey $initRoot "ingressTlsSecret" }}
  - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
    mountPath: /opt/app/aaf_config/bin/tls_certs_configure.sh
    subPath: tls_certs_configure.sh
{{-     end }}
{{-     if $initRoot.aaf_add_config }}
  - name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
    mountPath: /opt/app/aaf_config/bin/aaf-add-config.sh
    subPath: aaf-add-config.sh
{{-     end }}
  command:
    - sh
    - -c
    - |
      /opt/app/aaf_config/bin/agent.sh
      . /opt/app/aaf_config/bin/retrieval_check.sh
{{-     if hasKey $initRoot "ingressTlsSecret" }}
      /opt/app/aaf_config/bin/tls_certs_configure.sh
{{-     end -}}
{{-     if $initRoot.aaf_add_config }}
      /opt/app/aaf_config/bin/aaf-add-config.sh
{{-     end }}
  env:
    - name: APP_FQI
      value: "{{ $initRoot.fqi }}"
    - name: aaf_locate_url
      value: "https://aaf-locate.{{ $dot.Release.Namespace}}:8095"
    - name: aaf_locator_container
      value: "oom"
    - name: aaf_locator_container_ns
      value: "{{ $dot.Release.Namespace }}"
    - name: aaf_locator_fqdn
      value: "{{ $initRoot.fqdn }}"
    - name: aaf_locator_app_ns
      value: "{{ $initRoot.app_ns }}"
    - name: DEPLOY_FQI
    {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "login") | indent 6 }}
    - name: DEPLOY_PASSWORD
    {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "deployer-creds" "key" "password") | indent 6 }}
  #Note: want to put this on Nodes, eventually
    - name: cadi_longitude
      value: "{{ default "52.3" $initRoot.cadi_longitude }}"
    - name: cadi_latitude
      value: "{{ default "13.2" $initRoot.cadi_latitude }}"
  #Hello specific.  Clients don't don't need this, unless Registering with AAF Locator
    - name: aaf_locator_public_fqdn
      value: "{{ $initRoot.public_fqdn | default "" }}"
{{- end -}}

{{/*
  This init container will import custom .pem certificates to truststoreONAPall.jks
  Custom certificates must be placed in common/certInitializer/resources directory.

  The feature is enabled by setting Values.global.importCustomCertsEnabled = true
  It can be used independently of aafEnabled, however it requires the same includes
  as describe above for _initContainer.

  When AAF is enabled the truststoreONAPAll.jks (which contains AAF CA) will be used
  to import custom certificates, otherwise the default java keystore will be used.

  The updated truststore file will be placed in /updatedTruststore and can be mounted per component
  to a specific path by defining Values.certInitializer.truststoreMountpath (see _trustStoreVolumeMount)
  The truststore file will be available to mount even if no custom certificates were imported.
*/}}
{{- define "common.certInitializer._initImportCustomCertsContainer" -}}
{{-   $dot := default . .dot -}}
{{-   $initRoot := default $dot.Values.certInitializer .initRoot -}}
{{- $subchartDot := fromJson (include "common.subChartDot" (dict "dot" $dot "initRoot" $initRoot)) }}
- name: {{ include "common.name" $dot }}-import-custom-certs
  image: {{ include "repositoryGenerator.image.jre" $subchartDot }}
  imagePullPolicy: {{ $subchartDot.Values.global.pullPolicy | default $subchartDot.Values.pullPolicy }}
  securityContext:
    runAsUser: 0
  command:
    - /bin/sh
    - -c
    - /root/import-custom-certs.sh
  env:
    - name: AAF_ENABLED
      value: "{{  $subchartDot.Values.global.aafEnabled }}"
    - name: TRUSTSTORE_OUTPUT_FILENAME
      value: "{{ $initRoot.truststoreOutputFileName }}"
    - name: TRUSTSTORE_PASSWORD
    {{- include "common.secret.envFromSecretFast" (dict "global" $subchartDot "uid" "truststore-creds" "key" "password") | indent 6 }}
  volumeMounts:
    - mountPath: /certs
      name: aaf-agent-certs
    - mountPath: /more_certs
      name: provided-custom-certs
    - mountPath: /root/import-custom-certs.sh
      name: aaf-agent-certs
      subPath: import-custom-certs.sh
    - mountPath: /updatedTruststore
      name: updated-truststore
{{- end -}}

{{- define "common.certInitializer._volumeMount" -}}
{{-   $dot := default . .dot -}}
{{-   $initRoot := default $dot.Values.certInitializer .initRoot -}}
- mountPath: {{ $initRoot.appMountPath }}
  name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
{{- end -}}

{{/*
  This is used together with _initImportCustomCertsContainer
  It mounts the updated truststore (with imported custom certificates) to the
  truststoreMountpath defined in the values file for the component.
*/}}
{{- define "common.certInitializer._trustStoreVolumeMount" -}}
{{-   $dot := default . .dot -}}
{{-   $initRoot := default $dot.Values.certInitializer .initRoot -}}
{{- if gt (len $initRoot.truststoreMountpath) 0 }}
- mountPath: {{ $initRoot.truststoreMountpath }}/{{ $initRoot.truststoreOutputFileName }}
  name: updated-truststore
  subPath: {{ $initRoot.truststoreOutputFileName }}
- mountPath: /etc/ssl/certs/ca-certificates.crt
  name: updated-truststore
  subPath: ca-certificates.crt
{{- end -}}
{{- end -}}

{{- define "common.certInitializer._volumes" -}}
{{-   $dot := default . .dot -}}
{{-   $initRoot := default $dot.Values.certInitializer .initRoot -}}
{{- $subchartDot := mergeOverwrite (deepCopy (omit $dot "Values")) (dict "Chart" (set (fromJson (toJson $dot.Chart)) "Name" $initRoot.nameOverride) "Values" (mergeOverwrite (deepCopy $initRoot) (dict "global" $dot.Values.global))) }}
- name: {{ include "common.certInitializer._aafConfigVolumeName" $dot }}
  emptyDir:
    medium: Memory
- name: aaf-agent-certs
  configMap:
    name: {{ tpl $subchartDot.Values.certsCMName $subchartDot }}
    defaultMode: 0700
{{- if $dot.Values.global.importCustomCertsEnabled }}
- name: provided-custom-certs
{{-   if $dot.Values.global.customCertsSecret }}
  secret:
    secretName: {{ $dot.Values.global.customCertsSecret }}
{{-   else }}
{{-     if $dot.Values.global.customCertsConfigMap }}
  configMap:
    name: {{ $dot.Values.global.customCertsConfigMap }}
{{-     else }}
  emptyDir:
    medium: Memory
{{-     end }}
{{-   end }}
{{- end }}
- name: {{ include "common.certInitializer._aafAddConfigVolumeName" $dot }}
  configMap:
    name: {{ include "common.fullname" $subchartDot }}-add-config
    defaultMode: 0700
{{-     if $dot.Values.global.importCustomCertsEnabled }}
- name: updated-truststore
  emptyDir: {}
{{-     end -}}
{{- end -}}

{{- define "common.certInitializer.initContainer" -}}
{{-   $dot := default . .dot -}}
  {{- if $dot.Values.global.importCustomCertsEnabled }}
    {{ include "common.certInitializer._initImportCustomCertsContainer" . }}
  {{- end -}}
  {{- if $dot.Values.global.aafEnabled }}
    {{ include "common.certInitializer._initContainer" . }}
  {{- end -}}
{{- end -}}

{{- define "common.certInitializer.volumeMount" -}}
{{-   $dot := default . .dot -}}
  {{- if $dot.Values.global.aafEnabled }}
    {{- include "common.certInitializer._volumeMount" . }}
  {{- end -}}
  {{- if $dot.Values.global.importCustomCertsEnabled }}
    {{- include "common.certInitializer._trustStoreVolumeMount" . }}
  {{- end -}}
{{- end -}}

{{- define "common.certInitializer.volumes" -}}
{{-   $dot := default . .dot -}}
  {{- if or ($dot.Values.global.aafEnabled ) ($dot.Values.global.importCustomCertsEnabled) }}
    {{- include "common.certInitializer._volumes" . }}
  {{- end -}}
{{- end -}}