# Copyright © 2020-2021, Nokia
# Modifications Copyright © 2020, Nordix Foundation, Orange
# Modifications Copyright © 2020 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Global
global:
  nodePortPrefix: 302
  persistence:
    enabled: true
  # Standard OOM
  pullPolicy: "Always"
  # Registry host:port used for image pulls.
  repository: "nexus3.onap.org:10001"
  ingress:
    enabled: true
    # All http requests via ingress will be redirected
    config:
      ssl: "redirect"
    # you can set an own Secret containing a certificate
    #  tls:
    #    secret: 'my-ingress-cert'
    # optional: Namespace of the Istio IngressGateway
    # The &ingressNamespace anchor is reused by the aliases under
    # tls.issuer.ingressSelfsigned and tls.issuer.ingressCa. YAML resolves
    # aliases while this file is parsed, so overriding
    # global.ingress.namespace from another values file or --set does not
    # update those copies; override the two issuer namespace keys as well.
    namespace: &ingressNamespace istio-ingress
# Service configuration
service:
  type: ClusterIP
  ports:
    # NOTE(review): the port is labelled http, yet 8443 is also
    # envs.httpsPort and both probes connect with https:// -- presumably the
    # label only drives ingress/mesh protocol selection; confirm nothing on
    # the path treats this listener as plaintext.
    - name: http
      port: 8443
      port_protocol: http
# Deployment configuration
repository: "nexus3.onap.org:10001"
# NOTE(review): the image is referenced by tag, not by digest; with
# pullPolicy Always a re-pushed 2.6.0 tag would be picked up on the next pod
# start. Pin by digest if the deployment template accepts one -- TODO confirm.
image: onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.6.0
pullPolicy: Always
replicaCount: 1
# Liveness probe: curl against /actuator/health over TLS, checking the server
# certificate against $ROOT_CERT and presenting the PKCS#12 keystore as the
# client certificate. The $VARIABLES are not defined in this file.
# NOTE(review): --pass places the keystore password on curl's argument list,
# where it can be exposed through the container's process table while the
# probe runs. The expansions are also unquoted, so a value containing
# whitespace would be word-split if a shell evaluates this string -- confirm
# how the deployment template invokes it.
liveness:
  initialDelaySeconds: 60
  periodSeconds: 10
  # Folded scalar: the lines below join with single spaces into one command.
  command: >-
    curl https://localhost:$HTTPS_PORT/actuator/health
    --cacert $ROOT_CERT
    --cert-type p12
    --cert $KEYSTORE_P12_PATH
    --pass $KEYSTORE_PASSWORD
# Readiness probe: same mutual-TLS curl invocation as the liveness probe, but
# against /ready.
# NOTE(review): the keystore password is again passed with --pass on the
# command line and the variable expansions are unquoted; see whether the
# deployment template can source the password without exposing it as an
# argument -- TODO confirm.
readiness:
  initialDelaySeconds: 30
  periodSeconds: 10
  # Folded scalar: the lines below join with single spaces into one command.
  command: >-
    curl https://localhost:$HTTPS_PORT/ready
    --cacert $ROOT_CERT
    --cert-type p12
    --cert $KEYSTORE_P12_PATH
    --pass $KEYSTORE_PASSWORD
# Presumably selects one of the keys of `resources` below -- confirm against
# the chart's resource helper.
flavor: small
resources:
  small:
    limits:
      cpu: "1"
      memory: "500Mi"
    requests:
      cpu: "0.5"
      memory: "500Mi"
  large:
    limits:
      cpu: "2"
      memory: "1Gi"
    requests:
      cpu: "1"
      memory: "1Gi"
  # Empty map: presumably renders neither requests nor limits, leaving the
  # pod's CPU and memory use unbounded -- avoid outside test clusters
  # (confirm template behaviour).
  unlimited: {}
# Application configuration
# Names of the Secret and volume for the CMP server configuration, and the
# path the volume is mounted at. The Secret's contents are produced by the
# chart templates, not by this file.
cmpServers:
  secret:
    name: oom-cert-service-secret
  volume:
    name: oom-cert-service-volume
    mountPath: /etc/onap/oom/certservice
# Issuer and Secret names for the service's TLS material. The anchors defined
# here (&selfSigningIssuer, &caIssuer, &caKeyPairSecret, &serverSecret) are
# referenced by aliases in the `certificates` list.
tls:
  issuer:
    selfsigning:
      name: &selfSigningIssuer cmpv2-selfsigning-issuer
    ca:
      name: &caIssuer cmpv2-issuer-onap
      # The certificate with isCA: true in `certificates` is written to this
      # Secret, so it presumably holds the CA private key; restrict read
      # access to it accordingly.
      secret:
        name: &caKeyPairSecret cmpv2-ca-key-pair
    # The two ingress issuers take their namespace from the
    # *ingressNamespace alias (anchor at global.ingress.namespace). The alias
    # is resolved when this file is parsed, so an override of
    # global.ingress.namespace supplied elsewhere does not reach these keys.
    ingressSelfsigned:
      name: ingress-selfsigned-issuer
      namespace: *ingressNamespace
    ingressCa:
      name: ingress-ca-issuer
      namespace: *ingressNamespace
      secret:
        name: ingress-ca-key-pair
  server:
    secret:
      name: &serverSecret oom-cert-service-server-tls-secret
    volume:
      name: oom-cert-service-server-tls-volume
      mountPath: /etc/onap/oom/certservice/certs/
  client:
    secret:
      # Fallback used by the cert-service-client-cert entry when
      # cmpv2Config.global.platform.certificates.clientSecretName is unset.
      defaultName: oom-cert-service-client-tls-secret
# File names of the keystore and truststore artefacts, and the HTTPS port.
# Presumably exported to the container as environment variables -- confirm in
# the deployment template.
envs:
  keystore:
    jksName: keystore.jks
    p12Name: keystore.p12
    pemName: tls.crt
  truststore:
    jksName: truststore.jks
    crtName: ca.crt
    pemName: tls.crt
  httpsPort: 8443
# External secrets with credentials can be provided to override the default
# credentials defined below, by uncommenting and filling in the appropriate
# *ExternalSecret value.
credentials:
  tls:
    # NOTE(review): fixed, publicly known default. It feeds the
    # certificates-password entry under `secrets`, which the certificate
    # keystores reference through passwordSecretRef. Set
    # certificatesPasswordExternalSecret (or a deployment-specific value) for
    # anything other than a test installation.
    certificatesPassword: secret
    #certificatesPasswordExternalSecret:
  # Below cmp values contain credentials for EJBCA test instance and are
  # relevant only if global addTestingComponents flag is enabled
  cmp:
    # Used only if cmpv2 testing is enabled
    clientIakExternalSecret: '{{ include "common.release" . }}-ejbca-client-iak'
    #clientRvExternalSecret:
    raIakExternalSecret: '{{ include "common.release" . }}-ejbca-ra-iak'
    #raRvExternalSecret:
    # The commented keys below are examples only; do not commit real
    # credentials into this file.
    client: {}
      # iak: mypassword
      # rv: unused
    ra: {}
      # iak: mypassword
      # rv: unused
# Secret definitions. Each entry pairs an inline password taken from
# `credentials` with an optional externalSecret name; the externalSecret
# value is passed through `tpl`, so it may itself contain template
# expressions. Precedence between the two is decided by the chart's secret
# helper -- presumably a non-empty externalSecret wins; confirm there.
secrets:
  # Keystore password shared by the certificates below via the
  # &certificatesPasswordSecretName anchor.
  - uid: certificates-password
    name: &certificatesPasswordSecretName '{{ .Values.cmpv2Config.global.platform.certificates.keystorePasswordSecretName }}'
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.tls.certificatesPasswordExternalSecret) . }}'
    password: '{{ .Values.credentials.tls.certificatesPassword }}'
    passwordPolicy: required
  # Below values are relevant only if global addTestingComponents flag is enabled
  - uid: ejbca-server-client-iak
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientIakExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.client.iak }}'
  - uid: cmp-config-client-rv
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.clientRvExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.client.rv }}'
  - uid: ejbca-server-ra-iak
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raIakExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.ra.iak }}'
  - uid: cmp-config-ra-rv
    type: password
    externalSecret: '{{ tpl (default "" .Values.credentials.cmp.raRvExternalSecret) . }}'
    password: '{{ .Values.credentials.cmp.ra.rv }}'
# Certificates definitions
# No entry sets a validity period or renewal window here, so lifetime and
# rotation presumably follow the issuer's defaults -- confirm they match the
# deployment's rotation policy.
certificates:
  # Self-signed CA certificate (isCA: true), issued by the self-signing
  # issuer and stored in the CA key-pair Secret.
  - name: selfsigned-cert
    secretName: *caKeyPairSecret
    isCA: true
    commonName: root.com
    subject:
      organization: Root Company
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: Root Org
    issuer:
      name: *selfSigningIssuer
      kind: Issuer
  # Server certificate, issued by the CA issuer. `localhost` is among the
  # DNS names; the liveness/readiness probes connect to https://localhost.
  - name: cert-service-server-cert
    secretName: *serverSecret
    commonName: oom-cert-service
    dnsNames:
      - oom-cert-service
      - localhost
    subject:
      organization: certServiceServer org
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: certServiceServer company
    # NOTE(review): client auth on the server certificate is presumably
    # needed because the probes present the PKCS#12 keystore as a client
    # certificate -- confirm before narrowing.
    usages:
      - server auth
      - client auth
    keystore:
      outputType:
        - jks
        - p12
      # Keystore password comes from the shared certificates-password Secret.
      passwordSecretRef:
        name: *certificatesPasswordSecretName
        key: password
    issuer:
      name: *caIssuer
      kind: Issuer
  # Client certificate, issued by the same CA issuer.
  - name: cert-service-client-cert
    secretName: '{{ .Values.cmpv2Config.global.platform.certificates.clientSecretName | default .Values.tls.client.secret.defaultName }}'
    commonName: certServiceClient.com
    subject:
      organization: certServiceClient org
      country: PL
      locality: Wroclaw
      province: Dolny Slask
      organizationalUnit: certServiceClient company
    # NOTE(review): a client certificate that also carries server auth is
    # broader than least privilege suggests; check that no consumer depends
    # on it before restricting the usages to client auth.
    usages:
      - server auth
      - client auth
    keystore:
      outputType:
        - jks
      # Same shared keystore password Secret as the server certificate.
      passwordSecretRef:
        name: *certificatesPasswordSecretName
        key: password
    issuer:
      name: *caIssuer
      kind: Issuer