[MOSIP-35490] moved required helm and deploy scripts to modular repo
Signed-off-by: Chandra Keshav Mishra <[email protected]>
Showing
41 changed files
with
1,869 additions
and
0 deletions.
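--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,40 @@
+# Config Server Secrets
+
+This module generates and install secrets required by config-server.
+
+Note:
+* The conf-secrets must not be deleted in any case of re-deployment, upgrade or migration process as we have separated the conf-secrets from config-server to ensure conf-secrets are not deleted.
+* Incase if you have a scenario where you have to delete the conf-secrets from the environment make sure to run `delete.sh` script as the script delete's the helm chart and takes the backup of the existing `conf-secrets-various` secret.
+
+
+## Install
+```sh
+./install.sh [kubeconfig]
+```
+
+## Delete
+```
+./delete.sh [kubeconfig]
+```
+
+## Secrets to be updated for Migartion scenerios
+### 1.1.5.5-P1 to 1.2.0.1
+* After installing Conf secrets in 1.2.0.1 update below mentioned keys with values from V2 configuration files.
+* | Property file (V2 conf) | Property file (V3 conf) | parameters | keys (Conf-screts) |
+|---------------------------------|--------------------------------------|--|--|
+| id-authentication-mz.properties | id-authentication-default.properties | ida-websub-authtype-callback-secret | ida-websub-authtype-callback-secret |
+| id-authentication-mz.properties | id-authentication-default.properties | ida-websub-ca-certificate-callback-secret | ida-websub-ca-certificate-callback-secret |
+| id-authentication-mz.properties | id-authentication-default.properties | ida-websub-credential-issue-callback-secret | ida-websub-credential-issue-callback-secret |
+| id-authentication-mz.properties | id-authentication-default.properties | ida-websub-hotlist-callback-secret | ida-websub-hotlist-callback-secret |
+| id-authentication-mz.properties | id-authentication-default.properties | ida-websub-partner-service-callback-secret | ida-websub-partner-service-callback-secret |
+| mimoto-mz.properties | mimoto-default.properties | mosip.partner.crypto.p12.password | mosip-partner-crypto-p12-password |
+| print-mz.properties | print-default.properties | mosip.event.secret | print-websub-hub-secret |
+| id-authentication-mz.properties | id-authentication-default.properties | mosip.ida.kyc.token.secret | mosip-ida-kyc-token-secret |
+| mimoto-mz.properties | mimoto-default.properties | wallet.binding.partner.api.key | mimoto-wallet-binding-partner-api-key |
+| id-authentication-mz.properties | id-authentication-default.properties | mosip-kernel-tokenid-uin-salt | mosip-kernel-tokenid-uin-salt |
+| id-authentication-mz.properties | id-authentication-default.properties | mosip.kernel.tokenid.partnercode.salt | mosip-kernel-tokenid-partnercode-salt |
+| resident-mz.properties | resident-default.properties | resident.websub.authtype.status.secret | resident-websub-authtype-status-secret |
+| resident-mz.properties | resident-default.properties | resident.websub.credential.status.update.secret | resident-websub-credential-status-update-secret |
+| resident-mz.properties | resident-default.properties | resident.websub.auth.transaction.status.secret | resident-websub-auth-transaction-status-secret |
+| id-authentication-mz.properties | id-authentication-default.properties | ida-websub-masterdata-templates-callback-secret | ida-websub-masterdata-templates-callback-secret |
+| id-repository-mz.properties | id-repository-default.properties | mosip.idrepo.websub.vid-credential-update.secret | idrepo-websub-vid-credential-update-secret |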
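--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,37 @@
+#!/bin/bash
+# Uninstalls the conf-secrets helm chart
+## Usage: ./delete.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+export KUBECONFIG=$1
+fi
+
+function deleting_conf_secrets() {
+NS=conf-secrets
+SECRET_NAME=conf-secrets-various
+BACKUP_DIR=./conf_secrets_backup
+mkdir -p $BACKUP_DIR
+while true; do
+read -p "Are you sure you want to delete the conf-secrets helm chart?(Y/n) " yn
+if [ $yn = "Y" ]
+then
+# Backup the conf-secrets
+kubectl get secret $SECRET_NAME -n $NS -o yaml > $BACKUP_DIR/$SECRET_NAME.yaml
+helm -n $NS delete conf-secrets
+echo "deleted conf-secrets helm chart"
+echo "Backup of conf-secrets is taken and stored in conf_secrets_backup directory."
+break
+else
+break
+fi
+done
+return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+deleting_conf_secrets # calling function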
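Review bot: The backup written by `kubectl get secret $SECRET_NAME -n $NS -o yaml > $BACKUP_DIR/$SECRET_NAME.yaml` holds every value of `conf-secrets-various` (base64-encoded, not encrypted) in the current directory under the caller's default umask, so on most systems the file ends up world-readable. Create the directory and file with restricted permissions, e.g. `(umask 077; mkdir -p "$BACKUP_DIR"; kubectl get secret "$SECRET_NAME" -n "$NS" -o yaml > "$BACKUP_DIR/$SECRET_NAME.yaml")`, and have the final `echo` (or the README note) say the backup contains live credentials and must be stored accordingly. The comparison `if [ $yn = "Y" ]` also needs `"$yn"` quoted: an empty answer expands to `[ = "Y" ]`, which prints a test error before falling into the else branch. The same unquoted `$yn` test appears in the config-server delete.sh hunk further down this page.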
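--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# Installs config-server secrets
+## Usage: ./install_secrets.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+export KUBECONFIG=$1
+fi
+
+NS=conf-secrets
+CHART_VERSION=0.0.1-develop
+
+echo Create $NS namespace
+kubectl create ns $NS
+
+function config_secrets() {
+echo Istio label
+kubectl label ns $NS istio-injection=enabled --overwrite
+helm repo update
+
+echo "Installing Secrets required by config-server"
+helm -n $NS install conf-secrets mosip/conf-secrets --version $CHART_VERSION --wait
+return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+config_secrets # calling function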
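Review bot: The usage comment `## Usage: ./install_secrets.sh [kubeconfig]` does not match the conf-secrets README added in this same commit, which documents `./install.sh [kubeconfig]`; one of the two should be corrected so an operator is not sent looking for a script that does not exist. Separately, `kubectl create ns $NS` runs before the `set -e` block at the bottom is reached, so any failure there — not just the namespace already existing — is silently ignored; if tolerating an existing namespace is the intent, `kubectl create ns "$NS" 2>/dev/null || true` with a one-line comment makes that explicit. Placing the `set` block after top-level commands recurs in every script on this page; the config-server install.sh hunk is the most consequential case and is noted there.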
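--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,31 @@
+# Config server
+
+## Introduction
+Config server serves all properties required by MOSIP modules. This must be installed before any other MOSIP modules.
+
+## Pre-requisites
+* `conf-secrets` MOSIP module.
+
+## Install
+* Review `values.yaml` and make sure git repository parameters are as per your installation.
+* Install
+```sh
+./install.sh
+```
+
+## Delete
+* To delete config-server.
+```sh
+./delete.sh
+```
+
+## Enable config-server to pull configurations from local git repository.
+
+Enable Config-server to Pull Configurations from Local Repository:
+* While running the install script the user will be prompted to decide whether the config-server should pull configurations from a local repository (NFS).
+* If the user choose to use local git repository then the user will be asked to provide the NFS path(Dir where local repository is cloned) and the NFS server IP.
+* If the user choose to not to pull configurations from a local repository (NFS) then the configurations will be pulled from remote repository which is defined in values.yaml file.
+
+Note:
+* Before choosing to pull configurations from a local repository (NFS) the user must clone the config-server repository manually into the nfs server where the configurations can be maintained.
+* And checkout to the specific branch from where the configurations need to be taken.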
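--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,25 @@
+#!/bin/bash
+# Copy configmaps from other namespaces
+
+function copying_cm() {
+UTIL_URL=https://raw.githubusercontent.com/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh
+COPY_UTIL=./copy_cm_func.sh
+DST_NS=config-server # DST_NS: Destination namespace
+
+wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh
+
+$COPY_UTIL configmap global default $DST_NS
+$COPY_UTIL configmap keycloak-host keycloak $DST_NS
+$COPY_UTIL configmap activemq-activemq-artemis-share activemq $DST_NS
+$COPY_UTIL configmap s3 s3 $DST_NS
+$COPY_UTIL configmap msg-gateway msg-gateways $DST_NS
+return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+copying_cm # calling function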
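Review bot: `wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh` downloads the helper from the `master` branch of a different repository at run time and then executes it with the caller's cluster credentials, so whatever that branch holds at that moment runs here, unpinned and unverified. Given this commit's stated purpose of moving deploy scripts into the modular repo, vendor `copy_cm_func.sh` next to these scripts, or at minimum pin `UTIL_URL` to a tag or commit and compare the download against a known digest before the `chmod +x`. Note also that a failing `wget` inside an `&&` list does not trigger `set -e`, so a stale `./copy_cm_func.sh` left by an earlier run would be executed without complaint; `wget -q "$UTIL_URL" -O copy_cm_func.sh || exit 1` closes that gap. The copy_secrets.sh hunk that follows carries the identical download line and the same two issues.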
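--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,31 @@
+#!/bin/bash
+# Copy secrets from other namespaces
+
+function copying_secrets() {
+UTIL_URL=https://raw.githubusercontent.com/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh
+COPY_UTIL=./copy_cm_func.sh
+
+DST_NS=config-server # DST_NS: Destination namespace
+
+wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh
+
+$COPY_UTIL secret db-common-secrets postgres $DST_NS
+$COPY_UTIL secret keycloak keycloak $DST_NS
+$COPY_UTIL secret keycloak-client-secrets keycloak $DST_NS
+$COPY_UTIL secret activemq-activemq-artemis activemq $DST_NS
+$COPY_UTIL secret softhsm-kernel softhsm $DST_NS
+$COPY_UTIL secret softhsm-ida softhsm $DST_NS
+$COPY_UTIL secret s3 s3 $DST_NS
+$COPY_UTIL secret msg-gateway msg-gateways $DST_NS
+$COPY_UTIL secret mosip-captcha captcha $DST_NS
+$COPY_UTIL secret conf-secrets-various conf-secrets $DST_NS
+return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+copying_secrets # calling function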
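--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Uninstalls config server
+## Usage: ./delete.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+export KUBECONFIG=$1
+fi
+
+function config_server() {
+NS=config-server
+while true; do
+read -p "Are you sure you want to delete config-server helm charts?(Y/n) " yn
+if [ $yn = "Y" ]
+then
+kubectl -n $NS delete configmap global keycloak-host activemq-activemq-artemis-share s3 msg-gateway
+kubectl -n $NS delete secret db-common-secrets keycloak keycloak-client-secrets activemq-activemq-artemis softhsm-kernel softhsm-ida s3 msg-gateway mosip-captcha conf-secrets-various
+helm -n $NS delete config-server
+break
+else
+break
+fi
+done
+return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+config_server # calling function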
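Review bot: `kubectl -n $NS delete configmap ...` and the following `delete secret` line each name several objects, and because `set -e` is active when `config_server` runs, a single missing object (after a partial earlier cleanup, or a secret that was never copied) makes kubectl exit non-zero and aborts the script before `helm -n $NS delete config-server` is reached, leaving the release installed. Add `--ignore-not-found` to both delete lines so cleanup is idempotent, e.g. `kubectl -n "$NS" delete configmap global keycloak-host activemq-activemq-artemis-share s3 msg-gateway --ignore-not-found`. A short comment that `conf-secrets-various` here is the copy living in the config-server namespace — not the source in `conf-secrets` that the README says must never be deleted — would spare an operator from reading this as a violation of that rule. `if [ $yn = "Y" ]` should quote `"$yn"` for the same empty-answer reason as in the conf-secrets delete.sh.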
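--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,4 @@
+#!/bin/bash
+# Config server encryption key.
+# NOTE: Needed if you encrypt data and hardcode it in the property files.
+echo Config server encryption key: $(kubectl get secret --namespace config-server config-server -o jsonpath="{.data.encrypt-key}" | base64 --decode)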
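Review bot: `echo Config server encryption key: $(kubectl ... | base64 --decode)` leaves the decoded key unquoted, so the shell word-splits and glob-expands it and a value beginning with `-` would be eaten by echo as an option; `printf 'Config server encryption key: %s\n' "$(kubectl get secret --namespace config-server config-server -o jsonpath="{.data.encrypt-key}" | base64 --decode)"` prints it faithfully. The larger concern is that the key goes to stdout, so running this from a CI step or a logged terminal session leaves the plaintext key in the log; the header comment should state that this is an interactive debugging aid and not something to wire into automation. The same applies to the keycloak-secrets script in the next hunk, which prints three passwords with the same unquoted `echo`. With no `set -o pipefail` in either script, a missing secret is not reported as an error: `base64` succeeds on empty input and the line prints an empty value.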
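--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,7 @@
+#!/bin/bash
+# All keycloak secrets as seen by config server. Note that source of keycloak secrets is in keycloak namespace
+# the secrets here are copy of the original. They must match. This script is more for debugging if there some
+# mismatch.
+echo Keycloak admin password: $(kubectl get secret --namespace config-server keycloak -o jsonpath="{.data.admin-password}" | base64 --decode)
+echo Keycloak preregistration client password: $(kubectl get secret --namespace config-server keycloak-client-secrets -o jsonpath="{.data.preregistration_mosip_prereg_client_secret}" | base64 --decode)
+echo Keycloak mosip-admin-client password: $(kubectl get secret --namespace config-server keycloak-client-secrets -o jsonpath="{.data.mosip_mosip_admin_client_secret}" | base64 --decode)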
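--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,78 @@
+#!/bin/bash
+# Installs config-server
+## Usage: ./install.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+export KUBECONFIG=$1
+fi
+
+NS=config-server
+CHART_VERSION=0.0.2-develop
+
+read -p "Is conf-secrets module installed?(Y/n) " conf_installed
+read -p "Do you want to enable config-server to pull configurations from multiple repositories?(Y/n)( Default: n )" comp_enabled
+if [[ -z $comp_enabled ]]; then
+comp_enabled=n
+fi
+if [ "$comp_enabled" = "Y" ]; then
+COMPOSITE_PROFILES="true"
+else
+COMPOSITE_PROFILES="false"
+fi
+
+read -p "Do you want to enable config-server to pull configurations from local repository?(Y/n)( Default: n )" local_enabled
+if [[ -z $local_enabled ]]; then
+local_enabled=n
+fi
+
+if [ "$local_enabled" = "Y" ]; then
+LOCALREPO="true"
+read -p "Provide the NFS path where the local repository is cloned/maintained: " path
+NFS_PATH="$path"
+
+read -p "Provide the NFS IP address of the server where the local repository is cloned: " ip
+NFS_SERVER="$ip"
+else
+LOCALREPO="false"
+NFS_PATH=""
+NFS_SERVER=""
+fi
+
+if [ $conf_installed = "Y" ]; then read -p "Is values.yaml for config-server chart set correctly as part of Pre-requisites?(Y/n) " yn; fi
+if [ $yn = "Y" ]
+then
+echo Create $NS namespace
+kubectl create ns $NS
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+
+echo Istio label
+kubectl label ns $NS istio-injection=enabled --overwrite
+helm repo update
+
+echo Copy configmaps
+sed -i 's/\r$//' copy_cm.sh
+./copy_cm.sh
+
+echo Copy secrets
+sed -i 's/\r$//' copy_secrets.sh
+./copy_secrets.sh
+
+echo "Installing config-server"
+helm -n $NS install config-server mosip/config-server \
+--set spring_profiles.enabled="$COMPOSITE_PROFILES" \
+--set localRepo.enabled="$LOCALREPO" \
+--set volume.nfs.path="$NFS_PATH" \
+--set volume.nfs.server="$NFS_SERVER" \
+-f values.yaml \
+--wait --version $CHART_VERSION
+echo "Installed Config-server".
+else
+echo Exiting the MOSIP installation. Please meet the pre-requisites and than start again.
+kill -9 `ps --pid $$ -oppid=`; exit
+fi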
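Review bot: The `kill -9` in the else branch targets the PID returned by `ps --pid $$ -oppid=`, i.e. this script's parent — normally the operator's interactive shell or the CI step that launched `./install.sh` — which is destructive, unrelated to any cleanup, and also hides the failure because the following `exit` never runs; replace the line with `exit 1` so the caller simply sees a non-zero status. `$yn` is assigned only when `conf_installed` is `Y`, so any other answer leaves it unset and `if [ $yn = "Y" ]` degrades to `[ = "Y" ]`, a test error that merely happens to fall into the else branch; initialise `yn=n` before the prompt and quote `"$yn"`. The NFS path and IP typed at the prompts reach helm through `--set volume.nfs.path="$NFS_PATH"` and `--set volume.nfs.server="$NFS_SERVER"`, where commas, braces and dots are parsed as structure; `--set-string` keeps those two values literal. Finally, `set -e`/`set -o nounset` is only switched on inside the `then` branch after `kubectl create ns $NS`, so none of the prompts or the namespace creation are covered — the `set` block belongs at the top of the script, as the other scripts in this commit would also benefit from.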
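--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,25 @@
+#!/bin/bash
+# Restart the config-server service
+## Usage: ./restart.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+export KUBECONFIG=$1
+fi
+
+function config_server() {
+NS=config-server
+kubectl -n $NS rollout restart deploy
+
+kubectl -n $NS get deploy -o name | xargs -n1 -t kubectl -n $NS rollout status
+
+echo Restarted config-server services
+return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+config_server # calling function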
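Review bot: `kubectl -n $NS get deploy -o name | xargs -n1 -t kubectl -n $NS rollout status` waits with no deadline: `rollout status` blocks for as long as a deployment fails to become ready, so a bad image or failing probe hangs this script indefinitely instead of failing it under `set -e`. Pass a bound, e.g. `xargs -n1 -t kubectl -n "$NS" rollout status --timeout=300s`, so the restart reports a failure the caller can act on. The function is also named `config_server`, the same name the config-server delete.sh hunk uses for an unrelated body; `restart_config_server` would read better in traces and grep results.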