From 37a8dd002b25cc731275ea4a9a944470f62f4fc7 Mon Sep 17 00:00:00 2001 From: syed salman Date: Fri, 17 May 2024 20:22:06 +0530 Subject: [PATCH 1/2] [DSD-4578] updated charts as per key migration Signed-off-by: syed salman --- charts/hsm-key-migrator/.gitignore | 1 + charts/hsm-key-migrator/.helmignore | 21 ++ charts/hsm-key-migrator/Chart.yaml | 21 ++ charts/hsm-key-migrator/README.md | 43 +++ charts/hsm-key-migrator/templates/NOTES.txt | 1 + .../hsm-key-migrator/templates/_helpers.tpl | 60 ++++ .../templates/clusterrolebinding.yaml | 19 ++ .../templates/extra-list.yaml | 4 + charts/hsm-key-migrator/templates/job.yaml | 84 +++++ .../templates/service-account.yaml | 12 + charts/hsm-key-migrator/values.yaml | 313 ++++++++++++++++++ charts/ida-auth/templates/deployment.yaml | 23 +- charts/ida-auth/values.yaml | 10 +- charts/ida-internal/templates/deployment.yaml | 23 +- charts/ida-internal/values.yaml | 9 +- charts/ida-otp/templates/deployment.yaml | 23 +- charts/ida-otp/values.yaml | 9 +- charts/keygen/templates/job.yaml | 34 ++ charts/keygen/templates/pvc.yaml | 32 ++ charts/keygen/values.yaml | 7 +- charts/keymanager/templates/deployment.yaml | 25 +- charts/keymanager/values.yaml | 10 +- 22 files changed, 758 insertions(+), 26 deletions(-) create mode 100644 charts/hsm-key-migrator/.gitignore create mode 100644 charts/hsm-key-migrator/.helmignore create mode 100644 charts/hsm-key-migrator/Chart.yaml create mode 100644 charts/hsm-key-migrator/README.md create mode 100644 charts/hsm-key-migrator/templates/NOTES.txt create mode 100644 charts/hsm-key-migrator/templates/_helpers.tpl create mode 100644 charts/hsm-key-migrator/templates/clusterrolebinding.yaml create mode 100644 charts/hsm-key-migrator/templates/extra-list.yaml create mode 100644 charts/hsm-key-migrator/templates/job.yaml create mode 100644 charts/hsm-key-migrator/templates/service-account.yaml create mode 100644 charts/hsm-key-migrator/values.yaml create mode 100644 charts/keygen/templates/pvc.yaml 
diff --git a/charts/hsm-key-migrator/.gitignore b/charts/hsm-key-migrator/.gitignore
new file mode 100644
index 000000000..ee3892e87
--- /dev/null
+++ b/charts/hsm-key-migrator/.gitignore
@@ -0,0 +1 @@
+charts/
diff --git a/charts/hsm-key-migrator/.helmignore b/charts/hsm-key-migrator/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/charts/hsm-key-migrator/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/hsm-key-migrator/Chart.yaml b/charts/hsm-key-migrator/Chart.yaml
new file mode 100644
index 000000000..601cfe76a
--- /dev/null
+++ b/charts/hsm-key-migrator/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: hsm-key-migrator
+description: A Helm chart to generate keys
+type: application
+version: 0.0.1-develop
+appVersion: ""
+dependencies:
+ - name: common
+ repository: https://charts.bitnami.com/bitnami
+ tags:
+ - bitnami-common
+ version: 1.x.x
+home: https://mosip.io
+keywords:
+ - mosip
+ - keymanager
+ - hsm-key-migrator
+ - kernel
+maintainers:
+ - email: info@mosip.io
+ name: MOSIP
diff --git a/charts/hsm-key-migrator/README.md b/charts/hsm-key-migrator/README.md
new file mode 100644
index 000000000..82fb66f93
--- /dev/null
+++ b/charts/hsm-key-migrator/README.md
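Review bot: `description: A Helm chart to generate keys` in Chart.yaml describes the keygen chart rather than this one; the chart's own `keywords` say `hsm-key-migrator`, so the description should state what the job actually does, e.g. `description: A Helm chart that runs the HSM key migration job for keymanager and IDA`. `appVersion: ""` also leaves the migrator build unrecorded in release metadata; setting it to the image tag the chart ships (`develop` in values.yaml) would let operators correlate a release with the migrator version that touched their keys.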
@@ -0,0 +1,43 @@ +# hsm-key-migrator + +Helm chart for installing Kernel module hsm-key-migrator. + +## TL;DR + +```console +$ helm repo add mosip https://mosip.github.io +$ helm install my-release mosip/hsm-key-migrator +``` + +## Introduction + +The helm chart here essentially contains job that generates encryption keys for kernel modules. The job is to be run only once during initial install. + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 3.1.0 +- PV provisioner support in the underlying infrastructure +- ReadWriteMany volumes for deployment scaling + +## Installing the Chart + +To install the chart with the release name `hsm-key-migrator`. + +```console +helm install my-release mosip/hsm-key-migrator +``` + +The command deploys hsm-key-migrator on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +helm delete my-release +``` +The command removes all the Kubernetes components associated with the chart and deletes the release. + diff --git a/charts/hsm-key-migrator/templates/NOTES.txt b/charts/hsm-key-migrator/templates/NOTES.txt new file mode 100644 index 000000000..8b1378917 --- /dev/null +++ b/charts/hsm-key-migrator/templates/NOTES.txt @@ -0,0 +1 @@ + diff --git a/charts/hsm-key-migrator/templates/_helpers.tpl b/charts/hsm-key-migrator/templates/_helpers.tpl new file mode 100644 index 000000000..386c741f8 --- /dev/null +++ b/charts/hsm-key-migrator/templates/_helpers.tpl 
@@ -0,0 +1,60 @@ +{{/* +Return the proper image name +*/}} +{{- define "hsm-key-migrator.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "hsm-key-migrator.volumePermissions.image" -}} +{{- include "common.images.image" ( dict "imageRoot" .Values.volumePermissions.image "global" .Values.global ) -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "hsm-key-migrator.imagePullSecrets" -}} +{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.volumePermissions.image) "global" .Values.global) -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "hsm-key-migrator.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (printf "%s" (include "common.names.fullname" .)) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message. +*/}} +{{- define "hsm-key-migrator.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "hsm-key-migrator.validateValues.foo" .) -}} +{{- $messages := append $messages (include "hsm-key-migrator.validateValues.bar" .) 
-}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message -}} +{{- end -}} +{{- end -}} + +{{/* +Return podAnnotations +*/}} +{{- define "hsm-key-migrator.podAnnotations" -}} +{{- if .Values.podAnnotations }} +{{ include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) }} +{{- end }} +{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} +{{ include "common.tplvalues.render" (dict "value" .Values.metrics.podAnnotations "context" $) }} +{{- end }} +{{- end -}} + + diff --git a/charts/hsm-key-migrator/templates/clusterrolebinding.yaml b/charts/hsm-key-migrator/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..27feb48c5 --- /dev/null +++ b/charts/hsm-key-migrator/templates/clusterrolebinding.yaml @@ -0,0 +1,19 @@ +kind: ClusterRoleBinding +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "common.names.fullname" . }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "common.names.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "hsm-key-migrator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} diff --git a/charts/hsm-key-migrator/templates/extra-list.yaml b/charts/hsm-key-migrator/templates/extra-list.yaml new file mode 100644 index 000000000..9ac65f9e1 --- /dev/null +++ b/charts/hsm-key-migrator/templates/extra-list.yaml 
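Review bot: `hsm-key-migrator.validateValues` appends the output of `hsm-key-migrator.validateValues.foo` and `hsm-key-migrator.validateValues.bar`, and neither template is defined in this file or in any other file this commit adds to the chart, so any future `include` of the validator would abort rendering with a missing-template error. Either define real validators (one that fails when `softHsmCM` is unset would be a natural first, since values.yaml says it must be provided at install) or drop the two `append` lines and leave the helper returning an empty list. `hsm-key-migrator.volumePermissions.image` and `hsm-key-migrator.podAnnotations` are likewise not referenced by any template in this commit, which is worth a short comment or a removal so the chart's surface matches what it supports.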
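Review bot: The ClusterRoleBinding is rendered unconditionally even though values.yaml declares `rbac.create: true`, and it binds the migrator's ServiceAccount to a ClusterRole named `{{ template "common.names.fullname" . }}` that no template in this chart creates. As committed the binding dangles unless a same-named ClusterRole already exists in the cluster, and if one does, the job silently inherits whatever cluster-wide permissions that role carries. Wrap the manifest in `{{- if .Values.rbac.create }}` … `{{- end }}`, and unless the migration genuinely needs cluster scope, prefer a Role and RoleBinding in `{{ .Release.Namespace }}` limited to the verbs the job uses; if the job does not call the Kubernetes API at all, drop the RBAC objects entirely.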
@@ -0,0 +1,4 @@
+{{- range .Values.extraDeploy }}
+---
+{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
+{{- end }}
diff --git a/charts/hsm-key-migrator/templates/job.yaml b/charts/hsm-key-migrator/templates/job.yaml
new file mode 100644
index 000000000..3b68a777a
--- /dev/null
+++ b/charts/hsm-key-migrator/templates/job.yaml
@@ -0,0 +1,84 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "common.names.fullname" . }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook-delete-policy": hook-succeeded + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + +spec: + backoffLimit: {{ .Values.backoffLimit }} + template: + metadata: + labels: {{- include "common.labels.standard" . | nindent 8 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + sidecar.istio.io/inject: "false" + spec: + {{- include "hsm-key-migrator.imagePullSecrets" . | nindent 6 }} + {{- if .Values.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" 
.Values.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.podSecurityContext.enabled }} + securityContext: + fsGroup: {{ .Values.podSecurityContext.fsGroup }} + {{- if .Values.podSecurityContext.sysctls }} + sysctls: + {{- toYaml .Values.podSecurityContext.sysctls | nindent 8 }} + {{- end }} + {{- end }} + serviceAccountName: {{ include "hsm-key-migrator.serviceAccountName" . }} + restartPolicy: Never # This is one time job + containers: + - name: hsm-key-migrator + image: {{ template "hsm-key-migrator.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: container_user + value: {{ .Values.containerSecurityContext.runAsUser }} + - name: JDK_JAVA_OPTIONS + value: {{ .Values.additionalResources.javaOpts }} + - name: spring_config_name_env + value: {{ .Values.springConfigNameEnv }} + - name: active_profile_env + value: {{ .Values.activeProfileEnv }} + {{- if .Values.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + envFrom: + {{- if .Values.extraEnvVarsCM }} + {{- range .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ . }} + {{- end }} + {{- end }} + - configMapRef: + name: {{ .Values.softHsmCM }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} diff --git a/charts/hsm-key-migrator/templates/service-account.yaml b/charts/hsm-key-migrator/templates/service-account.yaml new file mode 100644 index 000000000..fb3de86f4 --- /dev/null +++ b/charts/hsm-key-migrator/templates/service-account.yaml 
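Review bot: The `configMapRef` for `{{ .Values.softHsmCM }}` is emitted unconditionally while values.yaml ships `softHsmCM:` empty, so a plain install renders a `configMapRef` with no `name` and the pod fails API validation; the same commit guards the identical block in charts/keygen/templates/job.yaml with `{{- if .Values.softHsmCM }}`, and since the values comment says the name must be set at install time, `name: {{ required "softHsmCM must be set (softhsm-kernel-share or softhsm-ida-share)" .Values.softHsmCM }}` would fail early with a clear message instead. Separately, `"helm.sh/hook-delete-policy": hook-succeeded` has no effect without a `helm.sh/hook` annotation, so the finished Job and its pod are kept indefinitely; either add the hook annotation or drop the policy and set `ttlSecondsAfterFinished`. The container also renders no `securityContext` of its own and mounts no volumes, so it runs as the image's default user; if the migrator is meant to read or write the keystore on the claim the keygen chart now provisions, the `persistence` values defined for this chart are never wired into a `volumeMount`.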
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ name: {{ template "hsm-key-migrator.serviceAccountName" . }}
+ {{- if .Values.commonAnnotations }}
+ annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+ namespace: {{ .Release.Namespace }}
diff --git a/charts/hsm-key-migrator/values.yaml b/charts/hsm-key-migrator/values.yaml
new file mode 100644
index 000000000..eb05d491c
--- /dev/null
+++ b/charts/hsm-key-migrator/values.yaml
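Review bot: The ServiceAccount is created unconditionally, while `hsm-key-migrator.serviceAccountName` and the `serviceAccount.create` value imply it should exist only when `create` is true; with `create: false` and `name: existing-sa` the chart would still try to create a ServiceAccount called `existing-sa` and collide with the one the operator meant to reuse. Wrap the manifest in `{{- if .Values.serviceAccount.create }}` … `{{- end }}`. If the job does not need the Kubernetes API, also set `automountServiceAccountToken: false` here so the pod handling key material does not carry a token it never uses.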
@@ -0,0 +1,313 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +# global: +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Add labels to all the deployed resources +## +commonLabels: + app.kubernetes.io/component: mosip + +## Add annotations to all the deployed resources +## +commonAnnotations: {} + +## Kubernetes Cluster Domain +## +clusterDomain: cluster.local + +## Extra objects to deploy (value evaluated as a template) +## +extraDeploy: [] + +## Number of nodes +## +replicaCount: 1 + +image: + registry: docker.io + repository: mosipdev/keys-migrator + tag: develop + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +## +# existingConfigmap: + +## Command and args for running the container (set to default if not set). Use array form +## +command: [] +args: [] + +## Deployment pod host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] + +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. 
If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: {} + # cpu: 200m + # memory: 256Mi + requests: {} + # cpu: 200m + # memory: 10Mi + +additionalResources: + ## Specify any JAVA_OPTS string here. These typically will be specified in conjunction with above resources + ## Example: java_opts: "-Xms500M -Xmx500M" + javaOpts: "" + +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## Clamav container already runs as 'mosip' user, so we may not need to enable this +containerSecurityContext: + enabled: false + runAsUser: mosip + runAsNonRoot: true + +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## +podSecurityContext: + enabled: false + fsGroup: 1001 + +## Pod affinity preset +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## Allowed values: soft, hard +## +podAffinityPreset: "" + +## Pod anti-affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## Allowed values: soft, hard +## +podAntiAffinityPreset: soft + +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## Allowed values: soft, hard +## +nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + ## + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + +## Affinity for pod assignment. Evaluated as a template. +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} + +## Node labels for pod assignment. 
Evaluated as a template. +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## Tolerations for pod assignment. Evaluated as a template. +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + +## Pod extra labels +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} + +## Annotations for server pods. +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} + +## pods' priority. +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +# priorityClassName: "" + +## lifecycleHooks for the container to automate configuration before or after startup. +## +lifecycleHooks: {} + +## Custom Liveness probes for +## +customLivenessProbe: {} + +## Custom Rediness probes +## +customReadinessProbe: {} + +## "backoff" strategy - It is used when dealing with resources that are retrying or recovering from failures. +## +backoffLimit: 0 + +## Update strategy - only really applicable for deployments with RWO PVs attached +## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the +## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will +## terminate the single previous pod, so that the new, incoming pod can attach to the PV +## +updateStrategy: + type: RollingUpdate + +## Additional environment variables to set +## Example: +## extraEnvVars: +## - name: FOO +## value: "bar" +## + +extraEnvVars: [] + +## ConfigMap with extra environment variables that used +## +## IMPORTANT: softhsm name needs to be set if not default as mentioned below. 
This applies if softhsm name +## is different +extraEnvVarsCM: + - global + - config-server-share + - artifactory-share + +## Secret with extra environment variables +## +extraEnvVarsSecret: + +## Extra volumes to add to the deployment +## +extraVolumes: [] + +## Extra volume mounts to add to the container +## +extraVolumeMounts: [] + +## Add init containers to the pods. +## Example: +## initContainers: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +initContainers: {} + +## Add sidecars to the pods. +## Example: +## sidecars: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +sidecars: {} + +persistence: + enabled: false + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack). + ## + # storageClass: "-" + ## + ## If you want to reuse an existing claim, you can pass the name of the PVC using + ## the existingClaim variable + # existingClaim: your-claim + ## ReadWriteMany not supported by AWS gp2 + storageClass: + accessModes: + - ReadWriteOnce + size: 10M + existingClaim: + # Dir where config and keys are written inside container + mountDir: + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. +## +volumePermissions: + enabled: false + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: "10" + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + pullSecrets: [] + ## - myRegistryKeySecretName + ## Init containers' resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## + limits: {} + ## cpu: 100m + ## memory: 128Mi + ## + requests: {} + ## cpu: 100m + ## memory: 128Mi + ## + +## Specifies whether RBAC resources should be created +## +rbac: + create: true + +## Specifies whether a ServiceAccount should be created +## +serviceAccount: + create: true + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + ## + name: + +# kernel or id-authentication +springConfigNameEnv: kernel +# default or migrator +activeProfileEnv: default + +## This param is to be set during installation. +## For Kernel: softhsm-kernel-share +## For IDA: softhsm-ida-share +softHsmCM: diff --git a/charts/ida-auth/templates/deployment.yaml b/charts/ida-auth/templates/deployment.yaml index 21228eb9a..13fb936ab 100644 --- a/charts/ida-auth/templates/deployment.yaml +++ b/charts/ida-auth/templates/deployment.yaml 
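Review bot: `containerSecurityContext.runAsUser: mosip` is a user name, but Kubernetes `runAsUser` is a numeric UID, so this value can only ever feed the `container_user` env var and would be rejected the moment a template started rendering the security context; the comment above it, `Clamav container already runs as 'mosip' user`, is also carried over from another chart. Because job.yaml renders no container `securityContext` at all, consider `enabled: true` with a numeric `runAsUser` matching the `1001` the sibling charts `chown` their keystore directory to, plus `runAsNonRoot: true`, so the job that touches key material does not depend on the image's default user. Much of the remainder (`replicaCount`, `updateStrategy`, `customLivenessProbe`, `customReadinessProbe`, `lifecycleHooks`, `sidecars`, `initContainers`) is Deployment scaffolding the Job template never reads, and `initContainers: {}` / `sidecars: {}` are maps where the templates that do consume them expect lists; trimming these keeps the values file honest about what the chart supports.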
@@ -57,18 +57,20 @@ spec: initContainers: {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - name: volume-permissions - image: {{ include "ida-auth.volumePermissions.image" . }} + image: {{ template "ida-auth.image" . }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} command: - - %%commands%% + - /bin/bash + - -c + - chown -R 1001:1001 {{ .Values.persistence.mountDir }} securityContext: runAsUser: 0 {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} {{- end }} volumeMounts: - - name: foo - mountPath: bar + - name: {{ .Values.persistence.volume_name }} + mountPath: {{ .Values.persistence.mountDir }} {{- end }} {{- if .Values.enable_insecure }} {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} @@ -94,6 +96,10 @@ spec: value: {{ .Values.containerSecurityContext.runAsUser }} - name: JDK_JAVA_OPTIONS value: {{ .Values.additionalResources.javaOpts }} + - name: spring_config_name_env + value: {{ .Values.springConfigNameEnv }} + - name: active_profile_env + value: {{ .Values.activeProfileEnv }} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} @@ -136,6 +142,10 @@ spec: name: cacerts subPath: cacerts {{- end }} + {{- if .Values.persistence.enabled }} + - name: {{ .Values.persistence.volume_name }} + mountPath: {{ .Values.persistence.mountDir }} + {{- end }} {{- if .Values.sidecars }} {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} @@ -144,3 +154,8 @@ spec: - name: cacerts emptyDir: {} {{- end }} + {{- if .Values.persistence.enabled }} + - name: {{ .Values.persistence.volume_name }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default .Values.persistence.pvc_claim_name }} + {{- end }} 
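Review bot: The volume-permissions init container runs as `runAsUser: 0` and executes `chown -R 1001:1001 {{ .Values.persistence.mountDir }}` with the owner hard-coded, while the application container is configured from `.Values.containerSecurityContext` and `.Values.podSecurityContext`; if those ever diverge from 1001 the key directory ends up owned by the wrong UID, so derive the owner from the same values the pod's security context uses (a numeric `runAsUser` and `podSecurityContext.fsGroup`) rather than a literal, and quote the path so an empty `mountDir` fails visibly instead of running `chown` on nothing. The image is switched to `ida-auth.image` while `imagePullPolicy` still reads `.Values.volumePermissions.image.pullPolicy`, which is an odd pairing that deserves either the app image's pull policy or a comment explaining why the permissions step now uses the application image. The same three points apply to the matching hunks in charts/ida-internal/templates/deployment.yaml, charts/ida-otp/templates/deployment.yaml and charts/keygen/templates/job.yaml.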
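Review bot: `claimName: {{ .Values.persistence.existingClaim | default .Values.persistence.pvc_claim_name }}` falls back to a key that charts/ida-auth/values.yaml only ships commented out (`# pvc_claim_name: pkcs12-keys.p12`), and this chart receives no pvc.yaml in the commit, so enabling persistence without `existingClaim` renders a `persistentVolumeClaim` with an empty `claimName` and the Deployment is rejected at apply time. Make the requirement explicit: `claimName: {{ .Values.persistence.existingClaim | default .Values.persistence.pvc_claim_name | required "persistence.existingClaim (or pvc_claim_name) must be set when persistence.enabled is true" }}`. The same applies to the final hunks of charts/ida-internal/templates/deployment.yaml and charts/ida-otp/templates/deployment.yaml. The `volumes:` list this hunk extends begins outside the hunk.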
diff --git a/charts/ida-auth/values.yaml b/charts/ida-auth/values.yaml index de69213ea..348613b79 100644 --- a/charts/ida-auth/values.yaml +++ b/charts/ida-auth/values.yaml @@ -333,11 +333,14 @@ persistence: ## ReadWriteMany not supported by AWS gp2 storageClass: accessModes: - - ReadWriteOnce + - ReadWriteMany size: 10M + # existingClaim: pkcs12-keys.p12 existingClaim: # Dir where config and keys are written inside container - mountDir: + mountDir: /home/mosip/config/ + volume_name: config + # pvc_claim_name: pkcs12-keys.p12 ## Init containers parameters: ## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. @@ -466,3 +469,6 @@ istio: prefix: /idauthentication/v1/vci-exchange enable_insecure: false + +springConfigNameEnv: 'id-authentication' +activeProfileEnv: 'default' diff --git a/charts/ida-internal/templates/deployment.yaml b/charts/ida-internal/templates/deployment.yaml index 99a3f83a5..f80530066 100644 --- a/charts/ida-internal/templates/deployment.yaml +++ b/charts/ida-internal/templates/deployment.yaml 
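Review bot: `accessModes` changes to `ReadWriteMany` directly under the retained comment `## ReadWriteMany not supported by AWS gp2`, which now reads as a warning against the chart's own default; update the comment to say which storage class is expected to back the shared keystore (or that `storageClass` must be set to an RWX-capable class for the three IDA deployments to share it). The new `mountDir: /home/mosip/config/` mounts the claim over the container's config directory, so anything the image ships at that path would be hidden by the volume; a one-line comment confirming the directory is empty in the image, or a narrower mount path, would remove the doubt. The same comment/default mismatch is in charts/ida-internal/values.yaml, charts/ida-otp/values.yaml and charts/keygen/values.yaml.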
@@ -57,18 +57,20 @@ spec: initContainers: {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - name: volume-permissions - image: {{ include "ida-internal.volumePermissions.image" . }} + image: {{ template "ida-internal.image" . }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} command: - - %%commands%% + - /bin/bash + - -c + - chown -R 1001:1001 {{ .Values.persistence.mountDir }} securityContext: runAsUser: 0 {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} {{- end }} volumeMounts: - - name: foo - mountPath: bar + - name: {{ .Values.persistence.volume_name }} + mountPath: {{ .Values.persistence.mountDir }} {{- end }} {{- if .Values.enable_insecure }} {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} @@ -94,6 +96,10 @@ spec: value: {{ .Values.containerSecurityContext.runAsUser }} - name: JDK_JAVA_OPTIONS value: {{ .Values.additionalResources.javaOpts }} + - name: spring_config_name_env + value: {{ .Values.springConfigNameEnv }} + - name: active_profile_env + value: {{ .Values.activeProfileEnv }} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} @@ -136,6 +142,10 @@ spec: name: cacerts subPath: cacerts {{- end }} + {{- if .Values.persistence.enabled }} + - name: {{ .Values.persistence.volume_name }} + mountPath: {{ .Values.persistence.mountDir }} + {{- end }} {{- if .Values.sidecars }} {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} @@ -144,3 +154,8 @@ spec: - name: cacerts emptyDir: {} {{- end }} + {{- if .Values.persistence.enabled }} + - name: {{ .Values.persistence.volume_name }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default .Values.persistence.pvc_claim_name }} + {{- end }} 
diff --git a/charts/ida-internal/values.yaml b/charts/ida-internal/values.yaml index 5a6751623..3a38141af 100644 --- a/charts/ida-internal/values.yaml +++ b/charts/ida-internal/values.yaml @@ -333,11 +333,14 @@ persistence: ## ReadWriteMany not supported by AWS gp2 storageClass: accessModes: - - ReadWriteOnce + - ReadWriteMany size: 10M + # existingClaim: pkcs12-keys.p12 existingClaim: # Dir where config and keys are written inside container - mountDir: + mountDir: /home/mosip/config/ + volume_name: config + # pvc_claim_name: pkcs12-keys.p12 ## Init containers parameters: ## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. @@ -451,3 +454,5 @@ istio: prefix: /idauthentication/v1/internal enable_insecure: false +springConfigNameEnv: 'id-authentication' +activeProfileEnv: 'default' diff --git a/charts/ida-otp/templates/deployment.yaml b/charts/ida-otp/templates/deployment.yaml index 3cb03768b..34ba0095c 100644 --- a/charts/ida-otp/templates/deployment.yaml +++ b/charts/ida-otp/templates/deployment.yaml @@ -57,18 +57,20 @@ spec: initContainers: {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - name: volume-permissions - image: {{ include "ida-otp.volumePermissions.image" . }} + image: {{ template "ida-otp.image" . }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} command: - - %%commands%% + - /bin/bash + - -c + - chown -R 1001:1001 {{ .Values.persistence.mountDir }} securityContext: runAsUser: 0 {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} {{- end }} volumeMounts: - - name: foo - mountPath: bar + - name: {{ .Values.persistence.volume_name }} + mountPath: {{ .Values.persistence.mountDir }} {{- end }} {{- if .Values.enable_insecure }} {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} 
@@ -94,6 +96,10 @@ spec: value: {{ .Values.containerSecurityContext.runAsUser }} - name: JDK_JAVA_OPTIONS value: {{ .Values.additionalResources.javaOpts }} + - name: spring_config_name_env + value: {{ .Values.springConfigNameEnv }} + - name: active_profile_env + value: {{ .Values.activeProfileEnv }} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} @@ -136,6 +142,10 @@ spec: name: cacerts subPath: cacerts {{- end }} + {{- if .Values.persistence.enabled }} + - name: {{ .Values.persistence.volume_name }} + mountPath: {{ .Values.persistence.mountDir }} + {{- end }} {{- if .Values.sidecars }} {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} @@ -144,3 +154,8 @@ spec: - name: cacerts emptyDir: {} {{- end }} + {{- if .Values.persistence.enabled }} + - name: {{ .Values.persistence.volume_name }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default .Values.persistence.pvc_claim_name }} + {{- end }} diff --git a/charts/ida-otp/values.yaml b/charts/ida-otp/values.yaml index 34fed5b90..effa17bc8 100644 --- a/charts/ida-otp/values.yaml +++ b/charts/ida-otp/values.yaml @@ -333,11 +333,14 @@ persistence: ## ReadWriteMany not supported by AWS gp2 storageClass: accessModes: - - ReadWriteOnce + - ReadWriteMany size: 10M + # existingClaim: pkcs12-keys.p12 existingClaim: # Dir where config and keys are written inside container - mountDir: + mountDir: /home/mosip/config/ + volume_name: config + # pvc_claim_name: pkcs12-keys.p12 ## Init containers parameters: ## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. @@ -450,3 +453,5 @@ istio: prefix: /idauthentication/v1/otp enable_insecure: false +springConfigNameEnv: 'id-authentication' +activeProfileEnv: 'default' 
diff --git a/charts/keygen/templates/job.yaml b/charts/keygen/templates/job.yaml index d737e0894..7f3919766 100644 --- a/charts/keygen/templates/job.yaml +++ b/charts/keygen/templates/job.yaml @@ -53,6 +53,27 @@ spec: {{- end }} serviceAccountName: {{ include "keygen.serviceAccountName" . }} restartPolicy: Never # This is one time job + initContainers: + {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} + - name: volume-permissions + image: {{ template "keygen.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + command: + - /bin/bash + - -c + - chown -R 1001:1001 {{ .Values.persistence.mountDir }} + securityContext: + runAsUser: 0 + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + volumeMounts: + - name: {{ .Values.persistence.volume_name }} + mountPath: {{ .Values.persistence.mountDir }} + {{- end }} + {{- if .Values.initContainers }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- end }} containers: - name: keygen image: {{ template "keygen.image" . }} @@ -64,6 +85,8 @@ spec: value: {{ .Values.additionalResources.javaOpts }} - name: spring_config_name_env value: {{ .Values.springConfigNameEnv }} + - name: active_profile_env + value: {{ .Values.activeProfileEnv }} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} 
@@ -74,9 +97,20 @@ spec: name: {{ . }} {{- end }} {{- end }} + {{- if .Values.softHsmCM }} - configMapRef: name: {{ .Values.softHsmCM }} + {{- end }} {{- if .Values.extraEnvVarsSecret }} - secretRef: name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} {{- end }} + volumeMounts: + - name: {{ .Values.persistence.volume_name }} + mountPath: {{ .Values.persistence.mountDir }} + volumes: + {{- if .Values.persistence.enabled }} + - name: {{ .Values.persistence.volume_name }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default .Values.persistence.pvc_claim_name }} + {{ end }} diff --git a/charts/keygen/templates/pvc.yaml b/charts/keygen/templates/pvc.yaml new file mode 100644 index 000000000..1a7a90992 --- /dev/null +++ b/charts/keygen/templates/pvc.yaml 
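Review bot: The container-level `volumeMounts` is emitted unconditionally while the matching `volumes` entry is wrapped in `{{- if .Values.persistence.enabled }}`, so with persistence disabled the pod references a volume named `config` that does not exist and the Job is rejected at admission. Wrap the mount in the same guard: `{{- if .Values.persistence.enabled }}` before `- name: {{ .Values.persistence.volume_name }}` and `{{- end }}` after the `mountPath` line. The closing `{{ end }}` on the volumes block lacks the whitespace-trimming dash used everywhere else in this file and leaves a stray indented line in the rendered manifest; make it `{{- end }}`.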
@@ -0,0 +1,32 @@ +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ .Values.persistence.pvc_claim_name }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + "helm.sh/resource-policy": keep +spec: + accessModes: + {{- if not (empty .Values.persistence.accessModes) }} + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + {{- else }} + - {{ .Values.persistence.accessModes | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) | nindent 2 }} + {{- if .Values.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.dataSource "context" $) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/keygen/values.yaml b/charts/keygen/values.yaml index 30a879dc4..70f59f0a8 100644 --- a/charts/keygen/values.yaml +++ b/charts/keygen/values.yaml @@ -248,11 +248,14 @@ persistence: ## ReadWriteMany not supported by AWS gp2 storageClass: accessModes: - - ReadWriteOnce + - ReadWriteMany size: 10M existingClaim: # Dir where config and keys are written inside container - mountDir: + mountDir: /home/mosip/config/ + volume_name: config + # pvc_claim_name: pkcs12-keys.p12 + pvc_claim_name: ## Init containers parameters: ## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. 
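Review bot: `name: {{ .Values.persistence.pvc_claim_name }}` renders an empty metadata.name with the shipped values (the keygen values hunk below leaves `pvc_claim_name:` empty), and this template is only reached when `existingClaim` is unset, so a default install with persistence enabled fails with an opaque validation error instead of a chart message. Fail early: `name: {{ required "persistence.pvc_claim_name is required when persistence.enabled is true and persistence.existingClaim is not set" .Values.persistence.pvc_claim_name | quote }}`. The `"helm.sh/resource-policy": keep` annotation is the right call for a volume holding the generated keystore, but it means `helm uninstall` leaves the claim and the key material behind; that deserves a sentence in the chart README and a comment beside `pvc_claim_name` in values.yaml.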
diff --git a/charts/keymanager/templates/deployment.yaml b/charts/keymanager/templates/deployment.yaml index a92155d2d..2f145d164 100644 --- a/charts/keymanager/templates/deployment.yaml +++ b/charts/keymanager/templates/deployment.yaml @@ -57,18 +57,20 @@ spec: initContainers: {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }} - name: volume-permissions - image: {{ include "keymanager.volumePermissions.image" . }} + image: {{ template "keymanager.image" . }} imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} command: - - %%commands%% + - /bin/bash + - -c + - chown -R 1001:1001 {{ .Values.persistence.mountDir }} securityContext: runAsUser: 0 {{- if .Values.volumePermissions.resources }} resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} {{- end }} volumeMounts: - - name: foo - mountPath: bar + - name: {{ .Values.persistence.volume_name }} + mountPath: {{ .Values.persistence.mountDir }} {{- end }} {{- if .Values.initContainers }} {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} @@ -94,6 +96,10 @@ spec: value: {{ .Values.containerSecurityContext.runAsUser }} - name: JDK_JAVA_OPTIONS value: {{ .Values.additionalResources.javaOpts }} + - name: spring_config_name_env + value: {{ .Values.springConfigNameEnv }} + - name: active_profile_env + value: {{ .Values.activeProfileEnv }} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} 
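Review bot: The init container now uses `{{ template "keymanager.image" . }}` but keeps `imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }}`, so the pull policy applied to the application image is read from the values of an image that is no longer used, and the `keymanager.volumePermissions.image` helper (and presumably its entry in the pull-secrets list) becomes dead. Either keep the dedicated volume-permissions image, or switch to `imagePullPolicy: {{ .Values.image.pullPolicy }}` and drop the unused helper and `volumePermissions.image` values. The replaced `chown` command hard-codes `1001:1001` as in the keygen job hunk above. The initContainers list continues outside the hunk.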
@@ -133,3 +139,14 @@ spec: {{- if .Values.sidecars }} {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} + volumeMounts: + {{- if .Values.persistence.enabled }} + - name: {{ .Values.persistence.volume_name }} + mountPath: {{ .Values.persistence.mountDir }} + {{- end }} + volumes: + {{- if .Values.persistence.enabled }} + - name: {{ .Values.persistence.volume_name }} + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim | default .Values.persistence.pvc_claim_name }} + {{ end }} diff --git a/charts/keymanager/values.yaml b/charts/keymanager/values.yaml index 941a90e15..3d29508a4 100644 --- a/charts/keymanager/values.yaml +++ b/charts/keymanager/values.yaml @@ -302,11 +302,14 @@ persistence: ## ReadWriteMany not supported by AWS gp2 storageClass: accessModes: - - ReadWriteOnce + - ReadWriteMany size: 10M + # existingClaim: pkcs12-keys.p12 existingClaim: # Dir where config and keys are written inside container - mountDir: + mountDir: /home/mosip/config/ + volume_name: config + # pvc_claim_name: pkcs12-keys.p12 ## Init containers parameters: ## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. @@ -418,3 +421,6 @@ istio: enabled: true gateway: istio-system/internal prefix: /v1/keymanager + +springConfigNameEnv: kernel +activeProfileEnv: default From 042e0c48763532fc62ae4f1a939d2eaab0dd4d37 Mon Sep 17 00:00:00 2001 From: syed salman Date: Fri, 24 May 2024 23:43:52 +0530 Subject: [PATCH 2/2] [DSD-4578] Updated migration charts as per review changes requested 
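Review bot: The added `volumeMounts:` block is placed after the `{{- if .Values.sidecars }}` include that appends further containers, so with sidecars configured the mounts would attach to the last sidecar rather than to the keymanager container; the collapsed diff does not let me confirm the indentation, so treat this as something to verify against `helm template` output with a sidecar set. Move the mounts up beside the container's `env`/`envFrom`, and if that container already carries a `volumeMounts` key (the ida charts mount `cacerts` this way) merge into it rather than adding a second key, which a YAML parser either rejects as a duplicate or silently resolves in favour of one of them. The `{{ end }}` closing the volumes block should be `{{- end }}` to match the rest of the file.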
Signed-off-by: syed salman --- charts/hsm-key-migrator/README.md | 43 ----------------- charts/ida-auth/templates/deployment.yaml | 6 +++ charts/ida-auth/values.yaml | 4 +- charts/ida-internal/templates/deployment.yaml | 6 +++ charts/ida-internal/values.yaml | 4 +- charts/ida-otp/templates/deployment.yaml | 6 +++ charts/ida-otp/values.yaml | 4 +- .../.gitignore | 0 .../.helmignore | 0 .../Chart.yaml | 8 ++-- charts/key-migration-utility/README.md | 47 +++++++++++++++++++ .../templates/NOTES.txt | 0 .../templates/_helpers.tpl | 16 +++---- .../templates/clusterrolebinding.yaml | 2 +- .../templates/extra-list.yaml | 0 .../templates/job.yaml | 12 +++-- .../templates/service-account.yaml | 2 +- .../values.yaml | 8 ++-- charts/keygen/templates/job.yaml | 4 ++ charts/keymanager/templates/deployment.yaml | 6 +++ charts/keymanager/values.yaml | 4 +- 21 files changed, 108 insertions(+), 74 deletions(-) delete mode 100644 charts/hsm-key-migrator/README.md rename charts/{hsm-key-migrator => key-migration-utility}/.gitignore (100%) rename charts/{hsm-key-migrator => key-migration-utility}/.helmignore (100%) rename charts/{hsm-key-migrator => key-migration-utility}/Chart.yaml (66%) create mode 100644 charts/key-migration-utility/README.md rename charts/{hsm-key-migrator => key-migration-utility}/templates/NOTES.txt (100%) rename charts/{hsm-key-migrator => key-migration-utility}/templates/_helpers.tpl (74%) rename charts/{hsm-key-migrator => key-migration-utility}/templates/clusterrolebinding.yaml (91%) rename charts/{hsm-key-migrator => key-migration-utility}/templates/extra-list.yaml (100%) rename charts/{hsm-key-migrator => key-migration-utility}/templates/job.yaml (89%) rename charts/{hsm-key-migrator => key-migration-utility}/templates/service-account.yaml (87%) rename charts/{hsm-key-migrator => key-migration-utility}/values.yaml (98%) diff --git a/charts/hsm-key-migrator/README.md b/charts/hsm-key-migrator/README.md deleted file mode 100644 index 82fb66f93..000000000 
--- a/charts/hsm-key-migrator/README.md +++ /dev/null @@ -1,43 +0,0 @@ -# hsm-key-migrator - -Helm chart for installing Kernel module hsm-key-migrator. - -## TL;DR - -```console -$ helm repo add mosip https://mosip.github.io -$ helm install my-release mosip/hsm-key-migrator -``` - -## Introduction - -The helm chart here essentially contains job that generates encryption keys for kernel modules. The job is to be run only once during initial install. - -## Prerequisites - -- Kubernetes 1.12+ -- Helm 3.1.0 -- PV provisioner support in the underlying infrastructure -- ReadWriteMany volumes for deployment scaling - -## Installing the Chart - -To install the chart with the release name `hsm-key-migrator`. - -```console -helm install my-release mosip/hsm-key-migrator -``` - -The command deploys hsm-key-migrator on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console -helm delete my-release -``` -The command removes all the Kubernetes components associated with the chart and deletes the release. - diff --git a/charts/ida-auth/templates/deployment.yaml b/charts/ida-auth/templates/deployment.yaml index 13fb936ab..dd244d5fd 100644 --- a/charts/ida-auth/templates/deployment.yaml +++ b/charts/ida-auth/templates/deployment.yaml 
@@ -94,12 +94,18 @@ spec: env: - name: container_user value: {{ .Values.containerSecurityContext.runAsUser }} + {{- if .Values.additionalResources.javaOpts }} - name: JDK_JAVA_OPTIONS value: {{ .Values.additionalResources.javaOpts }} + {{- end }} + {{- if .Values.springConfigNameEnv }} - name: spring_config_name_env value: {{ .Values.springConfigNameEnv }} + {{- end }} + {{- if .Values.activeProfileEnv }} - name: active_profile_env value: {{ .Values.activeProfileEnv }} + {{- end}} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} diff --git a/charts/ida-auth/values.yaml b/charts/ida-auth/values.yaml index 348613b79..8e808c5f4 100644 --- a/charts/ida-auth/values.yaml +++ b/charts/ida-auth/values.yaml @@ -470,5 +470,5 @@ istio: enable_insecure: false -springConfigNameEnv: 'id-authentication' -activeProfileEnv: 'default' +springConfigNameEnv: +activeProfileEnv: diff --git a/charts/ida-internal/templates/deployment.yaml b/charts/ida-internal/templates/deployment.yaml index f80530066..465d68012 100644 --- a/charts/ida-internal/templates/deployment.yaml +++ b/charts/ida-internal/templates/deployment.yaml @@ -94,12 +94,18 @@ spec: env: - name: container_user value: {{ .Values.containerSecurityContext.runAsUser }} + {{- if .Values.additionalResources.javaOpts }} - name: JDK_JAVA_OPTIONS value: {{ .Values.additionalResources.javaOpts }} + {{- end }} + {{- if .Values.springConfigNameEnv }} - name: spring_config_name_env value: {{ .Values.springConfigNameEnv }} + {{- end }} + {{- if .Values.activeProfileEnv }} - name: active_profile_env value: {{ .Values.activeProfileEnv }} + {{- end}} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} diff --git a/charts/ida-internal/values.yaml b/charts/ida-internal/values.yaml index 3a38141af..f1e5a5a17 100644 --- a/charts/ida-internal/values.yaml 
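Review bot: `{{- end}}` closing the `activeProfileEnv` guard omits the space that the neighbouring `{{- end }}` tags use; it renders the same but breaks the consistency the template otherwise keeps and any grep for `end }}`. The same tag appears in the ida-internal hunk on this line, the ida-otp hunk and the keymanager deployment hunk further down. With the values hunks now shipping `springConfigNameEnv:` and `activeProfileEnv:` empty, the guards mean neither variable is set and the application's built-in defaults apply; a comment in values.yaml recording what those defaults are (the previous chart defaults were `id-authentication` and `default`) would keep that discoverable.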
+++ b/charts/ida-internal/values.yaml @@ -454,5 +454,5 @@ istio: prefix: /idauthentication/v1/internal enable_insecure: false -springConfigNameEnv: 'id-authentication' -activeProfileEnv: 'default' +springConfigNameEnv: +activeProfileEnv: diff --git a/charts/ida-otp/templates/deployment.yaml b/charts/ida-otp/templates/deployment.yaml index 34ba0095c..7016a127a 100644 --- a/charts/ida-otp/templates/deployment.yaml +++ b/charts/ida-otp/templates/deployment.yaml @@ -94,12 +94,18 @@ spec: env: - name: container_user value: {{ .Values.containerSecurityContext.runAsUser }} + {{- if .Values.additionalResources.javaOpts }} - name: JDK_JAVA_OPTIONS value: {{ .Values.additionalResources.javaOpts }} + {{- end }} + {{- if .Values.springConfigNameEnv }} - name: spring_config_name_env value: {{ .Values.springConfigNameEnv }} + {{- end }} + {{- if .Values.activeProfileEnv }} - name: active_profile_env value: {{ .Values.activeProfileEnv }} + {{- end}} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} diff --git a/charts/ida-otp/values.yaml b/charts/ida-otp/values.yaml index effa17bc8..0208fc6d3 100644 --- a/charts/ida-otp/values.yaml +++ b/charts/ida-otp/values.yaml @@ -453,5 +453,5 @@ istio: prefix: /idauthentication/v1/otp enable_insecure: false -springConfigNameEnv: 'id-authentication' -activeProfileEnv: 'default' +springConfigNameEnv: +activeProfileEnv: diff --git a/charts/hsm-key-migrator/.gitignore b/charts/key-migration-utility/.gitignore similarity index 100% rename from charts/hsm-key-migrator/.gitignore rename to charts/key-migration-utility/.gitignore diff --git a/charts/hsm-key-migrator/.helmignore b/charts/key-migration-utility/.helmignore similarity index 100% rename from charts/hsm-key-migrator/.helmignore rename to charts/key-migration-utility/.helmignore 
diff --git a/charts/hsm-key-migrator/Chart.yaml b/charts/key-migration-utility/Chart.yaml similarity index 66% rename from charts/hsm-key-migrator/Chart.yaml rename to charts/key-migration-utility/Chart.yaml index 601cfe76a..d877f6208 100644 --- a/charts/hsm-key-migrator/Chart.yaml +++ b/charts/key-migration-utility/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 -name: hsm-key-migrator -description: A Helm chart to generate keys +name: key-migration-utility +description: A Helm chart to migrate keys from any keystore type to any other supported format. type: application version: 0.0.1-develop appVersion: "" @@ -13,9 +13,7 @@ dependencies: home: https://mosip.io keywords: - mosip - - keymanager - - hsm-key-migrator - - kernel + - key-migration-utility maintainers: - email: info@mosip.io name: MOSIP diff --git a/charts/key-migration-utility/README.md b/charts/key-migration-utility/README.md new file mode 100644 index 000000000..5cb608860 --- /dev/null +++ b/charts/key-migration-utility/README.md 
@@ -0,0 +1,47 @@ +# key-migration-utility + +Helm chart for installing Kernel module key-migration-utility. + +## TL;DR + +```console +$ helm repo add mosip https://mosip.github.io +$ helm install my-release mosip/key-migration-utility +``` + +## Introduction + +The helm chart here essentially contains job that helps to migrate keys from any keystore type to any other supported format. + +Keymanager facilitates various keystore types, including `PKCS11`, `PKCS12`, `JCE`, and `offline`. + +**Note :** The offline keystore type is not compatible with keymigration operations. + +## Prerequisites + +- Kubernetes 1.12+ +- Helm 3.1.0 +- PV provisioner support in the underlying infrastructure +- ReadWriteMany volumes for deployment scaling + +## Installing the Chart + +To install the chart with the release name `key-migration-utility`. + +```console +helm install my-release mosip/key-migration-utility +``` + +The command deploys key-migration-utility on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +helm delete my-release +``` +The command removes all the Kubernetes components associated with the chart and deletes the release. + diff --git a/charts/hsm-key-migrator/templates/NOTES.txt b/charts/key-migration-utility/templates/NOTES.txt similarity index 100% rename from charts/hsm-key-migrator/templates/NOTES.txt rename to charts/key-migration-utility/templates/NOTES.txt diff --git a/charts/hsm-key-migrator/templates/_helpers.tpl b/charts/key-migration-utility/templates/_helpers.tpl similarity index 74% rename from charts/hsm-key-migrator/templates/_helpers.tpl rename to charts/key-migration-utility/templates/_helpers.tpl index 386c741f8..8602b84e4 100644 --- a/charts/hsm-key-migrator/templates/_helpers.tpl 
+++ b/charts/key-migration-utility/templates/_helpers.tpl @@ -1,28 +1,28 @@ {{/* Return the proper image name */}} -{{- define "hsm-key-migrator.image" -}} +{{- define "key-migration-utility.image" -}} {{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} {{- end -}} {{/* Return the proper image name (for the init container volume-permissions image) */}} -{{- define "hsm-key-migrator.volumePermissions.image" -}} +{{- define "key-migration-utility.volumePermissions.image" -}} {{- include "common.images.image" ( dict "imageRoot" .Values.volumePermissions.image "global" .Values.global ) -}} {{- end -}} {{/* Return the proper Docker Image Registry Secret Names */}} -{{- define "hsm-key-migrator.imagePullSecrets" -}} +{{- define "key-migration-utility.imagePullSecrets" -}} {{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.volumePermissions.image) "global" .Values.global) -}} {{- end -}} {{/* Create the name of the service account to use */}} -{{- define "hsm-key-migrator.serviceAccountName" -}} +{{- define "key-migration-utility.serviceAccountName" -}} {{- if .Values.serviceAccount.create -}} {{ default (printf "%s" (include "common.names.fullname" .)) .Values.serviceAccount.name }} {{- else -}} @@ -33,10 +33,10 @@ Create the name of the service account to use {{/* Compile all warnings into a single message. */}} -{{- define "hsm-key-migrator.validateValues" -}} +{{- define "key-migration-utility.validateValues" -}} {{- $messages := list -}} -{{- $messages := append $messages (include "hsm-key-migrator.validateValues.foo" .) -}} -{{- $messages := append $messages (include "hsm-key-migrator.validateValues.bar" .) -}} +{{- $messages := append $messages (include "key-migration-utility.validateValues.foo" .) -}} +{{- $messages := append $messages (include "key-migration-utility.validateValues.bar" .) -}} {{- $messages := without $messages "" -}} {{- $message := join "\n" $messages -}} 
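Review bot: `key-migration-utility.validateValues` still appends the output of `key-migration-utility.validateValues.foo` and `.bar`, names that read as chart-scaffold placeholders; an `include` of an undefined template is a render error, so either these two templates exist elsewhere in the chart and should be renamed to say what they validate, or the two `append` lines should go together with any caller of validateValues. The define continues past the end of the hunk.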
@@ -48,7 +48,7 @@ Compile all warnings into a single message. {{/* Return podAnnotations */}} -{{- define "hsm-key-migrator.podAnnotations" -}} +{{- define "key-migration-utility.podAnnotations" -}} {{- if .Values.podAnnotations }} {{ include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) }} {{- end }} diff --git a/charts/hsm-key-migrator/templates/clusterrolebinding.yaml b/charts/key-migration-utility/templates/clusterrolebinding.yaml similarity index 91% rename from charts/hsm-key-migrator/templates/clusterrolebinding.yaml rename to charts/key-migration-utility/templates/clusterrolebinding.yaml index 27feb48c5..06d3c9f16 100644 --- a/charts/hsm-key-migrator/templates/clusterrolebinding.yaml +++ b/charts/key-migration-utility/templates/clusterrolebinding.yaml @@ -15,5 +15,5 @@ roleRef: name: {{ template "common.names.fullname" . }} subjects: - kind: ServiceAccount - name: {{ template "hsm-key-migrator.serviceAccountName" . }} + name: {{ template "key-migration-utility.serviceAccountName" . }} namespace: {{ .Release.Namespace }} diff --git a/charts/hsm-key-migrator/templates/extra-list.yaml b/charts/key-migration-utility/templates/extra-list.yaml similarity index 100% rename from charts/hsm-key-migrator/templates/extra-list.yaml rename to charts/key-migration-utility/templates/extra-list.yaml diff --git a/charts/hsm-key-migrator/templates/job.yaml b/charts/key-migration-utility/templates/job.yaml similarity index 89% rename from charts/hsm-key-migrator/templates/job.yaml rename to charts/key-migration-utility/templates/job.yaml index 3b68a777a..60d9f650a 100644 --- a/charts/hsm-key-migrator/templates/job.yaml +++ b/charts/key-migration-utility/templates/job.yaml 
@@ -22,7 +22,7 @@ spec: {{- end }} sidecar.istio.io/inject: "false" spec: - {{- include "hsm-key-migrator.imagePullSecrets" . | nindent 6 }} + {{- include "key-migration-utility.imagePullSecrets" . | nindent 6 }} {{- if .Values.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} {{- end }} @@ -51,21 +51,25 @@ spec: {{- toYaml .Values.podSecurityContext.sysctls | nindent 8 }} {{- end }} {{- end }} - serviceAccountName: {{ include "hsm-key-migrator.serviceAccountName" . }} + serviceAccountName: {{ include "key-migration-utility.serviceAccountName" . }} restartPolicy: Never # This is one time job containers: - - name: hsm-key-migrator - image: {{ template "hsm-key-migrator.image" . }} + - name: key-migration-utility + image: {{ template "key-migration-utility.image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} env: - name: container_user value: {{ .Values.containerSecurityContext.runAsUser }} + {{- if .Values.additionalResources.javaOpts }} - name: JDK_JAVA_OPTIONS value: {{ .Values.additionalResources.javaOpts }} + {{- end }} - name: spring_config_name_env value: {{ .Values.springConfigNameEnv }} + {{- if .Values.activeProfileEnv }} - name: active_profile_env value: {{ .Values.activeProfileEnv }} + {{- end }} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} diff --git a/charts/hsm-key-migrator/templates/service-account.yaml b/charts/key-migration-utility/templates/service-account.yaml similarity index 87% rename from charts/hsm-key-migrator/templates/service-account.yaml rename to charts/key-migration-utility/templates/service-account.yaml index fb3de86f4..fbb6145a8 100644 --- a/charts/hsm-key-migrator/templates/service-account.yaml +++ b/charts/key-migration-utility/templates/service-account.yaml 
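Review bot: `spring_config_name_env` is still emitted unconditionally while `JDK_JAVA_OPTIONS` and `active_profile_env` gain `{{- if }}` guards in the same hunk, and the values hunk below sets `springConfigNameEnv:` to empty, so the default render produces an env entry with an empty value instead of omitting it. Either guard it the same way, or, since the `# migration` comment suggests the name is fixed for this chart, make it `value: {{ required "springConfigNameEnv must be set" .Values.springConfigNameEnv | quote }}`. The keygen job hunk below has the same unguarded entry.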
@@ -5,7 +5,7 @@ metadata: {{- if .Values.commonLabels }} {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} {{- end }} - name: {{ template "hsm-key-migrator.serviceAccountName" . }} + name: {{ template "key-migration-utility.serviceAccountName" . }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} diff --git a/charts/hsm-key-migrator/values.yaml b/charts/key-migration-utility/values.yaml similarity index 98% rename from charts/hsm-key-migrator/values.yaml rename to charts/key-migration-utility/values.yaml index eb05d491c..b45a79c7b 100644 --- a/charts/hsm-key-migrator/values.yaml +++ b/charts/key-migration-utility/values.yaml @@ -302,10 +302,10 @@ serviceAccount: ## name: -# kernel or id-authentication -springConfigNameEnv: kernel -# default or migrator -activeProfileEnv: default +# migration +springConfigNameEnv: +# default or migration +activeProfileEnv: ## This param is to be set during installation. ## For Kernel: softhsm-kernel-share diff --git a/charts/keygen/templates/job.yaml b/charts/keygen/templates/job.yaml index 7f3919766..cb56d375c 100644 --- a/charts/keygen/templates/job.yaml +++ b/charts/keygen/templates/job.yaml @@ -81,12 +81,16 @@ spec: env: - name: container_user value: {{ .Values.containerSecurityContext.runAsUser }} + {{- if .Values.additionalResources.javaOpts }} - name: JDK_JAVA_OPTIONS value: {{ .Values.additionalResources.javaOpts }} + {{- end }} - name: spring_config_name_env value: {{ .Values.springConfigNameEnv }} + {{- if .Values.activeProfileEnv }} - name: active_profile_env value: {{ .Values.activeProfileEnv }} + {{- end }} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} 
diff --git a/charts/keymanager/templates/deployment.yaml b/charts/keymanager/templates/deployment.yaml index 2f145d164..5c5be01f3 100644 --- a/charts/keymanager/templates/deployment.yaml +++ b/charts/keymanager/templates/deployment.yaml @@ -94,12 +94,18 @@ spec: env: - name: container_user value: {{ .Values.containerSecurityContext.runAsUser }} + {{- if .Values.additionalResources.javaOpts }} - name: JDK_JAVA_OPTIONS value: {{ .Values.additionalResources.javaOpts }} + {{- end }} + {{- if .Values.springConfigNameEnv }} - name: spring_config_name_env value: {{ .Values.springConfigNameEnv }} + {{- end }} + {{- if .Values.activeProfileEnv }} - name: active_profile_env value: {{ .Values.activeProfileEnv }} + {{- end}} {{- if .Values.extraEnvVars }} {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }} {{- end }} diff --git a/charts/keymanager/values.yaml b/charts/keymanager/values.yaml index 3d29508a4..f5f5fa5d4 100644 --- a/charts/keymanager/values.yaml +++ b/charts/keymanager/values.yaml @@ -422,5 +422,5 @@ istio: gateway: istio-system/internal prefix: /v1/keymanager -springConfigNameEnv: kernel -activeProfileEnv: default +springConfigNameEnv: +activeProfileEnv: