Oom Onap helm charts patches needed to Beijing.

For the old bash-based solution to work with the Beijing release of
ONAP, some of the Helm charts need to be patched to work offline.

This file tracks the changes that were made; the installer applies
them on top of the cloned Helm charts.

Change-Id: Ic2265773de3bcfdb9d6aca19c2bcb4b5852966ba
Issue-ID: OOM-1551
Signed-off-by: Samuli Silvius <s.silvius@partner.samsung.com>
diff --git a/patches/offline-changes.patch b/patches/offline-changes.patch
new file mode 100644
index 0000000..5238da4
--- /dev/null
+++ b/patches/offline-changes.patch
@@ -0,0 +1,616 @@
+diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml
+index 1c20977..4b47c63 100644
+--- a/kubernetes/appc/values.yaml
++++ b/kubernetes/appc/values.yaml
+@@ -29,7 +29,7 @@ global:
+ #################################################################
+ # application image
+ repository: nexus3.onap.org:10001
+-image: onap/appc-image:1.4.0-SNAPSHOT-latest
++image: onap/appc-image:1.3.0
+ pullPolicy: Always
+
+ # flag to enable debugging - application support required
+@@ -37,10 +37,7 @@ debugEnabled: false
+
+ # application configuration
+ config:
+-  aafExtIP: 127.0.0.1
+-  aafExtFQDN: aaf-onap-beijing-test.osaaf.org
+   dbRootPassword: openECOMP1.0
+-  enableAAF: false
+   enableClustering: true
+   configDir: /opt/onap/appc/data/properties
+   dmaapTopic: SUCCESS
+diff --git a/kubernetes/common/dgbuilder/templates/deployment.yaml b/kubernetes/common/dgbuilder/templates/deployment.yaml
+index 328e058..b359526 100644
+--- a/kubernetes/common/dgbuilder/templates/deployment.yaml
++++ b/kubernetes/common/dgbuilder/templates/deployment.yaml
+@@ -35,8 +35,14 @@ spec:
+         - name: {{ include "common.name" . }}
+           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+-          command: ["/bin/bash"]
+-          args: ["-c", "cd /opt/onap/ccsdk/dgbuilder/ && ./start.sh sdnc1.0 && wait"]
++          command:
++          - /bin/bash
++          - -c
++          - >
++            UPDATE_HOSTS_FILE >> /etc/hosts;
++            UPDATE_NPM_REGISTRY;
++            cd /opt/onap/ccsdk/dgbuilder/;
++            ./start.sh sdnc1.0 && wait
+           ports:
+           - containerPort: {{ .Values.service.internalPort }}
+           readinessProbe:
+@@ -94,3 +100,4 @@ spec:
+             defaultMode: 0755
+       imagePullSecrets:
+       - name: "{{ include "common.namespace" . }}-docker-registry-key"
++
+diff --git a/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml b/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml
+index acda520..8fa35f9 100644
+--- a/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml
++++ b/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml
+@@ -68,6 +68,8 @@ spec:
+           - mountPath: /etc/localtime
+             name: localtime
+             readOnly: true
++          - mountPath: /etc/pki/ca-trust/source/anchors
++            name: root-ca
+           securityContext:
+             privileged: True
+           lifecycle:
+@@ -80,6 +82,8 @@ spec:
+                   set -ex
+                   mkdir -p /var/run/secrets/kubernetes.io/
+                   ln -s /secret /var/run/secrets/kubernetes.io/serviceaccount
++                  echo -e '\nREQUESTS_CA_BUNDLE="/etc/ssl/certs/ca-bundle.crt"' >> /etc/sysconfig/cloudify-restservice
++                  update-ca-trust extract
+       volumes:
+         - name: {{ include "common.fullname" . }}-config
+           configMap:
+@@ -93,5 +97,8 @@ spec:
+         - name: localtime
+           hostPath:
+             path: /etc/localtime
++        - name: root-ca
++          hostPath:
++            path: CERT_PATH
+       imagePullSecrets:
+       - name: "{{ include "common.namespace" . }}-docker-registry-key"
+diff --git a/kubernetes/dmaap/charts/message-router/templates/deployment.yaml b/kubernetes/dmaap/charts/message-router/templates/deployment.yaml
+index 379fc24..4802f8b 100644
+--- a/kubernetes/dmaap/charts/message-router/templates/deployment.yaml
++++ b/kubernetes/dmaap/charts/message-router/templates/deployment.yaml
+@@ -48,6 +48,12 @@ spec:
+         name: {{ include "common.name" . }}-readiness
+       containers:
+         - name: {{ include "common.name" . }}
++          command:
++          - /bin/sh
++          - -c
++          - >
++            UPDATE_HOSTS_FILE >> /etc/hosts;
++            ./startup.sh
+           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+           ports:
+diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
+index b8f15e1..fadb56e 100644
+--- a/kubernetes/onap/values.yaml
++++ b/kubernetes/onap/values.yaml
+@@ -39,7 +39,8 @@ global:
+   loggingRepository: docker.elastic.co
+
+   # image pull policy
+-  pullPolicy: Always
++  #pullPolicy: Always
++  pullPolicy: IfNotPresent
+
+   # default mount path root directory referenced
+   # by persistent volumes and log files
+@@ -66,11 +67,11 @@ appc:
+   config:
+     openStackType: OpenStackProvider
+     openStackName: OpenStack
+-    openStackKeyStoneUrl: http://localhost:8181/apidoc/explorer/index.html
+-    openStackServiceTenantName: default
+-    openStackDomain: default
+-    openStackUserName: admin
+-    openStackEncryptedPassword: admin
++    openStackKeyStoneUrl: FILL-ME
++    openStackServiceTenantName: FILL-ME
++    openStackDomain: FILL-ME
++    openStackUserName: FILL-ME
++    openStackEncryptedPassword: FILL-ME
+ clamp:
+   enabled: true
+ cli:
+@@ -97,8 +98,11 @@ nbi:
+   enabled: true
+   config:
+     # openstack configuration
+-    openStackRegion: "Yolo"
+-    openStackVNFTenantId: "1234"
++    openStackUserName: "FILL-ME"
++    openStackRegion: "FILL-ME"
++    openStackKeyStoneUrl: "FILL-ME"
++    openStackServiceTenantName: "FILL-ME"
++    openStackEncryptedPasswordHere: "FILL-ME"
+ policy:
+   enabled: true
+ portal:
+@@ -112,7 +116,11 @@ sdnc:
+
+   replicaCount: 1
+
++  config:
++    enableClustering: false
++
+   mysql:
++    disableNfsProvisioner: true
+     replicaCount: 1
+ so:
+   enabled: true
+@@ -129,11 +137,11 @@ so:
+     # message router configuration
+     dmaapTopic: "AUTO"
+     # openstack configuration
+-    openStackUserName: "vnf_user"
+-    openStackRegion: "RegionOne"
+-    openStackKeyStoneUrl: "http://1.2.3.4:5000"
+-    openStackServiceTenantName: "service"
+-    openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e"
++    openStackUserName: "FILL-ME"
++    openStackRegion: "FILL-ME"
++    openStackKeyStoneUrl: "FILL-ME"
++    openStackServiceTenantName: "FILL-ME"
++    openStackEncryptedPasswordHere: "FILL-ME"
+
+   # configure embedded mariadb
+   mariadb:
+diff --git a/kubernetes/policy/charts/drools/resources/config/opt/policy/config/drools/apps-install.sh b/kubernetes/policy/charts/drools/resources/config/opt/policy/config/drools/apps-install.sh
+index 72f7a74..f6b3478 100644
+--- a/kubernetes/policy/charts/drools/resources/config/opt/policy/config/drools/apps-install.sh
++++ b/kubernetes/policy/charts/drools/resources/config/opt/policy/config/drools/apps-install.sh
+@@ -114,7 +114,7 @@ else
+     url_release
+ fi
+
+-wget "${APP_URL}" -O "${DOWNLOAD_DIR}"/apps-"${APP_NAME}".zip
++wget "${APP_URL}" -O "${DOWNLOAD_DIR}"/apps-"${APP_NAME}".zip --no-check-certificate
+ if [[ $? != 0 ]]; then
+     echo "ERROR: cannot download ${DOWNLOAD_DIR}/apps-${APP_NAME}.zip"
+     exit 1
+diff --git a/kubernetes/policy/charts/drools/resources/scripts/update-vfw-op-policy.sh b/kubernetes/policy/charts/drools/resources/scripts/update-vfw-op-policy.sh
+index a6c054d..9e48d55 100644
+--- a/kubernetes/policy/charts/drools/resources/scripts/update-vfw-op-policy.sh
++++ b/kubernetes/policy/charts/drools/resources/scripts/update-vfw-op-policy.sh
+@@ -84,8 +84,8 @@ echo "Restarting PDP-D .."
+ echo
+ echo
+
+-POD=$(kubectl --namespace onap-policy get pods | sed 's/ .*//'| grep drools)
+-kubectl --namespace onap-policy exec -it ${POD} -- bash -c "source /opt/app/policy/etc/profile.d/env.sh && policy stop && sleep 5 && policy start"
++POD=$(kubectl --namespace onap get pods | sed 's/ .*//'| grep drools)
++kubectl --namespace onap exec -it ${POD} -- bash -c "source /opt/app/policy/etc/profile.d/env.sh && policy stop && sleep 1 && policy start"
+
+ sleep 20
+
+diff --git a/kubernetes/policy/resources/config/pe/push-policies.sh b/kubernetes/policy/resources/config/pe/push-policies.sh
+index dcd3afb..21b3171 100644
+--- a/kubernetes/policy/resources/config/pe/push-policies.sh
++++ b/kubernetes/policy/resources/config/pe/push-policies.sh
+@@ -22,7 +22,7 @@ echo "Upload BRMS Param Template"
+
+ sleep 2
+
+-wget -O cl-amsterdam-template.drl https://git.onap.org/policy/drools-applications/plain/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl?h=beijing
++wget -O cl-amsterdam-template.drl https://git.onap.org/policy/drools-applications/plain/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl?h=beijing --no-check-certificate
+
+ sleep 2
+
+diff --git a/kubernetes/robot/values.yaml b/kubernetes/robot/values.yaml
+index aea67c8..06dc17b 100644
+--- a/kubernetes/robot/values.yaml
++++ b/kubernetes/robot/values.yaml
+@@ -39,49 +39,49 @@ config:
+   # Password of the lighthttpd server.  Used for HTML auth for webpage access
+   lightHttpdPassword: robot
+   # gerrit branch where the latest heat code is checked in
+-  gerritBranch: 2.0.0-ONAP
++  gerritBranch: master
+   # gerrit project where the latest heat code is checked in
+   gerritProject: http://gerrit.onap.org/r/demo.git
+
+
+ # Demo configuration
+ # Nexus demo artifact version.  Maps to GLOBAL_INJECTED_ARTIFACTS_VERSION
+-demoArtifactsVersion: "1.2.0-SNAPSHOT"
++demoArtifactsVersion: "1.3.0"
+ # Openstack medium sized flavour name.  Maps GLOBAL_INJECTED_VM_FLAVOR
+ openStackFlavourMedium: "m1.medium"
+ # Openstack keystone URL.  Maps to GLOBAL_INJECTED_KEYSTONE
+-openStackKeyStoneUrl: "http://1.2.3.4:5000"
++openStackKeyStoneUrl: "FILL-ME"
+ # UUID of the Openstack network that can assign floating ips.  Maps to GLOBAL_INJECTED_PUBLIC_NET_ID
+-openStackPublicNetId: "e8f51958045716781ffc"
++openStackPublicNetId: "FILL-ME"
+ # password for Openstack tenant where VNFs will be spawned.  Maps to GLOBAL_INJECTED_OPENSTACK_PASSWORD
+-openStackPassword: "tenantPassword"
++openStackPassword: "FILL-ME"
+ # Openstack region.  Maps to GLOBAL_INJECTED_REGION
+ openStackRegion: "RegionOne"
+ # Openstack tenant UUID where VNFs will be spawned. Maps to GLOBAL_INJECTED_OPENSTACK_TENANT_ID
+-openStackTenantId: "47899782ed714295b1151681fdfd51f5"
++openStackTenantId: "FILL-ME"
+ # username for Openstack tenant where VNFs will be spawned.  Maps to GLOBAL_INJECTED_OPENSTACK_USERNAME
+-openStackUserName: "tenantUsername"
++openStackUserName: "FILL-ME"
+ # Openstack glance image name for Ubuntu 14.  Maps to GLOBAL_INJECTED_UBUNTU_1404_IMAGE
+-ubuntu14Image: "Ubuntu_14_trusty"
++ubuntu14Image: "FILL-ME"
+ # Openstack glance image name for Ubuntu 16.  Maps to GLOBAL_INJECTED_UBUNTU_1604_IMAGE
+-ubuntu16Image: "Ubuntu_16_xenial"
++ubuntu16Image: "FILL-ME"
+ # GLOBAL_INJECTED_SCRIPT_VERSION.  Maps to GLOBAL_INJECTED_SCRIPT_VERSION
+-scriptVersion: "1.2.0-SNAPSHOT"
++scriptVersion: "1.2.1"
+ # Openstack network to which VNFs will bind their primary (first) interface.  Maps to GLOBAL_INJECTED_NETWORK
+-openStackPrivateNetId: "e8f51956-00dd-4425-af36-045716781ffc"
++openStackPrivateNetId: "FILL-ME"
+
+ # SDNC Preload configuration
+ # Openstack subnet UUID for the network defined by openStackPrivateNetId.  Maps to onap_private_subnet_id
+-openStackPrivateSubnetId: "e8f51956-00dd-4425-af36-045716781ffc"
++openStackPrivateSubnetId: "FILL-ME"
+ # CIDR notation for the Openstack private network where VNFs will be spawned.  Maps to onap_private_net_cidr
+-openStackPrivateNetCidr: "10.0.0.0/8"
++openStackPrivateNetCidr: "FILL-ME"
+ # The first 2 octets of the private Openstack subnet where VNFs will be spawned.
+ # Needed because sdnc preload templates hardcodes things like this 10.0.${ecompnet}.X
+ openStackOamNetworkCidrPrefix: "10.0"
+ # Override with Pub Key for access to VNF
+-vnfPubKey: "FILL_IN_WITH_PUB_KEY"
+-# Override with DCAE VES Collector external IP
+-dcaeCollectorIp: "FILL_IN_WITH_DCAE_VES_COLLECTOR_IP"
++vnfPubKey: "FILL-ME"
++# Override with DCAE VES Collector external IP
++dcaeCollectorIp: "FILL-ME"
+
+ # default number of instances
+ replicaCount: 1
+@@ -156,4 +156,4 @@ persistence:
+   accessMode: ReadWriteMany
+   size: 2Gi
+   mountPath: /dockerdata-nfs
+-  mountSubPath: robot/logs
+\ No newline at end of file
++  mountSubPath: robot/logs
+diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
+index a19c33a..b49e2c4 100644
+--- a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
++++ b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
+@@ -47,8 +47,17 @@ spec:
+         name: {{ include "common.name" . }}-readiness
+       containers:
+         - name: {{ include "common.name" . }}
+-          command: ["/bin/bash"]
+-          args: ["-c", "cd /opt/onap/sdnc && ./startAnsibleServer.sh"]
++          command:
++          - bash
++          - "-c"
++          - |
++            pip install /root/ansible_pkg/*.whl
++            dpkg -i /root/ansible_pkg/*.deb
++            cp /etc/ansible/ansible.cfg /etc/ansible/ansible.cfg.orig
++            cat /etc/ansible/ansible.cfg.orig | sed -e 's/#host_key_checking/host_key_checking/' > /etc/ansible/ansible.cfg
++            touch /tmp/.ansible-server-installed
++            cd /opt/onap/sdnc
++            ./startAnsibleServer.sh
+           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+           ports:
+@@ -74,6 +83,8 @@ spec:
+           - mountPath: {{ .Values.config.configDir }}/RestServer_config
+             name: config
+             subPath: RestServer_config
++          - mountPath: /root/ansible_pkg
++            name: ansible-pkg
+           resources:
+ {{ toYaml .Values.resources | indent 12 }}
+         {{- if .Values.nodeSelector }}
+@@ -92,5 +103,9 @@ spec:
+           configMap:
+             name: {{ include "common.fullname" . }}
+             defaultMode: 0644
++        - name: ansible-pkg
++          hostPath:
++            path: /root/ansible_pkg
+       imagePullSecrets:
+-      - name: "{{ include "common.namespace" . }}-docker-registry-key"
+\ No newline at end of file
++      - name: "{{ include "common.namespace" . }}-docker-registry-key"
++
+diff --git a/kubernetes/sdnc/charts/sdnc-portal/templates/deployment.yaml b/kubernetes/sdnc/charts/sdnc-portal/templates/deployment.yaml
+index 87ed6aa..5da236d 100644
+--- a/kubernetes/sdnc/charts/sdnc-portal/templates/deployment.yaml
++++ b/kubernetes/sdnc/charts/sdnc-portal/templates/deployment.yaml
+@@ -49,8 +49,13 @@ spec:
+         name: {{ include "common.name" . }}-readiness
+       containers:
+         - name: {{ include "common.name" . }}
+-          command: ["/bin/bash"]
+-          args: ["-c", "cd /opt/onap/sdnc/admportal/shell && ./start_portal.sh"]
++          command:
++          - /bin/bash
++          - -c
++          - >
++            UPDATE_HOSTS_FILE >> /etc/hosts;
++            UPDATE_NPM_REGISTRY;
++            cd /opt/onap/sdnc/admportal/shell && ./start_portal.sh
+           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+           ports:
+diff --git a/kubernetes/uui/charts/uui-server/templates/deployment.yaml b/kubernetes/uui/charts/uui-server/templates/deployment.yaml
+index accdff9..fa83daf 100644
+--- a/kubernetes/uui/charts/uui-server/templates/deployment.yaml
++++ b/kubernetes/uui/charts/uui-server/templates/deployment.yaml
+@@ -34,6 +34,12 @@ spec:
+         - name: {{ include "common.name" . }}
+           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
++          command:
++            - /bin/bash
++            - -c
++            - >
++              chown -R mysql:mysql /var/lib/mysql /var/run/mysqld;
++              /home/uui/bin/run.sh
+           ports:
+           - containerPort: {{ .Values.service.internalPort }}
+           # disable liveness probe when breakpoints set in debugger
+--- oom/kubernetes/common/common/templates/_cacert.tpl	1970-01-01 00:00:00.000000000 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/common/common/templates/_cacert.tpl	2018-11-02 15:09:31.781688957 +0000
+@@ -0,0 +1,62 @@
++#This template adds volume for access to ca certificate.
++#Template is ignored when cacert not set.
++{{- define "common.cacert-volume" }}
++{{- if .Values.global.cacert }}
++- name: cacert
++  configMap:
++    name: {{ include "common.namespace" . }}-root-ca-cert
++{{- end }}
++{{- end }}
++
++#This template mounts the CA certificate in an ubuntu compatible way.
++#It is mounted to /usr/local/share/ca-certificates/cacert.crt.
++#Template is ignored if cacert not set.
++{{- define "common.cacert-mount-ubuntu" }}
++{{- if .Values.global.cacert }}
++- mountPath: "/usr/local/share/ca-certificates/cacert.crt"
++  name: cacert
++  subPath: certificate
++{{- end }}
++{{- end }}
++
++#This template creates an empty volume used to store system certificates (includes java keystore).
++{{- define "common.system-ca-store-volume" }}
++{{- if .Values.global.cacert }}
++- name: system-ca-store
++  emptyDir:
++{{- end }}
++{{- end }}
++
++#This template mounts system ca store volume to /etc/ssl/certs (ubuntu specific).
++#Template is ignored in case cacert is not given.
++{{- define "common.system-ca-store-mount-ubuntu" }}
++{{- if .Values.global.cacert }}
++- mountPath: "/etc/ssl/certs"
++  name: system-ca-store
++{{- end }}
++{{- end }}
++
++#This template is a template for an init container.
++#This init container can be declared to update system's ca store for ubuntu containers.
++#It runs as root using the same image as the main one.
++#It expects /etc/ssl/certs to be mounted as a volume.
++#It has to be shared with the main container.
++#This template is ignored if cacert is not given as helm value.
++{{- define "common.update-system-ca-store-ubuntu" }}
++{{- if .Values.global.cacert }}
++- command:
++  - "/bin/bash"
++  - "-c"
++  - |
++      mkdir -p /etc/ssl/certs/java
++      update-ca-certificates
++  name: update-system-ca-store
++  imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
++  image: {{ include "common.repository" . }}/{{ .Values.image }}
++  securityContext:
++    runAsUser: 0
++  volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 2 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 2 }}
++{{- end }}
++{{- end }}
+--- oom/kubernetes/onap/templates/configmap.yaml	1970-01-01 00:00:00.000000000 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/onap/templates/configmap.yaml	2018-11-02 15:09:31.804689107 +0000
+@@ -0,0 +1,15 @@
++{{ if .Values.global.cacert -}}
++apiVersion: v1
++kind: ConfigMap
++metadata:
++  name: {{ include "common.namespace" . }}-root-ca-cert
++  namespace: {{ include "common.namespace" . }}
++  labels:
++    app: {{ include "common.name" . }}
++    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
++    release: {{ .Release.Name }}
++    heritage: {{ .Release.Service }}
++data:
++  certificate: |
++{{ .Values.global.cacert | indent 4 }}
++{{- end }}
+--- oom/kubernetes/policy/charts/brmsgw/templates/deployment.yaml	2018-11-06 07:38:46.341849402 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/brmsgw/templates/deployment.yaml	2018-11-02 15:09:31.808689133 +0000
+@@ -45,6 +45,7 @@
+         image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+         name: {{ include "common.name" . }}-readiness
++{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
+       containers:
+       - command:
+         - /bin/bash
+@@ -68,6 +69,8 @@
+           initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+           periodSeconds: {{ .Values.readiness.periodSeconds }}
+         volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 8 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 8 }}
+         - mountPath: /etc/localtime
+           name: localtime
+           readOnly: true
+@@ -94,6 +97,8 @@
+ {{ toYaml .Values.affinity | indent 10 }}
+       {{- end }}
+       volumes:
++{{ include "common.cacert-volume" . | indent 8 }}
++{{ include "common.system-ca-store-volume" . | indent 8 }}
+         - name: localtime
+           hostPath:
+             path: /etc/localtime
+--- oom/kubernetes/policy/charts/drools/templates/statefulset.yaml	2018-11-06 07:38:46.343849404 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/drools/templates/statefulset.yaml	2018-11-02 15:09:31.810689146 +0000
+@@ -51,6 +51,8 @@
+         image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+         name: {{ include "common.name" . }}-readiness
++{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
++{{ include "policy.update-policy-keystore" . | indent 6 }}
+       containers:
+         - name: {{ include "common.name" . }}
+           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
+@@ -78,6 +80,9 @@
+           - name: REPLICAS
+             value: "{{ .Values.replicaCount }}"
+           volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 10 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 10 }}
++{{ include "policy.keystore-mount" . | indent 10 }}
+           - mountPath: /etc/localtime
+             name: localtime
+             readOnly: true
+@@ -136,6 +141,9 @@
+ {{ toYaml .Values.affinity | indent 10 }}
+         {{- end }}
+       volumes:
++{{ include "common.cacert-volume" . | indent 8 }}
++{{ include "common.system-ca-store-volume" . | indent 8 }}
++{{ include "policy.keystore-storage-volume" . | indent 8 }}
+         - name: localtime
+           hostPath:
+             path: /etc/localtime
+--- oom/kubernetes/policy/charts/pdp/templates/statefulset.yaml	2018-11-06 07:38:46.345849405 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/pdp/templates/statefulset.yaml	2018-11-02 15:09:31.812689159 +0000
+@@ -49,6 +49,7 @@
+         image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+         name: {{ include "common.name" . }}-readiness
++{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
+       containers:
+       - command:
+         - /bin/bash
+@@ -72,6 +73,8 @@
+           initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
+           periodSeconds: {{ .Values.readiness.periodSeconds }}
+         volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 8 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 8 }}
+         - mountPath: /etc/localtime
+           name: localtime
+           readOnly: true
+@@ -121,6 +124,8 @@
+ {{ toYaml .Values.affinity | indent 10 }}
+         {{- end }}
+       volumes:
++{{ include "common.cacert-volume" . | indent 6 }}
++{{ include "common.system-ca-store-volume" . | indent 6 }}
+       - name: localtime
+         hostPath:
+           path: /etc/localtime
+--- oom/kubernetes/policy/charts/policy-common/templates/_keystore.tpl	1970-01-01 00:00:00.000000000 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/policy-common/templates/_keystore.tpl	2018-11-02 15:09:31.812689159 +0000
+@@ -0,0 +1,43 @@
++#This template creates a volume for storing policy-keystore with imported ca.
++#It is ignored if cacert was not given.
++{{- define "policy.keystore-storage-volume" }}
++{{- if .Values.global.cacert }}
++- name: keystore-storage
++  emptyDir:
++{{- end }}
++{{- end }}
++
++#This template mounts policy-keystore in appropriate place for policy components to take it.
++#It is ignored if cacert is not given.
++{{- define "policy.keystore-mount" }}
++{{- if .Values.global.cacert }}
++- mountPath: "/tmp/policy-install/config/policy-keystore"
++  name: keystore-storage
++  subPath: policy-keystore
++{{- end }}
++{{- end }}
++
++#This will extract a policy keystore and then import
++#the root cacert of offline nexus into it.
++#This template expects a volume named keystore-storage where policy-keystore will be put.
++#It also expects volume named cacert where the file "certificate" will contain the cert to import.
++#Template is ignored if ca certificate not given.
++{{- define "policy.update-policy-keystore" }}
++{{- if .Values.global.cacert }}
++- command:
++  - "/bin/bash"
++  - "-c"
++  - |
++      set -e
++      tar -xzf base-*.tar.gz etc/ssl/policy-keystore
++      cp etc/ssl/policy-keystore keystore-storage/
++      keytool -import -keystore keystore-storage/policy-keystore -storepass "Pol1cy_0nap" -noprompt -file /usr/local/share/ca-certificates/cacert.crt
++  name: update-policy-keystore
++  imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
++  image: {{ include "common.repository" . }}/{{ .Values.image }}
++  volumeMounts:
++  - mountPath: "/tmp/policy-install/keystore-storage"
++    name: keystore-storage
++{{ include "common.cacert-mount-ubuntu" . | indent 2 }}
++{{- end }}
++{{- end }}
+--- oom/kubernetes/policy/templates/deployment.yaml	2018-11-06 07:38:46.346849406 +0000
++++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/templates/deployment.yaml	2018-11-02 15:09:31.813689166 +0000
+@@ -45,6 +45,7 @@
+         image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
+         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+         name: {{ include "common.name" . }}-readiness
++{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
+       containers:
+         - command:
+           - /bin/bash
+@@ -72,6 +73,8 @@
+           - name: PRELOAD_POLICIES
+             value: "{{ .Values.config.preloadPolicies }}"
+           volumeMounts:
++{{ include "common.cacert-mount-ubuntu" . | indent 10 }}
++{{ include "common.system-ca-store-mount-ubuntu" . | indent 10 }}
+           - mountPath: /etc/localtime
+             name: localtime
+             readOnly: true
+@@ -136,6 +139,8 @@
+ {{ toYaml .Values.affinity | indent 10 }}
+         {{- end }}
+       volumes:
++{{ include "common.cacert-volume" . | indent 8 }}
++{{ include "common.system-ca-store-volume" . | indent 8 }}
+         - name: localtime
+           hostPath:
+             path: /etc/localtime
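Review bot: The two `wget` calls patched in `apps-install.sh` and `push-policies.sh` gain `--no-check-certificate`, which turns off TLS verification for the application zip and the rule template they download, so the content is accepted from whatever host answers for that name. The same patch already delivers the offline root CA to the policy pods (`common.cacert-mount-ubuntu` at `/usr/local/share/ca-certificates/cacert.crt`, plus the `common.update-system-ca-store-ubuntu` init container), so verification could stay on: drop the flag once the system store is updated, or pin the CA with `--ca-certificate=/usr/local/share/ca-certificates/cacert.crt`. Whether both scripts run in containers that receive that mount is not visible in this patch and should be confirmed. A comment above each call, such as `# offline Nexus cert is signed by global.cacert; keep TLS verification on`, would record the intent.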