From bdd881918c5045e51366530b07ac6f7ad9c149e9 Mon Sep 17 00:00:00 2001 From: techno-467 Date: Thu, 30 May 2024 17:37:40 +0530 Subject: [PATCH] [MOSIP-33380] added helm and deploy script in mosip-functional-tests --- deploy/{ => apitestrig}/README.md | 0 deploy/{ => apitestrig}/copy_cm.sh | 0 deploy/{ => apitestrig}/copy_cm_func.sh | 0 deploy/{ => apitestrig}/copy_secrets.sh | 0 deploy/{ => apitestrig}/delete.sh | 0 deploy/{ => apitestrig}/install.sh | 0 deploy/{ => apitestrig}/values.yaml | 0 deploy/authdemo/.gitignore | 1 + deploy/authdemo/README.md | 20 + deploy/authdemo/copy_cm.sh | 19 + deploy/authdemo/copy_cm_func.sh | 33 ++ deploy/authdemo/copy_secrets.sh | 18 + deploy/authdemo/delete.sh | 30 ++ deploy/authdemo/install.sh | 63 +++ deploy/authdemo/nfs-server.yaml | 64 +++ helm/authdemo/.gitignore | 1 + helm/authdemo/.helmignore | 21 + helm/authdemo/Chart.yaml | 19 + helm/authdemo/README.md | 10 + helm/authdemo/templates/NOTES.txt | 1 + helm/authdemo/templates/_helpers.tpl | 59 +++ .../templates/authdemo-authcerts-pv-pvc.yaml | 45 ++ .../templates/clusterrolebinding.yaml | 19 + helm/authdemo/templates/deployment.yaml | 146 ++++++ helm/authdemo/templates/extra-list.yaml | 4 + helm/authdemo/templates/service-account.yaml | 12 + helm/authdemo/templates/service.yaml | 29 ++ helm/authdemo/templates/servicemonitor.yaml | 36 ++ helm/authdemo/values.yaml | 416 ++++++++++++++++++ 29 files changed, 1066 insertions(+) rename deploy/{ => apitestrig}/README.md (100%) rename deploy/{ => apitestrig}/copy_cm.sh (100%) rename deploy/{ => apitestrig}/copy_cm_func.sh (100%) rename deploy/{ => apitestrig}/copy_secrets.sh (100%) rename deploy/{ => apitestrig}/delete.sh (100%) rename deploy/{ => apitestrig}/install.sh (100%) rename deploy/{ => apitestrig}/values.yaml (100%) create mode 100644 deploy/authdemo/.gitignore create mode 100644 deploy/authdemo/README.md create mode 100755 deploy/authdemo/copy_cm.sh create mode 100755 deploy/authdemo/copy_cm_func.sh create mode 100755 deploy/authdemo/copy_secrets.sh create mode 100755 deploy/authdemo/delete.sh create mode 100755 deploy/authdemo/install.sh create mode 100644 deploy/authdemo/nfs-server.yaml create mode 100644 helm/authdemo/.gitignore create mode 100644 helm/authdemo/.helmignore create mode 100644 helm/authdemo/Chart.yaml create mode 100644 helm/authdemo/README.md create mode 100644 helm/authdemo/templates/NOTES.txt create mode 100644 helm/authdemo/templates/_helpers.tpl create mode 100644 helm/authdemo/templates/authdemo-authcerts-pv-pvc.yaml create mode 100644 helm/authdemo/templates/clusterrolebinding.yaml create mode 100644 helm/authdemo/templates/deployment.yaml create mode 100644 helm/authdemo/templates/extra-list.yaml create mode 100644 helm/authdemo/templates/service-account.yaml create mode 100644 helm/authdemo/templates/service.yaml create mode 100644 helm/authdemo/templates/servicemonitor.yaml create mode 100644 helm/authdemo/values.yaml diff --git a/deploy/README.md b/deploy/apitestrig/README.md similarity index 100% rename from deploy/README.md rename to deploy/apitestrig/README.md diff --git a/deploy/copy_cm.sh b/deploy/apitestrig/copy_cm.sh similarity index 100% rename from deploy/copy_cm.sh rename to deploy/apitestrig/copy_cm.sh diff --git a/deploy/copy_cm_func.sh b/deploy/apitestrig/copy_cm_func.sh similarity index 100% rename from deploy/copy_cm_func.sh rename to deploy/apitestrig/copy_cm_func.sh diff --git a/deploy/copy_secrets.sh b/deploy/apitestrig/copy_secrets.sh similarity index 100% rename from deploy/copy_secrets.sh rename to deploy/apitestrig/copy_secrets.sh diff --git a/deploy/delete.sh b/deploy/apitestrig/delete.sh similarity index 100% rename from deploy/delete.sh rename to deploy/apitestrig/delete.sh diff --git a/deploy/install.sh b/deploy/apitestrig/install.sh similarity index 100% rename from deploy/install.sh rename to deploy/apitestrig/install.sh diff --git a/deploy/values.yaml b/deploy/apitestrig/values.yaml similarity index 100% rename from deploy/values.yaml rename to deploy/apitestrig/values.yaml diff --git a/deploy/authdemo/.gitignore b/deploy/authdemo/.gitignore new file mode 100644 index 00000000000..d8d0be2b64d --- /dev/null +++ b/deploy/authdemo/.gitignore @@ -0,0 +1 @@ +hosts.ini \ No newline at end of file diff --git a/deploy/authdemo/README.md b/deploy/authdemo/README.md new file mode 100644 index 00000000000..38d92b4c989 --- /dev/null +++ b/deploy/authdemo/README.md @@ -0,0 +1,20 @@ +# Authdemo + +## Introduction +Authdemo is used to execute IDA APIs used by Apitestrig & DSLrig. + +## Install +* Install +```sh +./install.sh +``` + +## Uninstall +* To uninstall Authdemo, run `delete.sh` script. +```sh +./delete.sh +``` +* During the execution of the `install.sh` script, a prompt appears requesting information regarding the presence of a public domain and a valid SSL certificate on the server. +* If the server lacks a public domain and a valid SSL certificate, it is advisable to select the `n` option. Opting it will enable the `init-container` with an `emptyDir` volume and include it in the deployment process. +* The init-container will proceed to download the server's self-signed SSL certificate and mount it to the specified location within the container's Java keystore (i.e., `cacerts`) file. +* This particular functionality caters to scenarios where the script needs to be employed on a server utilizing self-signed SSL certificates. diff --git a/deploy/authdemo/copy_cm.sh b/deploy/authdemo/copy_cm.sh new file mode 100755 index 00000000000..00631e53797 --- /dev/null +++ b/deploy/authdemo/copy_cm.sh @@ -0,0 +1,19 @@ +#!/bin/bash +# Copy configmaps from other namespaces +# DST_NS: Destination namespace + +function copying_cm() { + COPY_UTIL=./copy_cm_func.sh + DST_NS=authdemo + $COPY_UTIL configmap config-server-share config-server $DST_NS + $COPY_UTIL configmap global default $DST_NS + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +copying_cm # calling function \ No newline at end of file diff --git a/deploy/authdemo/copy_cm_func.sh b/deploy/authdemo/copy_cm_func.sh new file mode 100755 index 00000000000..185ae3e5f4a --- /dev/null +++ b/deploy/authdemo/copy_cm_func.sh @@ -0,0 +1,33 @@ +#!/bin/bash +# Copy configmap and secret from one namespace to another. +# ./copy_cm_func.sh [name] +# Parameters: +# resource: configmap|secret +# name: Optional new name of the configmap or secret in destination namespace. This may be needed if there is +# clash of names + +if [ $1 = "configmap" ] +then + RESOURCE=configmap +elif [ $1 = "secret" ] +then + RESOURCE=secret +else + echo "Incorrect resource $1. Exiting.." + exit 1 +fi + + +if [ $# -ge 5 ] +then + kubectl -n $4 delete --ignore-not-found=true $RESOURCE $5 + kubectl -n $3 get $RESOURCE $2 -o yaml | sed "s/namespace: $3/namespace: $4/g" | sed "s/name: $2/name: $5/g" | kubectl -n $4 create -f - +else + kubectl -n $4 delete --ignore-not-found=true $RESOURCE $2 + kubectl -n $3 get $RESOURCE $2 -o yaml | sed "s/namespace: $3/namespace: $4/g" | kubectl -n $4 create -f - +fi + + + + + diff --git a/deploy/authdemo/copy_secrets.sh b/deploy/authdemo/copy_secrets.sh new file mode 100755 index 00000000000..25f70de5488 --- /dev/null +++ b/deploy/authdemo/copy_secrets.sh @@ -0,0 +1,18 @@ +#!/bin/bash +# Copy secrets from other namespaces +# DST_NS: Destination namespace + +function copying_secrets() { + COPY_UTIL=./copy_cm_func.sh + DST_NS=authdemo + $COPY_UTIL secret keycloak-client-secrets keycloak $DST_NS + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +copying_secrets # calling function \ No newline at end of file diff --git a/deploy/authdemo/delete.sh b/deploy/authdemo/delete.sh new file mode 100755 index 00000000000..041a9880b74 --- /dev/null +++ b/deploy/authdemo/delete.sh @@ -0,0 +1,30 @@ +#!/bin/bash +# Uninstalls authdemo +## Usage: ./delete.sh [kubeconfig] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + +function deleting_authdemo() { + NS=authdemo + while true; do + read -p "Are you sure you want to delete authdemo helm charts?(Y/n) " yn + if [ $yn = "Y" ] + then + helm -n $NS delete authdemo + break + else + break + fi + done + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +deleting_authdemo # calling function diff --git a/deploy/authdemo/install.sh b/deploy/authdemo/install.sh new file mode 100755 index 00000000000..d16d72b3a2d --- /dev/null +++ b/deploy/authdemo/install.sh @@ -0,0 +1,63 @@ +#!/bin/bash +# Installs authdemo +## Usage: ./install.sh [kubeconfig] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + +NS=authdemo +CHART_VERSION=12.1.0 + +echo Create $NS namespace +kubectl create ns $NS + + +function installing_authdemo() { + echo Istio label + kubectl label ns $NS istio-injection=enabled --overwrite + helm repo update + + echo Copy configmaps + ./copy_cm.sh + + echo Copy secrets + ./copy_secrets.sh + + echo "Do you have public domain & valid SSL? (Y/n) " + echo "Y: if you have public domain & valid ssl certificate" + echo "n: If you don't have a public domain and a valid SSL certificate. Note: It is recommended to use this option only in development environments." + read -p "" flag + + if [ -z "$flag" ]; then + echo "'flag' was provided; EXITING;" + exit 1; + fi + ENABLE_INSECURE='' + if [ "$flag" = "n" ]; then + ENABLE_INSECURE='--set enable_insecure=true'; + fi + + read -p "Please provide NFS host : " NFS_HOST + read -p "Please provide NFS pem file for SSH login : " NFS_PEM_FILE + read -p "Please provide user for SSH login : " NFS_USER + echo -e "[nfs_server]\nnfsserver ansible_user=$NFS_USER ansible_host=$NFS_HOST ansible_ssh_private_key_file=$NFS_PEM_FILE" > hosts.ini + ansible-playbook -i hosts.ini nfs-server.yaml + + + echo Installing authdemo + helm -n $NS install authdemo mosip/authdemo $ENABLE_INSECURE \ + --set persistence.nfs.server="$NFS_HOST" \ + --version $CHART_VERSION --wait + + echo Installed authdemo. + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +installing_authdemo # calling function diff --git a/deploy/authdemo/nfs-server.yaml b/deploy/authdemo/nfs-server.yaml new file mode 100644 index 00000000000..c1da5f51d0e --- /dev/null +++ b/deploy/authdemo/nfs-server.yaml @@ -0,0 +1,64 @@ +--- +- name: Install NFS server setup for authdemo + hosts: "nfs_server" + become: yes + become_method: sudo + vars: + nfs_directories: + - name: /srv/nfs/mosip/packetcreator-authdemo-authcerts + nfs_exports: + "*(rw,sync,no_root_squash,no_all_squash,insecure,subtree_check)" + + tasks: + - name: Install NFS server + apt: + name: nfs-kernel-server + state: present + + - name: Enable necessary TCP ports for NFS + ufw: + rule: allow + port: "{{ item }}" + proto: tcp + state: enabled + with_items: + - '111' + - '2049' + + - name: Enable necessary UDP ports for NFS + ufw: + rule: allow + port: "{{ item }}" + proto: udp + state: enabled + with_items: + - '111' + - '2049' + + - name: Enable nfs server + command: 'systemctl enable nfs-server' + + - name: Start nfs server + command: 'systemctl start nfs-server' + + - name: Add user mosip + user: + name: mosip + + - name: Create nfs mount folder + file: + path: '{{ item.name }}' + state: directory + owner: mosip + group: mosip + with_items: "{{ nfs_directories }}" + + - name: Export NFS directories + lineinfile: + path: /etc/exports + line: "{{ item.name }} {{ nfs_exports }}" + state: present + with_items: "{{ nfs_directories }}" + + - name: exportfs + command: 'exportfs -rav' diff --git a/helm/authdemo/.gitignore b/helm/authdemo/.gitignore new file mode 100644 index 00000000000..ee3892e8794 --- /dev/null +++ b/helm/authdemo/.gitignore @@ -0,0 +1 @@ +charts/ diff --git a/helm/authdemo/.helmignore b/helm/authdemo/.helmignore new file mode 100644 index 00000000000..f0c13194444 --- /dev/null +++ b/helm/authdemo/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/helm/authdemo/Chart.yaml b/helm/authdemo/Chart.yaml new file mode 100644 index 00000000000..54cac9aa2e2 --- /dev/null +++ b/helm/authdemo/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +name: authdemo +description: A Helm chart to deploy authdemo for MOSIP modules +type: application +version: 12.1.0 +appVersion: "" +dependencies: + - name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x +home: https://mosip.io +keywords: + - mosip + - authdemo +maintainers: + - email: info@mosip.io + name: MOSIP diff --git a/helm/authdemo/README.md b/helm/authdemo/README.md new file mode 100644 index 00000000000..6d81db8268d --- /dev/null +++ b/helm/authdemo/README.md @@ -0,0 +1,10 @@ +# authdemo + +Helm chart to deploy authdemo for `MOSIP` modules + +## TL;DR + +```console +$ helm repo add mosip https://mosip.github.io +$ helm install my-release mosip/authdemo +``` diff --git a/helm/authdemo/templates/NOTES.txt b/helm/authdemo/templates/NOTES.txt new file mode 100644 index 00000000000..8b137891791 --- /dev/null +++ b/helm/authdemo/templates/NOTES.txt @@ -0,0 +1 @@ + diff --git a/helm/authdemo/templates/_helpers.tpl b/helm/authdemo/templates/_helpers.tpl new file mode 100644 index 00000000000..c1dc2902fa0 --- /dev/null +++ b/helm/authdemo/templates/_helpers.tpl @@ -0,0 +1,59 @@ +{{/* +Return the proper image name +*/}} +{{- define "authdemo.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "authdemo.volumePermissions.image" -}} +{{- include "common.images.image" ( dict "imageRoot" .Values.volumePermissions.image "global" .Values.global ) -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "authdemo.imagePullSecrets" -}} +{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.volumePermissions.image) "global" .Values.global) -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "authdemo.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (printf "%s-foo" (include "common.names.fullname" .)) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message. +*/}} +{{- define "authdemo.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "authdemo.validateValues.foo" .) -}} +{{- $messages := append $messages (include "authdemo.validateValues.bar" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message -}} +{{- end -}} +{{- end -}} + +{{/* +Return podAnnotations +*/}} +{{- define "authdemo.podAnnotations" -}} +{{- if .Values.podAnnotations }} +{{ include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) }} +{{- end }} +{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} +{{ include "common.tplvalues.render" (dict "value" .Values.metrics.podAnnotations "context" $) }} +{{- end }} +{{- end -}} diff --git a/helm/authdemo/templates/authdemo-authcerts-pv-pvc.yaml b/helm/authdemo/templates/authdemo-authcerts-pv-pvc.yaml new file mode 100644 index 00000000000..82118a676ca --- /dev/null +++ b/helm/authdemo/templates/authdemo-authcerts-pv-pvc.yaml @@ -0,0 +1,45 @@ +{{- if .Values.persistence.enabled }} +apiVersion: v1 +kind: PersistentVolume +metadata: + name: {{ template "common.names.fullname" . }}-authcerts-pv +spec: + accessModes: + {{- if not (empty .Values.persistence.accessModes) }} + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + {{- else }} + - {{ .Values.persistence.accessMode | quote }} + {{- end }} + capacity: + storage: {{ .Values.persistence.size | quote }} + nfs: + path: {{ .Values.persistence.nfs.path }} + server: {{ .Values.persistence.nfs.server }} + persistentVolumeReclaimPolicy: Retain + volumeMode: Filesystem +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + annotations: + pv.kubernetes.io/bind-completed: "yes" + name: {{ template "common.names.fullname" . }}-authcerts-pvc + namespace: {{ .Release.namespace }} +spec: + accessModes: + {{- if not (empty .Values.persistence.accessModes) }} + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + {{- else }} + - {{ .Values.persistence.accessMode | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + storageClassName: "" + volumeMode: Filesystem + volumeName: {{ template "common.names.fullname" . }}-authcerts-pv +{{- end }} \ No newline at end of file diff --git a/helm/authdemo/templates/clusterrolebinding.yaml b/helm/authdemo/templates/clusterrolebinding.yaml new file mode 100644 index 00000000000..d212cc598ef --- /dev/null +++ b/helm/authdemo/templates/clusterrolebinding.yaml @@ -0,0 +1,19 @@ +kind: ClusterRoleBinding +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "common.names.fullname" . }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "common.names.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "authdemo.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} diff --git a/helm/authdemo/templates/deployment.yaml b/helm/authdemo/templates/deployment.yaml new file mode 100644 index 00000000000..4fbddb3decb --- /dev/null +++ b/helm/authdemo/templates/deployment.yaml @@ -0,0 +1,146 @@ +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +kind: Deployment +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "common.names.fullname" . }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicaCount }} + {{- if .Values.updateStrategy }} + strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" $ | nindent 6 }} + template: + metadata: + annotations: + {{- if or .Values.podAnnotations .Values.metrics.enabled }} + {{- include "authdemo.podAnnotations" $ | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" $ | nindent 8 }} + {{- if .Values.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "authdemo.serviceAccountName" $ }} + {{- include "authdemo.imagePullSecrets" $ | nindent 6 }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + initContainers: + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + - name: volume-permissions + image: {{ template "authdemo.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -c + - chown -R mosip:mosip {{ .Values.persistence.mountDir }} + securityContext: + runAsUser: 0 + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: {{ template "common.names.fullname" . }}-authcerts + mountPath: {{ .Values.persistence.mountDir }} + {{- end }} + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: {{ template "common.names.fullname" . }} + image: {{ template "authdemo.image" $ }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: container_user + value: {{ .Values.containerSecurityContext.runAsUser }} + - name: JDK_JAVA_OPTIONS + value: {{ .Values.additionalResources.javaOpts }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + {{- range .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ . }} + {{- end }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + {{- range .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ . }} + {{- end }} + {{- end }} + ports: + - name: spring-service + containerPort: {{ .Values.service.springServicePort }} + volumeMounts: + - name: {{ template "common.names.fullname" . }}-authcerts + mountPath: {{ .Values.persistence.mountDir }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + {{- if .Values.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} + {{- else if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} + {{- else if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }} + {{- else if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: {{ template "common.names.fullname" . }}-authcerts + {{- if .Values.persistence.enabled }} + persistentVolumeClaim: + claimName: {{ template "common.names.fullname" . }}-authcerts-pvc + {{ end }} diff --git a/helm/authdemo/templates/extra-list.yaml b/helm/authdemo/templates/extra-list.yaml new file mode 100644 index 00000000000..9ac65f9e16f --- /dev/null +++ b/helm/authdemo/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/helm/authdemo/templates/service-account.yaml b/helm/authdemo/templates/service-account.yaml new file mode 100644 index 00000000000..14def0d478d --- /dev/null +++ b/helm/authdemo/templates/service-account.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "authdemo.serviceAccountName" . }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} diff --git a/helm/authdemo/templates/service.yaml b/helm/authdemo/templates/service.yaml new file mode 100644 index 00000000000..e1b9e857e60 --- /dev/null +++ b/helm/authdemo/templates/service.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Service +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "common.names.fullname" . }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + {{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{ if eq .Values.service.type "LoadBalancer" }} + loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }} + {{ end }} + {{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + ports: + - name: {{ template "common.names.fullname" . }} + port: {{ .Values.service.port }} + protocol: TCP + targetPort: {{ .Values.service.springServicePort }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} diff --git a/helm/authdemo/templates/servicemonitor.yaml b/helm/authdemo/templates/servicemonitor.yaml new file mode 100644 index 00000000000..15f48fdeecf --- /dev/null +++ b/helm/authdemo/templates/servicemonitor.yaml @@ -0,0 +1,36 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "common.names.fullname" . }} + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- else }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $) | nindent 4 }} + {{- end }} +spec: + endpoints: + - targetPort: {{ .Values.springServicePort }} + path: {{ .Values.metrics.endpointPath }} + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabellings }} + metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.relabellings | nindent 6 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace | quote }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/helm/authdemo/values.yaml b/helm/authdemo/values.yaml new file mode 100644 index 00000000000..3396e727f6e --- /dev/null +++ b/helm/authdemo/values.yaml @@ -0,0 +1,416 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +# global: +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Add labels to all the deployed resources +## +commonLabels: + app.kubernetes.io/component: mosip + +## Add annotations to all the deployed resources +## +commonAnnotations: {} + +## Kubernetes Cluster Domain +## +clusterDomain: cluster.local + +## Extra objects to deploy (value evaluated as a template) +## +extraDeploy: [] + +## Number of nodes +## +replicaCount: 1 + +service: + type: ClusterIP + port: 80 + ## loadBalancerIP for the SuiteCRM Service (optional, cloud specific) + ## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## + ## loadBalancerIP: + ## + ## nodePorts: + ## http: + ## https: + ## + nodePorts: + http: "" + https: "" + ## Enable client source IP preservation + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## Port on which this particular spring service module is running. + springServicePort: 8082 + +image: + registry: docker.io + repository: mosipid/authentication-demo-service + tag: 1.2.1.0 + + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +## Configure extra options for liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## +startupProbe: + enabled: true + httpGet: + path: '/v1/identity/actuator/health' + port: 8082 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 30 + successThreshold: 1 + +livenessProbe: + enabled: true + httpGet: + path: '/v1/identity/actuator/health' + port: 8082 + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +readinessProbe: + enabled: true + httpGet: + path: '/v1/identity/actuator/health' + port: 8082 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## +# existingConfigmap: + +## Command and args for running the container (set to default if not set). Use array form +## +command: [] +args: [] + +## Deployment pod host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] + +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: + cpu: 500m + memory: 2800Mi + requests: + cpu: 500m + memory: 2800Mi + +additionalResources: + ## Specify any JAVA_OPTS string here. These typically will be specified in conjunction with above resources + ## Example: java_opts: "-Xms500M -Xmx500M" + javaOpts: "-Xms2000M -Xmx2000M" + +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## Clamav container already runs as 'mosip' user, so we may not need to enable this +containerSecurityContext: + enabled: false + runAsUser: mosip + runAsNonRoot: true + +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## +podSecurityContext: + enabled: false + fsGroup: 1001 + +## Pod affinity preset +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## Allowed values: soft, hard +## +podAffinityPreset: "" + +## Pod anti-affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## Allowed values: soft, hard +## +podAntiAffinityPreset: soft + +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## Allowed values: soft, hard +## +nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + ## + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + +## Affinity for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} + +## Node labels for pod assignment. Evaluated as a template. +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## Tolerations for pod assignment. Evaluated as a template. +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + +## Pod extra labels +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} + +## Annotations for server pods. +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} + +## pods' priority. +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +# priorityClassName: "" + +## lifecycleHooks for the container to automate configuration before or after startup. +## +lifecycleHooks: {} + +## Custom Liveness probes for +## +customLivenessProbe: {} + +## Custom Rediness probes +## +customReadinessProbe: {} + +## Update strategy - only really applicable for deployments with RWO PVs attached +## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the +## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will +## terminate the single previous pod, so that the new, incoming pod can attach to the PV +## +updateStrategy: + type: RollingUpdate + +## Additional environment variables to set +## Example: +## extraEnvVars: +## - name: FOO +## value: "bar" +## +extraEnvVars: [] + +## ConfigMap with extra environment variables +## +extraEnvVarsCM: + - config-server-share + + +## Secret with extra environment variables +## +extraEnvVarsSecret: + - keycloak-client-secrets + +## Extra volumes to add to the deployment +## +extraVolumes: [] + +## Extra volume mounts to add to the container +## +extraVolumeMounts: [] + +## Add init containers to the pods. +## Example: +## initContainers: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +initContainers: {} + +## Add sidecars to the pods. +## Example: +## sidecars: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +sidecars: {} + +persistence: + enabled: true + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack). + ## + # storageClass: "-" + ## + ## If you want to reuse an existing claim, you can pass the name of the PVC using + ## the existingClaim variable + # existingClaim: your-claim + ## ReadWriteMany not supported by AWS gp2 + storageClass: + accessModes: + - ReadWriteOnce + size: 50G + existingClaim: + + nfs: + path: '/srv/nfs/mosip/packetcreator-authdemo-authcerts' + server: '' + # Dir where config and keys are written inside container + mountDir: '/home/mosip/authcerts' + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. +## +volumePermissions: + enabled: enable + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: "10" + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + pullSecrets: [] + ## - myRegistryKeySecretName + ## Init containers' resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## + limits: {} + ## cpu: 100m + ## memory: 128Mi + ## + requests: {} + ## cpu: 100m + ## memory: 128Mi + ## + +## Specifies whether RBAC resources should be created +## +rbac: + create: true + +## Specifies whether a ServiceAccount should be created +## +serviceAccount: + create: true + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + ## + name: + +## Prometheus Metrics +## +metrics: + enabled: false + ## Prometheus pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: + prometheus.io/scrape: "true" + + endpointPath: + + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator + ## + serviceMonitor: + ## If the operator is installed in your cluster, set to true to create a Service Monitor Entry + ## + enabled: true + ## Specify the namespace in which the serviceMonitor resource will be created + ## + # namespace: "" + ## Specify the interval at which metrics should be scraped + ## + interval: 10s + ## Specify the timeout after which the scrape is ended + ## + # scrapeTimeout: 30s + ## Specify Metric Relabellings to add to the scrape endpoint + ## + # relabellings: + ## Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + ## + additionalLabels: {} + + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + enabled: false + additionalLabels: {} + namespace: '' + ## List of rules, used as template by Helm. + ## These are just examples rules inspired from https://awesome-prometheus-alerts.grep.to/rules.html + # rules: + # - alert: RabbitmqDown + # expr: rabbitmq_up{service="{{ template "rabbitmq.fullname" . }}"} == 0 + # for: 5m + # labels: + # severity: error + rules: []