ONAP is expected to be the central entity across multiple K8S clusters. We know that ONAP is expected to deploy workloads across K8S clusters. Since ONAP is a central entity, we expect ONAP to keep the K8S clusters (edge locations) ready to take up workloads. Each edge (K8S cluster) is assumed to come up with ISTIO for each tenant. The Distributed Cloud Manager (DCM) and the user, using the key distribution API, will generate an intermediate CA key for each edge and configure the ISTIO Citadel of that edge. Essentially, ONAP would have its own root or intermediate CA, and ONAP is expected to monitor for new edges, generate the next level of intermediate CA key for each one, and populate it.
This controller runs as a micro-service exposing APIs. It generates an intermediate CA key for each edge, signed by a root or intermediate key. The controller comes up, registers with DCM, and brings up the backend with the given root or intermediate key. It then updates the database with a bundle containing the signed intermediate key, cert and chain. This bundle is later used to configure Citadel so that it comes up with the intermediate key, cert and chain for issuing workload certs.
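As an added illustration, not code from this controller or from ONAP, the following Go sketch shows the per-edge step described above: ONAP holds a root (or intermediate) CA, mints a path-length-0 intermediate for each edge's Citadel, stores key, cert and chain as the bundle, and the edge checks that the bundle chains to the trusted ONAP root and that key and cert belong together before loading it. The names (EdgeBundle, NewCA, IssueEdgeBundle, VerifyEdgeBundle), the "citadel-<edge>" naming and the 24-hour validity are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// EdgeBundle (assumed layout) is the per-edge record stored for Citadel:
// the intermediate key, its signed cert, and the ONAP cert that signed it.
type EdgeBundle struct {
	Key         *ecdsa.PrivateKey
	Cert, Chain *x509.Certificate
}
// NewCA mints a CA cert. parent == nil gives a self-signed root; pathLen 0
// lets the CA issue only end-entity (workload) certs, never further CAs.
func NewCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, pathLen int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), // assumed lifetime
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// IssueEdgeBundle is the controller's per-edge step: derive an intermediate for
// that edge's Citadel, signed by the ONAP root/intermediate key, plus its chain.
func IssueEdgeBundle(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, edge string) (*EdgeBundle, error) {
	cert, key, err := NewCA("citadel-"+edge, issuer, issuerKey, 0)
	if err != nil { return nil, err }
	return &EdgeBundle{Key: key, Cert: cert, Chain: issuer}, nil
}
// VerifyEdgeBundle is what an edge should check before loading the bundle: the
// cert chains (through Chain) to the trusted ONAP root and matches the key.
func VerifyEdgeBundle(b *EdgeBundle, root *x509.Certificate) bool {
	pub, ok := b.Cert.PublicKey.(*ecdsa.PublicKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(b.Chain)
	_, err := b.Cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return ok && pub.Equal(&b.Key.PublicKey) && err == nil
}
```

Because each edge intermediate carries pathLen 0, a compromised edge can issue workload certs for itself but cannot mint further CAs that other edges would trust.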
High level Design