diff --git a/deploy/ida-apitestrig/install.sh b/deploy/ida-apitestrig/install.sh index ee1b41b183..b4ef4ebe8c 100755 --- a/deploy/ida-apitestrig/install.sh +++ b/deploy/ida-apitestrig/install.sh @@ -7,7 +7,7 @@ if [ $# -ge 1 ] ; then fi NS=ida -CHART_VERSION=0.0.1-develop +CHART_VERSION=1.3.0-beta.1-develop COPY_UTIL=../copy_cm_func.sh echo Create $NS namespace diff --git a/deploy/ida/install.sh b/deploy/ida/install.sh index b85e80e2d0..15b615afb1 100755 --- a/deploy/ida/install.sh +++ b/deploy/ida/install.sh @@ -7,7 +7,7 @@ if [ $# -ge 1 ] ; then fi NS=ida -CHART_VERSION=0.0.1-develop +CHART_VERSION=1.3.0-beta.1-develop COPY_UTIL=../copy_cm_func.sh echo Create $NS namespace diff --git a/helm/ida-auth/Chart.yaml b/helm/ida-auth/Chart.yaml index 601877c656..2c092efa99 100644 --- a/helm/ida-auth/Chart.yaml +++ b/helm/ida-auth/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: ida-auth description: A Helm chart for MOSIP IDA module type: application -version: 0.0.1-develop +version: 1.3.0-beta.1-develop appVersion: "" dependencies: - name: common diff --git a/helm/ida-auth/values.yaml b/helm/ida-auth/values.yaml index 1264991e59..2be32187df 100644 --- a/helm/ida-auth/values.yaml +++ b/helm/ida-auth/values.yaml @@ -12,23 +12,18 @@ ## commonLabels: app.kubernetes.io/component: mosip - ## Add annotations to all the deployed resources ## commonAnnotations: {} - ## Kubernetes Cluster Domain ## clusterDomain: cluster.local - ## Extra objects to deploy (value evaluated as a template) ## extraDeploy: [] - ## Number of nodes ## replicaCount: 1 - service: type: ClusterIP port: 80 
@@ -49,11 +44,10 @@ service: ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip ## externalTrafficPolicy: Cluster - image: registry: docker.io repository: mosipqa/authentication-service - tag: develop + tag: 1.3.x ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images @@ -65,10 +59,8 @@ image: ## # pullSecrets: # - myRegistryKeySecretName - ## Port on which this particular spring service module is running. springServicePort: 8090 - ## Configure extra options for liveness and readiness probes ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @@ -82,7 +74,6 @@ startupProbe: timeoutSeconds: 5 failureThreshold: 30 successThreshold: 1 - livenessProbe: enabled: true httpGet: @@ -93,7 +84,6 @@ livenessProbe: timeoutSeconds: 5 failureThreshold: 6 successThreshold: 1 - readinessProbe: enabled: true httpGet: @@ -104,7 +94,6 @@ readinessProbe: timeoutSeconds: 5 failureThreshold: 6 successThreshold: 1 - ## # existingConfigmap: @@ -112,12 +101,10 @@ readinessProbe: ## command: [] args: [] - ## Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## hostAliases: [] - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## resources: 
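Review bot: The new `tag: 1.3.x` under `image:` is a floating tag that the registry can re-point at any time, so two installs of this 1.3.0-beta.1-develop chart may pull different image contents, and the repository is still the `mosipqa` QA namespace. For a release-numbered chart, pin an immutable tag (and ideally a digest) so the deployed image is reproducible and auditable, e.g. `tag: "<immutable-1.3-release-tag>"` with `## pinned for chart 1.3.0-beta.1-develop; bump deliberately` above it. The same `develop` → `1.3.x` change is made in helm/ida-internal/values.yaml and helm/ida-otp/values.yaml and should be treated the same way.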
@@ -131,37 +118,31 @@ resources: requests: cpu: 100m memory: 1000Mi - additionalResources: ## Specify any JAVA_OPTS string here. These typically will be specified in conjunction with above resources ## Example: java_opts: "-Xms500M -Xmx500M" javaOpts: "-Xms2000M -Xmx2000M" - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## Clamav container already runs as 'mosip' user, so we may not need to enable this containerSecurityContext: enabled: false runAsUser: mosip runAsNonRoot: true - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## podSecurityContext: enabled: false fsGroup: 1001 - ## Pod affinity preset ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## Allowed values: soft, hard ## podAffinityPreset: "" - ## Pod anti-affinity preset ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## Allowed values: soft, hard ## podAntiAffinityPreset: soft - ## Node affinity preset ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity ## Allowed values: soft, hard 
@@ -183,32 +164,26 @@ nodeAffinityPreset: ## - e2e-az2 ## values: [] - ## Affinity for pod assignment. Evaluated as a template. ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity ## affinity: {} - ## Node labels for pod assignment. Evaluated as a template. ## ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} - ## Tolerations for pod assignment. Evaluated as a template. ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ## tolerations: [] - ## Pod extra labels ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ ## podLabels: {} - ## Annotations for server pods. ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} - ## pods' priority. ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ ## @@ -217,15 +192,12 @@ podAnnotations: {} ## lifecycleHooks for the container to automate configuration before or after startup. ## lifecycleHooks: {} - ## Custom Liveness probes for ## customLivenessProbe: {} - ## Custom Rediness probes ## customReadinessProbe: {} - ## Update strategy - only really applicable for deployments with RWO PVs attached ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will @@ -233,7 +205,6 @@ customReadinessProbe: {} ## updateStrategy: type: RollingUpdate - ## Additional environment variables to set ## Example: ## extraEnvVars: @@ -241,7 +212,6 @@ updateStrategy: ## value: "bar" ## extraEnvVars: [] - ## ConfigMap with extra environment variables that used ## extraEnvVarsCM: 
@@ -249,19 +219,15 @@ extraEnvVarsCM: - config-server-share - artifactory-share - softhsm-ida-share - ## Secret with extra environment variables ## extraEnvVarsSecret: [] - ## Extra volumes to add to the deployment ## extraVolumes: [] - ## Extra volume mounts to add to the container ## extraVolumeMounts: [] - ## Add init containers to the pods. ## Example: ## initContainers: 
@@ -276,17 +242,7 @@ initContainers: - command: - /bin/bash - -c - - if [ "$ENABLE_INSECURE" = "true" ]; then HOST=$( env | grep "mosip-api-internal-host" - |sed "s/mosip-api-internal-host=//g"); if [ -z "$HOST" ]; then echo "HOST - $HOST is empty; EXITING"; exit 1; fi; openssl s_client -servername "$HOST" - -connect "$HOST":443 > "$HOST.cer" 2>/dev/null & sleep 2 ; sed -i -ne '/-BEGIN - CERTIFICATE-/,/-END CERTIFICATE-/p' "$HOST.cer"; cat "$HOST.cer"; /usr/local/openjdk-11/bin/keytool - -delete -alias "$HOST" -keystore $JAVA_HOME/lib/security/cacerts -storepass - changeit; /usr/local/openjdk-11/bin/keytool -trustcacerts -keystore "$JAVA_HOME/lib/security/cacerts" - -storepass changeit -noprompt -importcert -alias "$HOST" -file "$HOST.cer" - ; if [ $? -gt 0 ]; then echo "Failed to add SSL certificate for host $host; - EXITING"; exit 1; fi; cp /usr/local/openjdk-11/lib/security/cacerts /cacerts; - fi + - if [ "$ENABLE_INSECURE" = "true" ]; then HOST=$( env | grep "mosip-api-internal-host" |sed "s/mosip-api-internal-host=//g"); if [ -z "$HOST" ]; then echo "HOST $HOST is empty; EXITING"; exit 1; fi; openssl s_client -servername "$HOST" -connect "$HOST":443 > "$HOST.cer" 2>/dev/null & sleep 2 ; sed -i -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$HOST.cer"; cat "$HOST.cer"; /usr/local/openjdk-11/bin/keytool -delete -alias "$HOST" -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit; /usr/local/openjdk-11/bin/keytool -trustcacerts -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit -noprompt -importcert -alias "$HOST" -file "$HOST.cer" ; if [ $? -gt 0 ]; then echo "Failed to add SSL certificate for host $host; EXITING"; exit 1; fi; cp /usr/local/openjdk-11/lib/security/cacerts /cacerts; fi env: - name: ENABLE_INSECURE value: "true" @@ -304,7 +260,6 @@ initContainers: volumeMounts: - mountPath: /cacerts name: cacerts - ## Add sidecars to the pods. ## Example: ## sidecars: 
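Review bot: The re-flowed single-line command still interpolates `$host` in its failure message (`echo "Failed to add SSL certificate for host $host; EXITING"`) while every other reference uses `$HOST`, so a failed keytool import logs an empty host name; change it to `$HOST`. While the line is being touched, `openssl s_client ... > "$HOST.cer" 2>/dev/null & sleep 2` races the backgrounded fetch against a fixed two-second wait before `sed -i` rewrites the file; feeding s_client `</dev/null` in the foreground instead of backgrounding it removes that race. Because this runs whenever `ENABLE_INSECURE` is `"true"` (set unconditionally in the `env:` below), the container trusts whatever certificate the endpoint presents at startup without verification, which deserves a comment above the entry such as `## Dev/QA only: imports the live TLS cert of mosip-api-internal-host into the JVM truststore without verification`. The container entry (its name and image) starts above this hunk, and the identical command appears in helm/ida-internal/values.yaml and helm/ida-otp/values.yaml.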
@@ -316,7 +271,6 @@ initContainers: ## containerPort: 1234 ## sidecars: {} - persistence: enabled: false ## If defined, storageClassName: @@ -341,7 +295,6 @@ persistence: mountDir: /home/mosip/config/ volume_name: config # pvc_claim_name: pkcs12-keys.p12 - ## Init containers parameters: ## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. ## @@ -375,12 +328,10 @@ volumePermissions: ## cpu: 100m ## memory: 128Mi ## - ## Specifies whether RBAC resources should be created ## rbac: create: true - ## Specifies whether a ServiceAccount should be created ## serviceAccount: @@ -389,7 +340,6 @@ serviceAccount: ## If not set and create is true, a name is generated using the fullname template ## name: - ## Prometheus Metrics ## metrics: @@ -399,7 +349,6 @@ metrics: ## podAnnotations: prometheus.io/scrape: "true" - endpointPath: /idauthentication/v1/actuator/prometheus ## Prometheus Service Monitor ## ref: https://github.com/coreos/prometheus-operator @@ -427,7 +376,6 @@ metrics: ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec ## additionalLabels: {} - ## Custom PrometheusRule to be defined ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions @@ -445,7 +393,6 @@ metrics: # labels: # severity: error rules: [] - ## IDA Auth needs both internal & external access. istio: enabled: true @@ -467,8 +414,6 @@ istio: prefix: /idauthentication/v1/identity-key-binding - uri: prefix: /idauthentication/v1/vci-exchange - enable_insecure: false - springConfigNameEnv: activeProfileEnv: diff --git a/helm/ida-internal/Chart.yaml b/helm/ida-internal/Chart.yaml index ec14128514..1706e9b442 100644 --- a/helm/ida-internal/Chart.yaml +++ b/helm/ida-internal/Chart.yaml 
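Review bot: The last hunk drops the top-level `enable_insecure: false` key, but the init container earlier in this file still hardcodes `ENABLE_INSECURE` to `"true"`, so the certificate-import path is now always on with no values-level switch left to turn it off. If any template still reads `.Values.enable_insecure` it now renders empty (cannot confirm from this diff); either way, keeping the key and deriving the init container's env value from it, for example `value: "{{ .Values.enable_insecure }}"` if `initContainers` is rendered through `tpl`, would keep the behaviour configurable and default-off. The same removal is made in helm/ida-internal/values.yaml and helm/ida-otp/values.yaml.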
@@ -2,7 +2,7 @@ apiVersion: v2 name: ida-internal description: A Helm chart for MOSIP IDA module type: application -version: 0.0.1-develop +version: 1.3.0-beta.1-develop appVersion: "" dependencies: - name: common diff --git a/helm/ida-internal/values.yaml b/helm/ida-internal/values.yaml index e0bc1158ba..17d39aeacf 100644 --- a/helm/ida-internal/values.yaml +++ b/helm/ida-internal/values.yaml @@ -12,23 +12,18 @@ ## commonLabels: app.kubernetes.io/component: mosip - ## Add annotations to all the deployed resources ## commonAnnotations: {} - ## Kubernetes Cluster Domain ## clusterDomain: cluster.local - ## Extra objects to deploy (value evaluated as a template) ## extraDeploy: [] - ## Number of nodes ## replicaCount: 1 - service: type: ClusterIP port: 80 @@ -49,11 +44,10 @@ service: ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip ## externalTrafficPolicy: Cluster - image: registry: docker.io repository: mosipqa/authentication-internal-service - tag: develop + tag: 1.3.x ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images @@ -65,10 +59,8 @@ image: ## # pullSecrets: # - myRegistryKeySecretName - ## Port on which this particular spring service module is running. springServicePort: 8093 - ## Configure extra options for liveness and readiness probes ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @@ -82,7 +74,6 @@ startupProbe: timeoutSeconds: 5 failureThreshold: 30 successThreshold: 1 - livenessProbe: enabled: true httpGet: @@ -93,7 +84,6 @@ livenessProbe: timeoutSeconds: 5 failureThreshold: 6 successThreshold: 1 - readinessProbe: enabled: true httpGet: @@ -104,7 +94,6 @@ readinessProbe: timeoutSeconds: 5 failureThreshold: 6 successThreshold: 1 - ## # existingConfigmap: 
@@ -112,12 +101,10 @@ readinessProbe: ## command: [] args: [] - ## Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## hostAliases: [] - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## resources: @@ -131,37 +118,31 @@ resources: requests: cpu: 100m memory: 1500Mi - additionalResources: ## Specify any JAVA_OPTS string here. These typically will be specified in conjunction with above resources ## Example: java_opts: "-Xms500M -Xmx500M" javaOpts: "-Xms2000M -Xmx2000M" - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## Clamav container already runs as 'mosip' user, so we may not need to enable this containerSecurityContext: enabled: false runAsUser: mosip runAsNonRoot: true - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## podSecurityContext: enabled: false fsGroup: 1001 - ## Pod affinity preset ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## Allowed values: soft, hard ## podAffinityPreset: "" - ## Pod anti-affinity preset ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## Allowed values: soft, hard ## podAntiAffinityPreset: soft - ## Node affinity preset ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity ## Allowed values: soft, hard 
@@ -183,32 +164,26 @@ nodeAffinityPreset: ## - e2e-az2 ## values: [] - ## Affinity for pod assignment. Evaluated as a template. ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity ## affinity: {} - ## Node labels for pod assignment. Evaluated as a template. ## ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} - ## Tolerations for pod assignment. Evaluated as a template. ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ## tolerations: [] - ## Pod extra labels ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ ## podLabels: {} - ## Annotations for server pods. ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} - ## pods' priority. ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ ## @@ -217,15 +192,12 @@ podAnnotations: {} ## lifecycleHooks for the container to automate configuration before or after startup. ## lifecycleHooks: {} - ## Custom Liveness probes for ## customLivenessProbe: {} - ## Custom Rediness probes ## customReadinessProbe: {} - ## Update strategy - only really applicable for deployments with RWO PVs attached ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will @@ -233,7 +205,6 @@ customReadinessProbe: {} ## updateStrategy: type: RollingUpdate - ## Additional environment variables to set ## Example: ## extraEnvVars: @@ -241,7 +212,6 @@ updateStrategy: ## value: "bar" ## extraEnvVars: [] - ## ConfigMap with extra environment variables that used ## extraEnvVarsCM: 
@@ -249,19 +219,15 @@ extraEnvVarsCM: - config-server-share - artifactory-share - softhsm-ida-share - ## Secret with extra environment variables ## extraEnvVarsSecret: [] - ## Extra volumes to add to the deployment ## extraVolumes: [] - ## Extra volume mounts to add to the container ## extraVolumeMounts: [] - ## Add init containers to the pods. ## Example: ## initContainers: 
@@ -276,17 +242,7 @@ initContainers: - command: - /bin/bash - -c - - if [ "$ENABLE_INSECURE" = "true" ]; then HOST=$( env | grep "mosip-api-internal-host" - |sed "s/mosip-api-internal-host=//g"); if [ -z "$HOST" ]; then echo "HOST - $HOST is empty; EXITING"; exit 1; fi; openssl s_client -servername "$HOST" - -connect "$HOST":443 > "$HOST.cer" 2>/dev/null & sleep 2 ; sed -i -ne '/-BEGIN - CERTIFICATE-/,/-END CERTIFICATE-/p' "$HOST.cer"; cat "$HOST.cer"; /usr/local/openjdk-11/bin/keytool - -delete -alias "$HOST" -keystore $JAVA_HOME/lib/security/cacerts -storepass - changeit; /usr/local/openjdk-11/bin/keytool -trustcacerts -keystore "$JAVA_HOME/lib/security/cacerts" - -storepass changeit -noprompt -importcert -alias "$HOST" -file "$HOST.cer" - ; if [ $? -gt 0 ]; then echo "Failed to add SSL certificate for host $host; - EXITING"; exit 1; fi; cp /usr/local/openjdk-11/lib/security/cacerts /cacerts; - fi + - if [ "$ENABLE_INSECURE" = "true" ]; then HOST=$( env | grep "mosip-api-internal-host" |sed "s/mosip-api-internal-host=//g"); if [ -z "$HOST" ]; then echo "HOST $HOST is empty; EXITING"; exit 1; fi; openssl s_client -servername "$HOST" -connect "$HOST":443 > "$HOST.cer" 2>/dev/null & sleep 2 ; sed -i -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$HOST.cer"; cat "$HOST.cer"; /usr/local/openjdk-11/bin/keytool -delete -alias "$HOST" -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit; /usr/local/openjdk-11/bin/keytool -trustcacerts -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit -noprompt -importcert -alias "$HOST" -file "$HOST.cer" ; if [ $? -gt 0 ]; then echo "Failed to add SSL certificate for host $host; EXITING"; exit 1; fi; cp /usr/local/openjdk-11/lib/security/cacerts /cacerts; fi env: - name: ENABLE_INSECURE value: "true" @@ -304,7 +260,6 @@ initContainers: volumeMounts: - mountPath: /cacerts name: cacerts - ## Add sidecars to the pods. ## Example: ## sidecars: 
@@ -316,7 +271,6 @@ initContainers: ## containerPort: 1234 ## sidecars: {} - persistence: enabled: false ## If defined, storageClassName: @@ -341,7 +295,6 @@ persistence: mountDir: /home/mosip/config/ volume_name: config # pvc_claim_name: pkcs12-keys.p12 - ## Init containers parameters: ## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. ## @@ -375,12 +328,10 @@ volumePermissions: ## cpu: 100m ## memory: 128Mi ## - ## Specifies whether RBAC resources should be created ## rbac: create: true - ## Specifies whether a ServiceAccount should be created ## serviceAccount: @@ -389,7 +340,6 @@ serviceAccount: ## If not set and create is true, a name is generated using the fullname template ## name: - ## Prometheus Metrics ## metrics: @@ -399,7 +349,6 @@ metrics: ## podAnnotations: prometheus.io/scrape: "true" - endpointPath: /idauthentication/v1/internal/actuator/health ## Prometheus Service Monitor ## ref: https://github.com/coreos/prometheus-operator @@ -427,7 +376,6 @@ metrics: ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec ## additionalLabels: {} - ## Custom PrometheusRule to be defined ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions @@ -445,14 +393,12 @@ metrics: # labels: # severity: error rules: [] - ## Internal access istio: enabled: true gateways: - istio-system/internal prefix: /idauthentication/v1/internal - enable_insecure: false springConfigNameEnv: activeProfileEnv: diff --git a/helm/ida-otp/Chart.yaml b/helm/ida-otp/Chart.yaml index e4eb4a9762..0a3a1de9d6 100644 --- a/helm/ida-otp/Chart.yaml +++ b/helm/ida-otp/Chart.yaml 
@@ -2,7 +2,7 @@ apiVersion: v2 name: ida-otp description: A Helm chart for MOSIP IDA module type: application -version: 0.0.1-develop +version: 1.3.0-beta.1-develop appVersion: "" dependencies: - name: common diff --git a/helm/ida-otp/values.yaml b/helm/ida-otp/values.yaml index e9c83140e6..8d54a84574 100644 --- a/helm/ida-otp/values.yaml +++ b/helm/ida-otp/values.yaml @@ -12,23 +12,18 @@ ## commonLabels: app.kubernetes.io/component: mosip - ## Add annotations to all the deployed resources ## commonAnnotations: {} - ## Kubernetes Cluster Domain ## clusterDomain: cluster.local - ## Extra objects to deploy (value evaluated as a template) ## extraDeploy: [] - ## Number of nodes ## replicaCount: 1 - service: type: ClusterIP port: 80 @@ -49,11 +44,10 @@ service: ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip ## externalTrafficPolicy: Cluster - image: registry: docker.io repository: mosipqa/authentication-otp-service - tag: develop + tag: 1.3.x ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images @@ -65,10 +59,8 @@ image: ## # pullSecrets: # - myRegistryKeySecretName - ## Port on which this particular spring service module is running. springServicePort: 8092 - ## Configure extra options for liveness and readiness probes ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes ## @@ -82,7 +74,6 @@ startupProbe: timeoutSeconds: 5 failureThreshold: 30 successThreshold: 1 - livenessProbe: enabled: true httpGet: @@ -93,7 +84,6 @@ livenessProbe: timeoutSeconds: 5 failureThreshold: 6 successThreshold: 1 - readinessProbe: enabled: true httpGet: @@ -104,7 +94,6 @@ readinessProbe: timeoutSeconds: 5 failureThreshold: 6 successThreshold: 1 - ## # existingConfigmap: 
@@ -112,12 +101,10 @@ readinessProbe: ## command: [] args: [] - ## Deployment pod host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## hostAliases: [] - ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## resources: @@ -131,37 +118,31 @@ resources: requests: cpu: 100m memory: 1000Mi - additionalResources: ## Specify any JAVA_OPTS string here. These typically will be specified in conjunction with above resources ## Example: java_opts: "-Xms500M -Xmx500M" javaOpts: "-Xms2000M -Xmx2000M" - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## Clamav container already runs as 'mosip' user, so we may not need to enable this containerSecurityContext: enabled: false runAsUser: mosip runAsNonRoot: true - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## podSecurityContext: enabled: false fsGroup: 1001 - ## Pod affinity preset ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## Allowed values: soft, hard ## podAffinityPreset: "" - ## Pod anti-affinity preset ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ## Allowed values: soft, hard ## podAntiAffinityPreset: soft - ## Node affinity preset ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity ## Allowed values: soft, hard 
@@ -183,32 +164,26 @@ nodeAffinityPreset: ## - e2e-az2 ## values: [] - ## Affinity for pod assignment. Evaluated as a template. ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity ## affinity: {} - ## Node labels for pod assignment. Evaluated as a template. ## ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} - ## Tolerations for pod assignment. Evaluated as a template. ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ## tolerations: [] - ## Pod extra labels ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ ## podLabels: {} - ## Annotations for server pods. ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ## podAnnotations: {} - ## pods' priority. ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ ## @@ -217,15 +192,12 @@ podAnnotations: {} ## lifecycleHooks for the container to automate configuration before or after startup. ## lifecycleHooks: {} - ## Custom Liveness probes for ## customLivenessProbe: {} - ## Custom Rediness probes ## customReadinessProbe: {} - ## Update strategy - only really applicable for deployments with RWO PVs attached ## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the ## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will @@ -233,7 +205,6 @@ customReadinessProbe: {} ## updateStrategy: type: RollingUpdate - ## Additional environment variables to set ## Example: ## extraEnvVars: @@ -241,7 +212,6 @@ updateStrategy: ## value: "bar" ## extraEnvVars: [] - ## ConfigMap with extra environment variables that used ## extraEnvVarsCM: 
@@ -249,19 +219,15 @@ extraEnvVarsCM: - config-server-share - artifactory-share - softhsm-ida-share - ## Secret with extra environment variables ## extraEnvVarsSecret: [] - ## Extra volumes to add to the deployment ## extraVolumes: [] - ## Extra volume mounts to add to the container ## extraVolumeMounts: [] - ## Add init containers to the pods. ## Example: ## initContainers: 
@@ -276,17 +242,7 @@ initContainers: - command: - /bin/bash - -c - - if [ "$ENABLE_INSECURE" = "true" ]; then HOST=$( env | grep "mosip-api-internal-host" - |sed "s/mosip-api-internal-host=//g"); if [ -z "$HOST" ]; then echo "HOST - $HOST is empty; EXITING"; exit 1; fi; openssl s_client -servername "$HOST" - -connect "$HOST":443 > "$HOST.cer" 2>/dev/null & sleep 2 ; sed -i -ne '/-BEGIN - CERTIFICATE-/,/-END CERTIFICATE-/p' "$HOST.cer"; cat "$HOST.cer"; /usr/local/openjdk-11/bin/keytool - -delete -alias "$HOST" -keystore $JAVA_HOME/lib/security/cacerts -storepass - changeit; /usr/local/openjdk-11/bin/keytool -trustcacerts -keystore "$JAVA_HOME/lib/security/cacerts" - -storepass changeit -noprompt -importcert -alias "$HOST" -file "$HOST.cer" - ; if [ $? -gt 0 ]; then echo "Failed to add SSL certificate for host $host; - EXITING"; exit 1; fi; cp /usr/local/openjdk-11/lib/security/cacerts /cacerts; - fi + - if [ "$ENABLE_INSECURE" = "true" ]; then HOST=$( env | grep "mosip-api-internal-host" |sed "s/mosip-api-internal-host=//g"); if [ -z "$HOST" ]; then echo "HOST $HOST is empty; EXITING"; exit 1; fi; openssl s_client -servername "$HOST" -connect "$HOST":443 > "$HOST.cer" 2>/dev/null & sleep 2 ; sed -i -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' "$HOST.cer"; cat "$HOST.cer"; /usr/local/openjdk-11/bin/keytool -delete -alias "$HOST" -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit; /usr/local/openjdk-11/bin/keytool -trustcacerts -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit -noprompt -importcert -alias "$HOST" -file "$HOST.cer" ; if [ $? -gt 0 ]; then echo "Failed to add SSL certificate for host $host; EXITING"; exit 1; fi; cp /usr/local/openjdk-11/lib/security/cacerts /cacerts; fi env: - name: ENABLE_INSECURE value: "true" @@ -304,7 +260,6 @@ initContainers: volumeMounts: - mountPath: /cacerts name: cacerts - ## Add sidecars to the pods. ## Example: ## sidecars: 
@@ -316,7 +271,6 @@ initContainers: ## containerPort: 1234 ## sidecars: {} - persistence: enabled: false ## If defined, storageClassName: @@ -341,7 +295,6 @@ persistence: mountDir: /home/mosip/config/ volume_name: config # pvc_claim_name: pkcs12-keys.p12 - ## Init containers parameters: ## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. ## @@ -375,12 +328,10 @@ volumePermissions: ## cpu: 100m ## memory: 128Mi ## - ## Specifies whether RBAC resources should be created ## rbac: create: true - ## Specifies whether a ServiceAccount should be created ## serviceAccount: @@ -389,7 +340,6 @@ serviceAccount: ## If not set and create is true, a name is generated using the fullname template ## name: - ## Prometheus Metrics ## metrics: @@ -399,7 +349,6 @@ metrics: ## podAnnotations: prometheus.io/scrape: "true" - endpointPath: /idauthentication/v1/otp/actuator/prometheus ## Prometheus Service Monitor ## ref: https://github.com/coreos/prometheus-operator @@ -427,7 +376,6 @@ metrics: ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec ## additionalLabels: {} - ## Custom PrometheusRule to be defined ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions @@ -445,13 +393,11 @@ metrics: # labels: # severity: error rules: [] - istio: enabled: true gateways: - istio-system/internal prefix: /idauthentication/v1/otp - enable_insecure: false springConfigNameEnv: activeProfileEnv: