patches/offline-changes.patch

diff --git a/kubernetes/appc/values.yaml b/kubernetes/appc/values.yaml
index 1c20977..4b47c63 100644
--- a/kubernetes/appc/values.yaml
+++ b/kubernetes/appc/values.yaml
@@ -29,7 +29,7 @@ global:
 #################################################################
 # application image
 repository: nexus3.onap.org:10001
-image: onap/appc-image:1.4.0-SNAPSHOT-latest
+image: onap/appc-image:1.3.0
 pullPolicy: Always

 # flag to enable debugging - application support required
@@ -37,10 +37,7 @@ debugEnabled: false

 # application configuration
 config:
-  aafExtIP: 127.0.0.1
-  aafExtFQDN: aaf-onap-beijing-test.osaaf.org
   dbRootPassword: openECOMP1.0
-  enableAAF: false
   enableClustering: true
   configDir: /opt/onap/appc/data/properties
   dmaapTopic: SUCCESS
diff --git a/kubernetes/common/dgbuilder/templates/deployment.yaml b/kubernetes/common/dgbuilder/templates/deployment.yaml
index 328e058..b359526 100644
--- a/kubernetes/common/dgbuilder/templates/deployment.yaml
+++ b/kubernetes/common/dgbuilder/templates/deployment.yaml
@@ -35,8 +35,14 @@ spec:
         - name: {{ include "common.name" . }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
-          command: ["/bin/bash"]
-          args: ["-c", "cd /opt/onap/ccsdk/dgbuilder/ && ./start.sh sdnc1.0 && wait"]
+          command:
+          - /bin/bash
+          - -c
+          - >
+            UPDATE_HOSTS_FILE >> /etc/hosts;
+            UPDATE_NPM_REGISTRY;
+            cd /opt/onap/ccsdk/dgbuilder/;
+            ./start.sh sdnc1.0 && wait
           ports:
           - containerPort: {{ .Values.service.internalPort }}
           readinessProbe:
@@ -94,3 +100,4 @@ spec:
             defaultMode: 0755
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
+
diff --git a/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml b/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml
index acda520..8fa35f9 100644
--- a/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml
+++ b/kubernetes/dcaegen2/charts/dcae-cloudify-manager/templates/deployment.yaml
@@ -68,6 +68,8 @@ spec:
           - mountPath: /etc/localtime
             name: localtime
             readOnly: true
+          - mountPath: /etc/pki/ca-trust/source/anchors
+            name: root-ca
           securityContext:
             privileged: True
           lifecycle:
@@ -80,6 +82,8 @@ spec:
                   set -ex
                   mkdir -p /var/run/secrets/kubernetes.io/
                   ln -s /secret /var/run/secrets/kubernetes.io/serviceaccount
+                  echo -e '\nREQUESTS_CA_BUNDLE="/etc/ssl/certs/ca-bundle.crt"' >> /etc/sysconfig/cloudify-restservice
+                  update-ca-trust extract
       volumes:
         - name: {{ include "common.fullname" . }}-config
           configMap:
@@ -93,5 +97,8 @@ spec:
         - name: localtime
           hostPath:
             path: /etc/localtime
+        - name: root-ca
+          hostPath:
+            path: CERT_PATH
       imagePullSecrets:
       - name: "{{ include "common.namespace" . }}-docker-registry-key"
diff --git a/kubernetes/dmaap/charts/message-router/templates/deployment.yaml b/kubernetes/dmaap/charts/message-router/templates/deployment.yaml
index 379fc24..4802f8b 100644
--- a/kubernetes/dmaap/charts/message-router/templates/deployment.yaml
+++ b/kubernetes/dmaap/charts/message-router/templates/deployment.yaml
@@ -48,6 +48,12 @@ spec:
         name: {{ include "common.name" . }}-readiness
       containers:
         - name: {{ include "common.name" . }}
+          command:
+          - /bin/sh
+          - -c
+          - >
+            UPDATE_HOSTS_FILE >> /etc/hosts;
+            ./startup.sh
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           ports:
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index b8f15e1..fadb56e 100644
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -39,7 +39,8 @@ global:
   loggingRepository: docker.elastic.co

   # image pull policy
-  pullPolicy: Always
+  #pullPolicy: Always
+  pullPolicy: IfNotPresent

   # default mount path root directory referenced
   # by persistent volumes and log files
@@ -66,11 +67,11 @@ appc:
   config:
     openStackType: OpenStackProvider
     openStackName: OpenStack
-    openStackKeyStoneUrl: http://localhost:8181/apidoc/explorer/index.html
-    openStackServiceTenantName: default
-    openStackDomain: default
-    openStackUserName: admin
-    openStackEncryptedPassword: admin
+    openStackKeyStoneUrl: FILL-ME
+    openStackServiceTenantName: FILL-ME
+    openStackDomain: FILL-ME
+    openStackUserName: FILL-ME
+    openStackEncryptedPassword: FILL-ME
 clamp:
   enabled: true
 cli:
@@ -97,8 +98,11 @@ nbi:
   enabled: true
   config:
     # openstack configuration
-    openStackRegion: "Yolo"
-    openStackVNFTenantId: "1234"
+    openStackUserName: "FILL-ME"
+    openStackRegion: "FILL-ME"
+    openStackKeyStoneUrl: "FILL-ME"
+    openStackServiceTenantName: "FILL-ME"
+    openStackEncryptedPasswordHere: "FILL-ME"
 policy:
   enabled: true
 portal:
@@ -112,7 +116,11 @@ sdnc:

   replicaCount: 1

+  config:
+    enableClustering: false
+
   mysql:
+    disableNfsProvisioner: true
     replicaCount: 1
 so:
   enabled: true
@@ -129,11 +137,11 @@ so:
     # message router configuration
     dmaapTopic: "AUTO"
     # openstack configuration
-    openStackUserName: "vnf_user"
-    openStackRegion: "RegionOne"
-    openStackKeyStoneUrl: "http://1.2.3.4:5000"
-    openStackServiceTenantName: "service"
-    openStackEncryptedPasswordHere: "c124921a3a0efbe579782cde8227681e"
+    openStackUserName: "FILL-ME"
+    openStackRegion: "FILL-ME"
+    openStackKeyStoneUrl: "FILL-ME"
+    openStackServiceTenantName: "FILL-ME"
+    openStackEncryptedPasswordHere: "FILL-ME"

   # configure embedded mariadb
   mariadb:
diff --git a/kubernetes/policy/charts/drools/resources/config/opt/policy/config/drools/apps-install.sh b/kubernetes/policy/charts/drools/resources/config/opt/policy/config/drools/apps-install.sh
index 72f7a74..f6b3478 100644
--- a/kubernetes/policy/charts/drools/resources/config/opt/policy/config/drools/apps-install.sh
+++ b/kubernetes/policy/charts/drools/resources/config/opt/policy/config/drools/apps-install.sh
@@ -114,7 +114,7 @@ else
     url_release
 fi

-wget "${APP_URL}" -O "${DOWNLOAD_DIR}"/apps-"${APP_NAME}".zip
+wget "${APP_URL}" -O "${DOWNLOAD_DIR}"/apps-"${APP_NAME}".zip --no-check-certificate
 if [[ $? != 0 ]]; then
     echo "ERROR: cannot download ${DOWNLOAD_DIR}/apps-${APP_NAME}.zip"
     exit 1
diff --git a/kubernetes/policy/charts/drools/resources/scripts/update-vfw-op-policy.sh b/kubernetes/policy/charts/drools/resources/scripts/update-vfw-op-policy.sh
index a6c054d..9e48d55 100644
--- a/kubernetes/policy/charts/drools/resources/scripts/update-vfw-op-policy.sh
+++ b/kubernetes/policy/charts/drools/resources/scripts/update-vfw-op-policy.sh
@@ -84,8 +84,8 @@ echo "Restarting PDP-D .."
 echo
 echo

-POD=$(kubectl --namespace onap-policy get pods | sed 's/ .*//'| grep drools)
-kubectl --namespace onap-policy exec -it ${POD} -- bash -c "source /opt/app/policy/etc/profile.d/env.sh && policy stop && sleep 5 && policy start"
+POD=$(kubectl --namespace onap get pods | sed 's/ .*//'| grep drools)
+kubectl --namespace onap exec -it ${POD} -- bash -c "source /opt/app/policy/etc/profile.d/env.sh && policy stop && sleep 1 && policy start"

 sleep 20

diff --git a/kubernetes/policy/resources/config/pe/push-policies.sh b/kubernetes/policy/resources/config/pe/push-policies.sh
index dcd3afb..21b3171 100644
--- a/kubernetes/policy/resources/config/pe/push-policies.sh
+++ b/kubernetes/policy/resources/config/pe/push-policies.sh
@@ -22,7 +22,7 @@ echo "Upload BRMS Param Template"

 sleep 2

-wget -O cl-amsterdam-template.drl https://git.onap.org/policy/drools-applications/plain/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl?h=beijing
+wget -O cl-amsterdam-template.drl https://git.onap.org/policy/drools-applications/plain/controlloop/templates/archetype-cl-amsterdam/src/main/resources/archetype-resources/src/main/resources/__closedLoopControlName__.drl?h=beijing --no-check-certificate

 sleep 2

diff --git a/kubernetes/robot/values.yaml b/kubernetes/robot/values.yaml
index aea67c8..06dc17b 100644
--- a/kubernetes/robot/values.yaml
+++ b/kubernetes/robot/values.yaml
@@ -39,49 +39,49 @@ config:
   # Password of the lighthttpd server.  Used for HTML auth for webpage access
   lightHttpdPassword: robot
   # gerrit branch where the latest heat code is checked in
-  gerritBranch: 2.0.0-ONAP
+  gerritBranch: master
   # gerrit project where the latest heat code is checked in
   gerritProject: http://gerrit.onap.org/r/demo.git


 # Demo configuration
 # Nexus demo artifact version.  Maps to GLOBAL_INJECTED_ARTIFACTS_VERSION
-demoArtifactsVersion: "1.2.0-SNAPSHOT"
+demoArtifactsVersion: "1.3.0"
 # Openstack medium sized flavour name.  Maps GLOBAL_INJECTED_VM_FLAVOR
 openStackFlavourMedium: "m1.medium"
 # Openstack keystone URL.  Maps to GLOBAL_INJECTED_KEYSTONE
-openStackKeyStoneUrl: "http://1.2.3.4:5000"
+openStackKeyStoneUrl: "FILL-ME"
 # UUID of the Openstack network that can assign floating ips.  Maps to GLOBAL_INJECTED_PUBLIC_NET_ID
-openStackPublicNetId: "e8f51958045716781ffc"
+openStackPublicNetId: "FILL-ME"
 # password for Openstack tenant where VNFs will be spawned.  Maps to GLOBAL_INJECTED_OPENSTACK_PASSWORD
-openStackPassword: "tenantPassword"
+openStackPassword: "FILL-ME"
 # Openstack region.  Maps to GLOBAL_INJECTED_REGION
 openStackRegion: "RegionOne"
 # Openstack tenant UUID where VNFs will be spawned. Maps to GLOBAL_INJECTED_OPENSTACK_TENANT_ID
-openStackTenantId: "47899782ed714295b1151681fdfd51f5"
+openStackTenantId: "FILL-ME"
 # username for Openstack tenant where VNFs will be spawned.  Maps to GLOBAL_INJECTED_OPENSTACK_USERNAME
-openStackUserName: "tenantUsername"
+openStackUserName: "FILL-ME"
 # Openstack glance image name for Ubuntu 14.  Maps to GLOBAL_INJECTED_UBUNTU_1404_IMAGE
-ubuntu14Image: "Ubuntu_14_trusty"
+ubuntu14Image: "FILL-ME"
 # Openstack glance image name for Ubuntu 16.  Maps to GLOBAL_INJECTED_UBUNTU_1604_IMAGE
-ubuntu16Image: "Ubuntu_16_xenial"
+ubuntu16Image: "FILL-ME"
 # GLOBAL_INJECTED_SCRIPT_VERSION.  Maps to GLOBAL_INJECTED_SCRIPT_VERSION
-scriptVersion: "1.2.0-SNAPSHOT"
+scriptVersion: "1.2.1"
 # Openstack network to which VNFs will bind their primary (first) interface.  Maps to GLOBAL_INJECTED_NETWORK
-openStackPrivateNetId: "e8f51956-00dd-4425-af36-045716781ffc"
+openStackPrivateNetId: "FILL-ME"

 # SDNC Preload configuration
 # Openstack subnet UUID for the network defined by openStackPrivateNetId.  Maps to onap_private_subnet_id
-openStackPrivateSubnetId: "e8f51956-00dd-4425-af36-045716781ffc"
+openStackPrivateSubnetId: "FILL-ME"
 # CIDR notation for the Openstack private network where VNFs will be spawned.  Maps to onap_private_net_cidr
-openStackPrivateNetCidr: "10.0.0.0/8"
+openStackPrivateNetCidr: "FILL-ME"
 # The first 2 octets of the private Openstack subnet where VNFs will be spawned.
 # Needed because sdnc preload templates hardcodes things like this 10.0.${ecompnet}.X
 openStackOamNetworkCidrPrefix: "10.0"
 # Override with Pub Key for access to VNF
-vnfPubKey: "FILL_IN_WITH_PUB_KEY"
-# Override with DCAE VES Collector external IP
-dcaeCollectorIp: "FILL_IN_WITH_DCAE_VES_COLLECTOR_IP"
+vnfPubKey: "FILL-ME"
+# Override with DCAE VES Collector external IP
+dcaeCollectorIp: "FILL-ME"

 # default number of instances
 replicaCount: 1
@@ -156,4 +156,4 @@ persistence:
   accessMode: ReadWriteMany
   size: 2Gi
   mountPath: /dockerdata-nfs
-  mountSubPath: robot/logs
\ No newline at end of file
+  mountSubPath: robot/logs
diff --git a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
index a19c33a..b49e2c4 100644
--- a/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
+++ b/kubernetes/sdnc/charts/sdnc-ansible-server/templates/deployment.yaml
@@ -47,8 +47,17 @@ spec:
         name: {{ include "common.name" . }}-readiness
       containers:
         - name: {{ include "common.name" . }}
-          command: ["/bin/bash"]
-          args: ["-c", "cd /opt/onap/sdnc && ./startAnsibleServer.sh"]
+          command:
+          - bash
+          - "-c"
+          - |
+            pip install /root/ansible_pkg/*.whl
+            dpkg -i /root/ansible_pkg/*.deb
+            cp /etc/ansible/ansible.cfg /etc/ansible/ansible.cfg.orig
+            cat /etc/ansible/ansible.cfg.orig | sed -e 's/#host_key_checking/host_key_checking/' > /etc/ansible/ansible.cfg
+            touch /tmp/.ansible-server-installed
+            cd /opt/onap/sdnc
+            ./startAnsibleServer.sh
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           ports:
@@ -74,6 +83,8 @@ spec:
           - mountPath: {{ .Values.config.configDir }}/RestServer_config
             name: config
             subPath: RestServer_config
+          - mountPath: /root/ansible_pkg
+            name: ansible-pkg
           resources:
 {{ toYaml .Values.resources | indent 12 }}
         {{- if .Values.nodeSelector }}
@@ -92,5 +103,9 @@ spec:
           configMap:
             name: {{ include "common.fullname" . }}
             defaultMode: 0644
+        - name: ansible-pkg
+          hostPath:
+            path: /root/ansible_pkg
       imagePullSecrets:
-      - name: "{{ include "common.namespace" . }}-docker-registry-key"
\ No newline at end of file
+      - name: "{{ include "common.namespace" . }}-docker-registry-key"
+
diff --git a/kubernetes/sdnc/charts/sdnc-portal/templates/deployment.yaml b/kubernetes/sdnc/charts/sdnc-portal/templates/deployment.yaml
index 87ed6aa..5da236d 100644
--- a/kubernetes/sdnc/charts/sdnc-portal/templates/deployment.yaml
+++ b/kubernetes/sdnc/charts/sdnc-portal/templates/deployment.yaml
@@ -49,8 +49,13 @@ spec:
         name: {{ include "common.name" . }}-readiness
       containers:
         - name: {{ include "common.name" . }}
-          command: ["/bin/bash"]
-          args: ["-c", "cd /opt/onap/sdnc/admportal/shell && ./start_portal.sh"]
+          command:
+          - /bin/bash
+          - -c
+          - >
+            UPDATE_HOSTS_FILE >> /etc/hosts;
+            UPDATE_NPM_REGISTRY;
+            cd /opt/onap/sdnc/admportal/shell && ./start_portal.sh
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
           ports:
diff --git a/kubernetes/uui/charts/uui-server/templates/deployment.yaml b/kubernetes/uui/charts/uui-server/templates/deployment.yaml
index accdff9..fa83daf 100644
--- a/kubernetes/uui/charts/uui-server/templates/deployment.yaml
+++ b/kubernetes/uui/charts/uui-server/templates/deployment.yaml
@@ -34,6 +34,12 @@ spec:
         - name: {{ include "common.name" . }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
           imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+          command:
+            - /bin/bash
+            - -c
+            - >
+              chown -R mysql:mysql /var/lib/mysql /var/run/mysqld;
+              /home/uui/bin/run.sh
           ports:
           - containerPort: {{ .Values.service.internalPort }}
           # disable liveness probe when breakpoints set in debugger
--- oom/kubernetes/common/common/templates/_cacert.tpl	1970-01-01 00:00:00.000000000 +0000
+++ onap-dev/install/onap-offline/resources/oom/kubernetes/common/common/templates/_cacert.tpl	2018-11-02 15:09:31.781688957 +0000
@@ -0,0 +1,62 @@
+#This template adds volume for access to ca certificate.
+#Template is ignored when cacert not set.
+{{- define "common.cacert-volume" }}
+{{- if .Values.global.cacert }}
+- name: cacert
+  configMap:
+    name: {{ include "common.namespace" . }}-root-ca-cert
+{{- end }}
+{{- end }}
+
+#This template mounts the CA certificate in an ubuntu compatible way.
+#It is mounted to /usr/local/share/ca-certificates/cacert.crt.
+#Template is ignored if cacert not set.
+{{- define "common.cacert-mount-ubuntu" }}
+{{- if .Values.global.cacert }}
+- mountPath: "/usr/local/share/ca-certificates/cacert.crt"
+  name: cacert
+  subPath: certificate
+{{- end }}
+{{- end }}
+
+#This template creates an empty volume used to store system certificates (includes java keystore).
+{{- define "common.system-ca-store-volume" }}
+{{- if .Values.global.cacert }}
+- name: system-ca-store
+  emptyDir:
+{{- end }}
+{{- end }}
+
+#This template mounts system ca store volume to /etc/ssl/certs (ubuntu specific).
+#Template is ignored in case cacert is not given.
+{{- define "common.system-ca-store-mount-ubuntu" }}
+{{- if .Values.global.cacert }}
+- mountPath: "/etc/ssl/certs"
+  name: system-ca-store
+{{- end }}
+{{- end }}
+
+#This template is a template for an init container.
+#This init container can be declared to update system's ca store for ubuntu containers.
+#It runs as root using the same image as the main one.
+#It expects /etc/ssl/certs to be mounted as a volume.
+#It has to be shared with the main container.
+#This template is ignored if cacert is not given as helm value.
+{{- define "common.update-system-ca-store-ubuntu" }}
+{{- if .Values.global.cacert }}
+- command:
+  - "/bin/bash"
+  - "-c"
+  - |
+      mkdir -p /etc/ssl/certs/java
+      update-ca-certificates
+  name: update-system-ca-store
+  imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+  image: {{ include "common.repository" . }}/{{ .Values.image }}
+  securityContext:
+    runAsUser: 0
+  volumeMounts:
+{{ include "common.cacert-mount-ubuntu" . | indent 2 }}
+{{ include "common.system-ca-store-mount-ubuntu" . | indent 2 }}
+{{- end }}
+{{- end }}
--- oom/kubernetes/onap/templates/configmap.yaml	1970-01-01 00:00:00.000000000 +0000
+++ onap-dev/install/onap-offline/resources/oom/kubernetes/onap/templates/configmap.yaml	2018-11-02 15:09:31.804689107 +0000
@@ -0,0 +1,15 @@
+{{ if .Values.global.cacert -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "common.namespace" . }}-root-ca-cert
+  namespace: {{ include "common.namespace" . }}
+  labels:
+    app: {{ include "common.name" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+  certificate: |
+{{ .Values.global.cacert | indent 4 }}
+{{- end }}
--- oom/kubernetes/policy/charts/brmsgw/templates/deployment.yaml	2018-11-06 07:38:46.341849402 +0000
+++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/brmsgw/templates/deployment.yaml	2018-11-02 15:09:31.808689133 +0000
@@ -45,6 +45,7 @@
         image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}-readiness
+{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
       containers:
       - command:
         - /bin/bash
@@ -68,6 +69,8 @@
           initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
           periodSeconds: {{ .Values.readiness.periodSeconds }}
         volumeMounts:
+{{ include "common.cacert-mount-ubuntu" . | indent 8 }}
+{{ include "common.system-ca-store-mount-ubuntu" . | indent 8 }}
         - mountPath: /etc/localtime
           name: localtime
           readOnly: true
@@ -94,6 +97,8 @@
 {{ toYaml .Values.affinity | indent 10 }}
       {{- end }}
       volumes:
+{{ include "common.cacert-volume" . | indent 8 }}
+{{ include "common.system-ca-store-volume" . | indent 8 }}
         - name: localtime
           hostPath:
             path: /etc/localtime
--- oom/kubernetes/policy/charts/drools/templates/statefulset.yaml	2018-11-06 07:38:46.343849404 +0000
+++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/drools/templates/statefulset.yaml	2018-11-02 15:09:31.810689146 +0000
@@ -51,6 +51,8 @@
         image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}-readiness
+{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
+{{ include "policy.update-policy-keystore" . | indent 6 }}
       containers:
         - name: {{ include "common.name" . }}
           image: "{{ include "common.repository" . }}/{{ .Values.image }}"
@@ -78,6 +80,9 @@
           - name: REPLICAS
             value: "{{ .Values.replicaCount }}"
           volumeMounts:
+{{ include "common.cacert-mount-ubuntu" . | indent 10 }}
+{{ include "common.system-ca-store-mount-ubuntu" . | indent 10 }}
+{{ include "policy.keystore-mount" . | indent 10 }}
           - mountPath: /etc/localtime
             name: localtime
             readOnly: true
@@ -136,6 +141,9 @@
 {{ toYaml .Values.affinity | indent 10 }}
         {{- end }}
       volumes:
+{{ include "common.cacert-volume" . | indent 8 }}
+{{ include "common.system-ca-store-volume" . | indent 8 }}
+{{ include "policy.keystore-storage-volume" . | indent 8 }}
         - name: localtime
           hostPath:
             path: /etc/localtime
--- oom/kubernetes/policy/charts/pdp/templates/statefulset.yaml	2018-11-06 07:38:46.345849405 +0000
+++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/pdp/templates/statefulset.yaml	2018-11-02 15:09:31.812689159 +0000
@@ -49,6 +49,7 @@
         image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}-readiness
+{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
       containers:
       - command:
         - /bin/bash
@@ -72,6 +73,8 @@
           initialDelaySeconds: {{ .Values.readiness.initialDelaySeconds }}
           periodSeconds: {{ .Values.readiness.periodSeconds }}
         volumeMounts:
+{{ include "common.cacert-mount-ubuntu" . | indent 8 }}
+{{ include "common.system-ca-store-mount-ubuntu" . | indent 8 }}
         - mountPath: /etc/localtime
           name: localtime
           readOnly: true
@@ -121,6 +124,8 @@
 {{ toYaml .Values.affinity | indent 10 }}
         {{- end }}
       volumes:
+{{ include "common.cacert-volume" . | indent 6 }}
+{{ include "common.system-ca-store-volume" . | indent 6 }}
       - name: localtime
         hostPath:
           path: /etc/localtime
--- oom/kubernetes/policy/charts/policy-common/templates/_keystore.tpl	1970-01-01 00:00:00.000000000 +0000
+++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/charts/policy-common/templates/_keystore.tpl	2018-11-02 15:09:31.812689159 +0000
@@ -0,0 +1,43 @@
+#This template creates a volume for storing policy-keystore with imported ca.
+#It is ignored if cacert was not given.
+{{- define "policy.keystore-storage-volume" }}
+{{- if .Values.global.cacert }}
+- name: keystore-storage
+  emptyDir:
+{{- end }}
+{{- end }}
+
+#This template mounts policy-keystore in appropriate place for policy components to take it.
+#It is ignored if cacert is not given.
+{{- define "policy.keystore-mount" }}
+{{- if .Values.global.cacert }}
+- mountPath: "/tmp/policy-install/config/policy-keystore"
+  name: keystore-storage
+  subPath: policy-keystore
+{{- end }}
+{{- end }}
+
+#This will extract a policy keystore and then import
+#the root cacert of offline nexus into it.
+#This template expects a volume named keystore-storage where policy-keystore will be put.
+#It also expects volume named cacert where the file "certificate" will contain the cert to import.
+#Template is ignored if ca certificate not given.
+{{- define "policy.update-policy-keystore" }}
+{{- if .Values.global.cacert }}
+- command:
+  - "/bin/bash"
+  - "-c"
+  - |
+      set -e
+      tar -xzf base-*.tar.gz etc/ssl/policy-keystore
+      cp etc/ssl/policy-keystore keystore-storage/
+      keytool -import -keystore keystore-storage/policy-keystore -storepass "Pol1cy_0nap" -noprompt -file /usr/local/share/ca-certificates/cacert.crt
+  name: update-policy-keystore
+  imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
+  image: {{ include "common.repository" . }}/{{ .Values.image }}
+  volumeMounts:
+  - mountPath: "/tmp/policy-install/keystore-storage"
+    name: keystore-storage
+{{ include "common.cacert-mount-ubuntu" . | indent 2 }}
+{{- end }}
+{{- end }}
--- oom/kubernetes/policy/templates/deployment.yaml	2018-11-06 07:38:46.346849406 +0000
+++ onap-dev/install/onap-offline/resources/oom/kubernetes/policy/templates/deployment.yaml	2018-11-02 15:09:31.813689166 +0000
@@ -45,6 +45,7 @@
         image: "{{ .Values.global.readinessRepository }}/{{ .Values.global.readinessImage }}"
         imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }}
         name: {{ include "common.name" . }}-readiness
+{{ include "common.update-system-ca-store-ubuntu" . | indent 6 }}
       containers:
         - command:
           - /bin/bash
@@ -72,6 +73,8 @@
           - name: PRELOAD_POLICIES
             value: "{{ .Values.config.preloadPolicies }}"
           volumeMounts:
+{{ include "common.cacert-mount-ubuntu" . | indent 10 }}
+{{ include "common.system-ca-store-mount-ubuntu" . | indent 10 }}
           - mountPath: /etc/localtime
             name: localtime
             readOnly: true
@@ -136,6 +139,8 @@
 {{ toYaml .Values.affinity | indent 10 }}
         {{- end }}
       volumes:
+{{ include "common.cacert-volume" . | indent 8 }}
+{{ include "common.system-ca-store-volume" . | indent 8 }}
         - name: localtime
           hostPath:
             path: /etc/localtime