Joanna Jeremicz | 5b03f95 | 2021-01-27 13:15:16 +0100 | [diff] [blame] | 1 | # Copyright © 2020-2021, Nokia |
Sylvain Desbureaux | 0de302a | 2020-06-05 15:19:22 +0200 | [diff] [blame] | 2 | # Modifications Copyright © 2020, Nordix Foundation, Orange |
Maciej Malewski | 955e39d | 2020-08-27 10:43:09 +0200 | [diff] [blame] | 3 | # Modifications Copyright © 2020 Nokia |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 4 | # |
| 5 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | # you may not use this file except in compliance with the License. |
| 7 | # You may obtain a copy of the License at |
| 8 | # |
| 9 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | # |
| 11 | # Unless required by applicable law or agreed to in writing, software |
| 12 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | # See the License for the specific language governing permissions and |
| 15 | # limitations under the License. |
| 16 | |
| 17 | # Global |
| 18 | global: |
Sylvain Desbureaux | 0de302a | 2020-06-05 15:19:22 +0200 | [diff] [blame] | 19 | nodePortPrefix: 302 |
Sylvain Desbureaux | 0de302a | 2020-06-05 15:19:22 +0200 | [diff] [blame] | 20 | persistence: |
| 21 | enabled: true |
| 22 | # Standard OOM |
| 23 | pullPolicy: "Always" |
Adam Wudzinski | 11eafc5 | 2020-10-28 11:45:20 +0100 | [diff] [blame] | 24 | repository: "nexus3.onap.org:10001" |
Sylvain Desbureaux | 0de302a | 2020-06-05 15:19:22 +0200 | [diff] [blame] | 25 | |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 26 | |
| 27 | # Service configuration |
| 28 | service: |
| 29 | type: ClusterIP |
| 30 | ports: |
| 31 | - name: http |
| 32 | port: 8443 |
| 33 | port_protocol: http |
| 34 | |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 35 | # Deployment configuration |
Adam Wudzinski | 11eafc5 | 2020-10-28 11:45:20 +0100 | [diff] [blame] | 36 | repository: "nexus3.onap.org:10001" |
Tomasz Wrobel | 1c39a90 | 2022-01-12 10:49:51 +0100 | [diff] [blame] | 37 | image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.5.0 |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 38 | pullPolicy: Always |
| 39 | replicaCount: 1 |
| 40 | |
| 41 | liveness: |
| 42 | initialDelaySeconds: 60 |
| 43 | periodSeconds: 10 |
| 44 | command: curl https://localhost:$HTTPS_PORT/actuator/health --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD |
| 45 | readiness: |
| 46 | initialDelaySeconds: 30 |
| 47 | periodSeconds: 10 |
| 48 | command: curl https://localhost:$HTTPS_PORT/ready --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD |
| 49 | |
| 50 | flavor: small |
| 51 | resources: |
| 52 | small: |
| 53 | limits: |
| 54 | cpu: 0.5 |
| 55 | memory: 1Gi |
| 56 | requests: |
| 57 | cpu: 0.2 |
| 58 | memory: 512Mi |
| 59 | large: |
| 60 | limits: |
| 61 | cpu: 1 |
| 62 | memory: 2Gi |
| 63 | requests: |
| 64 | cpu: 0.4 |
| 65 | memory: 1Gi |
| 66 | unlimited: {} |
| 67 | |
| 68 | |
| 69 | # Application configuration |
| 70 | cmpServers: |
| 71 | secret: |
Maciej Malewski | 955e39d | 2020-08-27 10:43:09 +0200 | [diff] [blame] | 72 | name: oom-cert-service-secret |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 73 | volume: |
Maciej Malewski | 955e39d | 2020-08-27 10:43:09 +0200 | [diff] [blame] | 74 | name: oom-cert-service-volume |
| 75 | mountPath: /etc/onap/oom/certservice |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 76 | |
| 77 | tls: |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 78 | issuer: |
| 79 | selfsigning: |
| 80 | name: &selfSigningIssuer cmpv2-selfsigning-issuer |
| 81 | ca: |
farida azmy | 3748180 | 2021-04-11 15:41:32 +0200 | [diff] [blame] | 82 | name: &caIssuer cmpv2-issuer-onap |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 83 | secret: |
| 84 | name: &caKeyPairSecret cmpv2-ca-key-pair |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 85 | server: |
| 86 | secret: |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 87 | name: &serverSecret oom-cert-service-server-tls-secret |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 88 | volume: |
Maciej Malewski | 955e39d | 2020-08-27 10:43:09 +0200 | [diff] [blame] | 89 | name: oom-cert-service-server-tls-volume |
| 90 | mountPath: /etc/onap/oom/certservice/certs/ |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 91 | client: |
| 92 | secret: |
Maciej Malewski | 955e39d | 2020-08-27 10:43:09 +0200 | [diff] [blame] | 93 | defaultName: oom-cert-service-client-tls-secret |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 94 | |
| 95 | envs: |
| 96 | keystore: |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 97 | jksName: keystore.jks |
| 98 | p12Name: keystore.p12 |
| 99 | pemName: tls.crt |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 100 | truststore: |
| 101 | jksName: truststore.jks |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 102 | crtName: ca.crt |
| 103 | pemName: tls.crt |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 104 | httpsPort: 8443 |
| 105 | |
| 106 | # External secrets with credentials can be provided to override default credentials defined below, |
| 107 | # by uncommenting and filling appropriate *ExternalSecret value |
| 108 | credentials: |
| 109 | tls: |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 110 | certificatesPassword: secret |
| 111 | #certificatesPasswordExternalSecret: |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 112 | # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled |
| 113 | cmp: |
egernug | 2757833 | 2020-03-26 10:27:55 +0000 | [diff] [blame] | 114 | # Used only if cmpv2 testing is enabled |
Maciej Malewski | 955e39d | 2020-08-27 10:43:09 +0200 | [diff] [blame] | 115 | clientIakExternalSecret: '{{ include "common.release" . }}-ejbca-client-iak' |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 116 | #clientRvExternalSecret: |
Maciej Malewski | 955e39d | 2020-08-27 10:43:09 +0200 | [diff] [blame] | 117 | raIakExternalSecret: '{{ include "common.release" . }}-ejbca-ra-iak' |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 118 | #raRvExternalSecret: |
| 119 | client: {} |
| 120 | # iak: mypassword |
| 121 | # rv: unused |
| 122 | ra: {} |
| 123 | # iak: mypassword |
| 124 | # rv: unused |
| 125 | |
| 126 | secrets: |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 127 | - uid: certificates-password |
| 128 | name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}' |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 129 | type: password |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 130 | externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}' |
| 131 | password: '{{ .Values.credentials.tls.certificatesPassword }}' |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 132 | passwordPolicy: required |
| 133 | # Below values are relevant only if global addTestingComponents flag is enabled |
| 134 | - uid: ejbca-server-client-iak |
| 135 | type: password |
| 136 | externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientIakExternalSecret) . }}' |
| 137 | password: '{{ .Values.credentials.cmp.client.iak }}' |
| 138 | - uid: cmp-config-client-rv |
| 139 | type: password |
| 140 | externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientRvExternalSecret) . }}' |
| 141 | password: '{{ .Values.credentials.cmp.client.rv }}' |
| 142 | - uid: ejbca-server-ra-iak |
| 143 | type: password |
| 144 | externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raIakExternalSecret) . }}' |
| 145 | password: '{{ .Values.credentials.cmp.ra.iak }}' |
| 146 | - uid: cmp-config-ra-rv |
| 147 | type: password |
| 148 | externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}' |
| 149 | password: '{{ .Values.credentials.cmp.ra.rv }}' |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 150 | |
| 151 | # Certificates definitions |
| 152 | certificates: |
| 153 | - name: selfsigned-cert |
| 154 | secretName: *caKeyPairSecret |
| 155 | isCA: true |
| 156 | commonName: root.com |
| 157 | subject: |
| 158 | organization: Root Company |
| 159 | country: PL |
| 160 | locality: Wroclaw |
| 161 | province: Dolny Slask |
| 162 | organizationalUnit: Root Org |
| 163 | issuer: |
| 164 | name: *selfSigningIssuer |
| 165 | kind: Issuer |
| 166 | - name: cert-service-server-cert |
| 167 | secretName: *serverSecret |
| 168 | commonName: oom-cert-service |
| 169 | dnsNames: |
| 170 | - oom-cert-service |
| 171 | - localhost |
| 172 | subject: |
| 173 | organization: certServiceServer org |
| 174 | country: PL |
| 175 | locality: Wroclaw |
| 176 | province: Dolny Slask |
| 177 | organizationalUnit: certServiceServer company |
| 178 | usages: |
| 179 | - server auth |
| 180 | - client auth |
| 181 | keystore: |
| 182 | outputType: |
| 183 | - jks |
| 184 | - p12 |
| 185 | passwordSecretRef: |
| 186 | name: *certificatesPasswordSecretName |
| 187 | key: password |
| 188 | issuer: |
| 189 | name: *caIssuer |
| 190 | kind: Issuer |
| 191 | - name: cert-service-client-cert |
| 192 | secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}' |
| 193 | commonName: certServiceClient.com |
| 194 | subject: |
| 195 | organization: certServiceClient org |
| 196 | country: PL |
| 197 | locality: Wroclaw |
| 198 | province: Dolny Slask |
| 199 | organizationalUnit: certServiceClient company |
| 200 | usages: |
| 201 | - server auth |
| 202 | - client auth |
| 203 | keystore: |
| 204 | outputType: |
| 205 | - jks |
| 206 | passwordSecretRef: |
| 207 | name: *certificatesPasswordSecretName |
| 208 | key: password |
| 209 | issuer: |
| 210 | name: *caIssuer |
| 211 | kind: Issuer |