Hi,

We have done some work where we were deploying different ONAP components into k8s namespaces other than onap.
We haven't done it for all components, but I wanted to start a bit of a discussion on it.

Deployment into non onap namespaces seems to have worked with no problems for dmaap, sdc, policy. I assume it should be possible; a quick (non-exhaustive) search didn't seem to say it wasn't.

However, when we deployed AAI into a namespace not called onap we ran into some problems. The problem seems to be that the certificates used between aai-model-service and aai-babel don't work in non onap namespaces. See the cert at the bottom of the mail.

I was able to replace the certs and get the deployment to work, so there isn't a hard-coded problem.

So the question is: should the default deployment of all onap components support being deployed to non onap namespaces?
Does anybody else have any experience of this?

Thanks
/Andrew

keytool -list -keystore /opt/app/babel/config/auth/tomcat_keystore
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

aai, Jul 31, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): FD:31:D7:72:44:2F:2A:D2:41:C7:65:AE:83:C2:E2:C5:EF:5B:2C:42

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/app/babel/config/auth/tomcat_keystore -destkeystore /opt/app/babel/config/auth/tomcat_keystore -deststoretype pkcs12".

bash-4.4# keytool -list -v -keystore /opt/app/babel/config/auth/tomcat_keystore
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: aai
Creation date: Jul 31, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ONAP, OU=ONAP, O=ONAP, L=Bath, ST=Somerset, C=GB
Issuer: CN=ONAP, OU=ONAP, O=ONAP, L=Bath, ST=Somerset, C=GB
Serial number: 5d41baf2
Valid from: Wed Jul 31 15:59:46 GMT 2019 until: Tue Jul 31 15:59:46 GMT 2029
Certificate fingerprints:
  MD5: AE:A4:6B:09:A3:55:C1:15:EA:37:35:4D:5A:66:59:15
  SHA1: FD:31:D7:72:44:2F:2A:D2:41:C7:65:AE:83:C2:E2:C5:EF:5B:2C:42
  SHA256: 48:E4:F1:91:D5:54:F8:8E:10:20:1A:51:1C:E7:E3:AE:C9:5F:7F:BB:FB:07:3F:D9:01:D7:06:B3:BA:4F:38:B2
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.onap
  DNSName: aai.api.simpledemo.onap.org
  DNSName: aai.elasticsearch.simpledemo.onap.org
  DNSName: aai.gremlinserver.simpledemo.onap.org
  DNSName: aai.hbase.simpledemo.onap.org
  DNSName: aai.searchservice.simpledemo.onap.org
  DNSName: aai.simpledemo.onap.org
  DNSName: aai.ui.simpledemo.onap.org
  DNSName: localhost
  IPAddress: 127.0.0.1
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9E 5E 4A 0E 38 0D 70 2D  D1 9D 70 15 32 59 9A 7C  .^J.8.p-..p.2Y..
0010: D2 75 47 66                                        .uGf
]
]

*******************************************
*******************************************
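
The SubjectAlternativeName list in the keytool output above can be checked against the names a client would use to reach aai-babel. The following is an added example, not part of the original mail or of ONAP's code; it assumes the service is addressed by Kubernetes service DNS names (with the default `cluster.local` domain), and the namespace `mynamespace` is constructed for illustration.

```python
import ipaddress

# SAN entries copied from the keytool -list -v output in the mail above.
CERT_SANS = [("DNS", n) for n in (
    "*.onap", "aai.api.simpledemo.onap.org",
    "aai.elasticsearch.simpledemo.onap.org",
    "aai.gremlinserver.simpledemo.onap.org", "aai.hbase.simpledemo.onap.org",
    "aai.searchservice.simpledemo.onap.org", "aai.simpledemo.onap.org",
    "aai.ui.simpledemo.onap.org", "localhost")] + [("IP", "127.0.0.1")]

def dns_name_matches(pattern, hostname):
    """RFC 6125 style: '*' is the whole left-most label and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def matching_sans(host, sans=CERT_SANS):
    """Return the SAN values that cover `host` (a DNS name or an IP literal)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    hits = []
    for kind, value in sans:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                hits.append(value)
        elif kind == "DNS" and dns_name_matches(value, host):
            hits.append(value)
    return hits

def check_namespace(service, namespace):
    """Map each DNS form of a Kubernetes service to whether the cert covers it."""
    candidates = [service, f"{service}.{namespace}",
                  f"{service}.{namespace}.svc",
                  f"{service}.{namespace}.svc.cluster.local"]
    return {name: bool(matching_sans(name)) for name in candidates}

if __name__ == "__main__":
    for ns in ("onap", "mynamespace"):  # "mynamespace" is a constructed name
        for name, ok in check_namespace("aai-babel", ns).items():
            print(f"{name:45} {'covered' if ok else 'NOT covered'}")
```

Only the `<service>.onap` form is covered by this certificate; a replacement certificate for another namespace needs SAN entries for the names the clients actually use there.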
