...
How to run CertService Client
As standalone docker:
You need a certificate and trust anchors to connect to the CertService API via HTTPS. Instructions for generating the truststore and keystore files are in the project repository README (Gerrit GitWeb).
Create the certificate for the HTTPS connection.
Create a file with the environment variables as in the example below.
```ini
#Client envs
REQUEST_URL=<URL to CertService API>
#e.g. https://aaf-cert-service:8443/v1/certificate/
REQUEST_TIMEOUT=10000
OUTPUT_PATH=/var/certs
CA_NAME=RA
OUTPUT_TYPE=P12
#CSR config envs
COMMON_NAME=onap.org
ORGANIZATION=Linux-Foundation
ORGANIZATION_UNIT=ONAP
LOCATION=San-Francisco
STATE=California
COUNTRY=US
SANS=test.onap.org:onap.com
#TLS config envs
KEYSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
KEYSTORE_PASSWORD=<password to certServiceClient-keystore.jks>
TRUSTSTORE_PATH=/etc/onap/aaf/certservice/certs/certServiceClient-truststore.jks
TRUSTSTORE_PASSWORD=<password to certServiceClient-truststore.jks>
```
Run the docker container with the environment file and the docker network (API and client must run in the same network).
```bash
docker run \
  --rm \
  --name aafcert-client \
  --env-file <path to client env> \
  --network <docker network of cert service> \
  --mount type=bind,src=<path to local host directory where certificate and trust anchor will be created>,dst=<OUTPUT_PATH (same value as in the environment file)> \
  --volume <local path to keystore in JKS format>:<KEYSTORE_PATH> \
  --volume <local path to truststore in JKS format>:<TRUSTSTORE_PATH> \
  nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:$VERSION
```
As init container for K8s:
```yaml
...
kind: Deployment
metadata:
  ...
spec:
  ...
  template:
    ...
    spec:
      containers:
        - image: sample.image
          name: sample.name
          ...
          volumeMounts:
            - mountPath: /var/certs #CERTS CAN BE FOUND IN THIS DIRECTORY
              name: certs
          ...
      initContainers:
        - name: cert-service-client
          image: nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
          imagePullPolicy: Always
          env:
            - name: REQUEST_URL
              value: https://aaf-cert-service:8443/v1/certificate/
            - name: REQUEST_TIMEOUT
              value: "1000"
            - name: OUTPUT_PATH
              value: /var/certs
            - name: CA_NAME
              value: RA
            - name: OUTPUT_TYPE
              value: P12
            - name: COMMON_NAME
              value: onap.org
            - name: ORGANIZATION
              value: Linux-Foundation
            - name: ORGANIZATION_UNIT
              value: ONAP
            - name: LOCATION
              value: San-Francisco
            - name: STATE
              value: California
            - name: COUNTRY
              value: US
            - name: SANS
              value: test.onap.org:onap.com
            - name: KEYSTORE_PATH
              value: /etc/onap/aaf/certservice/certs/certServiceClient-keystore.jks
            - name: KEYSTORE_PASSWORD
              value: secret
            - name: TRUSTSTORE_PATH
              value: /etc/onap/aaf/certservice/certs/truststore.jks
            - name: TRUSTSTORE_PASSWORD
              value: secret
          volumeMounts:
            - mountPath: /var/certs
              name: certs
            - mountPath: /etc/onap/aaf/certservice/certs/
              name: tls-volume
      ...
      volumes:
        - name: certs
          emptyDir: {}
        - name: tls-volume
          secret:
            secretName: aaf-cert-service-client-tls-secret # Value of global.aaf.certService.client.secret.name
...
```
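The manifest above passes KEYSTORE_PASSWORD and TRUSTSTORE_PASSWORD as literal `value:` fields, so the passwords are stored in the Deployment object and in whatever repository holds the manifest. As an added example (not ONAP project code), here is a small shell check that flags such entries in a rendered manifest and prints the `valueFrom.secretKeyRef` form to use instead. `literal_password_envs`, `check_manifest` and `secret_ref_env` are names chosen here; the Secret name and key given to `secret_ref_env` are whatever you create to hold the password (the page's tls-volume Secret is mounted for the JKS files).

```shell
#!/bin/sh
# Added example, not code from the ONAP CertService project: a pre-deploy
# check that finds container env entries with a password in a literal
# `value:` field, as KEYSTORE_PASSWORD and TRUSTSTORE_PASSWORD have above.
# Assumption: env entries use a `- name: X` line followed by a `value:` or
# `valueFrom:` line, as in the snippet above.

# literal_password_envs FILE
#   prints one line per *_PASSWORD env var whose next line is a literal value
literal_password_envs() {
    awk '
        # remember the name of a *_PASSWORD env entry
        /^[[:space:]]*-[[:space:]]*name:[[:space:]]*[A-Za-z0-9_]*_PASSWORD[[:space:]]*$/ {
            sub(/.*name:[[:space:]]*/, "")
            sub(/[[:space:]]*$/, "")
            pending = $0
            next
        }
        # the following line decides: "value:" is a literal, "valueFrom:" a reference
        pending != "" && /^[[:space:]]*value:/ { print pending }
        { pending = "" }
    ' "$1"
}

# check_manifest FILE -> 0 when no password is stored as a literal, 1 otherwise
check_manifest() {
    found=$(literal_password_envs "$1")
    if [ -n "$found" ]; then
        echo "password stored as literal env value: $found" >&2
        return 1
    fi
    return 0
}

# secret_ref_env NAME SECRET KEY
#   prints the env entry that reads the password from a Secret instead of
#   carrying it inline; SECRET and KEY are the names you chose for that Secret
secret_ref_env() {
    printf -- '- name: %s\n  valueFrom:\n    secretKeyRef:\n      name: %s\n      key: %s\n' "$1" "$2" "$3"
}
```

Run `check_manifest` on the rendered manifest (for example the output of `helm template`) as a CI gate; it exits non-zero and names the offending variables.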
Client exit codes:

Code | Information
---|---
0 | Success
1 | Invalid client configuration
2 | Invalid CSR configuration
3 | Fail in key pair generation
4 | Fail in CSR generation
5 | CertService HTTP unsuccessful response
6 | Internal HTTP Client connection problem
7 | Fail in PKCS12 PEM conversion
8 | Fail in Private Key to PEM Encoding
9 | Wrong TLS configuration
10 | File could not be created
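The standalone docker procedure (environment file, then `docker run`) and the exit-code table above are easy to wire into one script. The following is an added example, not code from the CertService project: it checks the environment file for the keys the page lists and for unfilled `<...>` placeholders, requires the TLS keys when REQUEST_URL is HTTPS, and maps the container's exit status to the table's description. Assumptions: `env_get`, `check_client_env`, `explain_exit` and `run_client` are names chosen here; SANS is treated as optional; docker and a reachable CertService are needed only by `run_client`, which the other functions do not depend on.

```shell
#!/bin/sh
# Added example, not part of the CertService project: validate the client
# environment file before starting the container, then explain the
# container's exit status using the exit-code table from this page.
# Assumption: the env file uses KEY=VALUE lines as shown on the page.

# Keys the page lists; KEYSTORE_*/TRUSTSTORE_* are only needed for HTTPS.
# SANS is treated as optional here (assumption).
REQUIRED_KEYS="REQUEST_URL REQUEST_TIMEOUT OUTPUT_PATH CA_NAME OUTPUT_TYPE COMMON_NAME ORGANIZATION ORGANIZATION_UNIT LOCATION STATE COUNTRY"
TLS_KEYS="KEYSTORE_PATH KEYSTORE_PASSWORD TRUSTSTORE_PATH TRUSTSTORE_PASSWORD"

# env_get FILE KEY -> prints the value of KEY (last occurrence wins)
env_get() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# check_client_env FILE -> 0 if the file is usable, 1 otherwise (problems on stderr)
check_client_env() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "env file not readable: $file" >&2; return 1; }
    for key in $REQUIRED_KEYS; do
        [ -n "$(env_get "$file" "$key")" ] || { echo "missing $key" >&2; rc=1; }
    done
    url=$(env_get "$file" REQUEST_URL)
    case $url in
        https://*)
            # HTTPS needs the keystore/truststore settings from the TLS section
            for key in $TLS_KEYS; do
                [ -n "$(env_get "$file" "$key")" ] || { echo "missing $key (required for HTTPS)" >&2; rc=1; }
            done ;;
        http://*)
            echo "warning: REQUEST_URL is plain HTTP; the CSR and the issued certificate travel unencrypted" >&2 ;;
        *)
            echo "REQUEST_URL must start with http:// or https://" >&2; rc=1 ;;
    esac
    # placeholders left over from the template are a common mistake
    if grep -q '<.*>' "$file"; then
        echo "unfilled placeholder in env file:" >&2
        grep '<.*>' "$file" >&2
        rc=1
    fi
    return $rc
}

# explain_exit CODE -> prints the meaning of a client exit status (table from this page)
explain_exit() {
    case $1 in
        0) echo "Success" ;;
        1) echo "Invalid client configuration" ;;
        2) echo "Invalid CSR configuration" ;;
        3) echo "Fail in key pair generation" ;;
        4) echo "Fail in CSR generation" ;;
        5) echo "CertService HTTP unsuccessful response" ;;
        6) echo "Internal HTTP Client connection problem" ;;
        7) echo "Fail in PKCS12 PEM conversion" ;;
        8) echo "Fail in Private Key to PEM Encoding" ;;
        9) echo "Wrong TLS configuration" ;;
        10) echo "File could not be created" ;;
        *) echo "Unknown exit code $1" ;;
    esac
}

# run_client ENV_FILE NETWORK OUT_DIR KEYSTORE TRUSTSTORE
#   runs the client as on this page and reports the result; needs docker and
#   a reachable CertService, so it is not exercised offline
run_client() {
    file=$1; network=$2; outdir=$3; keystore=$4; truststore=$5
    check_client_env "$file" || return 1
    docker run --rm --name aafcert-client \
        --env-file "$file" --network "$network" \
        --mount "type=bind,src=$outdir,dst=$(env_get "$file" OUTPUT_PATH)" \
        --volume "$keystore:$(env_get "$file" KEYSTORE_PATH)" \
        --volume "$truststore:$(env_get "$file" TRUSTSTORE_PATH)" \
        nexus3.onap.org:10001/onap/org.onap.aaf.certservice.aaf-certservice-client:latest
    status=$?
    echo "certservice client: $(explain_exit "$status") (exit $status)" >&2
    return "$status"
}
```

Source the file and call `run_client client.env <network> /local/certs /local/keystore.jks /local/truststore.jks`; the function refuses to start the container when the environment file fails validation, and otherwise returns the client's own exit code so a pipeline can act on it.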