# Copyright © 2020-2021, Nokia
# Modifications Copyright © 2020, Nordix Foundation, Orange
# Modifications Copyright © 2020 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

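# Global
global:
  nodePortPrefix: 302
  persistence:
    enabled: true
  # Standard OOM
  # With pullPolicy "Always" the image reference is re-resolved against the
  # registry below on every pod start, so the running content is whatever
  # that registry serves for the reference at that moment.
  pullPolicy: "Always"
  repository: "nexus3.onap.org:10001"
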
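# Service configuration
service:
  # ClusterIP: the service is reachable only from inside the cluster.
  type: ClusterIP
  ports:
    # NOTE(review): this port is named and labelled "http", but the probes in
    # this file call https://localhost:$HTTPS_PORT and envs.httpsPort is also
    # 8443, so the port presumably carries TLS. How port_protocol is consumed
    # is not visible here; confirm nothing downstream (mesh, ingress, network
    # policy tooling) treats this traffic as plaintext because of the label.
    - name: http
      port: 8443
      port_protocol: http
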
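# Deployment configuration
repository: "nexus3.onap.org:10001"
# The image is referenced by tag only. A tag can be re-pointed in the
# registry, and with pullPolicy Always the changed content is picked up on
# the next pod start. Where reproducible, verifiable deployments are
# required, pin the image by digest (image@sha256:<digest>), provided the
# chart's image template accepts that form (not visible here).
image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.5.0
pullPolicy: Always
replicaCount: 1
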
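# Both probes call the service on localhost over mutual TLS: --cacert sets the
# CA certificate used to verify the server, and the PKCS#12 keystore is
# presented as the client certificate.
# NOTE(review): "--pass $KEYSTORE_PASSWORD" places the keystore password in
# curl's argument list, where it can be read from the process table by
# anything sharing the container's PID namespace while the probe runs.
# The variables are also unquoted, so a password or path containing whitespace
# or shell metacharacters would be split or expanded if the command is run
# through a shell (how the template executes it is not visible here).
liveness:
  initialDelaySeconds: 60
  periodSeconds: 10
  command: curl https://localhost:$HTTPS_PORT/actuator/health --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
readiness:
  initialDelaySeconds: 30
  periodSeconds: 10
  command: curl https://localhost:$HTTPS_PORT/ready --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD
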
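# Presumably selects which entry of "resources" below is applied - confirm
# against the deployment template.
flavor: small
resources:
  small:
    limits:
      cpu: 0.5
      memory: 1Gi
    requests:
      cpu: 0.2
      memory: 512Mi
  large:
    limits:
      cpu: 1
      memory: 2Gi
    requests:
      cpu: 0.4
      memory: 1Gi
  # Empty mapping: no requests and no limits. A pod running with this entry
  # is not bounded by the chart and can exhaust CPU or memory on its node.
  unlimited: {}
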
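# Application configuration
# Names of the Secret and volume for the CMP server configuration, and the
# path it is mounted at (presumably read by the application from mountPath;
# the consuming template is not visible here).
cmpServers:
  secret:
    name: oom-cert-service-secret
  volume:
    name: oom-cert-service-volume
    mountPath: /etc/onap/oom/certservice
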
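# Names of the issuers and TLS Secrets. The &anchors defined here are
# referenced by *aliases in the "certificates" section of this file.
# YAML resolves aliases when this file is parsed, so overriding one of these
# names from another values file or on the command line does NOT change the
# aliased copies; the matching certificates entry must be overridden as well,
# otherwise the certificate is still written to the default Secret name.
tls:
  issuer:
    selfsigning:
      name: &selfSigningIssuer cmpv2-selfsigning-issuer
    ca:
      name: &caIssuer cmpv2-issuer-onap
      secret:
        # Secret holding the CA key pair. Read access to it is enough to
        # issue certificates that chain to this CA, so restrict it with RBAC
        # to the issuer that needs it.
        name: &caKeyPairSecret cmpv2-ca-key-pair
  server:
    secret:
      name: &serverSecret oom-cert-service-server-tls-secret
    volume:
      name: oom-cert-service-server-tls-volume
      mountPath: /etc/onap/oom/certservice/certs/
  client:
    secret:
      # Fallback used by the cert-service-client-cert entry when
      # cmpv2Config.global.platform.certificates.clientSecretName is unset.
      defaultName: oom-cert-service-client-tls-secret
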
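# File names of the keystore and truststore artefacts, and the HTTPS port.
envs:
  keystore:
    jksName: keystore.jks
    p12Name: keystore.p12
    pemName: tls.crt
  truststore:
    jksName: truststore.jks
    crtName: ca.crt
    # NOTE(review): same file name as keystore.pemName (tls.crt). Confirm the
    # truststore PEM is meant to be the leaf certificate and not ca.crt.
    pemName: tls.crt
  # Same value as service.ports[0].port.
  httpsPort: 8443
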
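# External secrets with credentials can be provided to override default credentials defined below,
# by uncommenting and filling appropriate *ExternalSecret value
credentials:
  tls:
    # Default password for the generated keystores (it feeds the
    # "certificates-password" entry under "secrets"). The value is published
    # with the chart, so anyone who obtains the keystore files can open them
    # unless it is overridden. Outside test environments, set
    # certificatesPasswordExternalSecret to a Secret created out of band, so
    # that no real password is stored in a values file.
    certificatesPassword: secret
    #certificatesPasswordExternalSecret:
  # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled
  cmp:
    # Used only if cmpv2 testing is enabled
    clientIakExternalSecret: '{{ include "common.release" . }}-ejbca-client-iak'
    #clientRvExternalSecret:
    raIakExternalSecret: '{{ include "common.release" . }}-ejbca-ra-iak'
    #raRvExternalSecret:
    # The commented keys below are examples only; real IAK/RV values belong
    # in an external Secret, not in a committed values file.
    client: {}
    # iak: mypassword
    # rv: unused
    ra: {}
    # iak: mypassword
    # rv: unused
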
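# Secret definitions. Each entry takes its value either from the Secret named
# by externalSecret (when that renders non-empty) or from the inline password
# template; the exact precedence is implemented by the common secret template,
# which is not visible here.
secrets:
  - uid: certificates-password
    # Anchored so that the certificates' keystore.passwordSecretRef entries
    # reference the same Secret name.
    name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}'
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}'
    password: '{{ .Values.credentials.tls.certificatesPassword }}'
    passwordPolicy: required
  # Below values are relevant only if global addTestingComponents flag is enabled
  # NOTE(review): these entries set no passwordPolicy, and the client/ra
  # mappings under credentials.cmp are empty by default, so the inline
  # password templates render empty. Confirm what the common secret template
  # does in that case (generate, leave empty, or fail).
  - uid: ejbca-server-client-iak
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientIakExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.client.iak }}'
  - uid: cmp-config-client-rv
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientRvExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.client.rv }}'
  - uid: ejbca-server-ra-iak
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raIakExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.ra.iak }}'
  - uid: cmp-config-ra-rv
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.ra.rv }}'
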
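# Certificates definitions
# The *aliases below resolve to the &anchors defined under "tls" and "secrets"
# in this file. They are expanded when the file is parsed, so overriding the
# anchored value elsewhere does not change the names used here.
certificates:
  # Self-signed root CA. Its key pair is stored in the Secret named by
  # *caKeyPairSecret; read access to that Secret is enough to issue
  # certificates that chain to this CA. The subject values are placeholders.
  - name: selfsigned-cert
    secretName: *caKeyPairSecret
    isCA: true
    commonName: root.com
    subject:
      organization: Root Company
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: Root Org
    issuer:
      name: *selfSigningIssuer
      kind: Issuer
  - name: cert-service-server-cert
    secretName: *serverSecret
    commonName: oom-cert-service
    dnsNames:
      - oom-cert-service
      # The probes in this file connect to https://localhost, which is
      # presumably why localhost is listed as a SAN.
      - localhost
    subject:
      organization: certServiceServer org
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: certServiceServer company
    # "client auth" on the server certificate: the probes present this
    # keystore as their client certificate, which presumably requires it.
    usages:
      - server auth
      - client auth
    keystore:
      outputType:
        - jks
        - p12
      # Keystore password is read from the "password" key of this Secret.
      passwordSecretRef:
        name: *certificatesPasswordSecretName
        key: password
    issuer:
      name: *caIssuer
      kind: Issuer
  - name: cert-service-client-cert
    secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}'
    commonName: certServiceClient.com
    subject:
      organization: certServiceClient org
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: certServiceClient company
    # NOTE(review): a client certificate that also carries "server auth" can
    # be used to terminate TLS as a server trusted by the same CA. Confirm
    # the client needs it; otherwise "client auth" alone is the narrower
    # grant.
    usages:
      - server auth
      - client auth
    keystore:
      outputType:
        - jks
      passwordSecretRef:
        name: *certificatesPasswordSecretName
        key: password
    issuer:
      name: *caIssuer
      kind: Issuer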