From be182e916f3bcf4466eb2f20d411ff841859a64f Mon Sep 17 00:00:00 2001 From: Dominik Pinsel Date: Thu, 10 Aug 2023 01:20:28 +0200 Subject: [PATCH] feat(ci): make chart standalone runnable Signed-off-by: Dominik Pinsel --- charts/managed-identity-wallet/Chart.lock | 9 +- .../templates/backup/cronjob.yaml | 56 ------ .../backup/persistentvolumeclaim.yaml | 38 ---- .../templates/deployment.yaml | 36 +++- .../templates/job-keycloak-db.yaml | 43 ++++ .../templates/job-miw-db.yaml | 40 ++++ charts/managed-identity-wallet/values.yaml | 187 ++++++++++-------- 7 files changed, 231 insertions(+), 178 deletions(-) delete mode 100644 charts/managed-identity-wallet/templates/backup/cronjob.yaml delete mode 100644 charts/managed-identity-wallet/templates/backup/persistentvolumeclaim.yaml create mode 100644 charts/managed-identity-wallet/templates/job-keycloak-db.yaml create mode 100644 charts/managed-identity-wallet/templates/job-miw-db.yaml diff --git a/charts/managed-identity-wallet/Chart.lock b/charts/managed-identity-wallet/Chart.lock index 5fc01384b..9b1fbd612 100644 --- a/charts/managed-identity-wallet/Chart.lock +++ b/charts/managed-identity-wallet/Chart.lock @@ -4,6 +4,9 @@ dependencies: version: 15.1.6 - name: common repository: https://charts.bitnami.com/bitnami - version: 2.6.0 -digest: sha256:0513338c0e9b39ffac3ae31802f3122e62eb2e1c457159e8445f3c4f40ff1fb9 -generated: "2023-07-14T13:56:04.369372589+02:00" + version: 2.8.0 +- name: postgresql + repository: https://charts.bitnami.com/bitnami + version: 11.9.13 +digest: sha256:27875e671c8f4b84ec45dc253d23ad42161422f96417aa4b257599575410ceda +generated: "2023-08-09T16:17:43.65852891+02:00" diff --git a/charts/managed-identity-wallet/templates/backup/cronjob.yaml b/charts/managed-identity-wallet/templates/backup/cronjob.yaml deleted file mode 100644 index 9c6108fc5..000000000 --- a/charts/managed-identity-wallet/templates/backup/cronjob.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -# /******************************************************************************** -# * Copyright (c) 2021,2023 Contributors to the Eclipse Foundation -# * -# * See the NOTICE file(s) distributed with this work for additional -# * information regarding copyright ownership. -# * -# * This program and the accompanying materials are made available under the -# * terms of the Apache License, Version 2.0 which is available at -# * https://www.apache.org/licenses/LICENSE-2.0. -# * -# * Unless required by applicable law or agreed to in writing, software -# * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# * License for the specific language governing permissions and limitations -# * under the License. -# * -# * SPDX-License-Identifier: Apache-2.0 -# ********************************************************************************/ - -{{ if .Values.backup.database.enabled -}} -apiVersion: batch/v1 -kind: CronJob -metadata: - name: {{ include "managed-identity-wallet.fullname" . }}-backup - labels: - {{- include "managed-identity-wallet.labels" . | nindent 4 }} -spec: - schedule: {{ .Values.backup.database.cron | quote }} - jobTemplate: - spec: - backoffLimit: 0 - template: - spec: - containers: - - name: dump - image: postgres:14.5-alpine - volumeMounts: - - name: data - mountPath: /backup - command: - - "/bin/sh" - args: - - "-c" - - 'pg_dump -v -Fc -U {{ .Values.secrets.DB_USER_NAME }} -h {{ .Values.envs.DB_HOST }} miw > /backup/miw-postgres-$(date +"%m-%d-%Y-%H:%M:%S").pgdump' - env: - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: {{ include "managed-identity-wallet.fullname" . }} - key: DB_PASSWORD - restartPolicy: Never - volumes: - - name: data - persistentVolumeClaim: - claimName: {{ include "managed-identity-wallet.fullname" . }}-backup -{{- end }} 
diff --git a/charts/managed-identity-wallet/templates/backup/persistentvolumeclaim.yaml b/charts/managed-identity-wallet/templates/backup/persistentvolumeclaim.yaml deleted file mode 100644 index a436d4e1f..000000000 --- a/charts/managed-identity-wallet/templates/backup/persistentvolumeclaim.yaml +++ /dev/null @@ -1,38 +0,0 @@ -# /******************************************************************************** -# * Copyright (c) 2021,2023 Contributors to the Eclipse Foundation -# * -# * See the NOTICE file(s) distributed with this work for additional -# * information regarding copyright ownership. -# * -# * This program and the accompanying materials are made available under the -# * terms of the Apache License, Version 2.0 which is available at -# * https://www.apache.org/licenses/LICENSE-2.0. -# * -# * Unless required by applicable law or agreed to in writing, software -# * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# * License for the specific language governing permissions and limitations -# * under the License. -# * -# * SPDX-License-Identifier: Apache-2.0 -# ********************************************************************************/ - -{{ if .Values.backup.database.enabled -}} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ include "managed-identity-wallet.fullname" . }}-backup - labels: - {{- include "managed-identity-wallet.labels" . | nindent 4 }} - {{ if .Values.backup.database.storage.keepStorage -}} - annotations: - helm.sh/resource-policy: keep - {{- end }} -spec: - accessModes: - - ReadWriteOnce - storageClassName: {{ .Values.backup.database.storage.storageClassName | quote }} - resources: - requests: - storage: {{ .Values.backup.database.storage.diskSize }} -{{- end }} 
diff --git a/charts/managed-identity-wallet/templates/deployment.yaml b/charts/managed-identity-wallet/templates/deployment.yaml index 433ceb480..1f03b1b2e 100644 --- a/charts/managed-identity-wallet/templates/deployment.yaml +++ b/charts/managed-identity-wallet/templates/deployment.yaml @@ -51,8 +51,42 @@ spec: image: "{{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: + - name: APP_LOG_LEVEL + value: {{ .Values.miw.logging.level }} + - name: MIW_HOST_NAME + value: {{ tpl .Values.miw.host . }} + - name: ENCRYPTION_KEY + value: {{ .Values.miw.database.encryptionKey }} + - name: AUTHORITY_WALLET_BPN + value: {{ tpl .Values.miw.authorityWallet.bpn . }} + - name: AUTHORITY_WALLET_DID + value: {{ tpl .Values.miw.authorityWallet.did . }} + - name: ENFORCE_HTTPS_IN_DID_RESOLUTION + value: {{ .Values.miw.ssi.enforceHttpsInDidWebResolution | quote }} + - name: APPLICATION_ENVIRONMENT + value: {{ .Values.miw.environment }} + - name: KEYCLOAK_REALM + value: {{ tpl .Values.miw.keycloak.realm . }} + - name: KEYCLOAK_CLIENT_ID + value: {{ .Values.miw.keycloak.clientId }} + - name: AUTH_SERVER_URL + value: {{ tpl .Values.miw.keycloak.url . }} + - name: USE_SSL + value: {{ .Values.miw.database.useSSL | quote }} + - name: DB_HOST + value: {{ tpl .Values.miw.database.host . }} + - name: DB_PORT + value: {{ .Values.miw.database.port | quote }} + - name: DB_NAME + value: {{ tpl .Values.miw.database.database . }} + - name: DB_USER_NAME + value: {{ .Values.miw.database.user }} + - name: DB_PASSWORD + value: {{ .Values.miw.database.password }} - name: APPLICATION_PORT value: "8080" + - name: VC_EXPIRY_DATE + value: {{ .Values.miw.ssi.vcExpiryDate | quote }} {{- if or .Values.envs .Values.secrets }} {{- range $key, $val := .Values.envs }} - name: {{ $key }} 
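Review bot: `DB_PASSWORD` and `ENCRYPTION_KEY` are rendered here as plain `value:` strings into the Deployment manifest, where they appear in `kubectl get deploy -o yaml`, in the Helm release history and in any GitOps diff, whereas the backup CronJob removed by this commit read `DB_PASSWORD` from the chart's Secret through `secretKeyRef`. Keep those two entries on `valueFrom.secretKeyRef` against the Secret the chart already renders under `{{ include "managed-identity-wallet.fullname" . }}` — assuming that Secret template still exists; since `secrets:` is emptied in values.yaml it would have to be fed from `.Values.miw.database.password` and `.Values.miw.database.encryptionKey` instead. The other new `value:` lines should go through `| quote` as `ENFORCE_HTTPS_IN_DID_RESOLUTION`, `USE_SSL` and `DB_PORT` already do: a Kubernetes env `value` must be a string, and an override such as `password: 1234` or a value YAML reads as a boolean renders an invalid manifest. The container block starts before this hunk and the env list continues past it.
```yaml
            - name: ENCRYPTION_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ include "managed-identity-wallet.fullname" . }}
                  key: ENCRYPTION_KEY
            # … unchanged: AUTHORITY_WALLET_*, KEYCLOAK_*, DB_HOST/PORT/NAME/USER_NAME entries, each with `| quote` …
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "managed-identity-wallet.fullname" . }}
                  key: DB_PASSWORD
```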
@@ -89,7 +123,7 @@ spec: periodSeconds: 5 successThreshold: 1 timeoutSeconds: 5 - initialDelaySeconds: 30 + initialDelaySeconds: 60 resources: {{- toYaml .Values.resources | nindent 12 }} diff --git a/charts/managed-identity-wallet/templates/job-keycloak-db.yaml b/charts/managed-identity-wallet/templates/job-keycloak-db.yaml new file mode 100644 index 000000000..2b2a789b4 --- /dev/null +++ b/charts/managed-identity-wallet/templates/job-keycloak-db.yaml @@ -0,0 +1,43 @@ +{{- if .Values.keycloak.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Release.Name }}-job-create-db-keycloak +spec: + template: + spec: + containers: + - name: create-db + image: postgres:13 + env: + - name: USER + value: {{ tpl ( .Values.keycloak.externalDatabase.user | quote ) . }} + - name: PGPASSWORD + value: {{ tpl ( .Values.keycloak.externalDatabase.password | quote ) . }} + - name: HOST + value: {{ tpl ( .Values.keycloak.externalDatabase.host | quote ) . }} + - name: PORT + value: {{ tpl ( .Values.keycloak.externalDatabase.port | quote ) . }} + - name: DATABASE + value: {{ tpl ( .Values.keycloak.externalDatabase.database | quote ) . }} + command: [ "bash", "-c", "--" ] + args: + - | + echo "Postgres user: $USER" + echo "Postgres host: $HOST" + echo "Postgres port: $PORT" + echo "Postgres database: $DATABASE" + + echo "Waiting for postgres to start" + while ! psql -h $HOST -p $PORT -U $USER -d postgres -c "select 1" > /dev/null 2>&1; do + sleep 1 + done + + echo "Creating database $DATABASE" + psql -h $HOST -p $PORT -U $USER -d postgres -c "CREATE DATABASE $DATABASE" > /dev/null 2>&1 || echo "Skip creation as database $DATABASE already exists" + + securityContext: {{ .Values.jobSecurityContext | toYaml | nindent 12 }} + restartPolicy: Never + backoffLimit: 0 +--- +{{- end}} # end if .Values.keycloak.enabled 
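Review bot: The `|| echo "Skip creation as database $DATABASE already exists"` fallback at the end of the script treats every psql failure (wrong password, missing CREATEDB privilege, dropped connection) as "already exists" and, with output sent to /dev/null, exits 0, so the Job reports success when no database was created; the same script is in job-miw-db.yaml. Check for existence first and let a real CREATE failure fail the Job, e.g. `psql -h "$HOST" -p "$PORT" -U "$USER" -d postgres -tAc "SELECT 1 FROM pg_database WHERE datname='$DATABASE'" | grep -q 1 || psql -h "$HOST" -p "$PORT" -U "$USER" -d postgres -c "CREATE DATABASE \"$DATABASE\""`, and start the script with `set -eu`. The `while ! psql …` wait loop has no upper bound, and with `backoffLimit: 0` and no `activeDeadlineSeconds` a mistyped host leaves the Job running forever — add `activeDeadlineSeconds` to the Job spec. Both Jobs also have fixed names and no `helm.sh/hook` annotations, so a later `helm upgrade` that changes any of the env values will likely be rejected because a Job's template is immutable; `helm.sh/hook: pre-install,pre-upgrade` with `helm.sh/hook-delete-policy: before-hook-creation` is the usual fix, to be confirmed against how this chart is installed in CI.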
diff --git a/charts/managed-identity-wallet/templates/job-miw-db.yaml b/charts/managed-identity-wallet/templates/job-miw-db.yaml new file mode 100644 index 000000000..680292937 --- /dev/null +++ b/charts/managed-identity-wallet/templates/job-miw-db.yaml @@ -0,0 +1,40 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Release.Name }}-job-create-db-miw +spec: + template: + spec: + containers: + - name: create-db + image: postgres:13 + env: + - name: USER + value: {{ tpl ( .Values.miw.database.user | quote ) . }} + - name: PGPASSWORD + value: {{ tpl ( .Values.miw.database.password | quote ) . }} + - name: HOST + value: {{ tpl ( .Values.miw.database.host | quote ) . }} + - name: PORT + value: {{ tpl ( .Values.miw.database.port | quote ) . }} + - name: DATABASE + value: {{ tpl ( .Values.miw.database.database | quote ) . }} + command: [ "bash", "-c", "--" ] + args: + - | + echo "Postgres user: $USER" + echo "Postgres host: $HOST" + echo "Postgres port: $PORT" + echo "Postgres database: $DATABASE" + + echo "Waiting for postgres to start" + while ! psql -h $HOST -p $PORT -U $USER -d postgres -c "select 1" > /dev/null 2>&1; do + sleep 1 + done + + echo "Creating database $DATABASE" + psql -h $HOST -p $PORT -U $USER -d postgres -c "CREATE DATABASE $DATABASE" > /dev/null 2>&1 || echo "Skip creation as database $DATABASE already exists" + + securityContext: {{ .Values.jobSecurityContext | toYaml | nindent 12 }} + restartPolicy: Never + backoffLimit: 0 diff --git a/charts/managed-identity-wallet/values.yaml b/charts/managed-identity-wallet/values.yaml index 5209f22a4..4805f8407 100644 --- a/charts/managed-identity-wallet/values.yaml +++ b/charts/managed-identity-wallet/values.yaml 
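Review bot: This Job is rendered unconditionally, unlike job-keycloak-db.yaml which sits behind `.Values.keycloak.enabled`, so it also runs when `postgresql.enabled` is false and `miw.database.host` points at an externally managed database, where the application user typically has no CREATE DATABASE right and the Job fails (or, with the current `|| echo` fallback, falsely succeeds). Guard it on the same switch that controls the bundled database, e.g. wrap the file in `{{- if .Values.postgresql.enabled }}` … `{{- end }}`, or introduce a dedicated `miw.database.createDatabase` value. `PGPASSWORD` is also written as a plain `value:` into the Job manifest; it should come from a `secretKeyRef`, as the removed backup CronJob did for `DB_PASSWORD`.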
@@ -17,60 +17,99 @@ # * SPDX-License-Identifier: Apache-2.0 # ********************************************************************************/ +anchors: + setupDependencies: &setupDependencies true + postgres: + host: &postgresHost "{{ .Release.Name }}-postgresql" + port: &postgresPort 5432 + user: &postgresUser user + password: &postgresPassword password + database: &postgresDatabase postgres + backup: + enabled: &postgresBackupEnabled false + keycloak: + realm: &keycloakRealm miw_test + clientId: &keycloakClientId miw_private_client + host: &keycloakHost "{{ .Release.Name }}-keycloak" + url: &keycloakUrl "http://{{ .Release.Name }}-keycloak" + user: &keycloakUser user + password: &keycloakPassword password + postgres: + database: &keyCloakPostgresDatabase "miw_keycloak" + miw: + host: &miwHost "{{ .Release.Name }}-managed-identity-wallet:8080" + environment: &miwEnvironment dev + logging: + level: &miwLoggingLevel INFO + authorityWallet: + bpn: &authorityWalletBpn "BPNL000000000000" + did: &authorityWalletDid "did:web:{{ .Release.Name }}-managed-identity-wallet%3A8080:BPNL000000000000" + ssi: + useHttpsInDidWebResolution: &useHttpsInDidWebResolution false + vcExpiryDate: &vcExpiryDate "31-12-2023" + postgres: + database: &miwPostgresDatabase "miw_app" + encryptionKey: &miwPostgresEncryptionKey 76a7834fb37e090c2789a9b1a76748d3 + defaultSecurityContext: &defaultSecurityContext + runAsUser: 1001 + runAsGroup: 0 + runAsNonRoot: true + # -- The amount of replicas to run replicaCount: 1 # -- Image of the main container image: # -- Image repository - repository: tractusx/managed-identity-wallet + # TODO change back to tractusx/managed-identity-wallet + repository: ghcr.io/catenax-ng/tx-managed-identity-wallet_miw_service # -- PullPolicy pullPolicy: Always # -- Image tag (empty one will use "appVersion" value from chart definition) - tag: "" + # TODO remove latest again + tag: "latest" nameOverride: "" fullnameOverride: "" # -- Parameters for the application (will be 
stored as secrets - so, for passwords, ...) -secrets: {} +secrets: { } # DB_USER_NAME: xxx # Has to be the same as below in "postgresql" section # DB_PASSWORD: xxx # Has to be the same as below in "postgresql" section # KEYCLOAK_CLIENT_ID: xxx # ENCRYPTION_KEY: xxx # 64 chars # -- Parameters for the application (will be provided as plain environment variables) -envs: - DB_HOST: "{{ .Release.Name }}-postgresql" - DB_PORT: 5432 - # set it also in the init script in the postgres initdb section below!! - DB_NAME: miw - DB_USER_NAME: postgres - DB_PASSWORD: postgres - USE_SSL: false - KEYCLOAK_REALM: miw_test - KEYCLOAK_CLIENT_ID: miw_private_client - AUTH_SERVER_URL: "http://{{ .Release.Name }}-keycloak" - ENCRYPTION_KEY: 76a7834fb37e090c2789a9b1a76748d3 - APPLICATION_ENVIRONMENT: dev - ENFORCE_HTTPS_IN_DID_RESOLUTION: false -# DB_POOL_SIZE: xxx -# KEYCLOAK_MIW_PUBLIC_CLIENT: xxx -# MANAGEMENT_PORT: xxx -# MIW_HOST_NAME: xxx - MIW_HOST_NAME: "{{ .Release.Name }}-managed-identity-wallet:8080" - AUTHORITY_WALLET_BPN: BPNL000000000000 -# AUTHORITY_WALLET_NAME: xxx - AUTHORITY_WALLET_DID: did:web:{{ .Release.Name }}-managed-identity-wallet%3A8080:BPNL000000000000 -# VC_SCHEMA_LINK: xxx -# VC_EXPIRY_DATE: xxx -# KEYCLOAK_REALM: xxx -# AUTH_SERVER_URL: xxx +envs: { } + +miw: + host: *miwHost + environment: *miwEnvironment + ssi: + enforceHttpsInDidWebResolution: *useHttpsInDidWebResolution + vcExpiryDate: *vcExpiryDate + authorityWallet: + bpn: *authorityWalletBpn + did: *authorityWalletDid + database: + useSSL: false + port: *postgresPort + host: *postgresHost + user: *postgresUser + password: *postgresPassword + database: *miwPostgresDatabase + encryptionKey: *miwPostgresEncryptionKey + keycloak: + realm: *keycloakRealm + clientId: *keycloakClientId + url: *keycloakUrl + logging: + level: *miwLoggingLevel # -- ServiceAccount configuration serviceAccount: create: true - annotations: {} + annotations: { } name: "" # -- Service configuration 
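Review bot: The new `anchors` block hardcodes live defaults for `postgresPassword` (`password`), `keycloakPassword` (`password`) and `miwPostgresEncryptionKey` (a fixed 32-hex-character key), and because deployment.yaml now reads them through `miw.database.*` as plain env values while `secrets:` is emptied, a default install runs with a committed, publicly known encryption key and database password. Mark each of them as a placeholder that must be overridden (`# -- must be overridden; default is for local testing only`) and consider failing the render when a sensitive value is missing, e.g. `{{ required "miw.database.encryptionKey must be set" .Values.miw.database.encryptionKey }}` in the template. The surviving comment under `secrets:` still says `ENCRYPTION_KEY: xxx # 64 chars` while the new default is 32 characters; one of the two is wrong and should be reconciled with what the application accepts. `tag: "latest"` with `pullPolicy: Always` and the `ghcr.io/catenax-ng` repository are marked TODO, so the `image.tag` comment should state that an empty tag is the intended setting rather than shipping the TODO as the documented default.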
@@ -81,27 +120,27 @@ service: # -- Ingress configuration ingress: enabled: false - annotations: {} + annotations: { } hosts: - host: chart-example.local paths: - path: / pathType: ImplementationSpecific - tls: [] + tls: [ ] # - secretName: chart-example-tls # hosts: # - chart-example.local # -- PodSecurityContext -podSecurityContext: {} +podSecurityContext: { } + +# -- JobSecurityContext +jobSecurityContext: + *defaultSecurityContext # -- Preconfigured SecurityContext securityContext: - privileged: false - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsGroup: 11111 - runAsUser: 11111 + *defaultSecurityContext # -- Resource boundaries resources: 
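Review bot: Replacing the explicit `securityContext` with `*defaultSecurityContext` drops `allowPrivilegeEscalation: false` and `privileged: false` from the application container, which the previous block set, and moves it from uid/gid 11111 to uid 1001 with `runAsGroup: 0`; the same anchor is now also `jobSecurityContext` and the postgres backup `containerSecurityContext`. Add `allowPrivilegeEscalation: false` and `privileged: false` to the `defaultSecurityContext` anchor defined at the top of values.yaml — both are container-level fields, so they fit the Jobs and the backup cronjob as well — and document why gid 0 is chosen (presumably to match the Bitnami image convention) so it is not mistaken for root privileges. If the chart is meant to pass the restricted Pod Security Standard, `capabilities.drop: [ALL]` and `seccompProfile.type: RuntimeDefault` belong in the same anchor, but that goes beyond restoring what the old block had.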
@@ -117,63 +156,51 @@ nodeSelector: "kubernetes.io/os": linux # -- Tolerations configuration -tolerations: [] +tolerations: [ ] # -- Affinity configuration -affinity: {} +affinity: { } # -- PodAnnotation configuration -podAnnotations: {} - -# -- Simple Postgresql backup solution (Dump data to second PV) -backup: - # -- Backup database - database: - # -- Enable / Disable the backup - enabled: false - # -- Backup schedule (help: https://crontab.guru) - cron: "* */6 * * *" - # -- Storage configuration - storage: - # -- Set to true, if the PV should stay even when the chart release is uninstalled - keepStorage: true - # -- Disk size for backup content - diskSize: 10G - # -- storageClassName - storageClassName: "-" +podAnnotations: { } keycloak: - enabled: true + enabled: *setupDependencies postgresql: enabled: false externalDatabase: - host: '{{ .Release.Name }}-postgresql' - port: 5432 - user: postgres - password: postgres - database: keycloak + host: *postgresHost + port: *postgresPort + user: *postgresUser + password: *postgresPassword + database: *keyCloakPostgresDatabase auth: - adminUser: user - adminPassword: password - postgresql: - enabled: false + adminUser: *keycloakUser + adminPassword: *keycloakPassword keycloakConfigCli: enabled: true existingConfigmap: keycloak-realm-config + backoffLimit: 5 extraEnvVars: - name: KEYCLOAK_HOSTNAME - value: "{{ .Release.Name }}-keycloak" + value: *keycloakHost postgresql: - primary: - initdb: - scripts: - init_db_script.sh: | - #!/bin/sh - createdb -O postgres miw - user: postgres - password: postgres + enabled: *setupDependencies + service: + port: *postgresPort auth: - password: postgres - username: postgres - postgresPassword: postgres + database: *postgresDatabase + username: *postgresUser + password: *postgresPassword + # -- see https://github.com/bitnami/charts/tree/main/bitnami/postgresql#backup-parameters + backup: + enabled: *postgresBackupEnabled + conjob: + schedule: "* */6 * * *" + containerSecurityContext: + 
*defaultSecurityContext + storage: + existingClaim: "" + resourcePolicy: "keep" + size: "8Gi" \ No newline at end of file
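Review bot: The key `conjob:` under `postgresql.backup` is misspelled; the Bitnami postgresql backup parameters the comment links to live under `backup.cronjob.*`, so `schedule`, `containerSecurityContext` and `storage` are silently ignored and the upstream defaults apply whenever the backup is enabled — rename it to `cronjob:`. The schedule `"* */6 * * *"` (carried over from the removed `backup.database.cron`) fires every minute during hours 0, 6, 12 and 18 rather than four times a day; `"0 */6 * * *"` is probably what is meant. The file also ends without a trailing newline.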