From 6d5369036fdc3e7f2b9f0f38f0d8bc2d5d766a1e Mon Sep 17 00:00:00 2001 From: Chandra Keshav Mishra Date: Tue, 3 Dec 2024 09:40:17 +0530 Subject: [PATCH] [MOSIP-35490] moved required helm and deploy scripts to modular repo Signed-off-by: Chandra Keshav Mishra --- helm/dslrig/.gitignore | 1 + helm/dslrig/.helmignore | 21 + helm/dslrig/Chart.yaml | 19 + helm/dslrig/README.md | 10 + helm/dslrig/templates/NOTES.txt | 1 + helm/dslrig/templates/_helpers.tpl | 61 ++ helm/dslrig/templates/configmaps.yaml | 21 + helm/dslrig/templates/cronjob.yaml | 160 +++++ helm/dslrig/templates/extra-list.yaml | 4 + .../templates/pod-reader-role-binding.yaml | 14 + helm/dslrig/templates/pod-reader-role.yaml | 9 + helm/dslrig/templates/pvc.yaml | 35 ++ helm/dslrig/templates/secrets.yaml | 21 + helm/dslrig/templates/service-account.yaml | 12 + helm/dslrig/values.yaml | 583 ++++++++++++++++++ 15 files changed, 972 insertions(+) create mode 100644 helm/dslrig/.gitignore create mode 100644 helm/dslrig/.helmignore create mode 100644 helm/dslrig/Chart.yaml create mode 100644 helm/dslrig/README.md create mode 100644 helm/dslrig/templates/NOTES.txt create mode 100644 helm/dslrig/templates/_helpers.tpl create mode 100644 helm/dslrig/templates/configmaps.yaml create mode 100644 helm/dslrig/templates/cronjob.yaml create mode 100644 helm/dslrig/templates/extra-list.yaml create mode 100644 helm/dslrig/templates/pod-reader-role-binding.yaml create mode 100644 helm/dslrig/templates/pod-reader-role.yaml create mode 100644 helm/dslrig/templates/pvc.yaml create mode 100644 helm/dslrig/templates/secrets.yaml create mode 100644 helm/dslrig/templates/service-account.yaml create mode 100644 helm/dslrig/values.yaml diff --git a/helm/dslrig/.gitignore b/helm/dslrig/.gitignore new file mode 100644 index 00000000..ee3892e8 --- /dev/null +++ b/helm/dslrig/.gitignore @@ -0,0 +1 @@ +charts/ diff --git a/helm/dslrig/.helmignore b/helm/dslrig/.helmignore new file mode 100644 index 00000000..f0c13194 --- /dev/null 
+++ b/helm/dslrig/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/helm/dslrig/Chart.yaml b/helm/dslrig/Chart.yaml new file mode 100644 index 00000000..894da111 --- /dev/null +++ b/helm/dslrig/Chart.yaml @@ -0,0 +1,19 @@ +apiVersion: v2 +name: dslrig +description: A Helm chart to deploy dslrig to test working of MOSIP modules +type: application +version: 0.0.1-develop +appVersion: "" +dependencies: + - name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 1.x.x +home: https://mosip.io +keywords: + - mosip + - dslrig +maintainers: + - email: info@mosip.io + name: MOSIP diff --git a/helm/dslrig/README.md b/helm/dslrig/README.md new file mode 100644 index 00000000..fc718095 --- /dev/null +++ b/helm/dslrig/README.md @@ -0,0 +1,10 @@ +# dslrig [Work In Progress (WIP)] + +Helm chart to deploy dslrig for `MOSIP` modules + +## TL;DR + +```console +$ helm repo add mosip https://mosip.github.io +$ helm install my-release mosip/dslrig +``` diff --git a/helm/dslrig/templates/NOTES.txt b/helm/dslrig/templates/NOTES.txt new file mode 100644 index 00000000..8b137891 --- /dev/null +++ b/helm/dslrig/templates/NOTES.txt @@ -0,0 +1 @@ + diff --git a/helm/dslrig/templates/_helpers.tpl b/helm/dslrig/templates/_helpers.tpl new file mode 100644 index 00000000..419f57da --- /dev/null +++ b/helm/dslrig/templates/_helpers.tpl 
@@ -0,0 +1,61 @@ +{{/* +Return the proper image name +*/}} + + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "dslrig.volumePermissions.image" -}} +{{- include "common.images.image" ( dict "imageRoot" .Values.volumePermissions.image "global" .Values.global ) -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "dslrig.imagePullSecrets" -}} +{{- include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.volumePermissions.image) "global" .Values.global) -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "dslrig.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (printf "%s" (include "common.names.fullname" .)) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message. +*/}} +{{- define "dslrig.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "dslrig.validateValues.foo" .) -}} +{{- $messages := append $messages (include "dslrig.validateValues.bar" .) 
-}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message -}} +{{- end -}} +{{- end -}} + +{{/* +Return podAnnotations +*/}} +{{- define "dslrig.podAnnotations" -}} +{{- if .Values.podAnnotations }} +{{ include "common.tplvalues.render" (dict "value" .Values.podAnnotations "context" $) }} +{{- end }} +{{- if and .Values.metrics.enabled .Values.metrics.podAnnotations }} +{{ include "common.tplvalues.render" (dict "value" .Values.metrics.podAnnotations "context" $) }} +{{- end }} +{{- end -}} + +{{/* Create the name for restart cronjob */}} +{{- define "dslrig.cronjob" -}} +{{ default (printf "cronjob-%s" (include "common.names.fullname" .)) .Values.serviceAccount.name }} +{{- end -}} diff --git a/helm/dslrig/templates/configmaps.yaml b/helm/dslrig/templates/configmaps.yaml new file mode 100644 index 00000000..b90c1ca1 --- /dev/null +++ b/helm/dslrig/templates/configmaps.yaml @@ -0,0 +1,21 @@ +{{- if .Values.dslrig.configmaps }} +{{- range $cm_name, $cm_value := .Values.dslrig.configmaps }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $cm_name }} + namespace: {{ $.Release.Namespace }} + labels: {{- include "common.labels.standard" $ | nindent 8 }} + {{- if $.Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 8 }} + {{- end }} +data: + {{- range $key, $value := $cm_value }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/helm/dslrig/templates/cronjob.yaml b/helm/dslrig/templates/cronjob.yaml new file mode 100644 index 00000000..6f244a4c --- /dev/null +++ b/helm/dslrig/templates/cronjob.yaml 
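Review bot: `dslrig.validateValues` appends the output of `dslrig.validateValues.foo` and `dslrig.validateValues.bar`, neither of which is defined anywhere in this file, so any template that includes the validator will abort rendering with an undefined-template error; either add those two definitions or drop the two `append` lines so `$messages` stays empty. The `dslrig.cronjob` helper also falls back on `.Values.serviceAccount.name` as its override, which reads like a copy-paste from `dslrig.serviceAccountName`: setting `serviceAccount.name` would silently rename every CronJob to the service-account name. Suggest `{{ printf "cronjob-%s" (include "common.names.fullname" .) }}` there instead. The opening `Return the proper image name` comment has no `define` beneath it and can be removed.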
@@ -0,0 +1,160 @@ +{{- range $type := $.Values.types }} +{{- if $type.enabled }} +--- +apiVersion: {{ include "common.capabilities.cronjob.apiVersion" $ }} +kind: CronJob +metadata: + name: {{ template "dslrig.cronjob" $ }}-{{ $type.name }} + namespace: {{ $.Release.Namespace }} +spec: + {{- if eq $type.name "full" }} + suspend: false + {{- end }} + {{- if eq $type.name "sanity" }} + suspend: true + {{- end }} + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 1 # remove jobs which are successfully executed + failedJobsHistoryLimit: 1 # except 1 recent failed job, remove jobs which are not successfully executed + #schedule: '*/3 * * * *' # cron spec of time + schedule: {{ $.Values.crontime }} + jobTemplate: + spec: + backoffLimit: 0 # this has very low chance of failing, as all this does + # is prompt kubernetes to schedule new replica set for + # the deployment + # activeDeadlineSeconds: 600 # timeout, makes most sense with + # "waiting for rollout" variant specified below + template: + spec: + serviceAccountName: {{ template "dslrig.serviceAccountName" $ }} + restartPolicy: Never + initContainers: + - name: volume-permissions + image: {{ include "common.images.image" (dict "imageRoot" $.Values.containers.dslorchestrator.image "global" $.Values.global) }} + imagePullPolicy: {{ $.Values.containers.dslorchestrator.image.pullPolicy }} + securityContext: + runAsUser: 0 + command: + - /bin/bash + - -c + - chown -R mosip:mosip + {{- range $key, $value := $.Values.containers }} + {{- if $value.volumes }} + {{- range $value.volumes }} + {{ .mountDir }} + {{- end }} + {{- end }} + {{- end }} + volumeMounts: + {{- range $key, $value := (omit $.Values.containers "authdemo" ) }} + {{- if $value.volumes }} + {{- range $value.volumes }} + - name: {{ .pvc_name }} + mountPath: {{ .mountDir }} + {{- end }} + {{- end }} + {{- end }} + {{- if $.Values.enable_insecure }} + {{- include "common.tplvalues.render" (dict "value" $.Values.initContainers "context" $) | nindent 12 }} 
+ {{- end }} + containers: + {{ range $key, $value := $.Values.containers }} + - name: {{ $key }} + image: {{ include "common.images.image" (dict "imageRoot" $value.image "global" $.Values.global) }} + imagePullPolicy: {{ $value.image.pullPolicy }} + {{- if $.Values.lifecycleHooks }} + lifecycle: {{- include "common.tpvalues.render" (dict "value" $.Values.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + {{- if $.Values.containerSecurityContext.enabled }} + securityContext: {{- omit $.Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if $value.command }} + command: + - {{- $value.command | quote | indent 1 }} + {{- end }} + {{- if $value.args }} + args: + {{- range $value.args }} + - {{- . | quote | indent 1 }} + {{- end }} + {{- end }} + env: + {{- if $.Values.extraEnvVars }} + {{- include "common.tpvalues.render" (dict "value" $.Values.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if eq $type.name "full" }} + - name: TESTLEVEL + value: "full" + {{- end }} + {{- if eq $type.name "sanity" }} + - name: TESTLEVEL + value: "sanity" + {{- end }} + {{- if $value.envVars }} + {{- range $envName, $envValue := $value.envVars }} + - name: {{ $envName }} + value: {{ $envValue }} + {{- end }} + {{- end }} + envFrom: + {{- if $value.envVarsCM }} + {{- range $value.envVarsCM }} + - configMapRef: + name: {{ . }} + {{- end }} + {{- end }} + {{- if $value.envVarsSecret }} + {{- range $value.envVarsSecret }} + - secretRef: + name: {{ . 
}} + {{- end }} + {{- end }} + ports: + - name: spring-service + containerPort: {{ $value.springServicePort }} + {{- if $value.healthcheck.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit $value.healthcheck.startupProbe "enabled") "context" $) | nindent 14 }} + {{- end }} + {{- if $value.healthcheck.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit $value.healthcheck.livenessProbe "enabled") "context" $) | nindent 14 }} + {{- end }} + {{- if $value.healthcheck.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit $value.healthcheck.readinessProbe "enabled") "context" $) | nindent 14 }} + {{- end }} + {{- if $.Values.resources }} + resources: {{- toYaml $.Values.resources | nindent 14 }} + {{- end }} + volumeMounts: + - name: del-cm + mountPath: /home/mosip/scripts/ + {{- if $value.volumes }} + {{- range $value.volumes }} + - name: {{ .pvc_name }} + mountPath: {{ .mountDir }} + {{- end }} + {{- end }} + {{- if $.Values.enable_insecure }} + - mountPath: /usr/local/openjdk-11/lib/security/cacerts + name: cacerts + subPath: cacerts + {{- end }} + {{- end }} + volumes: + {{- range $volume_name, $volume := $.Values.volumes }} + {{- if and $volume.enabled (not $volume.existingClaim) }} + - name: {{ $volume_name }} + persistentVolumeClaim: + claimName: {{ $volume_name }} + {{- end }} + {{- end }} + {{- if $.Values.enable_insecure }} + - name: cacerts + emptyDir: {} + {{- end }} + - name: del-cm + configMap: + name: del + defaultMode: 511 +{{- end }} +{{- end }} diff --git a/helm/dslrig/templates/extra-list.yaml b/helm/dslrig/templates/extra-list.yaml new file mode 100644 index 00000000..9ac65f9e --- /dev/null +++ b/helm/dslrig/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} 
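Review bot: The `lifecycle:` and `env:` lines call `common.tpvalues.render`, which does not exist in the bitnami common chart (the rest of this file uses `common.tplvalues.render`), so setting `lifecycleHooks` or `extraEnvVars` makes the whole chart fail to render; both should read `include "common.tplvalues.render"`. In the per-container `envVars` loop `value: {{ $envValue }}` is emitted unquoted, so a value such as `true` or `8083` becomes a non-string and the Pod template is rejected by the API server; use `value: {{ $envValue | quote }}`. The `volumes:` block skips any entry that has `existingClaim` set instead of mounting it with `claimName: {{ $volume.existingClaim }}`, so that values key is effectively unsupported. The `del` ConfigMap is mounted with `defaultMode: 511` (0777); `493` (0755) is sufficient to execute the script.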
diff --git a/helm/dslrig/templates/pod-reader-role-binding.yaml b/helm/dslrig/templates/pod-reader-role-binding.yaml new file mode 100644 index 00000000..ac2be912 --- /dev/null +++ b/helm/dslrig/templates/pod-reader-role-binding.yaml @@ -0,0 +1,14 @@ +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: exec-pod-rolebinding + namespace: {{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: {{ template "dslrig.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: exec-pod-role + apiGroup: rbac.authorization.k8s.io diff --git a/helm/dslrig/templates/pod-reader-role.yaml b/helm/dslrig/templates/pod-reader-role.yaml new file mode 100644 index 00000000..4dfdceb4 --- /dev/null +++ b/helm/dslrig/templates/pod-reader-role.yaml @@ -0,0 +1,9 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: {{ .Release.Namespace }} + name: exec-pod-role +rules: + - apiGroups: [""] + resources: ["pods","pods/exec"] + verbs: ["get", "list", "delete", "exec", "create"] diff --git a/helm/dslrig/templates/pvc.yaml b/helm/dslrig/templates/pvc.yaml new file mode 100644 index 00000000..37ec6ba6 --- /dev/null +++ b/helm/dslrig/templates/pvc.yaml 
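Review bot: The RoleBinding is rendered unconditionally under the fixed name `exec-pod-rolebinding` (and the Role in pod-reader-role.yaml under `exec-pod-role`), so two releases in one namespace collide on these objects and the `rbac.create` value introduced in values.yaml has no effect. Wrap both templates in `{{- if .Values.rbac.create }}` … `{{- end }}` and derive the names from `include "common.names.fullname" .` the way the ServiceAccount does.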
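Review bot: The single rule grants `get, list, delete, exec, create` on both `pods` and `pods/exec`, which is broader than the two `kubectl exec` calls in del.sh require: `exec` is not a Kubernetes RBAC verb (exec is authorized by `create` on `pods/exec`), and `delete` on `pods` lets the cron pod remove any pod in the namespace. Suggest splitting into `- apiGroups: [""]`, `resources: ["pods"]`, `verbs: ["get", "list"]` and a second rule with `resources: ["pods/exec"]`, `verbs: ["create"]`.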
@@ -0,0 +1,35 @@ +{{- range $volume_name, $volume := .Values.volumes }} +{{- if and $volume.enabled (not $volume.existingClaim) }} +--- +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ $volume_name }} + namespace: {{ $.Release.Namespace | quote }} + labels: {{- include "common.labels.standard" $ | nindent 4 }} + {{- if $.Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if $.Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + "helm.sh/resource-policy": keep +spec: + accessModes: + {{- if not (empty $volume.accessModes) }} + {{- range $volume.accessModes }} + - {{ . | quote }} + {{- end }} + {{- else }} + - {{ $volume.accessMode | quote }} + {{- end }} + resources: + requests: + storage: {{ $volume.size | quote }} + {{- include "common.storage.class" (dict "persistence" $volume "global" $.Values.global) | nindent 2 }} + {{- if $volume.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" $volume.dataSource "context" $) | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/helm/dslrig/templates/secrets.yaml b/helm/dslrig/templates/secrets.yaml new file mode 100644 index 00000000..a9aefce5 --- /dev/null +++ b/helm/dslrig/templates/secrets.yaml 
@@ -0,0 +1,21 @@ +{{- if .Values.dslrig.secrets }} +{{- range $secret_name, $secret_value := .Values.dslrig.secrets }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $secret_name }} + namespace: {{ $.Release.Namespace }} + labels: {{- include "common.labels.standard" $ | nindent 8 }} + {{- if $.Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if $.Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 8 }} + {{- end }} +type: Opaque +data: + {{- range $key, $value := $secret_value }} + {{ $key }}: {{ $value | b64enc | quote }} + {{- end }} +{{- end }} +{{- end }} diff --git a/helm/dslrig/templates/service-account.yaml b/helm/dslrig/templates/service-account.yaml new file mode 100644 index 00000000..a34af2dc --- /dev/null +++ b/helm/dslrig/templates/service-account.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + name: {{ template "dslrig.serviceAccountName" . }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + namespace: {{ .Release.Namespace }} diff --git a/helm/dslrig/values.yaml b/helm/dslrig/values.yaml new file mode 100644 index 00000000..84cf603e --- /dev/null +++ b/helm/dslrig/values.yaml 
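Review bot: The `range` over `.Values.dslrig.secrets` emits no `---` between iterations, unlike configmaps.yaml, so a second key under `dslrig.secrets` is rendered into the same YAML document as the first and fails on duplicate `apiVersion`/`kind`/`metadata` keys; add a `---` line directly after the `range` line. Since every value is `b64enc`-ed at render time from plaintext in values.yaml, anything placed under `dslrig.secrets` ends up committed in clear; the default is empty, which is fine, but a comment on that key should direct users to supply these through a separate values file or `--set` rather than this file.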
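Review bot: The ServiceAccount is rendered unconditionally, while the `dslrig.serviceAccountName` helper resolves to `default` when `serviceAccount.create` is false; with `create: false` and no `name` this template would try to create a ServiceAccount literally named `default`, which already exists in every namespace and makes the install fail. Wrap the file in `{{- if .Values.serviceAccount.create }}` … `{{- end }}` so the value actually controls creation.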
@@ -0,0 +1,583 @@ +## Global Docker image parameters +## Please, note that this will override the image parameters, including dependencies, configured to use the global value +## Current available global Docker image parameters: imageRegistry and imagePullSecrets +## +# global: +# imageRegistry: myRegistryName +# imagePullSecrets: +# - myRegistryKeySecretName +# storageClass: myStorageClass + +## Add labels to all the deployed resources +## +commonLabels: + app.kubernetes.io/component: mosip + +## Add annotations to all the deployed resources +## +commonAnnotations: {} + +## Kubernetes Cluster Domain +## +clusterDomain: cluster.local + +## Extra objects to deploy (value evaluated as a template) +## +extraDeploy: [] + +## Number of nodes +## +replicaCount: 1 + +service: + type: ClusterIP + port: 80 + ## loadBalancerIP for the SuiteCRM Service (optional, cloud specific) + ## ref: http://kubernetes.io/docs/user-guide/services/#type-loadbalancer + ## + ## loadBalancerIP: + ## + ## nodePorts: + ## http: + ## https: + ## + nodePorts: + http: "" + https: "" + ## Enable client source IP preservation + ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + + +## Configure extra options for liveness and readiness probes +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes +## + +## +# existingConfigmap: + +## Command and args for running the container (set to default if not set). Use array form +## +command: [] +args: [] + +## Deployment pod host aliases +## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ +## +hostAliases: [] + +## ref: http://kubernetes.io/docs/user-guide/compute-resources/ +## +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. 
This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: + cpu: 3500m + memory: 4500Mi + requests: + cpu: 1000m + memory: 3500Mi + +additionalResources: + ## Specify any JAVA_OPTS string here. These typically will be specified in conjunction with above resources + ## Example: java_opts: "-Xms500M -Xmx500M" + javaOpts: "-Xms2600M -Xmx2600M" + +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +## Clamav container already runs as 'mosip' user, so we may not need to enable this +containerSecurityContext: + enabled: false + runAsUser: mosip + runAsNonRoot: true + +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod +## +podSecurityContext: + enabled: false + fsGroup: 1001 + +## Pod affinity preset +## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## Allowed values: soft, hard +## +podAffinityPreset: "" + +## Pod anti-affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity +## Allowed values: soft, hard +## +podAntiAffinityPreset: soft + +## Node affinity preset +## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## Allowed values: soft, hard +## +nodeAffinityPreset: + ## Node affinity type + ## Allowed values: soft, hard + ## + type: "" + ## Node label key to match + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## Node label values to match + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + +## Affinity for pod assignment. Evaluated as a template. 
+## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} + +## Node labels for pod assignment. Evaluated as a template. +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## Tolerations for pod assignment. Evaluated as a template. +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + +## Pod extra labels +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ +## +podLabels: {} + +## Annotations for server pods. +## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ +## +podAnnotations: {} + +## pods' priority. +## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ +## +# priorityClassName: "" + +## lifecycleHooks for the container to automate configuration before or after startup. +## +lifecycleHooks: {} + +## Custom Liveness probes for +## +customLivenessProbe: {} + +## Custom Rediness probes +## +customReadinessProbe: {} + +## Update strategy - only really applicable for deployments with RWO PVs attached +## If replicas = 1, an update can get "stuck", as the previous pod remains attached to the +## PV, and the "incoming" pod can never start. Changing the strategy to "Recreate" will +## terminate the single previous pod, so that the new, incoming pod can attach to the PV +## +updateStrategy: + type: RollingUpdate + +## Additional environment variables to set +## Example: +## extraEnvVars: +## - name: FOO +## value: "bar" +## +extraEnvVars: [] + +## ConfigMap with extra environment variables +## +extraEnvVarsCM: [] +## Secret with extra environment variables +## +extraEnvVarsSecret: [] +## Extra volumes to add to the deployment +## +extraVolumes: [] + +## Extra volume mounts to add to the container +## +extraVolumeMounts: [] + +## Add init containers to the pods. 
+## Example: +## initContainers: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +initContainers: + - command: + - /bin/bash + - -c + - if [ "$ENABLE_INSECURE" = "true" ]; then HOST=$( env | grep "mosip-api-internal-host" + |sed "s/mosip-api-internal-host=//g"); if [ -z "$HOST" ]; then echo "HOST + $HOST is empty; EXITING"; exit 1; fi; openssl s_client -servername "$HOST" + -connect "$HOST":443 > "$HOST.cer" 2>/dev/null & sleep 2 ; sed -i -ne '/-BEGIN + CERTIFICATE-/,/-END CERTIFICATE-/p' "$HOST.cer"; cat "$HOST.cer"; /usr/local/openjdk-11/bin/keytool + -delete -alias "$HOST" -keystore $JAVA_HOME/lib/security/cacerts -storepass + changeit; /usr/local/openjdk-11/bin/keytool -trustcacerts -keystore "$JAVA_HOME/lib/security/cacerts" + -storepass changeit -noprompt -importcert -alias "$HOST" -file "$HOST.cer" + ; if [ $? -gt 0 ]; then echo "Failed to add SSL certificate for host $host; + EXITING"; exit 1; fi; cp /usr/local/openjdk-11/lib/security/cacerts /cacerts; + fi + env: + - name: ENABLE_INSECURE + value: "true" + envFrom: + - configMapRef: + name: global + image: docker.io/openjdk:11-jre + imagePullPolicy: Always + name: cacerts + resources: {} + securityContext: + runAsUser: 0 + capabilities: + add: + - SYS_PTRACE + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /cacerts + name: cacerts + +## Add sidecars to the pods. 
+## Example: +## sidecars: +## - name: your-image-name +## image: your-image +## imagePullPolicy: Always +## ports: +## - name: portname +## containerPort: 1234 +## +sidecars: {} + +volumes: + authdemo: + enabled: true + storageClass: 'longhorn' + accessModes: + - ReadWriteMany + size: 1Gi + existingClaim: + packetcreator-data: + enabled: true + storageClass: 'longhorn' + accessModes: + - ReadWriteMany + size: 50Gi + existingClaim: + dslorchestrator: + enabled: true + storageClass: 'longhorn' + accessModes: + - ReadWriteMany + size: 100Mi + existingClaim: +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section. +## + +## Specifies whether RBAC resources should be created +## +rbac: + create: true + +## Specifies whether a ServiceAccount should be created +## +serviceAccount: + create: true + ## The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the fullname template + ## + name: + +## Prometheus Metrics +## +metrics: + enabled: false + ## Prometheus pod annotations + ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ + ## + podAnnotations: + prometheus.io/scrape: "true" + + endpointPath: + + ## Prometheus Service Monitor + ## ref: https://github.com/coreos/prometheus-operator + ## + serviceMonitor: + ## If the operator is installed in your cluster, set to true to create a Service Monitor Entry + ## + enabled: true + ## Specify the namespace in which the serviceMonitor resource will be created + ## + # namespace: "" + ## Specify the interval at which metrics should be scraped + ## + interval: 10s + ## Specify the timeout after which the scrape is ended + ## + # scrapeTimeout: 30s + ## Specify Metric Relabellings to add to the scrape endpoint + ## + # relabellings: + ## Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## Used 
to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + ## + additionalLabels: {} + + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + enabled: false + additionalLabels: {} + namespace: '' + ## List of rules, used as template by Helm. + ## These are just examples rules inspired from https://awesome-prometheus-alerts.grep.to/rules.html + # rules: + # - alert: RabbitmqDown + # expr: rabbitmq_up{service="{{ template "rabbitmq.fullname" . }}"} == 0 + # for: 5m + # labels: + # severity: error + rules: [] + +types: + - name: full + enabled: true + - name: sanity + enabled: true + +crontime: "0 3 * * *" ## run cronjob every day at 3 AM (time hr: 0-23 ) + + +dslrig: + configmaps: + s3: + s3-host: 'http://minio.minio:9000' + s3-user-key: 'admin' + s3-region: '' + db: + db-port: '5432' + db-su-user: 'postgres' + db-server: 'api-internal.dev.mosip.net' + dslrig: + ENABLE_INSECURE: "false" + ENDPOINT: "https://api-internal.dev.mosip.net" + USER: "api-internal.dev.mosip.net" + DEFAULT_SCENARIOS: "true" + authCertsPath: "/home/mosip/authcerts" + authDemoServiceBaseURL: "http://localhost" + authDemoServicePort: "8082" + # authdemo volume mountPath + mountPath: "/home/mosip/mountvolume" + # dslrig scenario mountPath + mountPathForScenario: "/home/mosip/mountvolume/" + packetUtilityBaseUrl: http://localhost:8080/v1/packetcreator + s3-account: "dslreports" + threadCount: "8" + push-reports-to-s3: "yes" + enableDebug: "yes" + langselect: "0" + del: + del.sh: | + #!/bin/bash + cd $work_dir; + curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"; + chmod +x kubectl; + 
./kubectl -n dslrig exec -it $HOSTNAME -c authdemo -- bash -c "kill -s TERM\$( ps -aux | grep java | awk 'NR==1{print \$2}' ) || true;" ; + ./kubectl -n dslrig exec -it $HOSTNAME -c packetcreator-data -- bash -c "kill -9 \$( ps -aux | grep java | awk 'NR==1{print \$2}' ) || true;" ; + + secrets: + +enable_insecure: false + +containers: + dslorchestrator: + image: + registry: docker.io + repository: syedsalman041997/dsl-orchestrator + tag: develop + pullPolicy: Always + volumes: + - pvc_name: 'dslorchestrator' + mountDir: '/home/mosip/mountvolume/scenarios' + envVars: + JDK_JAVA_OPTIONS: '-Xms2600M -Xmx2600M' + container_user: 'mosip' + envVarsCM: + - global + - s3 + - keycloak-host + - db + - dslrig + - config-server-share + - artifactory-share + envVarsSecret: + - s3 + - keycloak-client-secrets + - postgres-postgresql + springServicePort: 8083 + healthcheck: + startupProbe: + enabled: false + livenessProbe: + enabled: false + readinessProbe: + enabled: false + command: '/bin/bash' + args: + - '-c' + - 'echo "Initial sleep 30 seconds"; + sleep 30; + MY_PROBE_CHECK_PATHS="$packetUtilityBaseUrl/actuator/health,$authDemoServiceBaseURL:$authDemoServicePort/v1/identity/actuator/health"; + for str in $(echo $MY_PROBE_CHECK_PATHS | tr "," " "); do + COUNT=60; + while [[ $COUNT -gt 0 ]]; do + curl_output=$(curl -w "%{http_code}" -o /dev/null -s -k "$str"); + if ! [[ "$curl_output" = "200" ]]; then + (( COUNT-- )); + echo "$str failed with status code $curl_output" >> /dev/stderr && sleep 10 && continue; + fi; + echo "$str passed with status code $curl_output"; + COUNT=50; + break; + done; + done; + echo "Sleeping for 30 seconds"; + sleep 30; + ./entrypoint.sh + bash scripts/del.sh ## Todo: Requires get api to shutdown authdemo and packetcreator. Currently we are stopping via kubectl command. 
+ ' + authdemo: + image: + registry: docker.io + repository: mosipdev/authentication-demo-service + tag: develop + pullPolicy: Always + springServicePort: 8082 + volumes: + - pvc_name: 'authdemo' + mountDir: '/home/mosip/authcerts' + envVars: + JDK_JAVA_OPTIONS: '-Xms2600M -Xmx2600M' + container_user: 'mosip' + envVarsCM: + - global + - s3 + - keycloak-host + - db + - dslrig + - config-server-share + - artifactory-share + envVarsSecret: + - s3 + - keycloak-client-secrets + - postgres-postgresql + healthcheck: + startupProbe: + enabled: true + httpGet: + path: /v1/identity/actuator/health + port: 8082 + initialDelaySeconds: 0 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 60 + successThreshold: 1 + livenessProbe: + enabled: true + httpGet: + path: /v1/identity/actuator/health + port: 8082 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 10 + successThreshold: 1 + readinessProbe: + enabled: true + httpGet: + path: /v1/identity/actuator/health + port: 8082 + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + packetcreator-data: + image: + registry: docker.io + repository: syedsalman041997/dsl-packetcreator + tag: develop + pullPolicy: Always + springServicePort: 8080 + volumes: + - pvc_name: 'packetcreator-data' + mountDir: '/home/mosip/mountvolume' + - pvc_name: 'authdemo' + mountDir: '/home/mosip/authcerts' + envVars: + JDK_JAVA_OPTIONS: '-Xms2600M -Xmx2600M' + container_user: 'mosip' + envVarsCM: + - global + - s3 + - keycloak-host + - db + - dslrig + - config-server-share + - artifactory-share + envVarsSecret: + - s3 + - keycloak-client-secrets + - postgres-postgresql + healthcheck: + startupProbe: + enabled: true + httpGet: + path: /v1/packetcreator/actuator/health + port: 8080 + initialDelaySeconds: 0 + periodSeconds: 20 + timeoutSeconds: 5 + failureThreshold: 60 + successThreshold: 1 + livenessProbe: + enabled: true + httpGet: + path: 
/v1/packetcreator/actuator/health + port: 8080 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + readinessProbe: + enabled: true + httpGet: + path: /v1/packetcreator/actuator/health + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1
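Review bot: In the `cacerts` init container script the failure message references `$host`, while the variable set earlier in the same command is `$HOST`, so the message prints an empty host name; change it to `echo "Failed to add SSL certificate for host $HOST; EXITING"`. The same init container adds the `SYS_PTRACE` capability, which nothing in the script (openssl, sed, keytool, cp) uses; drop the `capabilities` block and keep only `runAsUser: 0`. `containerSecurityContext.runAsUser: mosip` would be rejected the moment `enabled` is set to true, because `runAsUser` must be a numeric UID; use the UID the images run as (the `podSecurityContext` block in this file uses `1001`, confirm against the images). `del.sh` hard-codes `-n dslrig` for `kubectl`, so the job only works when the chart is installed into that namespace; inject the namespace via the downward API (`fieldRef: metadata.namespace`) and use that instead.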