From 38f4e1a4a338df1eb01fedc67d221626757f1c6c Mon Sep 17 00:00:00 2001
From: syed salman <72004356+syedsalman3753@users.noreply.github.com>
Date: Tue, 28 Nov 2023 23:09:55 +0530
Subject: [PATCH] [DSD-3884] Updated deployment as per esignet vc release (#1453)
* [DSD-3884] Updated deployment as per esignet vc release
Signed-off-by: syed salman
* [DSD-3884] updated chart version
Signed-off-by: syed salman
---------
Signed-off-by: syed salman
---
deployment/v3/external/postgres/README.md | 29 ++++++++++++--
deployment/v3/external/postgres/init_db.sh | 6 +-
.../v3/external/postgres/init_values.yaml | 21 ++++++----
deployment/v3/external/postgres/install.sh | 2 +-
deployment/v3/external/postgres/values.yaml | 26 ++++++-------
deployment/v3/mosip/artifactory/install.sh | 2 +-
deployment/v3/mosip/ida/README.md | 5 +++
deployment/v3/mosip/ida/copy_cm.sh | 28 +++++++++----
deployment/v3/mosip/ida/install.sh | 24 +++++++++--
deployment/v3/mosip/keymanager/copy_cm.sh | 25 ++++++++----
deployment/v3/mosip/keymanager/install.sh | 2 +-
.../v3/mosip/mosip-file-server/README.md | 15 ++++---
.../v3/mosip/mosip-file-server/copy_cm.sh | 17 ++++++--
.../v3/mosip/mosip-file-server/install.sh | 2 +-
.../v3/mosip/partner-onboarder/install.sh | 39 +++++++++++++++----
15 files changed, 177 insertions(+), 66 deletions(-)
diff --git a/deployment/v3/external/postgres/README.md b/deployment/v3/external/postgres/README.md
index bcdaf1d82..47266436a 100644
--- a/deployment/v3/external/postgres/README.md
+++ b/deployment/v3/external/postgres/README.md
@@ -4,10 +4,8 @@
 ```sh
 ./install.sh
 ```
-* A random password will get assigned for `postgres` user if you have not specified a password. The password may be obtained using following script:
-```sh
-./get_pwd.sh
-```
+* A random password will get assigned for `postgres` user if you have not specified a password. The password may be obtained from Rancher console.
+
 ## Test
 * Make sure docker is running from machine you are testing.
 * Postgres is accessible over "internal" channel, i.e. over Wireguard. Make sure you have the Wireguard setup along with credentials to connect to internal load balancer.
@@ -29,6 +27,29 @@ Note that PVC and PV are not deleted after helm delete. So if you would like to
 ## Init a specific DB
 To initialized a specific db disable init of all others in `init_values.yaml` by settings `true` -> `false`. Get db-user password with `get_pwd.sh`. Provide the password in `init_values.yaml` and run `init_db.sh`.
+## DB export
+
+* Export all DB's to a single file via below command:
+ ```
+ pg_dumpall -c --if-exists -h -p -U -f .dump
+ ```
+
+## DB import
+
+* Import DB's from backup file via below command:
+ ```
+ psql -h -p -U -f .dump
+ ```
+
 ## Troubleshooting
 * If you face login issues even when the password entered is correct, it could be due to previous PVC, and PV. Delete them, but exercise caution as this will delete all persistent data.
+* If you face below error while importing db's.
+ ```
+ psql:all-db-backup.dump:139: ERROR: option "locale" not recognized
+ LINE 1: ...late1 WITH TEMPLATE = template0 ENCODING = 'UTF8' LOCALE = '...
+ ```
+ Then replace `LOCALE` with `LC_COLLATE` in `.dump` file via sed command.
+ ```
+ sed -i 's/LOCALE/LC_COLLATE/g' .dump
+ ```
diff --git a/deployment/v3/external/postgres/init_db.sh b/deployment/v3/external/postgres/init_db.sh
index a907c7ff0..0db082fb9 100755
--- a/deployment/v3/external/postgres/init_db.sh
+++ b/deployment/v3/external/postgres/init_db.sh
@@ -8,14 +8,14 @@ fi
 function initialize_db() {
 NS=postgres
- CHART_VERSION=12.0.1-B3
+ CHART_VERSION=12.0.1-B4
 helm repo update
 while true; do
 read -p "CAUTION: all existing data will be lost. Are you sure?(Y/n)" yn
 if [ $yn = "Y" ]
 then
 echo Removing any existing installation
- helm -n $NS delete postgres-init
+ helm -n $NS delete postgres-init || true
 echo Initializing DB
 helm -n $NS install postgres-init mosip/postgres-init -f init_values.yaml --version $CHART_VERSION --wait --wait-for-jobs
 break
@@ -32,4 +32,4 @@ set -o errexit ## set -e : exit the script if any statement returns a non-true
 set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
 set -o errtrace # trace ERR through 'time command' and other functions
 set -o pipefail # trace ERR through pipes
-initialize_db # calling function
\ No newline at end of file
+initialize_db # calling function
diff --git a/deployment/v3/external/postgres/init_values.yaml b/deployment/v3/external/postgres/init_values.yaml
index 8cdc055cb..b88410bbc 100644
--- a/deployment/v3/external/postgres/init_values.yaml
+++ b/deployment/v3/external/postgres/init_values.yaml
@@ -4,48 +4,55 @@ dbUserPasswords:
 databases:
 mosip_master:
 enabled: true
+ branch: v1.2.0.1-B1
 mosip_audit:
 enabled: true
+ branch: v1.2.0.1-B1
 mosip_keymgr:
- enabled: true
+ enabled: true
+ branch: release-1.2.0.1
 mosip_kernel:
 enabled: true
+ branch: v1.2.0.1-B1
 mosip_idmap:
 enabled: true
+ branch: v1.2.0.1-B1
 mosip_prereg:
 enabled: true
+ branch: v1.2.0.1-B1
 mosip_idrepo:
 enabled: true
+ branch: v1.2.0.1-B1
 mosip_ida:
 enabled: true
+ branch: release-1.2.0.1
 mosip_credential:
 enabled: true
+ branch: v1.2.0.1-B1
 mosip_regprc:
 enabled: true
-
- mosip_regdevice:
- enabled: true
-
- mosip_authdevice:
- enabled: true
+ branch: v1.2.0.1-B2
 mosip_pms:
 enabled: true
+ branch: v1.2.0.1-B3
 mosip_hotlist:
 enabled: true
+ branch: v1.2.0.1-B1
 mosip_resident:
 enabled: true
+ branch: v1.2.0.1-B2
 mosip_toolkit:
 enabled: false
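Review bot: `helm -n $NS delete postgres-init || true` suppresses every failure of the delete, not only the "release not found" case it is meant to tolerate, so a bad kubeconfig or an RBAC denial is hidden here and resurfaces as a confusing error at the following `helm install`. Guard on release existence instead, e.g. `if helm -n $NS list -q | grep -qx postgres-init; then helm -n $NS delete postgres-init; fi`, or, if the target Helm is 3.12 or newer, `helm -n $NS uninstall postgres-init --ignore-not-found`. The enclosing `while` loop and the `initialize_db` function continue past the end of the hunk.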
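Review bot: The new `branch:` pins mix build tags (`v1.2.0.1-B1` … `B3`) with moving branch names (`release-1.2.0.1` for `mosip_keymgr` and `mosip_ida`), so if the postgres-init job checks these refs out at run time, those two schemas are whatever the branch head is on the day the init runs and the database initialisation is neither reproducible nor auditable. Prefer a tag or commit SHA for every entry, and where an entry must keep tracking a branch, say why next to it, e.g. `# TODO: pin to a tag once the 1.2.0.1 keymgr DB scripts are released`. How the chart consumes `branch` is not visible in this diff, so confirm against the postgres-init chart before relying on this.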
diff --git a/deployment/v3/external/postgres/install.sh b/deployment/v3/external/postgres/install.sh
index 98f6e9e2b..ca0df2085 100755
--- a/deployment/v3/external/postgres/install.sh
+++ b/deployment/v3/external/postgres/install.sh
@@ -15,7 +15,7 @@ kubectl label ns $NS istio-injection=enabled --overwrite
 function installing_postgres() {
 echo Installing Postgres
- helm -n $NS install postgres mosip/postgresql --version 10.16.2 -f values.yaml --wait
+ helm -n $NS install postgres bitnami/postgresql --version 13.1.5 -f values.yaml --wait
 echo Installed Postgres
 echo Installing gateways and virtual services
diff --git a/deployment/v3/external/postgres/values.yaml b/deployment/v3/external/postgres/values.yaml
index 01a8e7f4e..69ef5b441 100644
--- a/deployment/v3/external/postgres/values.yaml
+++ b/deployment/v3/external/postgres/values.yaml
@@ -1,13 +1,13 @@
-resources:
- limits: {}
- # cpu: 250m
- # memory: 1Gi
- requests:
- cpu: 3000m
- memory: 3000Mi
-
-postgresqlExtendedConf:
- wal_level: logical
- max_wal_senders: 20
- max_replication_slots: 10
- max_connections: 1000
+primary:
+ extendedConfiguration: |
+ max_connections=1000
+ wal_level=logical
+ max_wal_senders=20
+ max_replication_slots=10
+ resources:
+ limits: {}
+ # cpu: 250m
+ # memory: 1Gi
+ requests:
+ cpu: 3000m
+ memory: 3000Mi
\ No newline at end of file
diff --git a/deployment/v3/mosip/artifactory/install.sh b/deployment/v3/mosip/artifactory/install.sh
index bf4c8de6a..4f5178001 100755
--- a/deployment/v3/mosip/artifactory/install.sh
+++ b/deployment/v3/mosip/artifactory/install.sh
@@ -7,7 +7,7 @@ if [ $# -ge 1 ] ; then
 fi
 NS=artifactory
-CHART_VERSION=12.0.1-B3
+CHART_VERSION=12.0.1-B6
 echo Create $NS namespace
 kubectl create ns $NS
diff --git a/deployment/v3/mosip/ida/README.md b/deployment/v3/mosip/ida/README.md
index 98c08280c..7bdb2b41c 100644
--- a/deployment/v3/mosip/ida/README.md
+++ b/deployment/v3/mosip/ida/README.md
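Review bot: The install now pulls `bitnami/postgresql` 13.1.5, but nothing in this hunk adds the `bitnami` repository, so unless a `helm repo add bitnami https://charts.bitnami.com/bitnami` already exists elsewhere in the script the `helm install` fails with an unknown-repo error; that line is outside the hunk and should be confirmed. Moving from the `mosip/postgresql` 10.16.2 chart to the 13.x chart also changes the values layout (hence the `primary.` move in values.yaml) and very likely the bundled PostgreSQL major version, and PostgreSQL will not start on a data directory written by an older major, so an install over a retained PVC will not come up. A comment at the `helm install` line pointing operators at the new README sections, e.g. `# chart 13.x bundles a newer PostgreSQL major: dump/restore existing data, see README "DB export"/"DB import"`, would make that explicit. `installing_postgres` ends outside the hunk.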
@@ -4,5 +4,10 @@
 ```
 ./install.sh
 ```
+* During the execution of the `install.sh` script, a prompt appears requesting information regarding the presence of a public domain and a valid SSL certificate on the server.
+* If the server lacks a public domain and a valid SSL certificate, it is advisable to select the `n` option. Opting it will enable the `init-container` with an `emptyDir` volume and include it in the deployment process.
+* The init-container will proceed to download the server's self-signed SSL certificate and mount it to the specified location within the container's Java keystore (i.e., `cacerts`) file.
+* This particular functionality caters to scenarios where the script needs to be employed on a server utilizing self-signed SSL certificates.
+
 ## Onboard IDA as partner
 Partner onboarding is already done as part of default IDA installation. However, IDA's certificates needs to be uploaded to Keymanager. Upload using Postman collections as given [here](certs_upload/postman/README.md)
diff --git a/deployment/v3/mosip/ida/copy_cm.sh b/deployment/v3/mosip/ida/copy_cm.sh
index cf83e2693..e065eac48 100755
--- a/deployment/v3/mosip/ida/copy_cm.sh
+++ b/deployment/v3/mosip/ida/copy_cm.sh
@@ -1,11 +1,25 @@
 #!/bin/bash
 # Copy configmaps from other namespaces
-# DST_NS: Destination namespace
+# DST_NS: Destination namespace
+
+function copying_cm() {
+ COPY_UTIL=../../utils/copy_cm_func.sh
+ DST_NS=ida
+
+ $COPY_UTIL configmap global default $DST_NS
+ $COPY_UTIL configmap artifactory-share artifactory $DST_NS
+ $COPY_UTIL configmap config-server-share config-server $DST_NS
+ $COPY_UTIL configmap softhsm-ida-share softhsm $DST_NS
+ return 0
+}
+
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+copying_cm # calling function
-COPY_UTIL=../../utils/copy_cm_func.sh
-DST_NS=ida
-$COPY_UTIL configmap global default $DST_NS
-$COPY_UTIL configmap artifactory-share artifactory $DST_NS
-$COPY_UTIL configmap config-server-share config-server $DST_NS
-$COPY_UTIL configmap softhsm-ida-share softhsm $DST_NS
diff --git a/deployment/v3/mosip/ida/install.sh b/deployment/v3/mosip/ida/install.sh
index 193616126..6b9288cb6 100755
--- a/deployment/v3/mosip/ida/install.sh
+++ b/deployment/v3/mosip/ida/install.sh
@@ -7,8 +7,8 @@ if [ $# -ge 1 ] ; then
 fi
 NS=ida
-CHART_VERSION=12.0.1-B3
-KEYGEN_CHART_VERSION=12.0.1-B2
+CHART_VERSION=12.0.1-B5
+KEYGEN_CHART_VERSION=12.0.1-B3
 echo Create $NS namespace
 kubectl create ns $NS
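Review bot: `set -e` immediately followed by `set -o errexit` enables the same option twice; keep one. Because the options are enabled before `copying_cm` is invoked, a failing `$COPY_UTIL` call already aborts the script inside the function, so the trailing `return 0` only ever runs after every copy succeeded and can be dropped, and `COPY_UTIL` and `DST_NS`, now assigned inside a function, should be declared `local COPY_UTIL=../../utils/copy_cm_func.sh` and `local DST_NS=ida` rather than left as implicit globals. The same prologue is repeated verbatim in keymanager/copy_cm.sh and mosip-file-server/copy_cm.sh; a shared snippet sourced by all three would stop them drifting apart.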
@@ -22,17 +22,31 @@ function installing_ida() {
 sed -i 's/\r$//' copy_cm.sh
 ./copy_cm.sh
+ echo "Do you have public domain & valid SSL? (Y/n) "
+ echo "Y: if you have public domain & valid ssl certificate"
+ echo "n: If you don't have a public domain and a valid SSL certificate. Note: It is recommended to use this option only in development environments."
+ read -p "" flag
+
+ if [ -z "$flag" ]; then
+ echo "'flag' was provided; EXITING;"
+ exit 1;
+ fi
+ ENABLE_INSECURE=''
+ if [ "$flag" = "n" ]; then
+ ENABLE_INSECURE='--set enable_insecure=true';
+ fi
+
 echo Running ida keygen
 helm -n $NS install ida-keygen mosip/keygen --wait --wait-for-jobs --version $KEYGEN_CHART_VERSION -f keygen_values.yaml
 echo Installing ida auth
- helm -n $NS install ida-auth mosip/ida-auth --version $CHART_VERSION
+ helm -n $NS install ida-auth mosip/ida-auth --version $CHART_VERSION $ENABLE_INSECURE
 echo Installing ida internal
- helm -n $NS install ida-internal mosip/ida-internal --version $CHART_VERSION
+ helm -n $NS install ida-internal mosip/ida-internal --version $CHART_VERSION $ENABLE_INSECURE
 echo Installing ida otp
- helm -n $NS install ida-otp mosip/ida-otp --version $CHART_VERSION
+ helm -n $NS install ida-otp mosip/ida-otp --version $CHART_VERSION $ENABLE_INSECURE
 kubectl -n $NS get deploy -o name | xargs -n1 -t kubectl -n $NS rollout status
 echo Intalled ida services
diff --git a/deployment/v3/mosip/keymanager/copy_cm.sh b/deployment/v3/mosip/keymanager/copy_cm.sh
index d31f3271b..13c1fdf70 100755
--- a/deployment/v3/mosip/keymanager/copy_cm.sh
+++ b/deployment/v3/mosip/keymanager/copy_cm.sh
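Review bot: The empty-input message is inverted — `echo "'flag' was provided; EXITING;"` fires exactly when nothing was typed — and every answer other than a lowercase `n` (including `N`, `y` or a typo) silently selects the "valid SSL" path, while `read -p "" flag` without `-r` mangles backslashes; validate strictly and refuse anything but `Y` or `n`, as in the rewrite below. Note that `--set enable_insecure=true` on the authentication services makes the init-container fetch the server's own TLS certificate into `cacerts` (per the README in this commit), so trust is bootstrapped from the very endpoint being verified; the prompt already says development only, and a `# WARNING: dev only — trusts whatever certificate the server presents` comment next to the assignment keeps that visible in code review. `installing_ida` begins and ends outside the hunk.
```shell
read -r -p "" flag
case "$flag" in
  Y) ENABLE_INSECURE='' ;;
  # WARNING: dev only — trusts whatever certificate the server presents
  n) ENABLE_INSECURE='--set enable_insecure=true' ;;
  *) echo "'flag' was not provided or is not Y/n; EXITING;" >&2; exit 1 ;;
esac
# … unchanged: keygen and ida-auth/ida-internal/ida-otp installs …
```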
@@ -1,14 +1,25 @@
 #!/bin/bash
 # Copy configmaps from other namespaces
-# DST_NS: Destination (current) namespace
-COPY_UTIL=../../utils/copy_cm_func.sh
-DST_NS=keymanager
+# DST_NS: Destination (current) namespace
-$COPY_UTIL configmap global default $DST_NS
-$COPY_UTIL configmap artifactory-share artifactory $DST_NS
-$COPY_UTIL configmap config-server-share config-server $DST_NS
-$COPY_UTIL configmap softhsm-kernel-share softhsm $DST_NS
+function copying_cm() {
+ COPY_UTIL=../../utils/copy_cm_func.sh
+ DST_NS=keymanager
+ $COPY_UTIL configmap global default $DST_NS
+ $COPY_UTIL configmap artifactory-share artifactory $DST_NS
+ $COPY_UTIL configmap config-server-share config-server $DST_NS
+ $COPY_UTIL configmap softhsm-kernel-share softhsm $DST_NS
+ return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+copying_cm # calling function
diff --git a/deployment/v3/mosip/keymanager/install.sh b/deployment/v3/mosip/keymanager/install.sh
index 3caa50db9..a526de19d 100755
--- a/deployment/v3/mosip/keymanager/install.sh
+++ b/deployment/v3/mosip/keymanager/install.sh
@@ -7,7 +7,7 @@ if [ $# -ge 1 ] ; then
 fi
 NS=keymanager
-CHART_VERSION=12.0.1-B2
+CHART_VERSION=12.0.1-B3
 echo Creating $NS namespace
 kubectl create ns $NS
diff --git a/deployment/v3/mosip/mosip-file-server/README.md b/deployment/v3/mosip/mosip-file-server/README.md
index 1451c1127..295e7e455 100644
--- a/deployment/v3/mosip/mosip-file-server/README.md
+++ b/deployment/v3/mosip/mosip-file-server/README.md
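Review bot: `COPY_UTIL=../../utils/copy_cm_func.sh` is still resolved against the caller's working directory, and now that `set -o errexit` is enabled before `copying_cm` runs, invoking the script from anywhere but its own directory aborts at the first `$COPY_UTIL` line with a bare "No such file" instead of printing errors and carrying on as the old flat script did. Anchor the path to the script, `COPY_UTIL="$(dirname "$0")/../../utils/copy_cm_func.sh"`, and add a guard such as `[[ -x $COPY_UTIL ]] || { echo "missing $COPY_UTIL" >&2; exit 1; }` so the failure names its real cause. As in the sibling copy_cm.sh files, `set -e` and `set -o errexit` are the same option set twice.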
@@ -1,14 +1,17 @@
-# Regclient
+# mosip-file-server
 ## Introduction
-The chart here installs a mosip-file-server accessed over an https URL.
+The chart here installs a mosip-file-server accessed over an https URL.
 ## Install
-* Make sure global configmap contains the url for mosip-file-server host e.g. `fileserver.sandbox.xyz.net`.
-* The url must point to your internal loadbalancer as regclient will typically not be open to public.
+* Mosip-file-server contains certs, json which will be used by partners to integrate with MOSIP services.
 * Install
 ```sh
 ./install.sh
 ```
-## Download
-The download URL will be available at `https://your-fileserver-host`. Example: `https://fileserver.sandbox.xyz.net`.
+## URL
+* The URL will be available at https://api-host.
+ Example:
+ * https://api.sandbox.xyz.net/.well-known/
+ * https://api.sandbox.xyz.net/inji/
+ * https://api.sandbox.xyz.net/mosip-certs/
\ No newline at end of file
diff --git a/deployment/v3/mosip/mosip-file-server/copy_cm.sh b/deployment/v3/mosip/mosip-file-server/copy_cm.sh
index 987519fe0..8cb770131 100755
--- a/deployment/v3/mosip/mosip-file-server/copy_cm.sh
+++ b/deployment/v3/mosip/mosip-file-server/copy_cm.sh
@@ -2,7 +2,18 @@
 # Copy configmaps from other namespaces
 # DST_NS: Destination namespace
-COPY_UTIL=../../utils/copy_cm_func.sh
-DST_NS=mosip-file-server
+function copying_cm() {
+ COPY_UTIL=../../utils/copy_cm_func.sh
+ DST_NS=mosip-file-server
-$COPY_UTIL configmap config-server-share config-server $DST_NS
+ $COPY_UTIL configmap config-server-share config-server $DST_NS
+ return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+copying_cm # calling function
\ No newline at end of file
diff --git a/deployment/v3/mosip/mosip-file-server/install.sh b/deployment/v3/mosip/mosip-file-server/install.sh
index 7b7471272..82c9f82f2 100755
--- a/deployment/v3/mosip/mosip-file-server/install.sh
+++ b/deployment/v3/mosip/mosip-file-server/install.sh
@@ -7,7 +7,7 @@ if [ $# -ge 1 ] ; then
 fi
 NS=mosip-file-server
-CHART_VERSION=12.0.1-B3
+CHART_VERSION=12.0.1-B4
 echo Create $NS namespace
 kubectl create ns $NS
diff --git a/deployment/v3/mosip/partner-onboarder/install.sh b/deployment/v3/mosip/partner-onboarder/install.sh
index 4338ed689..79d30b901 100755
--- a/deployment/v3/mosip/partner-onboarder/install.sh
+++ b/deployment/v3/mosip/partner-onboarder/install.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# Onboards default partners
+# Onboards default partners
 ## Usage: ./install.sh [kubeconfig]
 if [ $# -ge 1 ] ; then
@@ -8,7 +8,7 @@ fi
 echo "Do you have public domain & valid SSL? (Y/n) "
 echo "Y: if you have public domain & valid ssl certificate"
-echo "n: if you don't have public domain & valid ssl certificate"
+echo "n: If you don't have a public domain and a valid SSL certificate. Note: It is recommended to use this option only in development environments."
 read -p "" flag
 if [ -z "$flag" ]; then
@@ -17,11 +17,11 @@ if [ -z "$flag" ]; then
 fi
 ENABLE_INSECURE=''
 if [ "$flag" = "n" ]; then
- ENABLE_INSECURE='--set onboarding.enableInsecure=true';
+ ENABLE_INSECURE='--set onboarding.configmaps.onboarding.ENABLE_INSECURE=true';
 fi
 NS=onboarder
-CHART_VERSION=12.0.1-B3
+CHART_VERSION=12.0.1-B4
 echo Create $NS namespace
 kubectl create ns $NS
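Review bot: `--set onboarding.configmaps.onboarding.ENABLE_INSECURE=true` hands Helm a YAML boolean, and the key path indicates the value is rendered into a ConfigMap `data:` entry, where every value must be a string; unless the template quotes it, the rendered manifest is rejected by the API server, and if the template uses `toYaml` it emits an unquoted `true` that fails the same way. Use `--set-string onboarding.configmaps.onboarding.ENABLE_INSECURE=true` so the value stays `"true"` regardless of how the template quotes it. The chart templates are not part of this diff, so confirm how `configmaps.onboarding` is rendered in partner-onboarder 12.0.1-B4.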
@@ -43,13 +43,38 @@ function installing_onboarder() {
 sed -i 's/\r$//' copy_secrets.sh
 ./copy_secrets.sh
+ read -p "Provide onboarder bucket name : " s3_bucket
+ if [[ -z $s3_bucket ]]; then
+ echo "s3_bucket not provided; EXITING;";
+ exit 1;
+ fi
+ if [[ $s3_bucket == *[' !@#$%^&*()+']* ]]; then
+ echo "s3_bucket should not contain spaces / any special character; EXITING";
+ exit 1;
+ fi
+ read -p "Provide onboarder s3 bucket region : " s3_region
+ if [[ $s3_region == *[' !@#$%^&*()+']* ]]; then
+ echo "s3_region should not contain spaces / any special character; EXITING";
+ exit 1;
+ fi
+
+ read -p "Provide S3 URL : " s3_url
+ if [[ -z $s3_url ]]; then
+ echo "s3_url not provided; EXITING;"
+ exit 1;
+ fi
+
+ s3_user_key=$( kubectl -n s3 get cm s3 -o json | jq -r '.data."s3-user-key"' )
+
 echo Onboarding default partners
 helm -n $NS install partner-onboarder mosip/partner-onboarder \
- --set onboarding.configmaps.s3.s3-host='http://minio.minio:9000' \
- --set onboarding.configmaps.s3.s3-user-key='admin' \
- --set onboarding.configmaps.s3.s3-region='' \
+ --set onboarding.configmaps.s3.s3-host="$s3_url" \
+ --set onboarding.configmaps.s3.s3-user-key="$s3_user_key" \
+ --set onboarding.configmaps.s3.s3-region="$s3_region" \
+ --set onboarding.configmaps.s3.s3-bucket-name="$s3_bucket" \
 $ENABLE_INSECURE \
 -f values.yaml \
+ --wait --wait-for-jobs \
 --version $CHART_VERSION
 echo "Reports are moved to S3 under onboarder bucket"
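Review bot: `s3_user_key=$( kubectl -n s3 get cm s3 -o json | jq -r '.data."s3-user-key"' )` is never checked, so when the `s3` ConfigMap lacks that key `jq -r` prints the literal `null` and the onboarder is installed with `s3-user-key=null`; whether a failing `kubectl` aborts instead depends on `set -e`/`pipefail` being enabled further down, which is outside this hunk. The lookup runs before `helm install`, so failing fast is free — see the rewrite below. The user-supplied values then go through `--set`, which splits on `,` and turns an all-digit bucket name into an integer, while the filter `[' !@#$%^&*()+']` does not reject `,`, `=`, `{` or `}`; use `--set-string` for `s3-host`, `s3-user-key`, `s3-region` and `s3-bucket-name`, add `-r` to each `read`, and check `s3_url` for a scheme, e.g. `[[ $s3_url == http://* || $s3_url == https://* ]] || { echo "s3_url must start with http:// or https://; EXITING;"; exit 1; }`. `installing_onboarder` begins and ends outside the hunk.
```shell
s3_user_key=$( kubectl -n s3 get cm s3 -o json | jq -r '.data."s3-user-key" // empty' )
if [[ -z $s3_user_key ]]; then
  echo "s3-user-key not found in configmap s3/s3; EXITING;" >&2
  exit 1
fi
# … unchanged: helm install partner-onboarder with the --set-string values …
```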