diff --git a/.github/workflows/chart-lint-publish.yml b/.github/workflows/chart-lint-publish.yml new file mode 100644 index 00000000..c8d6ba3b --- /dev/null +++ b/.github/workflows/chart-lint-publish.yml @@ -0,0 +1,62 @@ +name: Validate / Publish helm charts + +on: + release: + types: [published] + pull_request: + types: [opened, reopened, synchronize] + paths: + - 'helm/**' + workflow_dispatch: + inputs: + IGNORE_CHARTS: + description: 'Provide list of charts to be ignored separated by pipe(|)' + required: false + default: '""' + type: string + CHART_PUBLISH: + description: 'Chart publishing to gh-pages branch' + required: false + default: 'NO' + type: string + options: + - YES + - NO + INCLUDE_ALL_CHARTS: + description: 'Include all charts for Linting/Publishing (YES/NO)' + required: false + default: 'NO' + type: string + options: + - YES + - NO + push: + branches: + - '!release-branch' + - '!master' + - 1.* + - 0.* + - develop + - release* + paths: + - 'helm/**' + +jobs: + chart-lint-publish: + uses: mosip/kattu/.github/workflows/chart-lint-publish.yml@master + with: + CHARTS_DIR: ./helm + CHARTS_URL: https://mosip.github.io/mosip-helm + REPOSITORY: mosip-helm + BRANCH: gh-pages + INCLUDE_ALL_CHARTS: "${{ inputs.INCLUDE_ALL_CHARTS || 'NO' }}" + IGNORE_CHARTS: "${{ inputs.IGNORE_CHARTS || '\"\"' }}" + CHART_PUBLISH: "${{ inputs.CHART_PUBLISH || 'YES' }}" + LINTING_CHART_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-schema.yaml" + LINTING_LINTCONF_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/lintconf.yaml" + LINTING_CHART_TESTING_CONFIG_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-testing-config.yaml" + LINTING_HEALTH_CHECK_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/health-check-schema.yaml" + DEPENDENCIES: "mosip,https://mosip.github.io/mosip-helm;" + secrets: + TOKEN: ${{ secrets.ACTION_PAT }} + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} diff --git a/.github/workflows/release-changes.yml b/.github/workflows/release-changes.yml deleted file mode 100644 index c10da751..00000000 --- a/.github/workflows/release-changes.yml +++ /dev/null @@ -1,29 +0,0 @@ -name: Release/pre-release Preparation. - -on: - workflow_dispatch: - inputs: - MESSAGE: - description: 'Triggered for release or pe-release' - required: false - default: 'Release Preparation' - RELEASE_TAG: - description: 'tag to update' - required: true - SNAPSHOT_TAG: - description: 'tag to be replaced' - required: true - BASE: - description: 'base branch for PR' - required: true -jobs: - maven-release-preparation: - uses: mosip/kattu/.github/workflows/release-changes.yml@master - with: - MESSAGE: ${{ inputs.MESSAGE }} - RELEASE_TAG: ${{ inputs.RELEASE_TAG }} - SNAPSHOT_TAG: ${{ inputs.SNAPSHOT_TAG }} - BASE: ${{ inputs.BASE }} - secrets: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} - ACTION_PAT: ${{ secrets.ACTION_PAT }} diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml deleted file mode 100644 index c131f5aa..00000000 --- a/.github/workflows/tag.yml +++ /dev/null @@ -1,35 +0,0 @@ -name: Tagging of repos - -on: - workflow_dispatch: - inputs: - TAG: - description: 'Tag to be published' - required: true - type: string - BODY: - description: 'Release body message' - required: true - default: 'Changes in this Release' - type: string - PRE_RELEASE: - description: 'Pre-release? True/False' - required: true - default: False - type: string - DRAFT: - description: 'Draft? True/False' - required: false - default: False - type: string - -jobs: - tag-branch: - uses: mosip/kattu/.github/workflows/tag.yml@master - with: - TAG: ${{ inputs.TAG }} - BODY: ${{ inputs.BODY }} - PRE_RELEASE: ${{ inputs.PRE_RELEASE }} - DRAFT: ${{ inputs.DRAFT }} - secrets: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} diff --git a/README.md b/README.md index 78362833..f51856e9 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,29 @@ Run `ng test` to execute the unit tests via [Karma](https://karma-runner.github. Run `ng e2e` to execute the end-to-end tests via [Protractor](http://www.protractortest.org/). +## Deployment in K8 cluster with other MOSIP services: +### Pre-requisites +* Set KUBECONFIG variable to point to existing K8 cluster kubeconfig file: + * ``` + export KUBECONFIG=~/.kube/ + ``` +### Install + ``` + $ cd deploy + $ ./install.sh + ``` +### Delete + ``` + $ cd deploy + $ ./delete.sh + ``` +### Restart + ``` + $ cd deploy + $ ./restart.sh + ``` + + ## Further help To get more help on the Angular CLI use `ng help` or go check out the [Angular CLI README](https://github.com/angular/angular-cli/blob/master/README.md). diff --git a/deploy/README.md b/deploy/README.md new file mode 100644 index 00000000..23d6e4aa --- /dev/null +++ b/deploy/README.md @@ -0,0 +1,37 @@ +# Admin module + +## Install +``` +./install.sh +``` +## Admin proxy +Admin service accesses other services like Materdata and Keymanager and currently there is only one URL that is used to connect to both these services. This will get fixed in future versions, but as a an interim solution, Admin Proxy docker has been created, which is basically an Nginx proxy connecting to the above services with these URLs: +``` +http://admin-proxy/v1/masterdata +http://admin-proxy/v1/keymanager +``` +The proxy is installed as part of `install.sh` script. + +## Admin user +1. In Keycloak, create a user in `mosip` realm called `globaladmin` and assign role `GLOBAL_ADMIN`. Make sure this user has strong credentials. +2. Use this user to login into Admin portal via Keycloak. (Note that this user is already on-boarded as default user while uploading masterdata XLS in Kernel module) +3. _Strongly Recommended_: Create another user in keycloak with authentic name, email, details, strong password and `GLOBAL_ADMIN` role. Assign global zone to this user via Admin portal, and then delete `globaladmin` from Keycloak and masterdata DB. + +## Admin portal +Access the portal with following URL: +``` +https:///admin-ui/ + +Example: +https://api-internal.sandbox.xyz.net/admin-ui/ +``` +Your wireguard client must be running for this access. + +## Onboarding +Use the portal to onboard user, machine, center. + +Note that for onboarding a user (like a Zonal Admin or Registration Officer), +1. Create user in Keycloak with appropriate role. +1. Map the user to a Zone using Admin portal. +1. Map user to a registration center (in case of Registration Officer/Supervisor) using Admin portal. + diff --git a/deploy/copy_cm.sh b/deploy/copy_cm.sh new file mode 100755 index 00000000..fb2d70a6 --- /dev/null +++ b/deploy/copy_cm.sh @@ -0,0 +1,25 @@ +#!/bin/bash +# Copy configmaps from other namespaces +# DST_NS: Destination namespace + +function copying_cm() { + UTIL_URL=https://raw.githubusercontent.com/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh + COPY_UTIL=./copy_cm_func.sh + DST_NS=admin + + wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh + + $COPY_UTIL configmap global default $DST_NS + $COPY_UTIL configmap artifactory-share artifactory $DST_NS + $COPY_UTIL configmap config-server-share config-server $DST_NS + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +copying_cm # calling function + diff --git a/deploy/delete.sh b/deploy/delete.sh new file mode 100755 index 00000000..681f1b69 --- /dev/null +++ b/deploy/delete.sh @@ -0,0 +1,30 @@ +#!/bin/bash +# Uninstalls all admin-ui helm charts +## Usage: ./delete.sh [kubeconfig] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + +function deleting_admin_ui() { + NS=admin + while true; do + read -p "Are you sure you want to delete ALL Admin-ui helm charts?(Y/n) " yn + if [ $yn = "Y" ] + then + helm -n $NS delete admin-ui + break + else + break + fi + done + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +deleting_admin_ui # calling function diff --git a/deploy/install.sh b/deploy/install.sh new file mode 100755 index 00000000..ea585a6a --- /dev/null +++ b/deploy/install.sh @@ -0,0 +1,45 @@ +#!/bin/bash +# Installs the admin-ui module +# Make sure you have updated ui_values.yaml +## Usage: ./install.sh [kubeconfig] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + +NS=admin +CHART_VERSION=0.0.1-develop + +echo Create $NS namespace +kubectl create ns $NS + +function installing_admin_ui() { + echo Istio label + kubectl label ns $NS istio-injection=enabled --overwrite + helm repo update + + echo Copy configmaps + sed -i 's/\r$//' copy_cm.sh + ./copy_cm.sh + + API_HOST=$(kubectl get cm global -o jsonpath={.data.mosip-api-internal-host}) + ADMIN_HOST=$(kubectl get cm global -o jsonpath={.data.mosip-admin-host}) + + echo Installing admin-ui + helm -n $NS install admin-ui mosip/admin-ui --set admin.apiUrl=https://$API_HOST/v1/ --set istio.hosts\[0\]=$ADMIN_HOST --version $CHART_VERSION + + kubectl -n $NS get deploy -o name | xargs -n1 -t kubectl -n $NS rollout status + + echo Installed admin services + + echo "Admin portal URL: https://$ADMIN_HOST/admin-ui/" + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +installing_admin_ui # calling function \ No newline at end of file diff --git a/deploy/restart.sh b/deploy/restart.sh new file mode 100755 index 00000000..75cc5cc9 --- /dev/null +++ b/deploy/restart.sh @@ -0,0 +1,25 @@ +#!/bin/bash +# Restarts the admin_ui +## Usage: ./restart.sh [kubeconfig] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + +function Restarting_admin_ui() { + NS=admin + kubectl -n $NS rollout restart deploy + + kubectl -n $NS get deploy -o name | xargs -n1 -t kubectl -n $NS rollout status + + echo Restarted admin_ui + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +Restarting_admin_ui # calling function \ No newline at end of file diff --git a/helm/admin-ui/.gitignore b/helm/admin-ui/.gitignore new file mode 100644 index 00000000..ee3892e8 --- /dev/null +++ b/helm/admin-ui/.gitignore @@ -0,0 +1 @@ +charts/ diff --git a/helm/admin-ui/.helmignore b/helm/admin-ui/.helmignore new file mode 100644 index 00000000..f0c13194 --- /dev/null +++ b/helm/admin-ui/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/helm/admin-ui/Chart.yaml b/helm/admin-ui/Chart.yaml new file mode 100644 index 00000000..77134868 --- /dev/null +++ b/helm/admin-ui/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +name: admin-ui +description: A Helm chart for MOSIP Admin UI module +type: application +version: 0.0.1-develop +appVersion: "" +dependencies: + - name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x +home: https://mosip.io +keywords: + - mosip + - admin + - kernel +maintainers: + - email: info@mosip.io + name: MOSIP diff --git a/helm/admin-ui/README.md b/helm/admin-ui/README.md new file mode 100644 index 00000000..ab0f1219 --- /dev/null +++ b/helm/admin-ui/README.md @@ -0,0 +1,10 @@ +# Admin-ui + +Helm chart for installing MOSIP Admin UI module + +## TL;DR + +```console +$ helm repo add mosip https://mosip.github.io +$ helm install my-release mosip/admin-ui +``` diff --git a/helm/admin-ui/templates/NOTES.txt b/helm/admin-ui/templates/NOTES.txt new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/helm/admin-ui/templates/NOTES.txt @@ -0,0 +1 @@ + diff --git a/helm/admin-ui/templates/_helpers.tpl b/helm/admin-ui/templates/_helpers.tpl new file mode 100644 index 00000000..318af447 --- /dev/null +++ b/helm/admin-ui/templates/_helpers.tpl @@ -0,0 +1,58 @@ +{{/* +Return the proper image name +*/}} +{{- define "admin-ui.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "admin-ui.volumePermissions.image" -}} +{{- include "common.images.image" ( dict "imageRoot" .Values.volumePermissions.image "global" .Values.global ) -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "admin-ui.imagePullSecrets" -}} +{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.volumePermissions.image) "global" .Values.global) -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "admin-ui.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (printf "%s-foo" (include "common.names.fullname" .)) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message. +*/}} +{{- define "admin-ui.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "admin-ui.validateValues.foo" .) -}} +{{- $messages := append $messages (include "admin-ui.validateValues.bar" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message -}} +{{- end -}} +{{- end -}} + +{{/* +Return podAnnotations +*/}} +{{- define "admin-ui.podAnnotations" -}} +{{- if .Values.podAnnotations }} +{{ include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) }} +{{- end }} +{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} +{{ include "common.tplvalues.render" (dict "value" .Values.metrics.podAnnotations "context" $) }} +{{- end }} +{{- end -}} diff --git a/helm/admin-ui/templates/configmap.yaml b/helm/admin-ui/templates/configmap.yaml new file mode 100644 index 00000000..596a240f --- /dev/null +++ b/helm/admin-ui/templates/configmap.yaml @@ -0,0 +1,42 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + config.json: |- + {"baseUrl":"{{ tpl .Values.admin.apiUrl . }}", "adminUrl" : "/", "primaryLangCode": "eng", "secondaryLangCode": "fra", "validateToken": "authmanager/authorize/admin/validateToken", "login": "admin/login/", "logout": "admin/logout/user", "templateRepoUrl": "/templates/" } + + default.conf: |- + server { + listen 8080; + server_name localhost; + add_header X-Frame-Options DENY; + + #charset koi8-r; + #access_log /var/log/nginx/host.access.log main; + + index index.html index.htm; + + location ^~ /templates/ { + if ($uri !~ \.(csv|xlsx)$ ) { return 403; } + + autoindex on; + default_type application/octet-stream; + #add_header Content-disposition "attachment; filename=$1"; + index index.html index.php; + alias /usr/share/nginx/html/templates/; + } + + location / { + alias /usr/share/nginx/html/; + } + } + diff --git a/helm/admin-ui/templates/deployment.yaml b/helm/admin-ui/templates/deployment.yaml new file mode 100644 index 00000000..3e2e2054 --- /dev/null +++ b/helm/admin-ui/templates/deployment.yaml @@ -0,0 +1,154 @@ +apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }} +kind: Deployment +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "common.names.fullname" . }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicaCount }} + {{- if .Values.updateStrategy }} + strategy: {{- toYaml .Values.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + template: + metadata: + annotations: + {{- if or .Values.podAnnotations .Values.metrics.enabled }} + {{- include "admin-ui.podAnnotations" . | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + {{- if .Values.podLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "admin-ui.serviceAccountName" . }} + {{- include "admin-ui.imagePullSecrets" . | nindent 6 }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName | quote }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + initContainers: + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + - name: volume-permissions + image: {{ include "admin-ui.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - %%commands%% + securityContext: + runAsUser: 0 + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: foo + mountPath: bar + {{- end }} + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} + containers: + - name: admin-ui + image: {{ template "admin-ui.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: container_user + value: {{ .Values.containerSecurityContext.runAsUser }} + - name: JDK_JAVA_OPTIONS + value: {{ .Values.additionalResources.javaOpts }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + {{- range .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ . }} + {{- end }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} + volumeMounts: + - name: conf-file + mountPath: /usr/share/nginx/html/assets/config.json + subPath: config.json + - name: nginx-config + mountPath: /etc/nginx/conf.d/default.conf + subPath: default.conf + ports: + - name: spring-service + containerPort: {{ .Values.springServicePort }} + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + {{- if .Values.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }} + {{- else if .Values.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }} + {{- else if .Values.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }} + {{- else if .Values.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} + {{- end }} + volumes: + - name: conf-file + configMap: + name: {{ template "common.names.fullname" . }} + items: + - key: config.json + path: config.json + + - name: nginx-config + configMap: + name: {{ template "common.names.fullname" . }} + items: + - key: default.conf + path: default.conf diff --git a/helm/admin-ui/templates/extra-list.yaml b/helm/admin-ui/templates/extra-list.yaml new file mode 100644 index 00000000..9ac65f9e --- /dev/null +++ b/helm/admin-ui/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/helm/admin-ui/templates/gateway.yaml b/helm/admin-ui/templates/gateway.yaml new file mode 100644 index 00000000..4742a301 --- /dev/null +++ b/helm/admin-ui/templates/gateway.yaml @@ -0,0 +1,16 @@ +{{- if .Values.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: Gateway +metadata: + name: admin-gateway +spec: + selector: + istio: {{ .Values.istio.ingressController.name }} + servers: + - port: + number: 80 + name: http + protocol: HTTP + hosts: + {{- include "common.tplvalues.render" ( dict "value" .Values.istio.hosts "context" $ ) | nindent 6 }} +{{- end }} diff --git a/helm/admin-ui/templates/service-account.yaml b/helm/admin-ui/templates/service-account.yaml new file mode 100644 index 00000000..ba6e97b2 --- /dev/null +++ b/helm/admin-ui/templates/service-account.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "admin-ui.serviceAccountName" . }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} diff --git a/helm/admin-ui/templates/service.yaml b/helm/admin-ui/templates/service.yaml new file mode 100644 index 00000000..93fdc92b --- /dev/null +++ b/helm/admin-ui/templates/service.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Service +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "common.names.fullname" . }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + {{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }} + {{- end }} + {{ if eq .Values.service.type "LoadBalancer" }} + loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }} + {{ end }} + {{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + ports: + - name: http + port: {{ .Values.service.port }} + protocol: TCP + targetPort: {{ .Values.springServicePort }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} diff --git a/helm/admin-ui/templates/servicemonitor.yaml b/helm/admin-ui/templates/servicemonitor.yaml new file mode 100644 index 00000000..15f48fde --- /dev/null +++ b/helm/admin-ui/templates/servicemonitor.yaml @@ -0,0 +1,36 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "common.names.fullname" . }} + {{- if .Values.metrics.serviceMonitor.namespace }} + namespace: {{ .Values.metrics.serviceMonitor.namespace }} + {{- else }} + namespace: {{ .Release.Namespace | quote }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.metrics.serviceMonitor.additionalLabels }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $) | nindent 4 }} + {{- end }} +spec: + endpoints: + - targetPort: {{ .Values.springServicePort }} + path: {{ .Values.metrics.endpointPath }} + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabellings }} + metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.relabellings | nindent 6 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace | quote }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} +{{- end }} diff --git a/helm/admin-ui/templates/virtualservice.yaml b/helm/admin-ui/templates/virtualservice.yaml new file mode 100644 index 00000000..17a2ca4d --- /dev/null +++ b/helm/admin-ui/templates/virtualservice.yaml @@ -0,0 +1,32 @@ +{{- if .Values.istio.enabled }} +apiVersion: networking.istio.io/v1alpha3 +kind: VirtualService +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + hosts: + - "*" + gateways: + {{- include "common.tplvalues.render" ( dict "value" .Values.istio.gateways "context" $ ) | nindent 4 }} + http: + - match: + - uri: + prefix: {{ .Values.istio.prefix }} + route: + - destination: + host: {{ template "common.names.fullname" . }} + port: + number: {{ .Values.service.port }} + headers: + request: + set: + x-forwarded-proto: https +{{- end }} diff --git a/helm/admin-ui/values.yaml b/helm/admin-ui/values.yaml new file mode 100644 index 00000000..1e412fe3 --- /dev/null +++ b/helm/admin-ui/values.yaml @@ -0,0 +1,432 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +# global: +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Add labels to all the deployed resources +## +commonLabels: + app.kubernetes.io/component: mosip + +## Add annotations to all the deployed resources +## +commonAnnotations: {} + +## Kubernetes Cluster Domain +## +clusterDomain: cluster.local + +## Extra objects to deploy (value evaluated as a template) +## +extraDeploy: [] + +## Number of nodes +## +replicaCount: 1 + +service: + type: ClusterIP + port: 80 + ## loadBalancerIP for the SuiteCRM Service (optional, cloud specific) + ## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## + ## loadBalancerIP: + ## + ## nodePorts: + ## http: + ## https: + ## + nodePorts: + http: "" + https: "" + ## Enable client source IP preservation + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + +image: + registry: docker.io + repository: mosipqa/admin-ui + tag: develop + + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +## Port on which this particular spring service module is running. +springServicePort: 8080 + +## Configure extra options for liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## +## TODO: health probes don't exist. Check. +startupProbe: + enabled: true + httpGet: + path: / + port: 8080 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 30 + successThreshold: 1 + +livenessProbe: + enabled: true + httpGet: + path: / + port: 8080 + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +readinessProbe: + enabled: true + httpGet: + path: / + port: 8080 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +## +# existingConfigmap: + +## Command and args for running the container (set to default if not set). Use array form +## +command: [] +args: [] + +## Deployment pod host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] + +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: + cpu: 300m + memory: 1500Mi + requests: + cpu: 100m + memory: 500Mi + +additionalResources: + ## Specify any JAVA_OPTS string here. These typically will be specified in conjunction with above resources + ## Example: java_opts: "-Xms500M -Xmx500M" + javaOpts: "-Xms750M -Xmx750M" + +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## Clamav container already runs as 'mosip' user, so we may not need to enable this +containerSecurityContext: + enabled: false + runAsUser: mosip + runAsNonRoot: true + +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## +podSecurityContext: + enabled: false + fsGroup: 1001 + +## Pod affinity preset +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## Allowed values: soft, hard +## +podAffinityPreset: "" + +## Pod anti-affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## Allowed values: soft, hard +## +podAntiAffinityPreset: soft + +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## Allowed values: soft, hard +## +nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + ## + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + +## Affinity for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} + +## Node labels for pod assignment. Evaluated as a template. +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## Tolerations for pod assignment. Evaluated as a template. +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + +## Pod extra labels +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} + +## Annotations for server pods. +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} + +## pods' priority. +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +# priorityClassName: "" + +## lifecycleHooks for the container to automate configuration before or after startup. +## +lifecycleHooks: {} + +## Custom Liveness probes for +## +customLivenessProbe: {} + +## Custom Rediness probes +## +customReadinessProbe: {} + +## Update strategy - only really applicable for deployments with RWO PVs attached +## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the +## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will +## terminate the single previous pod, so that the new, incoming pod can attach to the PV +## +updateStrategy: + type: RollingUpdate + +## Additional environment variables to set +## Example: +## extraEnvVars: +## - name: FOO +## value: "bar" +## +extraEnvVars: [] + +## ConfigMap with extra environment variables +## +extraEnvVarsCM: + - global + - config-server-share + - artifactory-share + +## Secret with extra environment variables +## +extraEnvVarsSecret: + +## Extra volumes to add to the deployment +## +extraVolumes: [] + +## Extra volume mounts to add to the container +## +extraVolumeMounts: [] + +## Add init containers to the pods. +## Example: +## initContainers: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +initContainers: {} + +## Add sidecars to the pods. +## Example: +## sidecars: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +sidecars: {} + +persistence: + enabled: false + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack). + ## + # storageClass: "-" + ## + ## If you want to reuse an existing claim, you can pass the name of the PVC using + ## the existingClaim variable + # existingClaim: your-claim + ## ReadWriteMany not supported by AWS gp2 + storageClass: + accessModes: + - ReadWriteOnce + size: 10M + existingClaim: + # Dir where config and keys are written inside container + mountDir: + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: "10" + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + pullSecrets: [] + ## - myRegistryKeySecretName + ## Init containers' resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## + limits: {} + ## cpu: 100m + ## memory: 128Mi + ## + requests: {} + ## cpu: 100m + ## memory: 128Mi + ## + +## Specifies whether RBAC resources should be created +## +rbac: + create: true + +## Specifies whether a ServiceAccount should be created +## +serviceAccount: + create: true + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + ## + name: + +## Prometheus Metrics +## +metrics: + enabled: false + ## Prometheus pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: + prometheus.io/scrape: "true" + + endpointPath: /v1/admin/actuator/prometheus + + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator + ## + serviceMonitor: + ## If the operator is installed in your cluster, set to true to create a Service Monitor Entry + ## + enabled: true + ## Specify the namespace in which the serviceMonitor resource will be created + ## + # namespace: "" + ## Specify the interval at which metrics should be scraped + ## + interval: 10s + ## Specify the timeout after which the scrape is ended + ## + # scrapeTimeout: 30s + ## Specify Metric Relabellings to add to the scrape endpoint + ## + # relabellings: + ## Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + ## + additionalLabels: {} + + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + enabled: false + additionalLabels: {} + namespace: '' + ## List of rules, used as template by Helm. + ## These are just examples rules inspired from https://awesome-prometheus-alerts.grep.to/rules.html + # rules: + # - alert: RabbitmqDown + # expr: rabbitmq_up{service="{{ template "rabbitmq.fullname" . }}"} == 0 + # for: 5m + # labels: + # severity: error + rules: [] + +## The url below is to access Admin API services. +## CAUTION: Domain name to acess Admin UI must be secure/internal/over vpn. +## Slash is important! +admin: + apiUrl: https://api-internal.sandbox.mosip.net/v1/ + +## Admin UI swagger should have only internal access. Hence linked to internal gateway +## We create a gateway for admin specific URL(s) listed under `hosts` +istio: + enabled: true + ingressController: + name: ingressgateway-internal + gateways: + - admin-gateway + hosts: + - admin.sandbox.xyz.net + prefix: /