[MOSIP-31911] Automated Creation of readuser for postgres,minio and k…

charts/keycloak-init/values.yaml

@@ -26,15 +26,15 @@
 jobAnnotations: {}
 
 jobSecurityContext: {}
-  # fsGroup: 2000
+# fsGroup: 2000
 
 securityContext: {}
   # capabilities:
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
-  # runAsUser: 1000
+# runAsUser: 1000
 
 service:
   type: ClusterIP
@@ -44,7 +44,7 @@
   enabled: false
   annotations: {}
     # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
+  # kubernetes.io/tls-acme: "true"
   hosts:
     - host: chart-example.local
       paths: []
@@ -63,7 +63,7 @@
   #   memory: 128Mi
   # requests:
   #   cpu: 100m
-  #   memory: 128Mi
+#   memory: 128Mi
 
 nodeSelector: {}
 
@@ -233,7 +233,7 @@
         - name: add_oidc_client
           description: Scope required to create OIDC client
           protocol: openid-connect
           "Include In Token Scope": on
           attributes: {
             display.on.consent.screen: "false",
             include.in.token.scope: "true"
@@ -241,7 +241,7 @@
         - name: update_oidc_client
           description: ''
           protocol: openid-connect
           "Include In Token Scope": on
           attributes: {
             display.on.consent.screen: "false",
             include.in.token.scope: "true"
@@ -249,7 +249,7 @@
         - name: get_certificate
           description: Scope required to create OIDC client
           protocol: openid-connect
           "Include In Token Scope": on
           attributes: {
             display.on.consent.screen: "false",
             include.in.token.scope: "true"
@@ -257,7 +257,7 @@
         - name: upload_certificate
           description: ''
           protocol: openid-connect
           "Include In Token Scope": on
           attributes: {
             display.on.consent.screen: "false",
             include.in.token.scope: "true"
@@ -265,7 +265,7 @@
         - name: individual_id
           description: Scope required to create resident client
           protocol: openid-connect
           "Include In Token Scope": on
           attributes: {
             display.on.consent.screen: "true",
             include.in.token.scope: "true"
@@ -273,7 +273,7 @@
         - name: ida_token
           description: ''
           protocol: openid-connect
           "Include In Token Scope": on
           attributes: {
             display.on.consent.screen: "true",
             include.in.token.scope: "true"
@@ -281,7 +281,7 @@
         - name: send_binding_otp
           description: Scope required to create mpartner-default-mobile client
           protocol: openid-connect
           "Include In Token Scope": on
           attributes: {
             display.on.consent.screen: "false",
             include.in.token.scope: "true"
@@ -289,7 +289,7 @@
         - name: wallet_binding
           description: Scope required to create mpartner-default-mobile client
           protocol: openid-connect
           "Include In Token Scope": on
           attributes: {
             display.on.consent.screen: "false",
             include.in.token.scope: "true"

charts/readuser-util/.gitignore

@@ -0,0 +1,2 @@
+!charts/
+!charts/*/

charts/readuser-util/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: readuser-util
+description: A Helm chart to deploy multiple readuser helm charts.
+type: application
+version: 0.0.1-develop
+dependencies:
+  - name: postgres-readuser-util
+    version: 0.0.1-develop
+    condition: postgres-readuser-util.enabled
+  - name: s3-readuser-util
+    version: 0.0.1-develop
+    condition: s3-readuser-util.enabled
+home: https://mosip.io
+keywords:
+  - mosip
+  - readuser-util
+maintainers:
+  - email: [email protected]
+    name: MOSIP
+appVersion: "1.16.0"

charts/readuser-util/README.md

@@ -0,0 +1,25 @@
+# Readuser Util Helm Chart
+
+This Helm chart deploys multiple readuser utility Helm charts for creating users with read-only privilages for postgres and minio servers.
+
+
+## Dependencies
+
+This chart has dependencies on the following Helm charts:
+
+1. **postgres-readuser-util**
+    - **Version**: 0.0.1-develop
+    - **Condition**: Enabled if `postgres-readuser-util.enabled` is set to `true`
+
+2. **s3-readuser-util**
+    - **Version**: 0.0.1-develop
+    - **Condition**: Enabled if `s3-readuser-util.enabled` is set to `true`
+
+## Notes
+
+* In order to update the "user" and "host" details for readuser creation for both postgres and minio servers you will have to update the values.yaml file.  
+* For more information about dependency chart please go through the README.md file of the specific dependency charts. 
+
+## Install
+
+* `helm install my-release mosip/readuser-util`

charts/readuser-util/charts/postgres-readuser-util/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: postgres-readuser-util
+description: A Helm chart for creation of readuser with read-only privilages for postgres server
+home: https://mosip.io
+keywords:
+  - mosip
+  - postgres-readuser-util
+maintainers:
+  - email: [email protected]
+    name: MOSIP
+type: application
+version: 0.0.1-develop
+appVersion: "1.16.0"

charts/readuser-util/charts/postgres-readuser-util/README.md

@@ -0,0 +1,20 @@
+# PostgreSQL ReadUser Creation Chart:
+
+This helm chart is designed to run a script that creates a read-only user in a PostgreSQL database. The chart uses a PostgreSQL Docker image and executes a script provided via a ConfigMap.
+
+## Prerequisites
+Before deploying this chart, ensure the following prerequisites are met:
+
+- Kubernetes Cluster: A running Kubernetes cluster.
+- PostgreSQL Deployment: PostgreSQL should be deployed and running in your cluster.
+- Kubernetes Secrets and ConfigMaps:
+  * A Secret containing the PostgreSQL password.
+  * A ConfigMap containing the script to create the read-only user.
+
+## Notes
+
+* The PostgreSQL password is securely stored in a Kubernetes Secret.
+
+## Install
+
+* `helm install my-release mosip/postgres-readuser-util`

charts/readuser-util/charts/postgres-readuser-util/templates/configmaps.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: readuser-script
+  namespace: util
+data:
+  create-readuser.sh: |
+    #!/bin/bash
+
+    # Retrieve the PostgreSQL superuser password from the environment variable
+    export PGPASSWORD=$POSTGRES_PASSWORD
+
+    # List of schemas
+    SCHEMAS=("audit" "credential" "hotlist" "ida" "idmap" "idrepo" "kernel" "keymgr" "master" "pms" "prereg" "regprc" "resident")
+
+    if [ "{{ .Values.user.action }}" = "create" ]; then
+      # Create user and set connection limit
+      psql -h "{{ .Values.user.dbhost }}" -p "{{ .Values.user.dbport }}" -U postgres -c "CREATE USER {{ .Values.user.username }} WITH PASSWORD '{{ .Values.user.password }}';"
+      psql -h "{{ .Values.user.dbhost }}" -p "{{ .Values.user.dbport }}" -U postgres -c "ALTER USER {{ .Values.user.username }} WITH CONNECTION LIMIT -1;"
+
+      # Grant privileges
+      for SCHEMA in "${SCHEMAS[@]}"; do
+          psql -h "{{ .Values.user.dbhost }}" -p "{{ .Values.user.dbport }}" -U postgres -d "mosip_$SCHEMA" -c "GRANT USAGE ON SCHEMA $SCHEMA TO {{ .Values.user.username }};"
+          psql -h "{{ .Values.user.dbhost }}" -p "{{ .Values.user.dbport }}" -U postgres -d "mosip_$SCHEMA" -c "GRANT SELECT ON ALL TABLES IN SCHEMA $SCHEMA TO {{ .Values.user.username }};"
+          psql -h "{{ .Values.user.dbhost }}" -p "{{ .Values.user.dbport }}" -U postgres -d "mosip_$SCHEMA" -c "ALTER DEFAULT PRIVILEGES IN SCHEMA $SCHEMA GRANT SELECT ON TABLES TO {{ .Values.user.username }};"
+      done
+    elif [ "{{ .Values.user.action }}" = "delete" ]; then
+      # Reassign objects owned by the user to another user (e.g., postgres)
+      for DB in "mosip_audit" "mosip_credential" "mosip_hotlist" "mosip_ida" "mosip_idmap" "mosip_idrepo" "mosip_kernel" "mosip_keymgr" "mosip_master" "mosip_pms" "mosip_prereg" "mosip_regprc" "mosip_resident"; do
+        psql -h "{{ .Values.user.dbhost }}" -p "{{ .Values.user.dbport }}" -U postgres -d "$DB" -c "REASSIGN OWNED BY {{ .Values.user.username }} TO postgres;"
+        psql -h "{{ .Values.user.dbhost }}" -p "{{ .Values.user.dbport }}" -U postgres -d "$DB" -c "DROP OWNED BY {{ .Values.user.username }};"
+      done
+      # Drop user
+      psql -h "{{ .Values.user.dbhost }}" -p "{{ .Values.user.dbport }}" -U postgres -c "DROP USER IF EXISTS {{ .Values.user.username }};"
+    else
+      echo "Invalid action: $ACTION. Use 'create' or 'delete'."
+      exit 1
+    fi

charts/readuser-util/charts/postgres-readuser-util/templates/job.yaml

@@ -0,0 +1,30 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: postgres-readuser
+  namespace: util
+spec:
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "false"
+    spec:
+      containers:
+        - name: create-readuser
+          image: postgres:16
+          command: ["/bin/bash", "/scripts/create-readuser.sh"]
+          env:
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgres-postgresql
+                  key: postgres-password
+          volumeMounts:
+            - name: script-volume
+              mountPath: /scripts
+      restartPolicy: Never
+      volumes:
+        - name: script-volume
+          configMap:
+            name: readuser-script
+  backoffLimit: 4

charts/readuser-util/charts/postgres-readuser-util/values.yaml

@@ -0,0 +1,47 @@
+# Default values for readuser.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: postgres
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: "16"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+user:
+  action: create
+  username: readuser
+  password: mosip123
+  dbport: 5432
+  dbhost: api-internal.xyz.mosip.net
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+
+# Additional volumes on the output Deployment definition.
+volumes: []
+# - name: foo
+#   secret:
+#     secretName: mysecret
+#     optional: false
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: []
+# - name: foo
+#   mountPath: "/etc/foo"
+#   readOnly: true

charts/readuser-util/charts/s3-readuser-util/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: s3-readuser-util
+description: A Helm chart for creation of s3 readonly user and policy.
+type: application
+version: 0.0.1-develop
+appVersion: "1.16.0"
+home: https://mosip.io
+keywords:
+  - mosip
+  - s3-readuser-util
+maintainers:
+  - email: [email protected]
+    name: MOSIP

charts/readuser-util/charts/s3-readuser-util/README.md

@@ -0,0 +1,21 @@
+# S3 Initialization Chart:
+
+This helm chart is designed to initialize MinIO with user management and policy attachment based on the specified action (create or delete). The Job will either create a new user and attach a policy or delete an existing user in the MinIO server.
+
+## Prerequisites
+Ensure the following prerequisites are met before deploying the chart:
+
+- Kubernetes Cluster: A running Kubernetes cluster.
+- MinIO Deployment: MinIO server should be deployed and running.
+- Kubernetes ConfigMap and Secrets:
+  * ConfigMap containing the policy JSON.
+  * Secret containing the MinIO access and secret keys.
+- Configuration for the username, password, policy name, and action should be managed via a values file (typically used with Helm charts).
+
+### Notes:
+
+* The action (create or delete), username, password, and policy name should be set in the values.yaml file, which will be referenced in the Job manifest.
+
+### Install
+
+* `helm install my-release mosip/s3-readuser-util`

charts/readuser-util/charts/s3-readuser-util/templates/configmaps.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: s3-policy
+  namespace: util
+data:
+  readuser.json: |
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Action": [
+            "s3:GetBucketLocation",
+            "s3:ListBucket",
+            "s3:ListBucketMultipartUploads"
+          ],
+          "Effect": "Allow",
+          "Resource": [
+            "arn:aws:s3:::*"
+          ]
+        },
+        {
+          "Action": [
+            "s3:GetObject",
+            "s3:ListMultipartUploadParts"
+          ],
+          "Effect": "Allow",
+          "Resource": [
+            "arn:aws:s3:::*/*"
+          ]
+        }
+      ]
+    }

charts/readuser-util/charts/s3-readuser-util/templates/job.yaml

@@ -0,0 +1,46 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: s3-init
+  namespace: util
+spec:
+  template:
+    metadata:
+      labels:
+        sidecar.istio.io/inject: "false"
+    spec:
+      containers:
+        - name: minio-client
+          image: minio/mc
+          env:
+            - name: MINIO_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: minio
+                  key: root-user
+            - name: MINIO_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: minio
+                  key: root-password
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              mc alias set s3 http://minio.minio:9000 $MINIO_ACCESS_KEY $MINIO_SECRET_KEY;
+              if [ "{{ .Values.s3user.action }}" = "create" ]; then
+                echo "Creating user {{ .Values.s3user.username }}...";
+                mc admin policy create s3 {{.Values.s3user.policyName}} /config/readuser.json;
+                mc admin user add s3 {{.Values.s3user.username}} {{.Values.s3user.password}};
+                mc admin policy attach s3 {{.Values.s3user.policyName}} --user {{.Values.s3user.username}};
+              elif [ "{{ .Values.s3user.action }}" = "delete" ]; then
+                echo "Deleting user {{ .Values.s3user.username }}...";
+                mc admin user remove s3 {{ .Values.s3user.username }};
+              fi
+          volumeMounts:
+            - name: config-volume
+              mountPath: /config
+      restartPolicy: OnFailure
+      volumes:
+        - name: config-volume
+          configMap:
+            name: s3-policy