R1 vpc updates (#136)

* vpc updates

* Test files updated to run in VPC environment

* Updates to expected results for failing fvt rest api tests in new VPC environment.

* Change test to check for 400 error returned by version of HAPI
dependency referenced by R1

Co-authored-by: Jai D Goradia <[email protected]>

chart/cohort/values.yaml

@@ -20,7 +20,10 @@ annotations:
 image:
   repository: <helm-repo>
   tag: <helm-tag>
-  pullSecret: regsecret
+#  pullSecret: regsecret
+  #changed based on instructions in https://github.ibm.com/whc-toolchain/whc-commons/blob/stable-3.3.2/docs/ready/common-services-integration.md#access
+  #didn't hardcode it in deployment.yaml, because it caused an error/warning in the toolchain insights console
+  pullsecret: ibmcloud-toolchain-common-services-registry
   pullPolicy: IfNotPresent
   imageName: cohort-app
 
@@ -31,11 +34,14 @@ service:
     - 9080
     - 9443
 
-internalTlsCertSecretName: cohort-services-tls-secret
+#overriden in config repo
+internalTlsCertSecretName: cohort-services-cohort-cohort-tls
+
 # enableDarkFeatures is used to enable or disable REST endpoints depending on the env. we are deploying to
 # there are some REST endpoints we only want enabled in a development environment. The value ends up
 # in the jvm.options file the liberty server. Set to "all" "none" (no quotes) 
 # or the specific feature value you want to enable
+#overriden in config repo
 enableDarkFeatures: none
 
 libertyInitialHeapSize: 1G

pipeline.config

@@ -8,7 +8,7 @@ INSIGHTS:
 CI:
   DOCKER_IMAGE_NAME: "cohorting-app"
   UMBRELLA_REPO_PATH: "https://github.ibm.com/watson-health-cohorting/wh-cohorting-umbrella.git"
-  REGISTRY_NAMESPACE: "cdt-provider-cohort-rns"
+  REGISTRY_NAMESPACE: "vpc-dev-cohort-rns"
   POLICY_NAME: "CI"
   NOLATEST: "true"
   REPORT_PATH: "lcov.info"

terraform/main.tf

@@ -0,0 +1,70 @@
+# *****************************************************************
+#
+# Licensed Materials - Property of IBM
+#
+# (C) Copyright IBM Corp. 2021. All Rights Reserved.
+#
+# US Government Users Restricted Rights - Use, duplication or
+# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
+#
+# *****************************************************************
+
+# key used to generate Certificate Request
+resource "tls_private_key" "private_key" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P384"
+}
+
+locals {
+  dns_names = concat([for service in var.service_names : [service, "${service}.${var.namespace}", "${service}.${var.namespace}.svc"]]...)
+}
+
+# Construct the CSR
+resource "tls_cert_request" "cert_request" {
+  for_each = toset(var.service_names)
+
+  key_algorithm   = "ECDSA"
+  private_key_pem = tls_private_key.private_key.private_key_pem
+  dns_names       = [each.key, "${each.key}.${var.namespace}", "${each.key}.${var.namespace}.svc"]
+
+  subject {
+    common_name  = each.key
+    organization = var.organization
+  }
+}
+
+# Issue the certificate signing request
+resource "kubernetes_certificate_signing_request" "csr" {
+  for_each = toset(var.service_names)
+
+  metadata {
+    generate_name = "${each.key}-csr"
+  }
+
+  spec {
+    usages  = ["client auth", "server auth"]
+    request = tls_cert_request.cert_request[each.key].cert_request_pem
+  }
+  auto_approve = true
+}
+
+data "kubernetes_namespace" "namespace" {
+  metadata {
+    name = var.namespace
+  }
+}
+
+# Get the signed certificate from the request and save it in the secret
+resource "kubernetes_secret" "secret" {
+  for_each = toset(var.service_names)
+
+  metadata {
+    name      = "${each.key}-tls"
+    namespace = data.kubernetes_namespace.namespace.metadata[0].name
+  }
+  data = {
+    "tls.crt" = kubernetes_certificate_signing_request.csr[each.key].certificate
+    "tls.key" = tls_private_key.private_key.private_key_pem
+  }
+  type = "kubernetes.io/tls"
+}

terraform/outputs.tf

@@ -0,0 +1,14 @@
+# *****************************************************************
+#
+# Licensed Materials - Property of IBM
+#
+# (C) Copyright IBM Corp. 2021. All Rights Reserved.
+#
+# US Government Users Restricted Rights - Use, duplication or
+# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
+#
+# *****************************************************************
+output "certificates" {
+  description = "The public certificates for each service."
+  value       = { for key, value in kubernetes_certificate_signing_request.csr : (key) => value.certificate }
+}

terraform/variables.tf

@@ -0,0 +1,34 @@
+# *****************************************************************
+#
+# Licensed Materials - Property of IBM
+#
+# (C) Copyright IBM Corp. 2021. All Rights Reserved.
+#
+# US Government Users Restricted Rights - Use, duplication or
+# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
+#
+# *****************************************************************
+variable "namespace" {
+  description = "Kubernetes namespace to deploy to."
+  type        = string
+}
+
+variable "service_names" {
+  description = "List of services names (DNS names) include as ALT names in generated TLS certificate."
+  type        = list(string)
+}
+
+variable "organization" {
+  description = "Organization name (OU) for TLS certificate"
+  type        = string
+}
+
+variable "resource_group" {
+  description = "Resource group"
+  type = string
+}
+
+variable "kubernetes_config_context" {
+  description = "k8s cluster config context used by the k8s terraform provider"
+  type = string
+}

terraform/versions.tf

@@ -0,0 +1,28 @@
+# *****************************************************************
+#
+# Licensed Materials - Property of IBM
+#
+# (C) Copyright IBM Corp. 2021. All Rights Reserved.
+#
+# US Government Users Restricted Rights - Use, duplication or
+# disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
+#
+# *****************************************************************
+
+terraform {
+  required_version = "0.13.6"
+  required_providers {
+    ibm = {
+      source  = "ibm-cloud/ibm"
+      version = "~> 1.21.1"
+    }
+  }
+}
+
+provider "ibm" {
+}
+
+provider "kubernetes" {
+    config_path = "~/.kube/config"
+    config_context = var.kubernetes_config_context
+}

tests/create-taurus-pod.sh

@@ -40,6 +40,12 @@ sed -i "/\"password\"/s|:.*$|: \"${FHIR_USER_PASS}\",|" ${CONFIG_DIR}/fhirconfig
 sed -i "/\"tenantId\"/s|:.*$|: \"default\",|" ${CONFIG_DIR}/fhirconfig-default-tenant.json
 sed -i "/\"endpoint\"/s|:.*$|: \"${FHIR_ENDPOINT}\",|" ${CONFIG_DIR}/fhirconfig-default-tenant.json
 
+# Generate fhir config json file for knowledge tenant
+cp ${CONFIG_DIR}/local-ibm-fhir.json ${CONFIG_DIR}/fhirconfig-knowledge-tenant.json
+sed -i "/\"password\"/s|:.*$|: \"${FHIR_USER_PASS}\",|" ${CONFIG_DIR}/fhirconfig-knowledge-tenant.json
+sed -i "/\"tenantId\"/s|:.*$|: \"knowledge\",|" ${CONFIG_DIR}/fhirconfig-knowledge-tenant.json
+sed -i "/\"endpoint\"/s|:.*$|: \"${FHIR_ENDPOINT}\",|" ${CONFIG_DIR}/fhirconfig-knowledge-tenant.json
+
 # Spin off the pod in which the taurus image will be executed
 kubectl apply -f ${TEST_DIR}/run-engine-taurus-deploy-with-replaced-values.yaml
 

tests/run-engine-taurus-deploy.yaml

@@ -16,7 +16,7 @@ spec:
     - name: all-icr-io
   containers:
   - name: engine-test-app
-    image: us.icr.io/cdt-provider-cohort-rns/taurus-javabridge:1
+    image: us.icr.io/vpc-dev-cohort-rns/taurus-javabridge:1
     imagePullPolicy: Always
     command: ["sleep"]
     args: ["28800"]

tests/run-fvttests.sh

@@ -28,7 +28,7 @@ populateRestApiTestYaml() {
   yamlfile=$1
   xmlfile=$2
 
-  sed -i "/FHIR_SERVER_DETAILS_JSON/s|:.*$|: \"${DEFAULT_TENANT}\"|" ${yamlfile}
+  sed -i "/FHIR_SERVER_DETAILS_JSON/s|:.*$|: \"${KNOWLEDGE_TENANT}\"|" ${yamlfile}
   sed -i "/filename/s|:.*$|: \"${xmlfile}\"|" ${yamlfile}
 }
 . tests/setupEnvironmentVariables.sh
@@ -62,7 +62,7 @@ populateTaurusYaml ${SCENARIOS_DIR}/lungCancerTestScenarios.yaml ${LUNG_XMLFILE}
 
 # measureCLIExample-separate-measure-server.yaml and accompanying json file
 populateTaurusYaml ${SCENARIOS_DIR}/measureCLIExample-separate-measure-server.yaml ${MEASURECLI_XMLFILE}
-sed -i "s|\"cohort-cli/config/local-ibm-fhir.json\"|\"${DEFAULT_TENANT}\"|g" ${TEST_DIR}/src/main/resources/measureCLIExample-separate-measure-server.json
+sed -i "s|\"cohort-cli/config/local-ibm-fhir.json\"|\"${KNOWLEDGE_TENANT}\"|g" ${TEST_DIR}/src/main/resources/measureCLIExample-separate-measure-server.json
 
 # Update yaml files for REST API test scenarios 
 populateRestApiTestYaml ${SCENARIOS_DIR}/rest/getMeasureParametersByMeasureIdAPITests.yaml ${GET_PARAMETERS_BY_MEASURE_ID_XMLFILE}

tests/run-performancetests.sh

@@ -14,7 +14,7 @@ populateTaurusYaml() {
 
   sed -i \
   -e "/JAR/s|:.*$|: \"${SHADED_JAR}\"|" \
-  -e "/MEASURE_FHIR_SERVER_DETAILS/s|:.*$|: \"${DEFAULT_TENANT}\"|" \
+  -e "/MEASURE_FHIR_SERVER_DETAILS/s|:.*$|: \"${KNOWLEDGE_TENANT}\"|" \
   -e "/DATA_FHIR_SERVER_DETAILS/s|:.*$|: \"${TESTFVT_TENANT}\"|" ${yamlfile}
 }
 
@@ -51,7 +51,7 @@ runTest "/bzt-configs/tests/scenarios/performance/performanceCTScenarios.yaml"
 
 PERF_REG_RESULTS="${OUTPUT_DIR}/ct-perf-results"
 mkdir -p ${PERF_REG_RESULTS}
-checkForTestResults "${PERF_REG_RESULTS}" "performanceCTTests.xml" 60 30
+checkForTestResults "${PERF_REG_RESULTS}" "performanceCTTests.xml" 60 80
 
 # Make sure results are displayed to stdout even if the previous exec command returns early
 kubectl exec -it ${POD_NAME} -n ${CLUSTER_NAMESPACE} -- bash -c "cat /tmp/artifacts/*.ldjson"

tests/run-perfreg.sh

@@ -15,7 +15,7 @@ populateTaurusYaml() {
 
   sed -i \
   -e "/JAR/s|:.*$|: \"${SHADED_JAR}\"|" \
-  -e "/MEASURE_FHIR_SERVER_DETAILS/s|:.*$|: \"${DEFAULT_TENANT}\"|" \
+  -e "/MEASURE_FHIR_SERVER_DETAILS/s|:.*$|: \"${KNOWLEDGE_TENANT}\"|" \
   -e "/DATA_FHIR_SERVER_DETAILS/s|:.*$|: \"${TESTFVT_TENANT}\"|" ${yamlfile}
 }
 

tests/scenarios/performance/performanceCTScenarios.yaml

@@ -19,9 +19,9 @@ scenarios:
     criteria:
       - subject: p99.9
         condition: '>'
-        threshold: 1800s
+        threshold: 4800s
         label: 'test[tests/src/main/resources/measure-parameters/performance/fivePerformanceMeasures.json-targets0-1000 Patients 5 Measures]'
-        message: One thousand patients, 5 measures took longer than 1800 seconds
+        message: One thousand patients, 5 measures took longer than 4800 seconds
 
 modules:
   local:

tests/scenarios/performance/performanceRegression.yaml

@@ -48,36 +48,36 @@ scenarios:
     criteria:
       - subject: p99.9
         condition: '>'
-        threshold: 13s
+        threshold: 18s
         label: 'test[tests/src/main/resources/measure-parameters/performance/fivePerformanceMeasures.json-targets0-1 Patient 5 Measures]'
-        message: One patient, 5 measures took longer than 13 seconds
+        message: One patient, 5 measures took longer than 18 seconds
 
   hundred-patients-one-measure:
     script: /bzt-configs/tests/src/main/python/TestDriver_MeasurePerformance.py
     criteria:
       - subject: p99.9
         condition: '>'
-        threshold: 31s
+        threshold: 36s
         label: 'test[tests/src/main/resources/measure-parameters/performance/singlePerformanceMeasure.json-targets0-100 Patients 1 Measure]'
-        message: One hundred patients, 1 measure took longer than 31 seconds
+        message: One hundred patients, 1 measure took longer than 36 seconds
 
   thousand-patients-one-measure:
     script: /bzt-configs/tests/src/main/python/TestDriver_MeasurePerformance.py
     criteria:
       - subject: p99.9
         condition: '>'
-        threshold: 218s
+        threshold: 260s
         label: 'test[tests/src/main/resources/measure-parameters/performance/singlePerformanceMeasure.json-targets0-1000 Patients 1 Measure]'
-        message: One thousand patients, 1 measure took longer than 218 seconds
+        message: One thousand patients, 1 measure took longer than 260 seconds
 
   hundred-patients-five-measures:
     script: /bzt-configs/tests/src/main/python/TestDriver_MeasurePerformance.py
     criteria:
       - subject: p99.9
         condition: '>'
-        threshold: 273s
+        threshold: 480s
         label: 'test[tests/src/main/resources/measure-parameters/performance/fivePerformanceMeasures.json-targets0-100 Patients 5 Measures]'
-        message: One hundred patients, 5 measure took longer than 273 seconds
+        message: One hundred patients, 5 measure took longer than 480 seconds
 
 modules:
   local:

tests/setup-config-files-for-api-tests.sh

@@ -20,13 +20,13 @@ sed -i "/\"endpoint\"/s|:.*$|: \"${FHIR_ENDPOINT}\",|" ${CONFIG_DIR}/fhirconfig-
 # Generate a fhir config json file where the endpoint points to the wrong port (9444)
 cp ${CONFIG_DIR}/local-ibm-fhir.json ${CONFIG_DIR}/fhirconfig-badendpoint-port.json
 sed -i "/\"password\"/s|:.*$|: \"${FHIR_USER_PASS}\",|" ${CONFIG_DIR}/fhirconfig-badendpoint-port.json
-sed -i "/\"tenantId\"/s|:.*$|: \"default\",|" ${CONFIG_DIR}/fhirconfig-badendpoint-port.json
+sed -i "/\"tenantId\"/s|:.*$|: \"knowledge\",|" ${CONFIG_DIR}/fhirconfig-badendpoint-port.json
 sed -i "/\"endpoint\"/s|:.*$|: \"${FHIR_ENDPOINT_BADPORT}\",|" ${CONFIG_DIR}/fhirconfig-badendpoint-port.json
 
 # Generate a fhir config json file with the wrong password for fhiruser. (fhir user password = 'change-password')
-cp ${CONFIG_DIR}/local-ibm-fhir.json ${CONFIG_DIR}/fhirconfig-default-tenant-wrong-password.json
-sed -i "/\"tenantId\"/s|:.*$|: \"default\",|" ${CONFIG_DIR}/fhirconfig-default-tenant-wrong-password.json
-sed -i "/\"endpoint\"/s|:.*$|: \"${FHIR_ENDPOINT}\",|" ${CONFIG_DIR}/fhirconfig-default-tenant-wrong-password.json
+cp ${CONFIG_DIR}/local-ibm-fhir.json ${CONFIG_DIR}/fhirconfig-knowledge-tenant-wrong-password.json
+sed -i "/\"tenantId\"/s|:.*$|: \"knowledge\",|" ${CONFIG_DIR}/fhirconfig-knowledge-tenant-wrong-password.json
+sed -i "/\"endpoint\"/s|:.*$|: \"${FHIR_ENDPOINT}\",|" ${CONFIG_DIR}/fhirconfig-knowledge-tenant-wrong-password.json
 
 # Generate the following variations of request data json files for use by the tests specific to Measure Evaluation REST API endpoint. The json files
 # are unique in terms of the measureId and/or patientId referenced in them. Some are used for negative tests as the name of the file implies.

tests/setupEnvironmentVariables.sh

@@ -23,6 +23,7 @@ export OUTPUT_DIR=tests/output
 # environment. 
 export DEFAULT_TENANT="tests/src/main/resources/config/fhirconfig-default-tenant.json"
 export TESTFVT_TENANT="tests/src/main/resources/config/fhirconfig-testfvt-tenant.json"
+export KNOWLEDGE_TENANT="tests/src/main/resources/config/fhirconfig-knowledge-tenant.json"
 
 # check if FHIR_CLUSTER_NAMESPACE has been set in the toolchain
 # properties and use it if it is there, otherwise assume fhir will be
@@ -34,5 +35,6 @@ then
 fi
 
 export FHIR_ENDPOINT="https://fhir-internal.${FHIR_CLUSTER_NAMESPACE}.svc:9443/fhir-server/api/v4"
+export FHIR_ENDPOINT_BADPORT="https://fhir-internal.${FHIR_CLUSTER_NAMESPACE}.svc:9444/fhir-server/api/v4"
 export REST_SERVER_ENDPOINT="https://cohort-services-cohort-cohort.${CLUSTER_NAMESPACE}:9443/services/cohort/api"
 export SHADED_JAR="/bzt-configs/tests/src/main/resources/libraries/cohort-cli-shaded.jar"

tests/src/main/python/rest/tests/MeasureParametersByIdentifierAPITests.py

@@ -167,7 +167,7 @@ def test_getMeasureParametersByIdentifierWithWrongFHIRUserPassword(self):
         result = None
         version = "2021-04-12"
         measure_identifier = "999"
-        fhir_data_server_config = config_path + "fhirconfig-default-tenant-wrong-password.json"
+        fhir_data_server_config = config_path + "fhirconfig-knowledge-tenant-wrong-password.json"
         measure_identifier_system = "http://fakesystem.org"
         measure_version = "3.0.0"
         try:

tests/src/main/python/rest/tests/MeasureParametersByMeasureIdAPITests.py

@@ -118,17 +118,17 @@ def test_getMeasureParametersByIdWithWrongFHIREndpointPort(self):
             print("Exception received in test_getMeasureParametersByIdWithWrongFHIREndpointPort is: " + result)
         assert '400' in result, 'Should contain 400 error message stating: Connect to fhir-internal.dev.svc:9444 failed.'
 
-    def test_getMeasureParametersByIdWithInvalidFHIRUserPassword(self):
+    def test_getMeasureParametersByIdWithWrongFHIRUserPassword(self):
         fhirMeasuresApi = FHIRMeasuresApi(swagger_client.ApiClient(self.configuration))
         result = None
         version = date.today()
-        fhir_data_server_config = config_path + "fhirconfig-badendpoint-port.json"
+        fhir_data_server_config = config_path + "fhirconfig-knowledge-tenant-wrong-password.json"
         measure_id = '178378911bd-e8a3413b-27da-45b3-bc28-d079f0ef0d38'
         try:
             resp = fhirMeasuresApi.get_measure_parameters_by_id(version, measure_id, fhir_data_server_config, _preload_content=False)
             result = resp.read()
         except ApiException as e: 
             print("Exception when calling FHIRMeasureApi->get_measure_parameters_by_id: %s\n" % e)
             result = str(e)
-            print("Exception received in test_getMeasureParametersByIdWithInvalidFHIRUserPassword is: " + result)
+            print("Exception received in test_getMeasureParametersByIdWithWrongFHIRUserPassword is: " + result)
         assert '400' in result, 'Should contain 400 error message stating: HTTP 401 Unauthorized.'