diff --git a/deploy/conf-secrets/README.md b/deploy/conf-secrets/README.md
new file mode 100644
index 0000000000..46a97d9b19
--- /dev/null
+++ b/deploy/conf-secrets/README.md
@@ -0,0 +1,40 @@ +# Config Server Secrets + +This module generates and install secrets required by config-server. + +Note: +* The conf-secrets must not be deleted in any case of re-deployment, upgrade or migration process as we have separated the conf-secrets from config-server to ensure conf-secrets are not deleted. +* Incase if you have a scenario where you have to delete the conf-secrets from the environment make sure to run `delete.sh` script as the script delete's the helm chart and takes the backup of the existing `conf-secrets-various` secret. + + +## Install +```sh +./install.sh [kubeconfig] +``` + +## Delete +``` +./delete.sh [kubeconfig] +``` + +## Secrets to be updated for Migartion scenerios +### 1.1.5.5-P1 to 1.2.0.1 +* After installing Conf secrets in 1.2.0.1 update below mentioned keys with values from V2 configuration files. +* | Property file (V2 conf) | Property file (V3 conf) | parameters | keys (Conf-screts) | + |---------------------------------|--------------------------------------|--|--| + | id-authentication-mz.properties | id-authentication-default.properties | ida-websub-authtype-callback-secret | ida-websub-authtype-callback-secret | + | id-authentication-mz.properties | id-authentication-default.properties | ida-websub-ca-certificate-callback-secret | ida-websub-ca-certificate-callback-secret | + | id-authentication-mz.properties | id-authentication-default.properties | ida-websub-credential-issue-callback-secret | ida-websub-credential-issue-callback-secret | + | id-authentication-mz.properties | id-authentication-default.properties | ida-websub-hotlist-callback-secret | ida-websub-hotlist-callback-secret | + | id-authentication-mz.properties | id-authentication-default.properties | ida-websub-partner-service-callback-secret | ida-websub-partner-service-callback-secret | + | mimoto-mz.properties | mimoto-default.properties | mosip.partner.crypto.p12.password | mosip-partner-crypto-p12-password | + | print-mz.properties | 
print-default.properties | mosip.event.secret | print-websub-hub-secret | + | id-authentication-mz.properties | id-authentication-default.properties | mosip.ida.kyc.token.secret | mosip-ida-kyc-token-secret | + | mimoto-mz.properties | mimoto-default.properties | wallet.binding.partner.api.key | mimoto-wallet-binding-partner-api-key | + | id-authentication-mz.properties | id-authentication-default.properties | mosip-kernel-tokenid-uin-salt | mosip-kernel-tokenid-uin-salt | + | id-authentication-mz.properties | id-authentication-default.properties | mosip.kernel.tokenid.partnercode.salt | mosip-kernel-tokenid-partnercode-salt | + | resident-mz.properties | resident-default.properties | resident.websub.authtype.status.secret | resident-websub-authtype-status-secret | + | resident-mz.properties | resident-default.properties | resident.websub.credential.status.update.secret | resident-websub-credential-status-update-secret | + | resident-mz.properties | resident-default.properties | resident.websub.auth.transaction.status.secret | resident-websub-auth-transaction-status-secret | + | id-authentication-mz.properties | id-authentication-default.properties | ida-websub-masterdata-templates-callback-secret | ida-websub-masterdata-templates-callback-secret | + | id-repository-mz.properties | id-repository-default.properties | mosip.idrepo.websub.vid-credential-update.secret | idrepo-websub-vid-credential-update-secret | diff --git a/deploy/conf-secrets/delete.sh b/deploy/conf-secrets/delete.sh new file mode 100755 index 0000000000..0c982fcd31 --- /dev/null +++ b/deploy/conf-secrets/delete.sh 
@@ -0,0 +1,37 @@ +#!/bin/bash +# Uninstalls the conf-secrets helm chart +## Usage: ./delete.sh [kubeconfig] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + +function deleting_conf_secrets() { + NS=conf-secrets + SECRET_NAME=conf-secrets-various + BACKUP_DIR=./conf_secrets_backup + mkdir -p $BACKUP_DIR + while true; do + read -p "Are you sure you want to delete the conf-secrets helm chart?(Y/n) " yn + if [ $yn = "Y" ] + then + # Backup the conf-secrets + kubectl get secret $SECRET_NAME -n $NS -o yaml > $BACKUP_DIR/$SECRET_NAME.yaml + helm -n $NS delete conf-secrets + echo "deleted conf-secrets helm chart" + echo "Backup of conf-secrets is taken and stored in conf_secrets_backup directory." + break + else + break + fi + done + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +deleting_conf_secrets # calling function \ No newline at end of file diff --git a/deploy/conf-secrets/install.sh b/deploy/conf-secrets/install.sh new file mode 100755 index 0000000000..3c1c2e2bf1 --- /dev/null +++ b/deploy/conf-secrets/install.sh 
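Review bot: The backup written by `kubectl get secret $SECRET_NAME -n $NS -o yaml > $BACKUP_DIR/$SECRET_NAME.yaml` lands in the current directory under the caller's default umask, so the only remaining copy of these secrets — the chart generates them with `randAlphaNum`, so they cannot be regenerated once `helm delete` removes the Secret — is typically left readable by other users on the operator's machine. Restrict the directory and file before anything is written, e.g. `umask 077` on the line before `mkdir -p "$BACKUP_DIR"`, and make the final echo say that the file contains live secrets and must be moved to a secure store. Also use `read -r` and compare with `[[ "$yn" == "Y" ]]`, so that an empty answer is treated as "no" instead of producing a `[` syntax error.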
@@ -0,0 +1,31 @@ +#!/usr/bin/env bash +# Installs config-server secrets +## Usage: ./install_secrets.sh [kubeconfig] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + +NS=conf-secrets +CHART_VERSION=0.0.1-develop + +echo Create $NS namespace +kubectl create ns $NS + +function config_secrets() { + echo Istio label + kubectl label ns $NS istio-injection=enabled --overwrite + helm repo update + + echo "Installing Secrets required by config-server" + helm -n $NS install conf-secrets mosip/conf-secrets --version $CHART_VERSION --wait + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +config_secrets # calling function diff --git a/deploy/config-server/README.md b/deploy/config-server/README.md new file mode 100644 index 0000000000..87b23a7b51 --- /dev/null +++ b/deploy/config-server/README.md 
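Review bot: `helm -n $NS install conf-secrets mosip/conf-secrets --version $CHART_VERSION --wait` passes no values, so `mosip-partner-crypto-p12-password` is installed with the chart default `'abc123'` from helm/conf-secrets/values.yaml in every deployment made with this script. The script should collect the keystore password from the operator and hand it to Helm without putting it on the command line; `--set-file` with a process substitution keeps it out of `ps` output and avoids YAML quoting problems. The README for this module should then list the prompt as a pre-requisite so migrations know where the value comes from.
```shell
read -rs -p "Password for the partner crypto .p12 keystore (input hidden): " P12_PW; echo
[[ -n "$P12_PW" ]] || { echo "A non-empty .p12 password is required" >&2; exit 1; }

function config_secrets() {
  # … unchanged: Istio label, helm repo update …
  helm -n "$NS" install conf-secrets mosip/conf-secrets --version "$CHART_VERSION" --wait \
    --set-file secrets.mosip_partner_crypto_p12_password=<(printf '%s' "$P12_PW")
  return 0
}
```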
@@ -0,0 +1,31 @@ +# Config server + +## Introduction +Config server serves all properties required by MOSIP modules. This must be installed before any other MOSIP modules. + +## Pre-requisites +* `conf-secrets` MOSIP module. + +## Install +* Review `values.yaml` and make sure git repository parameters are as per your installation. +* Install +```sh +./install.sh +``` + +## Delete +* To delete config-server. +```sh +./delete.sh +``` + +## Enable config-server to pull configurations from local git repository. + +Enable Config-server to Pull Configurations from Local Repository: +* While running the install script the user will be prompted to decide whether the config-server should pull configurations from a local repository (NFS). +* If the user choose to use local git repository then the user will be asked to provide the NFS path(Dir where local repository is cloned) and the NFS server IP. +* If the user choose to not to pull configurations from a local repository (NFS) then the configurations will be pulled from remote repository which is defined in values.yaml file. + +Note: +* Before choosing to pull configurations from a local repository (NFS) the user must clone the config-server repository manually into the nfs server where the configurations can be maintained. +* And checkout to the specific branch from where the configurations need to be taken. diff --git a/deploy/config-server/copy_cm.sh b/deploy/config-server/copy_cm.sh new file mode 100755 index 0000000000..496d6962bd --- /dev/null +++ b/deploy/config-server/copy_cm.sh 
@@ -0,0 +1,25 @@ +#!/bin/bash +# Copy configmaps from other namespaces + +function copying_cm() { + UTIL_URL=https://raw.githubusercontent.com/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh + COPY_UTIL=./copy_cm_func.sh + DST_NS=config-server # DST_NS: Destination namespace + + wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh + + $COPY_UTIL configmap global default $DST_NS + $COPY_UTIL configmap keycloak-host keycloak $DST_NS + $COPY_UTIL configmap activemq-activemq-artemis-share activemq $DST_NS + $COPY_UTIL configmap s3 s3 $DST_NS + $COPY_UTIL configmap msg-gateway msg-gateways $DST_NS + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +copying_cm # calling function diff --git a/deploy/config-server/copy_secrets.sh b/deploy/config-server/copy_secrets.sh new file mode 100755 index 0000000000..ff728ea65f --- /dev/null +++ b/deploy/config-server/copy_secrets.sh 
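Review bot: `wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh` fetches the helper from the `master` branch of a different repository at install time and then executes it with the operator's kubeconfig, so whatever that branch contains at that moment runs with cluster access and the install is not reproducible. Pin `UTIL_URL` to a commit SHA instead of `master` and verify the download before executing it, e.g. `echo "<sha256>  copy_cm_func.sh" | sha256sum -c -` ahead of the `chmod +x`, or vendor `copy_cm_func.sh` into this repo next to the scripts that call it. Quote the expansions (`"$COPY_UTIL"`, `"$DST_NS"`) while you are there.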
@@ -0,0 +1,31 @@ +#!/bin/bash +# Copy secrets from other namespaces + +function copying_secrets() { + UTIL_URL=https://raw.githubusercontent.com/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh + COPY_UTIL=./copy_cm_func.sh + + DST_NS=config-server # DST_NS: Destination namespace + + wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh + + $COPY_UTIL secret db-common-secrets postgres $DST_NS + $COPY_UTIL secret keycloak keycloak $DST_NS + $COPY_UTIL secret keycloak-client-secrets keycloak $DST_NS + $COPY_UTIL secret activemq-activemq-artemis activemq $DST_NS + $COPY_UTIL secret softhsm-kernel softhsm $DST_NS + $COPY_UTIL secret softhsm-ida softhsm $DST_NS + $COPY_UTIL secret s3 s3 $DST_NS + $COPY_UTIL secret msg-gateway msg-gateways $DST_NS + $COPY_UTIL secret mosip-captcha captcha $DST_NS + $COPY_UTIL secret conf-secrets-various conf-secrets $DST_NS + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +copying_secrets # calling function diff --git a/deploy/config-server/delete.sh b/deploy/config-server/delete.sh new file mode 100755 index 0000000000..0c3a620601 --- /dev/null +++ b/deploy/config-server/delete.sh 
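Review bot: This script runs the same unpinned `master`-branch download as copy_cm.sh, but here the downloaded code executes while holding credentials that can read `db-common-secrets`, the `keycloak` admin secret, both `softhsm-*` secrets and `conf-secrets-various`, so a changed or compromised upstream file can exfiltrate every credential the platform depends on in one step. Pin `UTIL_URL` to a commit and verify a digest before the `chmod +x`, or vendor `copy_cm_func.sh` into the repo. A one-line comment per copied secret saying which config-server property consumes it would also make it possible to drop copies that are not needed — `get_keycloak_secrets.sh` shows the Keycloak admin password is readable from the config-server namespace afterwards, and if only client secrets are actually required, that line should go.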
@@ -0,0 +1,32 @@ +#!/bin/bash +# Uninstalls config server +## Usage: ./delete.sh [kubeconfig] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + +function config_server() { + NS=config-server + while true; do + read -p "Are you sure you want to delete config-server helm charts?(Y/n) " yn + if [ $yn = "Y" ] + then + kubectl -n $NS delete configmap global keycloak-host activemq-activemq-artemis-share s3 msg-gateway + kubectl -n $NS delete secret db-common-secrets keycloak keycloak-client-secrets activemq-activemq-artemis softhsm-kernel softhsm-ida s3 msg-gateway mosip-captcha conf-secrets-various + helm -n $NS delete config-server + break + else + break + fi + done + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +config_server # calling function diff --git a/deploy/config-server/get_encrypt_key.sh b/deploy/config-server/get_encrypt_key.sh new file mode 100755 index 0000000000..595d9231ce --- /dev/null +++ b/deploy/config-server/get_encrypt_key.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# Config server encryption key. +# NOTE: Needed if you encrypt data and hardcode it in the property files. +echo Config server encryption key: $(kubectl get secret --namespace config-server config-server -o jsonpath="{.data.encrypt-key}" | base64 --decode) diff --git a/deploy/config-server/get_keycloak_secrets.sh b/deploy/config-server/get_keycloak_secrets.sh new file mode 100755 index 0000000000..70987efdb0 --- /dev/null +++ b/deploy/config-server/get_keycloak_secrets.sh 
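Review bot: `kubectl -n $NS delete secret db-common-secrets ... conf-secrets-various` aborts the script under `set -e` as soon as one listed name is absent (kubectl exits non-zero when any object is missing), and because it runs before `helm -n $NS delete config-server`, the release is left installed while some of its copied secrets are already gone. Add `--ignore-not-found` to both `kubectl delete` invocations, e.g. `kubectl -n "$NS" delete secret --ignore-not-found db-common-secrets ...`, so the cleanup is idempotent and always reaches the `helm delete`. As in the other scripts, `read -r` plus `[[ "$yn" == "Y" ]]` avoids a `[` syntax error on an empty answer.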
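Review bot: `echo Config server encryption key: $(kubectl get secret ... | base64 --decode)` expands the decoded key unquoted, so a key containing `*`, `?` or whitespace is glob-expanded and word-split before it is printed; use `printf 'Config server encryption key: %s\n' "$(kubectl get secret --namespace config-server config-server -o jsonpath="{.data.encrypt-key}" | base64 --decode)"`. Since this prints a live key, the header comment should also warn that the output lands in terminal scrollback and any CI log capture.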
@@ -0,0 +1,7 @@ +#!/bin/bash +# All keycloak secrets as seen by config server. Note that source of keycloak secrets is in keycloak namespace +# the secrets here are copy of the original. They must match. This script is more for debugging if there some +# mismatch. +echo Keycloak admin password: $(kubectl get secret --namespace config-server keycloak -o jsonpath="{.data.admin-password}" | base64 --decode) +echo Keycloak preregistration client password: $(kubectl get secret --namespace config-server keycloak-client-secrets -o jsonpath="{.data.preregistration_mosip_prereg_client_secret}" | base64 --decode) +echo Keycloak mosip-admin-client password: $(kubectl get secret --namespace config-server keycloak-client-secrets -o jsonpath="{.data.mosip_mosip_admin_client_secret}" | base64 --decode) diff --git a/deploy/config-server/install.sh b/deploy/config-server/install.sh new file mode 100755 index 0000000000..7c75ec09f8 --- /dev/null +++ b/deploy/config-server/install.sh 
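Review bot: The script prints the Keycloak admin password and two client secrets in clear text to stdout, although its own header says its purpose is to check that the copies in `config-server` match the originals in `keycloak`; that comparison can be done without printing a single value. Fetch the base64 `.data` field from both namespaces and compare them, reporting only match/mismatch, which keeps the secrets out of scrollback and log capture. Quote command substitutions in any case, since `echo` with an unquoted `$(...)` globs and word-splits the value.
```shell
# Compare each copied secret with its source without printing values.
check() {  # check <secret-name> <data-key>
  local src dst
  src=$(kubectl -n keycloak get secret "$1" -o jsonpath="{.data.$2}")
  dst=$(kubectl -n config-server get secret "$1" -o jsonpath="{.data.$2}")
  if [[ "$src" == "$dst" ]]; then echo "$1/$2: match"; else echo "$1/$2: MISMATCH" >&2; fi
}
check keycloak admin-password
check keycloak-client-secrets preregistration_mosip_prereg_client_secret
check keycloak-client-secrets mosip_mosip_admin_client_secret
```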
@@ -0,0 +1,78 @@ +#!/bin/bash +# Installs config-server +## Usage: ./install.sh [kubeconfig] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + +NS=config-server +CHART_VERSION=0.0.2-develop + +read -p "Is conf-secrets module installed?(Y/n) " conf_installed +read -p "Do you want to enable config-server to pull configurations from multiple repositories?(Y/n)( Default: n )" comp_enabled +if [[ -z $comp_enabled ]]; then + comp_enabled=n +fi +if [ "$comp_enabled" = "Y" ]; then + COMPOSITE_PROFILES="true" +else + COMPOSITE_PROFILES="false" +fi + +read -p "Do you want to enable config-server to pull configurations from local repository?(Y/n)( Default: n )" local_enabled +if [[ -z $local_enabled ]]; then + local_enabled=n +fi + +if [ "$local_enabled" = "Y" ]; then + LOCALREPO="true" + read -p "Provide the NFS path where the local repository is cloned/maintained: " path + NFS_PATH="$path" + + read -p "Provide the NFS IP address of the server where the local repository is cloned: " ip + NFS_SERVER="$ip" +else + LOCALREPO="false" + NFS_PATH="" + NFS_SERVER="" +fi + +if [ $conf_installed = "Y" ]; then read -p "Is values.yaml for config-server chart set correctly as part of Pre-requisites?(Y/n) " yn; fi +if [ $yn = "Y" ] + then + echo Create $NS namespace + kubectl create ns $NS + + # set commands for error handling. 
+ set -e + set -o errexit ## set -e : exit the script if any statement returns a non-true return value + set -o nounset ## set -u : exit the script if you try to use an uninitialised variable + set -o errtrace # trace ERR through 'time command' and other functions + set -o pipefail # trace ERR through pipes + + echo Istio label + kubectl label ns $NS istio-injection=enabled --overwrite + helm repo update + + echo Copy configmaps + sed -i 's/\r$//' copy_cm.sh + ./copy_cm.sh + + echo Copy secrets + sed -i 's/\r$//' copy_secrets.sh + ./copy_secrets.sh + + echo "Installing config-server" + helm -n $NS install config-server mosip/config-server \ + --set spring_profiles.enabled="$COMPOSITE_PROFILES" \ + --set localRepo.enabled="$LOCALREPO" \ + --set volume.nfs.path="$NFS_PATH" \ + --set volume.nfs.server="$NFS_SERVER" \ + -f values.yaml \ + --wait --version $CHART_VERSION + echo "Installed Config-server". + else + echo Exiting the MOSIP installation. Please meet the pre-requisites and than start again. + kill -9 `ps --pid $$ -oppid=`; exit +fi diff --git a/deploy/config-server/restart.sh b/deploy/config-server/restart.sh new file mode 100755 index 0000000000..ad2e5f04e5 --- /dev/null +++ b/deploy/config-server/restart.sh @@ -0,0 +1,25 @@ +#!/bin/bash +# Restart the config-server service +## Usage: ./restart.sh [kubeconfig] + +if [ $# -ge 1 ] ; then + export KUBECONFIG=$1 +fi + +function config_server() { + NS=config-server + kubectl -n $NS rollout restart deploy + + kubectl -n $NS get deploy -o name | xargs -n1 -t kubectl -n $NS rollout status + + echo Restarted config-server services + return 0 +} + +# set commands for error handling. +set -e +set -o errexit ## set -e : exit the script if any statement returns a non-true return value +set -o nounset ## set -u : exit the script if you try to use an uninitialised variable +set -o errtrace # trace ERR through 'time command' and other functions +set -o pipefail # trace ERR through pipes +config_server # calling function 
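Review bot: The failure branch ends with ``kill -9 `ps --pid $$ -oppid=`; exit``, which SIGKILLs the script's parent process — normally the operator's interactive shell or the CI runner step — instead of simply exiting; `exit 1` is all that is needed and callers then see a non-zero status. The same branch is also reached by accident: when `conf_installed` is not `Y`, `yn` is never assigned, so `if [ $yn = "Y" ]` evaluates `[ = Y ]`, a test syntax error rather than a "no". Initialise `yn=n` before the prompts and compare with `[[ "$yn" == "Y" ]]`. Separately, `NFS_PATH` and `NFS_SERVER` are taken from the prompt unvalidated and flow through `--set volume.nfs.*` straight into the PersistentVolume spec, so a check that `NFS_SERVER` looks like an address and `NFS_PATH` is absolute would catch typos before they become a cluster object.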
diff --git a/deploy/config-server/values.yaml b/deploy/config-server/values.yaml
new file mode 100644
index 0000000000..b8bb504038
--- /dev/null
+++ b/deploy/config-server/values.yaml
@@ -0,0 +1,63 @@ +gitRepo: + uri: https://github.com/mosip/mosip-config + version: v1.2.0.1 + ## Folders within the base repo where properties may be found. + searchFolders: "" + private: false + ## User name of user who has access to the private repo. Ignore for public repo + username: "" + token: "" + +spring_profiles: + enabled: false + spring_profiles_active: composite + spring_compositeRepos: + # Based on the user requiremnt the number of multiple sources from where configuration needs to be pulled can be updated below as mentioned. + - type: git + uri: "< config-repo url >" + version: < branch-name > + spring_cloud_config_server_git_cloneOnStart: true + spring_cloud_config_server_git_force_pull: true + spring_cloud_config_server_git_refreshRate: 5 + - type: git + uri: "< config-repo url >" + version: < branch-name > + spring_cloud_config_server_git_cloneOnStart: true + spring_cloud_config_server_git_force_pull: true + spring_cloud_config_server_git_refreshRate: 5 + spring_fail_on_composite_error: false + +localRepo: + enabled: false # Set this to "true" inorder to Enable config-server to pull configurations from local git repo. + spring_profiles_active: "native" + spring_cloud_config_server_native_search_locations: "file:///var/lib/config_repo" + spring_cloud_config_server_accept_empty: true + spring_cloud_config_server_git_force_pull: false + spring_cloud_config_server_git_refreshRate: 0 + spring_cloud_config_server_git_cloneOnStart: false + +volume: + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack). 
+ ## + # storageClass: "-" + ## + ## If you want to reuse an existing claim, you can pass the name of the PVC using + ## the existingClaim variable + # existingClaim: your-claim + ## ReadWriteMany not supported by AWS gp2 + name: config-server + storageClass: nfs-client + accessModes: + - ReadWriteMany + size: 10Mi + existingClaim: + # Dir where config and keys are written inside container + mountDir: '/var/lib/config_repo' + nfs: + path: '' # Dir within the nfs server where config repo is cloned/maintained locally. + server: '' # Ip address of nfs server. + diff --git a/deploy/README.md b/deploy/kernel/README.md similarity index 100% rename from deploy/README.md rename to deploy/kernel/README.md diff --git a/deploy/copy_cm.sh b/deploy/kernel/copy_cm.sh similarity index 100% rename from deploy/copy_cm.sh rename to deploy/kernel/copy_cm.sh diff --git a/deploy/delete.sh b/deploy/kernel/delete.sh similarity index 100% rename from deploy/delete.sh rename to deploy/kernel/delete.sh diff --git a/deploy/install.sh b/deploy/kernel/install.sh similarity index 100% rename from deploy/install.sh rename to deploy/kernel/install.sh diff --git a/deploy/restart.sh b/deploy/kernel/restart.sh similarity index 100% rename from deploy/restart.sh rename to deploy/kernel/restart.sh diff --git a/helm/conf-secrets/.gitignore b/helm/conf-secrets/.gitignore new file mode 100644 index 0000000000..ee3892e879 --- /dev/null +++ b/helm/conf-secrets/.gitignore @@ -0,0 +1 @@ +charts/ diff --git a/helm/conf-secrets/.helmignore b/helm/conf-secrets/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/helm/conf-secrets/.helmignore 
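Review bot: `gitRepo.username`/`gitRepo.token` invite operators to put a Git access token into a values file that is committed to the repo and then passed with `-f values.yaml`, which Helm also keeps in the release record; a token for the configuration repository grants read access to every property file the platform runs on. Keep both fields empty in the committed file and say so inline, e.g. `## Do not commit a real token here; supply it at install time (--set-file gitRepo.token=<path> or an existing Secret).` above `token: ""`. Also note that `spring_fail_on_composite_error: false` means a source that fails to clone is silently skipped, so a misconfigured repository yields a partially configured platform rather than a failed start; consider defaulting it to `true`.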
@@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm/conf-secrets/Chart.yaml b/helm/conf-secrets/Chart.yaml new file mode 100644 index 0000000000..cc6300b7d5 --- /dev/null +++ b/helm/conf-secrets/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +name: conf-secrets +description: A Helm chart for deploying secrets required by MOSIP config-server +type: application +version: 0.0.1-develop +appVersion: 1.1.2 +dependencies: + - name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x +home: https://mosip.io +keywords: + - config-server + - conf-secrets +maintainers: + - email: info@mosip.io + name: MOSIP diff --git a/helm/conf-secrets/templates/_helpers.tpl b/helm/conf-secrets/templates/_helpers.tpl new file mode 100644 index 0000000000..74150b8c4e --- /dev/null +++ b/helm/conf-secrets/templates/_helpers.tpl 
@@ -0,0 +1,24 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "conf-secrets.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "conf-secrets.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} diff --git a/helm/conf-secrets/templates/secret.yaml b/helm/conf-secrets/templates/secret.yaml new file mode 100644 index 0000000000..918c768d73 --- /dev/null +++ b/helm/conf-secrets/templates/secret.yaml 
@@ -0,0 +1,34 @@ +## This file contains various secrets that are needed by different mosip modules. The reason for defining +## them here (and not while module installation) is as follows: +## 1. These secrets are made available to modules via config property files (defined in *.properties) +## 2. Config server is installed before MOSIP modules +## 3. To preserve these secrets even when config-server is deleted and reinstalled, these secrets have been moved to different helm chart +## Some of them may not be used as the corresponding modules may not be installed. +## For websub hub secret refer to: https://www.w3.org/TR/websub/#subscriber-sends-subscription-request + +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-various" (include "conf-secrets.fullname" .) }} +type: Opaque +data: + ida-websub-authtype-callback-secret: {{ randAlphaNum 16 | b64enc | quote }} + ida-websub-credential-issue-callback-secret: {{ randAlphaNum 16 | b64enc | quote }} + ida-websub-partner-service-callback-secret: {{ randAlphaNum 16 | b64enc | quote }} + ida-websub-ca-certificate-callback-secret: {{ randAlphaNum 16 | b64enc | quote }} + ida-websub-hotlist-callback-secret: {{ randAlphaNum 16 | b64enc | quote }} + ida-websub-masterdata-templates-callback-secret: {{ randAlphaNum 16 | b64enc | quote }} + ida-websub-masterdata-titles-callback-secret: {{ randAlphaNum 16 | b64enc | quote }} + idrepo-websub-vid-credential-update-secret: {{ randAlphaNum 16 | b64enc | quote }} + mosip-kernel-tokenid-uin-salt: {{ randAlphaNum 16 | b64enc | quote }} + mosip-kernel-tokenid-partnercode-salt: {{ randAlphaNum 16 | b64enc | quote }} + print-websub-hub-secret: {{ randAlphaNum 16 | b64enc | quote }} + hub-secret-encryption-key: {{ randAlphaNum 16 | b64enc | quote }} + resident-websub-authtype-status-secret: {{ randAlphaNum 16 | b64enc | quote }} + resident-websub-auth-transaction-status-secret: {{ randAlphaNum 16 | b64enc | quote }} + resident-websub-credential-status-update-secret: {{ 
randAlphaNum 16 | b64enc | quote }} + resident-websub-regproc-workflow-complete-secret: {{ randAlphaNum 16 | b64enc | quote }} + mosip-resident-request-credential-encryption-key: {{ randAlphaNum 16 | b64enc | quote }} + idrepo-websub-remove-id-status-secret: {{ randAlphaNum 16 | b64enc | quote }} + mosip-ida-kyc-token-secret: {{ randAlphaNum 32 | b64enc | b64enc | quote }} + mosip-partner-crypto-p12-password: {{ .Values.secrets.mosip_partner_crypto_p12_password | b64enc | quote }} \ No newline at end of file diff --git a/helm/conf-secrets/values.yaml b/helm/conf-secrets/values.yaml new file mode 100644 index 0000000000..cd8f9de625 --- /dev/null +++ b/helm/conf-secrets/values.yaml @@ -0,0 +1,4 @@ +fullnameOverride: "" +nameOverride: "" +secrets: + mosip_partner_crypto_p12_password: 'abc123' diff --git a/helm/config-server/.gitignore b/helm/config-server/.gitignore new file mode 100644 index 0000000000..ee3892e879 --- /dev/null +++ b/helm/config-server/.gitignore @@ -0,0 +1 @@ +charts/ diff --git a/helm/config-server/.helmignore b/helm/config-server/.helmignore new file mode 100644 index 0000000000..684b32bf16 --- /dev/null +++ b/helm/config-server/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +README.md diff --git a/helm/config-server/Chart.yaml b/helm/config-server/Chart.yaml new file mode 100644 index 0000000000..20c86c789b --- /dev/null +++ b/helm/config-server/Chart.yaml 
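Review bot: Every `randAlphaNum` value here is re-evaluated on each `helm upgrade` of this release, so a routine chart upgrade silently rotates all websub callback secrets and both `mosip-kernel-tokenid-*-salt` values — even though the README goes to the trouble of never deleting the chart to preserve them; if the salts feed token-ID derivation (the names suggest so, confirm), a rotation changes identifiers already issued. Read the existing Secret with `lookup` and reuse its data when present, generating only keys that do not exist yet (note that `lookup` returns nothing under `helm template`/`--dry-run`, so that path still produces fresh values). The double `b64enc` on `mosip-ida-kyc-token-secret` also deserves a comment stating that the consumer expects a base64 string, since it reads like a copy-paste mistake.
```yaml
{{- $name := printf "%s-various" (include "conf-secrets.fullname" .) }}
{{- /* Reuse values from an already-installed Secret so upgrades do not rotate them. */}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $name }}
{{- $keep := dict }}
{{- if $existing }}{{- $keep = $existing.data }}{{- end }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $name }}
type: Opaque
data:
  ida-websub-authtype-callback-secret: {{ index $keep "ida-websub-authtype-callback-secret" | default (randAlphaNum 16 | b64enc) | quote }}
  # … unchanged: remaining generated keys, each wrapped in the same index/default pattern …
  mosip-partner-crypto-p12-password: {{ .Values.secrets.mosip_partner_crypto_p12_password | b64enc | quote }}
```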
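Review bot: `mosip_partner_crypto_p12_password: 'abc123'` is a real default, not a placeholder: secret.yaml encodes whatever is here, and deploy/conf-secrets/install.sh calls `helm install` without overriding it, so every installation that does not know to override it protects the partner keystore with `abc123`. Ship it empty, `mosip_partner_crypto_p12_password: ""`, and make the template fail loudly when it is missing with `required "secrets.mosip_partner_crypto_p12_password must be set" .Values.secrets.mosip_partner_crypto_p12_password`, so a forgotten override becomes an install error rather than a weak password.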
@@ -0,0 +1,18 @@ +apiVersion: v2 +name: config-server +description: A Helm chart for configuration of MOSIP modules +type: application +version: 0.0.2-develop +appVersion: 1.1.2 +dependencies: + - name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x +home: https://mosip.io +keywords: + - config-server +maintainers: + - email: info@mosip.io + name: MOSIP diff --git a/helm/config-server/README.md b/helm/config-server/README.md new file mode 100644 index 0000000000..01e5f8bf90 --- /dev/null +++ b/helm/config-server/README.md @@ -0,0 +1,88 @@ +# Config Server + +Helm chart for installing for Config Server. + +## Install + +```console +$ helm repo add mosip https://mosip.github.io +$ helm install my-release mosip/config-server +``` + +## Add New Placeholder + +* To add a new placeholder, we have to define it in the `_overides.tpl` file. +* In `overrides` section of `values.yaml`, add configmap or secret name in which new placeholder's value is defined. + ``` + overrides: + secrets: + secretName: + + configmaps: + configmapName: + ``` +* Based upon new secrets or configmaps added, add respective section in `_overides.tpl` file.
+ ``: is the actual keyname for new placeholder's value added in configmap/secrets.
+ ``: is referred as `placeholder.name` by config-server in property files.
+ + Example for new value in configmap: + ``` + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_ + valueFrom: + configMapKeyRef: + name: {{ .Values.overrides.configmaps.configmapName }} + key: + ``` + Example for new value in secret: + ``` + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_ + valueFrom: + secretKeyRef: + name: {{ .Values.overrides.secrets.secretName }} + key: + ``` + +### Enable config-server to pull configurations from local git repo. + +Set the below configuration values as mentioned in the values.yaml file in-order to pull the configurations from local git repository +* Set `localRepo` enabled to `true`. +* Update the `spring.profiles.active` to `native` under localRepo. +* Update the `spring.cloud.config.server.native.search-locations` to `file:///var/lib/config_repo` as this is the mountDir where your local configurations are cloned/maintained. +* Update the `spring.cloud.config.server.accept-empty` to `true`. # Server would return a HTTP 404 status, if the application is not found.By default, this flag is set to true. +* Update the `spring.cloud.config.server.git.force-pull` to `false`. # Spring Cloud Config Server makes a clone of the remote git repository and if somehow the local copy gets dirty (e.g. folder content changes by OS process) so Spring Cloud Config Server cannot update the local copy from remote repository but as our configurations are maintained locally we are setting this to `false`. +* Update the `spring.cloud.config.server.git.refreshRate` to `0`. # Setting up refresh rate to 5 seconds so that config server will check for updates in Git repo after every one minute, can be lowered down for production. +* Update the `spring.cloud.config.server.git.cloneOnStart` to `false`. # Adding provision to clone on start of server instead of first request but our configurations are stored in local so no need to clone the repository on start of server so setting it to `false`. 
+ +### Enable config-server to pull configurations from multiple sources. + +In some scenarios, you may wish to pull configuration data from multiple environment repositories. To do so, you can enable the `composite profile` in your helm `values` YAML file, Composite Profiles in Spring Cloud Config Server provide a flexible mechanism for combining multiple profiles into a single effective profile. If, for example, you want to pull configuration data from a local repository as well as two Git repositories, you can set the following properties for your configuration server: + +``` +spring_profiles: + enabled: true + spring_profiles_active: composite + spring_compositeRepos: + - type: git # Type "git" is to pull the configurations from remote git repository. + uri: "https://github.com/mosip/inji-config" + version: develop + spring_cloud_config_server_git_cloneOnStart: true + spring_cloud_config_server_git_force_pull: true + spring_cloud_config_server_git_refreshRate: 5 + - type: git + uri: "https://github.com/mosip/mosip-config" + version: develop + spring_cloud_config_server_git_cloneOnStart: true + spring_cloud_config_server_git_force_pull: true + spring_cloud_config_server_git_refreshRate: 5 + - type: native # Type "native" is to pull the configurations from local git repository. + uri: "file:///var/lib/config_repo" # Dir path of local git repo + version: develop + spring_cloud_config_server_git_cloneOnStart: false # This is set to "false" when type is "native". + spring_cloud_config_server_git_force_pull: false # This is set to "false" when type is "native". + spring_cloud_config_server_git_refreshRate: 0 # This is set to "0" when type is "native". + spring_fail_on_composite_error: false +``` + +Using the above configuration, precedence is determined by the order in which repositories are listed under the composite key. 
In the above example, the git repository is listed first, so a value found in the git repository will override values found for the same property in the second configuration Git repository and third configuration local repository. + +Note: Based on the user requiremnt the number of multiple sources from where configuration needs to be pulled can be updated as mentioned in the above code block. \ No newline at end of file diff --git a/helm/config-server/templates/NOTES.txt b/helm/config-server/templates/NOTES.txt new file mode 100644 index 0000000000..49d744ca36 --- /dev/null +++ b/helm/config-server/templates/NOTES.txt 
@@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "config-server.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "config-server.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "config-server.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "config-server.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/helm/config-server/templates/_helpers.tpl b/helm/config-server/templates/_helpers.tpl new file mode 100644 index 0000000000..0c7bc043cc --- /dev/null +++ b/helm/config-server/templates/_helpers.tpl 
@@ -0,0 +1,75 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "config-server.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "config-server.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "config-server.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "config-server.labels" -}}
+helm.sh/chart: {{ include "config-server.chart" . }}
+{{ include "config-server.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "config-server.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "config-server.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "config-server.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "config-server.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Determine if there are any native repos in the spring composite repos.
+*/}}
+{{- define "config-server.hasNative" -}}
+{{- $hasNative := false -}}
+{{- range .Values.spring_profiles.spring_compositeRepos }}
+ {{- if eq .type "native" }}
+ {{- $hasNative = true -}}
+ {{- end }}
+{{- end }}
+{{- $hasNative -}}
+{{- end -}}
diff --git a/helm/config-server/templates/config-pv.yaml b/helm/config-server/templates/config-pv.yaml
new file mode 100644
index 0000000000..d209ba3aa8
--- /dev/null
+++ b/helm/config-server/templates/config-pv.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.spring_profiles.enabled }}
+ {{- if or .Values.localRepo.enabled (include "config-server.hasNative" . | eq "true") }}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: {{ .Values.volume.name }}
+ labels:
+ name: {{ .Values.volume.name }}
+spec:
+ storageClassName: {{ .Values.volume.storageClass }}
+ capacity:
+ storage: {{ .Values.volume.size }}
+ accessModes:
+ {{- range .Values.volume.accessModes }}
+ - {{ . }}
+ {{- end }}
+ nfs:
+ server: {{ .Values.volume.nfs.server }}
+ path: {{ .Values.volume.nfs.path }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/helm/config-server/templates/config-pvc.yaml b/helm/config-server/templates/config-pvc.yaml
new file mode 100644
index 0000000000..b06ab48675
--- /dev/null
+++ b/helm/config-server/templates/config-pvc.yaml
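Review bot: `nfs.server` and `nfs.path` are rendered into the PersistentVolume with no guard, and values.yaml defaults both to `''`, so anyone who enables `localRepo` or a native composite repo without overriding them gets a PV whose NFS source is empty and is rejected at apply time. Using `server: {{ required "volume.nfs.server must be set" .Values.volume.nfs.server }}` (and the same for `path`) fails the render with a clear message instead. A PersistentVolume is also cluster-scoped, so the fixed `name: {{ .Values.volume.name }}` collides if the chart is installed twice in one cluster; the PVC in config-pvc.yaml has the same fixed name within a namespace, so prefixing both with the release fullname would be safer.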
@@ -0,0 +1,21 @@
+{{- if .Values.spring_profiles.enabled }}
+ {{- if or .Values.localRepo.enabled (include "config-server.hasNative" . | eq "true") }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ .Values.volume.name }}
+ namespace: {{ .Release.Namespace | quote }}
+spec:
+ storageClassName: {{ .Values.volume.storageClass }}
+ accessModes:
+ {{- range .Values.volume.accessModes }}
+ - {{ . }}
+ {{- end }}
+ resources:
+ requests:
+ storage: {{ .Values.volume.size }}
+ selector:
+ matchLabels:
+ name: {{ .Values.volume.name }}
+ {{- end }}
+{{- end }}
diff --git a/helm/config-server/templates/configmap-env-vars.yaml b/helm/config-server/templates/configmap-env-vars.yaml
new file mode 100644
index 0000000000..e77e702f08
--- /dev/null
+++ b/helm/config-server/templates/configmap-env-vars.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-env-vars" (include "config-server.fullname" .) }}
+ namespace: {{ .Release.Namespace }}
+data:
+ SPRING_CLOUD_CONFIG_SERVER_GIT_SEARCHPATHS: {{ .Values.gitRepo.searchFolders | quote }}
+ {{- if .Values.spring_profiles.enabled }}
+ {{- range $index, $repo := .Values.spring_profiles.spring_compositeRepos }}
+ SPRING_CLOUD_CONFIG_SERVER_COMPOSITE_{{ $index }}_URI: "{{ $repo.uri }}"
+ {{- end }}
+ {{- else if .Values.localRepo.enabled }}
+ SPRING_CLOUD_CONFIG_SERVER_GIT_URI: {{ .Values.volume.mountDir | quote }}
+
+ {{- else }}
+ SPRING_CLOUD_CONFIG_SERVER_GIT_URI: {{ .Values.gitRepo.uri | quote }}
+ {{- end }}
+ SPRING_CLOUD_CONFIG_SERVER_GIT_USERNAME: {{ .Values.gitRepo.username | quote }}
diff --git a/helm/config-server/templates/configmap-share.yaml b/helm/config-server/templates/configmap-share.yaml
new file mode 100644
index 0000000000..08be86692a
--- /dev/null
+++ b/helm/config-server/templates/configmap-share.yaml
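Review bot: `SPRING_CLOUD_CONFIG_SERVER_GIT_USERNAME` is written unconditionally from `gitRepo.username`, while `gitRepo.private` (declared in values.yaml with default `false`) is never consulted here, so the public-repo case still ships a username and deployment.yaml still wires `github-token` into `SPRING_CLOUD_CONFIG_SERVER_GIT_PASSWORD`; wrapping both in `{{- if .Values.gitRepo.private }}` keeps credential wiring off the public path. The composite `_URI` keys are emitted here and again as explicit `env` entries in deployment.yaml, and since `env` takes precedence over `envFrom`, the ConfigMap copy is never observed and could be dropped. The `localRepo.enabled` branch sets `SPRING_CLOUD_CONFIG_SERVER_GIT_URI` to `volume.mountDir`, which looks intended for the native backend rather than git; worth confirming before it ships.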
@@ -0,0 +1,16 @@
+## The config map here defines env variables that are required by
+## other modules
+## sprint_config_url_env: Internal url of config server. Since config server is in its own namespace
+## full service url is given to access the same.
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ printf "%s-share" (include "config-server.fullname" .) }}
+ namespace: {{ .Release.Namespace }}
+data:
+ active_profile_env : {{ .Values.activeProfileEnv }}
+ spring_config_label_env: {{ .Values.gitRepo.version }}
+ spring_config_url_env: {{ printf "http://%s.%s/config" (include "config-server.fullname" .) .Release.Namespace }}
+ cache_config_url_env: {{ printf "http://%s.%s/config/*/%s/%s/hazelcast_cache.xml" (include "config-server.fullname" .) .Release.Namespace .Values.activeProfileEnv .Values.gitRepo.version }}
+ hub_config_file_url_env: {{ printf "http://%s.%s/config/*/%s/%s/websub-service.toml" (include "config-server.fullname" .) .Release.Namespace .Values.activeProfileEnv .Values.gitRepo.version }}
+ consolidator_config_file_url_env: {{ printf "http://%s.%s/config/*/%s/%s/websub-consolidator.toml" (include "config-server.fullname" .) .Release.Namespace .Values.activeProfileEnv .Values.gitRepo.version }}
diff --git a/helm/config-server/templates/deployment.yaml b/helm/config-server/templates/deployment.yaml
new file mode 100644
index 0000000000..00045c3696
--- /dev/null
+++ b/helm/config-server/templates/deployment.yaml
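Review bot: `.Values.activeProfileEnv` drives `active_profile_env` and a path segment in three URLs, but it is not declared in the part of values.yaml visible in this diff (the values hunk continues beyond what is shown), and an unset value renders silently as an empty string, giving consumers URLs like `/config/*//develop/hazelcast_cache.xml`. `active_profile_env : {{ required "activeProfileEnv must be set" .Values.activeProfileEnv }}` turns that into a render-time error; if the value is declared further down, a comment here naming the default would still help readers of this file. The `printf` results are plain scalars containing `*` and `:`; quoting them with `| quote` avoids depending on YAML's plain-scalar rules for these values.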
@@ -0,0 +1,146 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "config-server.fullname" . }}
+ labels:
+ {{- include "config-server.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "config-server.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "config-server.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "config-server.serviceAccountName" . }}
+ {{- if .Values.podSecurityContext.enabled }}
+ securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ {{- if .Values.spring_profiles.enabled }}
+ - name: SPRING_PROFILES_ACTIVE
+ value: "{{ .Values.spring_profiles.spring_profiles_active }}"
+ {{- range $index, $repo := .Values.spring_profiles.spring_compositeRepos }}
+ - name: SPRING_CLOUD_CONFIG_SERVER_COMPOSITE_{{ $index }}_URI
+ value: "{{ $repo.uri }}"
+ - name: SPRING_CLOUD_CONFIG_SERVER_COMPOSITE_{{ $index }}_TYPE
+ value: "{{ $repo.type }}"
+ - name: SPRING_CLOUD_CONFIG_SERVER_COMPOSITE_{{ $index }}_DEFAULT_LABEL
+ value: "{{ $repo.version }}"
+ - name: SPRING_CLOUD_CONFIG_SERVER_COMPOSITE_{{ $index }}_CLONE_ON_START
+ value: "{{ $repo.spring_cloud_config_server_git_cloneOnStart }}"
+ - name: SPRING_CLOUD_CONFIG_SERVER_COMPOSITE_{{ $index }}_FORCE_PULL
+ value: "{{ $repo.spring_cloud_config_server_git_force_pull }}"
+ - name: SPRING_CLOUD_CONFIG_SERVER_COMPOSITE_{{ $index }}_REFRESH_RATE
+ value: "{{ $repo.spring_cloud_config_server_git_refreshRate }}"
+ {{- end }}
+ - name: SPRING_CLOUD_CONFIG_SERVER_FAILONCOMPOSITEERROR
+ value: "{{ .Values.spring_profiles.spring_fail_on_composite_error }}"
+ {{- end }}
+ {{- if .Values.localRepo.enabled }}
+ - name: spring_cloud_config_server_native_search-locations
+ value: {{ .Values.localRepo.spring_cloud_config_server_native_search_locations | quote }}
+ - name: spring_cloud_config_server_accept-empty
+ value: {{ .Values.localRepo.spring_cloud_config_server_accept_empty | quote }}
+ - name: spring_cloud_config_server_git_force-pull
+ value: {{ .Values.localRepo.spring_cloud_config_server_git_force_pull | quote }}
+ - name: spring_cloud_config_server_git_refreshRate
+ value: {{ .Values.localRepo.spring_cloud_config_server_git_refreshRate | quote }}
+ - name: spring_cloud_config_server_git_cloneOnStart
+ value: {{ .Values.localRepo.spring_cloud_config_server_git_cloneOnStart | quote }}
+ {{- end }}
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_GIT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "config-server.fullname" . }}
+ key: github-token
+ {{- range .Values.envVariables }}
+ {{- if .enabled }}
+ - name: {{ .name }}
+ valueFrom:
+ {{- if .valueFrom.configMapKeyRef }}
+ configMapKeyRef:
+ name: {{ .valueFrom.configMapKeyRef.name }}
+ key: {{ .valueFrom.configMapKeyRef.key }}
+ {{- else if .valueFrom.secretKeyRef }}
+ secretKeyRef:
+ name: {{ .valueFrom.secretKeyRef.name }}
+ key: {{ .valueFrom.secretKeyRef.key }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+
+
+ {{- if .Values.extraEnvVars }}
+ {{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
+ {{- end }}
+ envFrom:
+ - configMapRef:
+ name: {{ printf "%s-env-vars" (include "config-server.fullname" .) }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.springServicePort }}
+ protocol: TCP
+ {{- if .Values.startupProbe.enabled }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }}
+ {{- else if .Values.customStartupProbe }}
+ startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.livenessProbe.enabled }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }}
+ {{- else if .Values.customLivenessProbe }}
+ livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
+ {{- end }}
+ {{- if .Values.readinessProbe.enabled }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }}
+ {{- else if .Values.customReadinessProbe }}
+ readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
+ {{- end }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- if .Values.spring_profiles.enabled }}
+ {{- if or .Values.localRepo.enabled (include "config-server.hasNative" . | eq "true") }}
+ volumeMounts:
+ - name: {{ .Values.volume.name }}
+ mountPath: {{ .Values.volume.mountDir }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.spring_profiles.enabled }}
+ {{- if or .Values.localRepo.enabled (include "config-server.hasNative" . | eq "true") }}
+ volumes:
+ - name: {{ .Values.volume.name }}
+ persistentVolumeClaim:
+ claimName: {{ .Values.volume.name }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/helm/config-server/templates/hpa.yaml b/helm/config-server/templates/hpa.yaml
new file mode 100644
index 0000000000..1608d76da0
--- /dev/null
+++ b/helm/config-server/templates/hpa.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "config-server.fullname" . }}
+ labels:
+ {{- include "config-server.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "config-server.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/helm/config-server/templates/ingress.yaml b/helm/config-server/templates/ingress.yaml
new file mode 100644
index 0000000000..e0d9918b67
--- /dev/null
+++ b/helm/config-server/templates/ingress.yaml
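Review bot: The container `securityContext` is rendered straight from `.Values.securityContext`, which values.yaml defaults to `{}`, and the pod-level context is disabled by default, so nothing in the chart enforces the non-root claim made in the values comment; a default of `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` (plus `readOnlyRootFilesystem: true` if the image tolerates it) would make it a property of the deployment rather than of the image. Every enabled `envVariables` entry — Keycloak client secrets, the DB password, HSM PINs, S3 and SMTP credentials — is injected into this one process as `SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_*`, and the probes fetch `/config/application/default` with no credentials, which suggests the server hands those overrides to any client that can reach the Service; that makes Service reachability (NetworkPolicy, ingress left disabled) the only control, and the `env:` block deserves a comment saying so. `volumePermissions` is defined in values.yaml but no `initContainers` here consume it, so it appears to be dead configuration unless another template uses it. The `common.tplvalues.render` includes require the `common` library chart as a dependency, which is not visible in this diff.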
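Review bot: `autoscaling/v2beta1` and its `targetAverageUtilization` field were removed in Kubernetes 1.25, so this HPA fails to apply on current clusters whenever `autoscaling.enabled` is set; `apiVersion: autoscaling/v2` with `target: {type: Utilization, averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}}` is the replacement. The ingress.yaml hunk has the same class of problem with `networking.k8s.io/v1beta1` and the `serviceName`/`servicePort` backend form, both removed in 1.22.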
@@ -0,0 +1,41 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "config-server.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "config-server.labels" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ backend:
+ serviceName: {{ $fullName }}
+ servicePort: {{ $svcPort }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
diff --git a/helm/config-server/templates/secret.yaml b/helm/config-server/templates/secret.yaml
new file mode 100644
index 0000000000..7fcb70c3ea
--- /dev/null
+++ b/helm/config-server/templates/secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "config-server.fullname" . }}
+ labels:
+ {{- include "config-server.labels" . | nindent 4 }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+ github-token: {{ .Values.gitRepo.token | quote }}
diff --git a/helm/config-server/templates/service.yaml b/helm/config-server/templates/service.yaml
new file mode 100644
index 0000000000..023bb27d06
--- /dev/null
+++ b/helm/config-server/templates/service.yaml
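Review bot: `github-token` is placed under `data:` with only `| quote`, but `data` values must be base64-encoded, so any real token in `gitRepo.token` is rejected by the API server (the default `""` happens to decode cleanly, which hides the bug until a private repo is configured). Either emit `github-token: {{ .Values.gitRepo.token | b64enc | quote }}` or switch the block to `stringData:`. The Secret is also created unconditionally and deployment.yaml references it even for public repos; gating it on `gitRepo.private` avoids carrying an empty credential object, and the token itself belongs in a values file or `--set-file` kept out of version control rather than in values.yaml.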
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "config-server.fullname" . }}
+ labels:
+ {{- include "config-server.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: {{ .Values.springServicePort }}
+ protocol: TCP
+ selector:
+ {{- include "config-server.selectorLabels" . | nindent 4 }}
diff --git a/helm/config-server/templates/serviceaccount.yaml b/helm/config-server/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..9132e783a5
--- /dev/null
+++ b/helm/config-server/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "config-server.serviceAccountName" . }}
+ labels:
+ {{- include "config-server.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/config-server/templates/tests/test-connection.yaml b/helm/config-server/templates/tests/test-connection.yaml
new file mode 100644
index 0000000000..4a66ce9180
--- /dev/null
+++ b/helm/config-server/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "config-server.fullname" . }}-test-connection"
+ labels:
+ {{- include "config-server.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "config-server.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
diff --git a/helm/config-server/values.yaml b/helm/config-server/values.yaml
new file mode 100644
index 0000000000..6b0aeadd75
--- /dev/null
+++ b/helm/config-server/values.yaml
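Review bot: The ServiceAccount is created with the default `automountServiceAccountToken`, so its token is mounted into the config-server pod although no template in this diff grants it RBAC or shows the server calling the Kubernetes API; adding `automountServiceAccountToken: false` under `metadata:`'s sibling top level of the ServiceAccount (or on the pod spec in deployment.yaml) removes a credential the process does not need. If a consumer of this chart does rely on API access, a values toggle such as `serviceAccount.automountToken` is the place to expose that.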
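Review bot: The test hook runs `wget` against the Service root, but the only path this chart treats as a health endpoint is `/config/application/default` (the probes in values.yaml), so if the server answers `/` with a non-2xx status busybox wget exits non-zero and `helm test` fails on a healthy release. Pointing the args at the same path the probes use, `args: ['{{ include "config-server.fullname" . }}:{{ .Values.service.port }}/config/application/default']`, keeps the test and the probes in agreement; whether `/` is served is not visible from this diff.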
@@ -0,0 +1,790 @@ +# Default values for config-server. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: mosipdev/kernel-config-server + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: develop + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +## Port on which this particular spring service module is running. +springServicePort: 51000 + +## Configure extra options for startup, liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## +startupProbe: + enabled: true + httpGet: + path: "/config/application/default" + port: 51000 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 60 + successThreshold: 1 + +livenessProbe: + enabled: true + httpGet: + path: "/config/application/default" + port: 51000 + initialDelaySeconds: 20 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +readinessProbe: + enabled: true + httpGet: + path: "/config/application/default" + port: 51000 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + +podAnnotations: {} + +## Config server docker runs as non-root user by default, so enabling the below may not be required. +podSecurityContext: + enabled: false + runAsUser: 1001 + runAsGroup: 2001 + fsGroup: 3001 + +## Config server docker runs as non-root user by default, so enabling the below may not be required. 
+securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 80 + +ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: [] + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: + cpu: 200m + memory: 1500Mi + requests: + cpu: 50m + memory: 500Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +## Git repository from where config server will read the properties etc. This repo could public or private +## For private repos access token is required. +## version: branch/tag of the repo to be used +gitRepo: + uri: https://github.com/mosip/mosip-config + version: develop + ## Folders within the base repo where properties may be found. + searchFolders: "" + private: false + ## User name of user who has access to the private repo. Ignore for public repo + username: "" + token: "" + +spring_profiles: + enabled: false + spring_profiles_active: composite + spring_compositeRepos: + # Based on the user requiremnt the number of multiple sources from where configuration needs to be pulled can be updated below as mentioned. 
+ - type: git + uri: "< config-repo url >" + version: < branch-name > + spring_cloud_config_server_git_cloneOnStart: true + spring_cloud_config_server_git_force_pull: true + spring_cloud_config_server_git_refreshRate: 5 + - type: git + uri: "< config-repo url >" + version: < branch-name > + spring_cloud_config_server_git_cloneOnStart: true + spring_cloud_config_server_git_force_pull: true + spring_cloud_config_server_git_refreshRate: 5 + spring_fail_on_composite_error: false + +localRepo: + enabled: false + spring_profiles_active: "native" + spring_cloud_config_server_native_search_locations: "file:///var/lib/config_repo" + spring_cloud_config_server_accept_empty: true + spring_cloud_config_server_git_force_pull: false + spring_cloud_config_server_git_refreshRate: 0 + spring_cloud_config_server_git_cloneOnStart: false + +volume: + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack). + ## + # storageClass: "-" + ## + ## If you want to reuse an existing claim, you can pass the name of the PVC using + ## the existingClaim variable + # existingClaim: your-claim + ## ReadWriteMany not supported by AWS gp2 + name: config-server + storageClass: nfs-client + accessModes: + - ReadWriteMany + size: 10Mi + existingClaim: + # Dir where config and keys are written inside container + mountDir: '/var/lib/config_repo' + nfs: + path: '' # Dir within the nfs server where config repo is cloned/maintained locally. + server: '' # Ip address of nfs server. + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. 
+## +volumePermissions: + enabled: true + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: "10" + pullPolicy: Always + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + pullSecrets: [] + ## - myRegistryKeySecretName + ## Init containers' resource requests and limits + ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## + limits: {} + ## cpu: 100m + ## memory: 128Mi + ## + requests: {} + ## cpu: 100m + ## memory: 128Mi + ## + +# All env variables that are accessed from mosip config properties +envVariables: + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_API_PUBLIC_HOST + valueFrom: + configMapKeyRef: + name: global + key: mosip-api-host + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_API_INTERNAL_HOST + valueFrom: + configMapKeyRef: + name: global + key: mosip-api-internal-host + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_ADMIN_HOST + valueFrom: + configMapKeyRef: + name: global + key: mosip-admin-host + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_PREREG_HOST + valueFrom: + configMapKeyRef: + name: global + key: mosip-prereg-host + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_RESIDENT_HOST + valueFrom: + configMapKeyRef: + name: global + key: mosip-resident-host + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_PMP_HOST + valueFrom: + configMapKeyRef: + name: global + 
key: mosip-pmp-host + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_COMPLIANCE_HOST + valueFrom: + configMapKeyRef: + name: global + key: mosip-compliance-host + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_ESIGNET_HOST + valueFrom: + configMapKeyRef: + name: global + key: mosip-esignet-host + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_DB_DBUSER_PASSWORD + valueFrom: + secretKeyRef: + name: db-common-secrets + key: db-dbuser-password + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_KEYCLOAK_INTERNAL_URL + valueFrom: + configMapKeyRef: + name: keycloak-host + key: keycloak-internal-url + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_KEYCLOAK_EXTERNAL_URL + valueFrom: + configMapKeyRef: + name: keycloak-host + key: keycloak-external-url + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_KEYCLOAK_INTERNAL_HOST + valueFrom: + configMapKeyRef: + name: keycloak-host + key: keycloak-internal-host + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_KEYCLOAK_EXTERNAL_HOST + valueFrom: + configMapKeyRef: + name: keycloak-host + key: keycloak-external-host + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_ABIS_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets + key: mosip_abis_client_secret + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_SYNCDATA_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets + key: mosip_syncdata_client_secret + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_CRESER_IDPASS_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets + key: mosip_creser_idpass_client_secret + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MPARTNER_DEFAULT_AUTH_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets + key: mpartner_default_auth_secret + enabled: true + + - name: 
SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_IDREPO_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets + key: mosip_idrepo_client_secret + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MPARTNER_DEFAULT_PRINT_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets + key: mpartner_default_print_secret + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MPARTNER_DEFAULT_DIGITALCARD_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets + key: mpartner_default_digitalcard_secret + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_ADMIN_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets + key: mosip_admin_client_secret + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_AUTH_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets + key: mosip_auth_client_secret + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_CREREQ_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets + key: mosip_crereq_client_secret + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_CRESER_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets + key: mosip_creser_client_secret + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_DATSHA_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets + key: mosip_datsha_client_secret + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_IDA_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets + key: mosip_ida_client_secret + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_MISP_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets + key: mosip_misp_client_secret + enabled: true + + - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_PMS_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: keycloak-client-secrets 
+ key: mosip_pms_client_secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_POLICYMANAGER_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-client-secrets
+ key: mosip_policymanager_client_secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_REG_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-client-secrets
+ key: mosip_reg_client_secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_REGPROC_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-client-secrets
+ key: mosip_regproc_client_secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_RESIDENT_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-client-secrets
+ key: mosip_resident_client_secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_PREREG_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-client-secrets
+ key: mosip_prereg_client_secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_HOTLIST_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-client-secrets
+ key: mosip_hotlist_client_secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_DIGITALCARD_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-client-secrets
+ key: mosip_digitalcard_client_secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_KEYCLOAK_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: keycloak
+ key: admin-password
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_SOFTHSM_KERNEL_SECURITY_PIN
+ valueFrom:
+ secretKeyRef:
+ name: softhsm-kernel
+ key: security-pin
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_SOFTHSM_IDA_SECURITY_PIN
+ valueFrom:
+ secretKeyRef:
+ name: softhsm-ida
+ key: security-pin
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_ACTIVEMQ_HOST
+ valueFrom:
+ configMapKeyRef:
+ name: activemq-activemq-artemis-share
+ key: activemq-host
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_ACTIVEMQ_CORE_PORT
+ valueFrom:
+ configMapKeyRef:
+ name: activemq-activemq-artemis-share
+ key: activemq-core-port
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_ACTIVEMQ_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: activemq-activemq-artemis
+ key: artemis-password
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_IDA_WEBSUB_AUTHTYPE_CALLBACK_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: ida-websub-authtype-callback-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_IDA_WEBSUB_CREDENTIAL_ISSUE_CALLBACK_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: ida-websub-credential-issue-callback-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_IDA_WEBSUB_PARTNER_SERVICE_CALLBACK_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: ida-websub-partner-service-callback-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_IDA_WEBSUB_CA_CERTIFICATE_CALLBACK_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: ida-websub-ca-certificate-callback-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_IDA_WEBSUB_HOTLIST_CALLBACK_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: ida-websub-hotlist-callback-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_IDA_WEBSUB_MASTERDATA_TEMPLATES_CALLBACK_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: ida-websub-masterdata-templates-callback-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_IDA_WEBSUB_MASTERDATA_TITLES_CALLBACK_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: ida-websub-masterdata-titles-callback-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_IDREPO_WEBSUB_VID_CREDENTIAL_UPDATE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: idrepo-websub-vid-credential-update-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_RESIDENT_WEBSUB_CREDENTIAL_STATUS_UPDATE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: resident-websub-credential-status-update-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_KERNEL_TOKENID_UIN_SALT
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: mosip-kernel-tokenid-uin-salt
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_KERNEL_TOKENID_PARTNERCODE_SALT
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: mosip-kernel-tokenid-partnercode-salt
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_PRINT_WEBSUB_HUB_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: print-websub-hub-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_HUB_SECRET_ENCRYPTION_KEY
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: hub-secret-encryption-key
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_S3_ACCESSKEY
+ valueFrom:
+ configMapKeyRef:
+ name: s3
+ key: s3-user-key
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_S3_REGION
+ valueFrom:
+ configMapKeyRef:
+ name: s3
+ key: s3-region
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_S3_SECRETKEY
+ valueFrom:
+ secretKeyRef:
+ name: s3
+ key: s3-user-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_SMTP_HOST
+ valueFrom:
+ configMapKeyRef:
+ name: msg-gateway
+ key: smtp-host
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_SMS_HOST
+ valueFrom:
+ configMapKeyRef:
+ name: msg-gateway
+ key: sms-host
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_SMTP_PORT
+ valueFrom:
+ configMapKeyRef:
+ name: msg-gateway
+ key: smtp-port
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_SMS_PORT
+ valueFrom:
+ configMapKeyRef:
+ name: msg-gateway
+ key: sms-port
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_SMTP_USERNAME
+ valueFrom:
+ configMapKeyRef:
+ name: msg-gateway
+ key: smtp-username
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_SMS_USERNAME
+ valueFrom:
+ configMapKeyRef:
+ name: msg-gateway
+ key: sms-username
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_SMTP_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: msg-gateway
+ key: smtp-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_SMS_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: msg-gateway
+ key: sms-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_SMS_AUTHKEY
+ valueFrom:
+ secretKeyRef:
+ name: msg-gateway
+ key: sms-authkey
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_PREREG_CAPTCHA_SITE_KEY
+ valueFrom:
+ secretKeyRef:
+ name: mosip-captcha
+ key: prereg-captcha-site-key
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_PREREG_CAPTCHA_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: mosip-captcha
+ key: prereg-captcha-secret-key
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_RESIDENT_CAPTCHA_SITE_KEY
+ valueFrom:
+ secretKeyRef:
+ name: mosip-captcha
+ key: resident-captcha-site-key
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_RESIDENT_CAPTCHA_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: mosip-captcha
+ key: resident-captcha-secret-key
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_S3_PRETEXT_VALUE
+ valueFrom:
+ secretKeyRef:
+ name: s3
+ key: s3-pretext-value
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MPARTNER_DEFAULT_MOBILE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-client-secrets
+ key: mpartner_default_mobile_secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_RESIDENT_WEBSUB_AUTHTYPE_STATUS_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: resident-websub-authtype-status-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_RESIDENT_WEBSUB_AUTH_TRANSACTION_STATUS_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: resident-websub-auth-transaction-status-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_IDA_KYC_TOKEN_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: mosip-ida-kyc-token-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_RESIDENT_WEBSUB_REGPROC_WORKFLOW_COMPLETE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: resident-websub-regproc-workflow-complete-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_IDREPO_WEBSUB_REMOVE_ID_STATUS_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: idrepo-websub-remove-id-status-secret
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_PARTNER_CRYPTO_P12_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: mosip-partner-crypto-p12-password
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MOSIP_RESIDENT_REQUEST_CREDENTIAL_ENCRYPTION_KEY
+ valueFrom:
+ secretKeyRef:
+ name: conf-secrets-various
+ key: mosip-resident-request-credential-encryption-key
+ enabled: true
+
+ - name: SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_MPARTNER_DEFAULT_TEMPLATE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: keycloak-client-secrets
+ key: mpartner_default_template_secret
+ enabled: true
+
+
+## The active profile env if you have another set of properties. Correspondingly, properties in Git repo will
+## have names of type "*-default.properties"
+activeProfileEnv: default