• Type: Sub-task
    • Resolution: Won't Do
    • Priority: Medium

      POLICY-510 reports a problem that OOM experienced when pdp-d deals with AAI certificates; this is due to the dynamic nature of the "hosts" in Kubernetes. A weakening of the certificate validation has therefore been introduced to deal with this problem.

      See the discussion at https://gerrit.onap.org/r/#/c/29529/ :

      AAI comes with a certificate that has a CN being aai.simpledemo.onap.org. But in OOM, the hostname of AAI is aai-service.onap-aai hence the hostname validation failure.

      To solve this issue, we could leverage Subject Alternative Name in the certificate, but that wouldn't work well either, because in OOM the goal is to be able to deploy ONAP multiple times, and a deployment is segregated using its namespace. Basically, for aai it would be aai-service.<namespace>-aai. So as you see, the hostname is very dynamic.

      Finally, the overall certificate management issue in ONAP brings other requirements, like the ability to substitute ONAP's certs with proprietary ones, e.g. when you go to production with ONAP, you want to reference your own certs, not ONAP's.

      The task here is to try to figure out a way in which stronger certificate validation can take place under OOM.

      Note that there may be other ONAP activities related to the certificate management that could alter how this issue is resolved.
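The hostname-verification failure described in the quoted discussion, as an added example that is not part of this issue or of the ONAP code: a minimal RFC 6125-style matcher (the certificate dicts are constructed, shaped like Python's ssl.getpeercert() output) showing the CN mismatch for the OOM hostname, and why a wildcard SAN cannot cover aai-service.<namespace>-aai, since the variable part is not the left-most label.

```python
# Added example (not ONAP code): RFC 6125-style hostname matching
# against a certificate's names, shaped like ssl.getpeercert() output.

def dns_name_matches(pattern, hostname):
    """Match hostname against one dNSName or CN value.

    A wildcard is honoured only as the entire left-most label and
    matches exactly one label; partial wildcards such as "*-aai"
    are rejected, so a namespace embedded mid-label is unmatchable.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if any("*" in lbl and lbl != "*" for lbl in p_labels):
        return False                      # partial wildcard
    if "*" in p_labels[1:]:
        return False                      # wildcard not left-most
    return all(p == "*" and h != "" or p == h
               for p, h in zip(p_labels, h_labels))

def certificate_names(cert):
    """Names a verifier may match: SAN dNSNames, else CN as fallback."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def hostname_matches_cert(cert, hostname):
    return any(dns_name_matches(n, hostname) for n in certificate_names(cert))

# Constructed certificate data mirroring the names quoted in the issue.
AAI_CERT_CN_ONLY = {"subject": ((("commonName", "aai.simpledemo.onap.org"),),)}
AAI_CERT_WITH_SAN = {
    "subject": ((("commonName", "aai.simpledemo.onap.org"),),),
    "subjectAltName": (("DNS", "aai.simpledemo.onap.org"),
                       ("DNS", "aai-service.onap-aai")),
}

if __name__ == "__main__":
    checks = [(AAI_CERT_CN_ONLY, "aai.simpledemo.onap.org"),
              (AAI_CERT_CN_ONLY, "aai-service.onap-aai"),      # the OOM failure
              (AAI_CERT_WITH_SAN, "aai-service.onap-aai"),
              (AAI_CERT_WITH_SAN, "aai-service.tenant2-aai")]  # another namespace
    for cert, host in checks:
        print(f"{host:28} {hostname_matches_cert(cert, host)}")
```

The last check fails even with a SAN present: a SAN pins one namespace's hostname, and neither "aai-service.*-aai" nor "aai-service.*" is a valid wildcard, which is the limitation the discussion points at.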

            Assignee: Unassigned
            Reporter: jhh
            Votes: 0
            Watchers: 3
