Joanna Jeremicz | 5b03f95 | 2021-01-27 13:15:16 +0100 | [diff] [blame] | 1 | # Copyright © 2020-2021, Nokia |
Sylvain Desbureaux | 0de302a | 2020-06-05 15:19:22 +0200 | [diff] [blame] | 2 | # Modifications Copyright © 2020, Nordix Foundation, Orange |
Maciej Malewski | 955e39d | 2020-08-27 10:43:09 +0200 | [diff] [blame] | 3 | # Modifications Copyright © 2020 Nokia |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 4 | # |
| 5 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | # you may not use this file except in compliance with the License. |
| 7 | # You may obtain a copy of the License at |
| 8 | # |
| 9 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | # |
| 11 | # Unless required by applicable law or agreed to in writing, software |
| 12 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | # See the License for the specific language governing permissions and |
| 15 | # limitations under the License. |
| 16 | |
| 17 | # Global |
| 18 | global: |
Sylvain Desbureaux | 0de302a | 2020-06-05 15:19:22 +0200 | [diff] [blame] | 19 | nodePortPrefix: 302 |
Sylvain Desbureaux | 0de302a | 2020-06-05 15:19:22 +0200 | [diff] [blame] | 20 | persistence: |
| 21 | enabled: true |
| 22 | # Standard OOM |
| 23 | pullPolicy: "Always" |
Adam Wudzinski | 11eafc5 | 2020-10-28 11:45:20 +0100 | [diff] [blame] | 24 | repository: "nexus3.onap.org:10001" |
Andreas Geissler | 9794a7b | 2022-07-26 13:51:08 +0200 | [diff] [blame] | 25 | ingress: |
| 26 | enabled: true |
| 27 | # All http requests via ingress will be redirected |
| 28 | config: |
| 29 | ssl: "redirect" |
| 30 | # you can set an own Secret containing a certificate |
| 31 | # tls: |
| 32 | # secret: 'my-ingress-cert' |
| 33 | # optional: Namespace of the Istio IngressGateway |
| 34 | namespace: &ingressNamespace istio-ingress |
Sylvain Desbureaux | 0de302a | 2020-06-05 15:19:22 +0200 | [diff] [blame] | 35 | |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 36 | |
| 37 | # Service configuration |
| 38 | service: |
| 39 | type: ClusterIP |
| 40 | ports: |
| 41 | - name: http |
| 42 | port: 8443 |
| 43 | port_protocol: http |
| 44 | |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 45 | # Deployment configuration |
Adam Wudzinski | 11eafc5 | 2020-10-28 11:45:20 +0100 | [diff] [blame] | 46 | repository: "nexus3.onap.org:10001" |
Andreas Geissler | f9f746e | 2022-09-22 17:20:13 +0200 | [diff] [blame] | 47 | image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.6.0 |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 48 | pullPolicy: Always |
| 49 | replicaCount: 1 |
| 50 | |
| 51 | liveness: |
| 52 | initialDelaySeconds: 60 |
| 53 | periodSeconds: 10 |
| 54 | command: curl https://localhost:$HTTPS_PORT/actuator/health --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD |
| 55 | readiness: |
| 56 | initialDelaySeconds: 30 |
| 57 | periodSeconds: 10 |
| 58 | command: curl https://localhost:$HTTPS_PORT/ready --cacert $ROOT_CERT --cert-type p12 --cert $KEYSTORE_P12_PATH --pass $KEYSTORE_PASSWORD |
| 59 | |
| 60 | flavor: small |
| 61 | resources: |
| 62 | small: |
| 63 | limits: |
Andreas Geissler | 4753743 | 2024-02-27 08:55:23 +0100 | [diff] [blame] | 64 | cpu: "1" |
Andreas Geissler | 8cbb3d9 | 2024-03-12 16:44:56 +0100 | [diff] [blame] | 65 | memory: "500Mi" |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 66 | requests: |
Andreas Geissler | 4753743 | 2024-02-27 08:55:23 +0100 | [diff] [blame] | 67 | cpu: "0.5" |
Andreas Geissler | 8cbb3d9 | 2024-03-12 16:44:56 +0100 | [diff] [blame] | 68 | memory: "500Mi" |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 69 | large: |
| 70 | limits: |
Andreas Geissler | 4753743 | 2024-02-27 08:55:23 +0100 | [diff] [blame] | 71 | cpu: "2" |
| 72 | memory: "1Gi" |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 73 | requests: |
Andreas Geissler | 4753743 | 2024-02-27 08:55:23 +0100 | [diff] [blame] | 74 | cpu: "1" |
| 75 | memory: "1Gi" |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 76 | unlimited: {} |
| 77 | |
| 78 | |
| 79 | # Application configuration |
| 80 | cmpServers: |
| 81 | secret: |
Maciej Malewski | 955e39d | 2020-08-27 10:43:09 +0200 | [diff] [blame] | 82 | name: oom-cert-service-secret |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 83 | volume: |
Maciej Malewski | 955e39d | 2020-08-27 10:43:09 +0200 | [diff] [blame] | 84 | name: oom-cert-service-volume |
| 85 | mountPath: /etc/onap/oom/certservice |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 86 | |
| 87 | tls: |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 88 | issuer: |
| 89 | selfsigning: |
| 90 | name: &selfSigningIssuer cmpv2-selfsigning-issuer |
| 91 | ca: |
farida azmy | 3748180 | 2021-04-11 15:41:32 +0200 | [diff] [blame] | 92 | name: &caIssuer cmpv2-issuer-onap |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 93 | secret: |
| 94 | name: &caKeyPairSecret cmpv2-ca-key-pair |
Andreas Geissler | 9794a7b | 2022-07-26 13:51:08 +0200 | [diff] [blame] | 95 | ingressSelfsigned: |
| 96 | name: ingress-selfsigned-issuer |
| 97 | namespace: *ingressNamespace |
| 98 | ingressCa: |
| 99 | name: ingress-ca-issuer |
| 100 | namespace: *ingressNamespace |
| 101 | secret: |
| 102 | name: ingress-ca-key-pair |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 103 | server: |
| 104 | secret: |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 105 | name: &serverSecret oom-cert-service-server-tls-secret |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 106 | volume: |
Maciej Malewski | 955e39d | 2020-08-27 10:43:09 +0200 | [diff] [blame] | 107 | name: oom-cert-service-server-tls-volume |
| 108 | mountPath: /etc/onap/oom/certservice/certs/ |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 109 | client: |
| 110 | secret: |
Maciej Malewski | 955e39d | 2020-08-27 10:43:09 +0200 | [diff] [blame] | 111 | defaultName: oom-cert-service-client-tls-secret |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 112 | |
| 113 | envs: |
| 114 | keystore: |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 115 | jksName: keystore.jks |
| 116 | p12Name: keystore.p12 |
| 117 | pemName: tls.crt |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 118 | truststore: |
| 119 | jksName: truststore.jks |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 120 | crtName: ca.crt |
| 121 | pemName: tls.crt |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 122 | httpsPort: 8443 |
| 123 | |
| 124 | # External secrets with credentials can be provided to override default credentials defined below, |
| 125 | # by uncommenting and filling appropriate *ExternalSecret value |
| 126 | credentials: |
| 127 | tls: |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 128 | certificatesPassword: secret |
| 129 | #certificatesPasswordExternalSecret: |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 130 | # Below cmp values contain credentials for EJBCA test instance and are relevant only if global addTestingComponents flag is enabled |
| 131 | cmp: |
egernug | 2757833 | 2020-03-26 10:27:55 +0000 | [diff] [blame] | 132 | # Used only if cmpv2 testing is enabled |
Maciej Malewski | 955e39d | 2020-08-27 10:43:09 +0200 | [diff] [blame] | 133 | clientIakExternalSecret: '{{ include "common.release" . }}-ejbca-client-iak' |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 134 | #clientRvExternalSecret: |
Maciej Malewski | 955e39d | 2020-08-27 10:43:09 +0200 | [diff] [blame] | 135 | raIakExternalSecret: '{{ include "common.release" . }}-ejbca-ra-iak' |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 136 | #raRvExternalSecret: |
| 137 | client: {} |
| 138 | # iak: mypassword |
| 139 | # rv: unused |
| 140 | ra: {} |
| 141 | # iak: mypassword |
| 142 | # rv: unused |
| 143 | |
| 144 | secrets: |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 145 | - uid: certificates-password |
| 146 | name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}' |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 147 | type: password |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 148 | externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}' |
| 149 | password: '{{ .Values.credentials.tls.certificatesPassword }}' |
EmmettCox | bca68e0 | 2020-02-27 14:20:52 +0000 | [diff] [blame] | 150 | passwordPolicy: required |
| 151 | # Below values are relevant only if global addTestingComponents flag is enabled |
| 152 | - uid: ejbca-server-client-iak |
| 153 | type: password |
| 154 | externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientIakExternalSecret) . }}' |
| 155 | password: '{{ .Values.credentials.cmp.client.iak }}' |
| 156 | - uid: cmp-config-client-rv |
| 157 | type: password |
| 158 | externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientRvExternalSecret) . }}' |
| 159 | password: '{{ .Values.credentials.cmp.client.rv }}' |
| 160 | - uid: ejbca-server-ra-iak |
| 161 | type: password |
| 162 | externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raIakExternalSecret) . }}' |
| 163 | password: '{{ .Values.credentials.cmp.ra.iak }}' |
| 164 | - uid: cmp-config-ra-rv |
| 165 | type: password |
| 166 | externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}' |
| 167 | password: '{{ .Values.credentials.cmp.ra.rv }}' |
Piotr Marcinkiewicz | 3267293 | 2021-03-26 13:06:35 +0100 | [diff] [blame] | 168 | |
| 169 | # Certificates definitions |
| 170 | certificates: |
| 171 | - name: selfsigned-cert |
| 172 | secretName: *caKeyPairSecret |
| 173 | isCA: true |
| 174 | commonName: root.com |
| 175 | subject: |
| 176 | organization: Root Company |
| 177 | country: PL |
| 178 | locality: Wroclaw |
| 179 | province: Dolny Slask |
| 180 | organizationalUnit: Root Org |
| 181 | issuer: |
| 182 | name: *selfSigningIssuer |
| 183 | kind: Issuer |
| 184 | - name: cert-service-server-cert |
| 185 | secretName: *serverSecret |
| 186 | commonName: oom-cert-service |
| 187 | dnsNames: |
| 188 | - oom-cert-service |
| 189 | - localhost |
| 190 | subject: |
| 191 | organization: certServiceServer org |
| 192 | country: PL |
| 193 | locality: Wroclaw |
| 194 | province: Dolny Slask |
| 195 | organizationalUnit: certServiceServer company |
| 196 | usages: |
| 197 | - server auth |
| 198 | - client auth |
| 199 | keystore: |
| 200 | outputType: |
| 201 | - jks |
| 202 | - p12 |
| 203 | passwordSecretRef: |
| 204 | name: *certificatesPasswordSecretName |
| 205 | key: password |
| 206 | issuer: |
| 207 | name: *caIssuer |
| 208 | kind: Issuer |
| 209 | - name: cert-service-client-cert |
| 210 | secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}' |
| 211 | commonName: certServiceClient.com |
| 212 | subject: |
| 213 | organization: certServiceClient org |
| 214 | country: PL |
| 215 | locality: Wroclaw |
| 216 | province: Dolny Slask |
| 217 | organizationalUnit: certServiceClient company |
| 218 | usages: |
| 219 | - server auth |
| 220 | - client auth |
| 221 | keystore: |
| 222 | outputType: |
| 223 | - jks |
| 224 | passwordSecretRef: |
| 225 | name: *certificatesPasswordSecretName |
| 226 | key: password |
| 227 | issuer: |
| 228 | name: *caIssuer |
| 229 | kind: Issuer |