Mounting custom certificates to APEX-PDP with OOM deployment

ONAP components may have to connect with non-ONAP components depending on the use case. For example, if APEX-PDP wants to communicate over SSL with a Kafka setup external to ONAP, then the keystore/truststore file must be available inside the APEX-PDP container, and the path to this file needs to be specified in the Kafka properties in the policy itself.

The ideal way to mount custom keystore/truststore files into a container during helm deployment is to put the truststore/keystore files into a secret and mount that secret into the container.
This was done initially here: https://gerrit.onap.org/r/c/oom/+/121282 (abandoned)

But later it was identified that OOM already supports mounting custom certificates.

Fix made in OOM to make this work

The fix is to convert the import-custom-certs.sh script from bash to sh. Details can be found here:
https://gerrit.onap.org/r/c/oom/+/121415

Steps

Once the above fix is in place, the steps below mount custom certificates into apex-pdp:

  1. Add the custom certificates to this location in oom: oom/kubernetes/common/cert-wrapper/resources

  2. Edit the override file used for the ONAP deployment with the content below, so that values.yaml of the policy-apex-pdp component is updated properly.

policy:
  enabled: true
  policy-apex-pdp:
    global:
      importCustomCertsEnabled: true
    certInitializer:
      truststoreMountpath: /opt/app/policy/apex-pdp/etc/ssl

With these changes, after deployment, a file called truststore.jks (the default truststoreOutputFileName) will be available inside the policy-apex-pdp container at the /opt/app/policy/apex-pdp/etc/ssl location.

Then, in the APEX-PDP policy, "ssl.truststore.location" can be specified as "/opt/app/policy/apex-pdp/etc/ssl/truststore.jks".

As with truststoreMountpath, truststoreOutputFileName can be changed by specifying it in the override file as below:

policy:
  enabled: true
  policy-apex-pdp:
    global:
      importCustomCertsEnabled: true
    certInitializer:
      truststoreMountpath: /opt/app/policy/apex-pdp/etc/ssl
      truststoreOutputFileName: test.jks

In this case, /opt/app/policy/apex-pdp/etc/ssl/test.jks will be the truststore file to reference from the policy.

Note:

  • Only certificate files in .pem format are supported by OOM. Certificates in other formats have to be converted to .pem first and then placed in oom/kubernetes/common/cert-wrapper/resources; otherwise they will not be mounted into the container.

    For example, to convert cert.crt to cert.pem:    openssl x509 -in cert.crt -out cert.pem

  • All certificates kept at kubernetes/common/cert-wrapper/resources are added to a single jks file called truststore.jks in the specified location (truststoreMountpath).

  • The password for this jks file is the default one: changeit

  • The default filename to which all certificates are added is truststore.jks. If truststoreOutputFileName is explicitly specified as above, then only the specified name is used.

  • The functionality is the same with AAF disabled or enabled.
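The following script is an added example (not part of OOM or this page) that checks the two things above that commonly go wrong: it flags files in the cert-wrapper resources directory that are not PEM and so would be silently skipped, and it derives the truststore path the policy's ssl.truststore.location must point at from truststoreMountpath and truststoreOutputFileName (defaulting to truststore.jks). The resources directory, mount path and file name are assumptions passed as arguments; the keytool check is optional and only runs where keytool exists.

```shell
#!/bin/sh
# Added example for pre-deployment checks of OOM custom certificates.
# Assumptions: $1 is the cert-wrapper resources directory, $2 the
# truststoreMountpath, $3 the optional truststoreOutputFileName.

# Returns 0 if every regular file in the directory carries a PEM certificate
# header, 1 if at least one file would be skipped by OOM (non-PEM).
check_pem_certs() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "OK      $f"
        else
            echo "SKIPPED $f (not PEM; convert first with: openssl x509 -in <file> -out <file>.pem)"
            rc=1
        fi
    done
    return $rc
}

# Prints the path to use as ssl.truststore.location in the APEX policy:
# <truststoreMountpath>/<truststoreOutputFileName>, default truststore.jks.
expected_truststore_path() {
    mountpath="${1%/}"
    name="${2:-truststore.jks}"
    printf '%s/%s\n' "$mountpath" "$name"
}

# Inside the container: list the entries that actually landed in the jks,
# using the default password the page states (changeit). Skips if keytool
# is not installed so the script still runs on a plain workstation.
verify_truststore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping"; return 0; }
    keytool -list -keystore "$1" -storepass changeit
}

# Usage: ./check-certs.sh oom/kubernetes/common/cert-wrapper/resources /opt/app/policy/apex-pdp/etc/ssl [test.jks]
if [ "$#" -ge 2 ]; then
    check_pem_certs "$1"
    ts=$(expected_truststore_path "$2" "$3")
    echo "ssl.truststore.location should be: $ts"
    [ -f "$ts" ] && verify_truststore "$ts"
fi
```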