...

  • Legacy AAF CertMan, which uses the SCEP protocol or its own internal Certificate Authority
  • New CertService, which uses CMPv2 to enroll certificates
  • K8s native Cert-Manager, which is the OOM way forward for enrolling certificates for ONAP components

...

CertService was implemented some time ago. It provides basic certificate enrollment functionality using CMPv2 over HTTP. Because ONAP has many components that issue certificates, it is wise to harmonize them and use just one going forward. As a way forward, CertService should be a backend proxy service for K8s Cert-Manager. The same functionality that is currently implemented in the CertService client should be implemented in Cert-Manager's external provider, except for the parts that are already implemented in Cert-Manager and are generic for all providers (e.g. input parameter validation, conversion to a different format, etc.). If possible, the same input parameters that are used today by the CertService client should also be used by the Certificate CRD. The following diagram presents the new setup.

...

As a consequence, all existing usages should be adjusted to the new approach: create a Certificate CRD instead of calling the CertService client as an init container.
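A sketch of what that adjustment looks like for one component, added here as an illustration and not taken from ONAP's charts: a cert-manager Certificate that is routed to an external issuer through issuerRef.group and issuerRef.kind, and a Pod that mounts the resulting Secret instead of running an init container. The issuer group, kind and name, the namespace, and all subject values are placeholders or constructed samples.

```yaml
# Added example, not ONAP's own manifest. Values marked "placeholder" are assumptions.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-component-cert          # placeholder
  namespace: onap                       # assumed namespace
spec:
  secretName: example-component-tls     # Secret that cert-manager fills with tls.key / tls.crt / ca.crt
  commonName: example-component.onap    # constructed sample subject
  dnsNames:
    - example-component.onap
  subject:
    organizations: ["Example Org"]      # constructed sample values
    organizationalUnits: ["Example Unit"]
    countries: ["US"]
  privateKey:
    algorithm: RSA
    size: 2048
  issuerRef:
    # A non-core group/kind hands the CertificateRequest to an external
    # issuer controller, which here would forward it to CertService (CMPv2).
    group: certmanager.example.invalid  # placeholder group
    kind: ExampleCMPv2Issuer            # placeholder kind
    name: example-cmpv2-issuer          # placeholder issuer name
---
apiVersion: v1
kind: Pod
metadata:
  name: example-component               # placeholder
  namespace: onap
spec:
  containers:
    - name: app
      image: registry.example.invalid/example-component:1.0   # placeholder image
      volumeMounts:
        - name: tls
          mountPath: /etc/tls           # assumed mount path
          readOnly: true                # the workload only reads its key material
  volumes:
    - name: tls
      secret:
        secretName: example-component-tls   # matches spec.secretName above
        defaultMode: 0400               # private key readable only by the file owner
```

Because the private key now lives in a Kubernetes Secret rather than in an init container's volume, access to that Secret should be limited by RBAC to the consuming workload and the cert-manager controller.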

...

Future

There is an open feature request (FR) to support CMPv2 natively in Cert-Manager - https://github.com/jetstack/cert-manager/issues/2619

...