...
| Group | Parameter name | ENV variable name | Required | Default | Syntax | Description | Origin |
|---|---|---|---|---|---|---|---|
| Url | REQUEST_URL | No | http(s)://cert-service:8080/certificate/ | URL | URL to Cert Service. Default value will be aligned with ONAP K8s deployment (Cert Service's K8s service name and port). Needs to be changed for plain docker deployment. | Application helm chart | |
| Timeout | REQUEST_TIMEOUT | No | 3030s | 0-600 | Timeout for REST API calls. In seconds | Application helm chart | |
| Path | OUTPUT_PATH | Yes | /certificates | Path where client will output generated keystore and truststore. Normally this path should be on a volume which is used to transfer keystore and truststore between CertService's client and end component | Application helm chart | ||
| CA name | CA_NAME | Yes | Name of CA which will enroll certificate. Must be same as configured on server side. Used in REST API calls | OOM global value | |||
CSR details | Common Name | COMMON_NAME | Yes | Common name for which certificate from CMPv2 server should be issued | Application helm chart | ||
| Organization | ORGANIZATION | Yes | Organization for which certificate from CMPv2 server should be issued | OOM global value | |||
| Organization Unit | ORGANIZATION_UNIT | No | Organization unit for which certificate from CMPv2 server should be issued | OOM global value | |||
| Location | LOCATION | No | Location for which certificate from CMPv2 server should be issued | OOM global value | |||
| State | STATE | Yes | State for which certificate from CMPv2 server should be issued | OOM global value | |||
| Country | COUNTRY | Yes | Country for which certificate from CMPv2 server should be issued | OOM global value | |||
| SANs | SANS | No | Subject Alternative Names (SANs) for which certificate from CMPv2 server should be issued | Application helm chart |
...
Volume to transfer generated artifacts should be mounted to application container :(lines ). Within K8s workload, CertService's client as init container should be added (lines ). All needed ENV variables should be passed to CertService's client (lines ). CertService's client should mount the same volume as application container (lines ).
| Code Block | ||
|---|---|---|
| ||
...
kind: | ||
| Code Block | ||
... kind: Deployment metadata: ... spec: ... template: ... spec: initContainers: ... - name: cert-service-client containers: - nameimage: {{ include "common.name" . }} image: "{{ include "common.repository" . }}.Values.global.csClientRepository }}/{{ .Values.global.imagecsClientImage }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resourcesenv: {{ include "common.resources" . | indent 12 }} - name: REQUEST_URL volumeMounts: value: {{ .Values.certService.url }} - mountPathname: /certificates/externalREQUEST_TIMEOUT namevalue: {{ include "common.fullname" ..Values.certService.timeout }}-cmpv2-certs - readOnlyname: trueOUTPUT_PATH value: {{ .Values.certService.outputPath }} volumes: - name: CA_NAME - namevalue: {{ include "common.fullname" ..Values.global.certService.caName }}-cmpv2-certs - emptyDir: {} |
Within K8s workload, CertService's client as init container should be added:
| Code Block |
|---|
... kind: Deployment metadata: ... spec: ... template: ... spec:name: COMMON_NAME value: {{ .Values.certService.commonName }} - name: ORGANIZATION value: {{ .Values.global.certService.organization }} - name: ORGANIZATION_UNIT value: {{ .Values.global.certService.organizationUnit }} - name: LOCATION value: {{ .Values.global.certService.location }} - name: STATE value: {{ .Values.global.certService.state }} - name: COUNTRY value: {{ .Values.global.certService.country }} - name: SANS value: {{ .Values.certService.sans }} volumeMounts: - mountPath: {{ .Values.certService.outputPath }} initContainers: - name: cert-service-client {{ include "common.fullname" . }}-cmpv2-certs containers: - name: {{ include "common.name" . }} image: "{{ include "common.repository" . }}/{{ .Values.image }}" imagePullPolicy: {{ .Values.global.pullPolicy | default .Values.pullPolicy }} resources: {{ include "common.resources" . | indent 12 }} volumeMounts: - mountPath: /certificates/external name: {{ include "common.fullname" . }}-cmpv2-certs readOnly: true ... volumes: - name: {{ include "common.fullname" . }}-cmpv2-certs emptyDir: {} |
Make sure you pass as ENV variables all required parameters.
...
CMPv2 server
For testing purpose EJBCA is set up. It is configured with 2 layer CA hierarchy (root CA and intermediate CA).
...