Merge pull request #278 from Rakshitha650/develop

[MOSIP-33894]automated signup-oidc p12 generation and mount the p12 to the signup deployment

README.md

@@ -85,6 +85,11 @@ mosip.kernel.sms.country.code=+91
 
 ### Install
 * Install `kubectl` and `helm` utilities.
+* Run `install.sh` to run the partner-onboarder to create the signup-oidc
+ ```
+  cd partner-onboarder
+  ./install.sh
+  ```
 * Run `install-all.sh` to deploy signup services.
   ```
   cd helm

helm/signup-service/templates/deployment.yaml

@@ -8,8 +8,8 @@ metadata:
   name: {{ template "common.names.fullname" . }}
   annotations:
     {{- if .Values.commonAnnotations }}
-    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
-    {{- end }}
+      {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+      {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
   {{- if .Values.updateStrategy }}
@@ -21,9 +21,9 @@ spec:
     metadata:
       annotations:
         {{- if or .Values.podAnnotations .Values.metrics.enabled }}
-        {{- include "signup.podAnnotations" . | nindent 8 }}
-        {{- end }}
-       
+          {{- include "signup.podAnnotations" . | nindent 8 }}
+          {{- end }}
+
       labels: {{- include "common.labels.standard" . | nindent 8 }}
         {{- if .Values.podLabels }}
         {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }}
@@ -71,7 +71,7 @@ spec:
               mountPath: bar
         {{- end }}
         {{- if .Values.enable_insecure }}
-          {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
         {{- end }}
       containers:
         - name: signup
@@ -99,19 +99,19 @@ spec:
             {{- end }}
           envFrom:
             {{- if .Values.extraEnvVarsCM }}
-            {{- range .Values.extraEnvVarsCM }}
-            - configMapRef:
-                name: {{ . }}
-            {{- end }}
-            {{- end }}
-            {{- if .Values.extraEnvVarsSecret }}
-            - secretRef:
-                name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
-            {{- end }}
+              {{- range .Values.extraEnvVarsCM }}
+              - configMapRef:
+                  name: {{ . }}
+              {{- end }}
+              {{- end }}
+              {{- if .Values.extraEnvVarsSecret }}
+              - secretRef:
+                  name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
+              {{- end }}
           ports:
             - name: spring-service
               containerPort: {{ .Values.springServicePort }}
-           
+
           {{- if .Values.resources }}
           resources: {{- toYaml .Values.resources | nindent 12 }}
           {{- end }}
@@ -136,6 +136,12 @@ spec:
             name: cacerts
             subPath: cacerts
           {{- end }}
+          {{- if .Values.volumes.secrets }}
+          {{- range $secretName, $value := .Values.volumes.secrets }}
+          - name: {{ $secretName }}
+            mountPath: {{ $value.path }}
+          {{- end }}
+          {{- end }}
         {{- if .Values.sidecars }}
         {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }}
         {{- end }}
@@ -144,3 +150,10 @@ spec:
       - name: cacerts
         emptyDir: {}
       {{- end }}
+      {{- if .Values.volumes.secrets }}
+      {{- range $secretName, $value := .Values.volumes.secrets }}
+      - name: {{ $secretName }}
+        secret:
+          secretName: {{ $secretName }}
+      {{- end }}
+      {{- end }}

helm/signup-service/values.yaml

@@ -302,8 +302,8 @@ initContainers:
     terminationMessagePath: /dev/termination-log
     terminationMessagePolicy: File
     volumeMounts:
-      - mountPath: /cacerts
-        name: cacerts
+      - mountPath: /keys
+        name: keys
 
 ## Add sidecars to the  pods.
 ## Example:
@@ -469,3 +469,9 @@ istio:
   prefix: /v1/signup/
 
 enable_insecure: false
+
+volumes:
+  secrets:
+    signupoidc:
+      key: oidckeystore.p12
+      path: /home/mosip/keys

partner-onboarder/README.md

@@ -0,0 +1,33 @@
+# Partner Onboarder
+
+## Overview
+* Upload certificate for default partners. Refer [mosip-onboarding repo](https://github.com/mosip/mosip-onboarding).
+
+## Install 
+* Set `values.yaml` to run onboarder for specific modules.
+* run `./install.sh`.
+```
+./install.sh
+```
+# Troubleshootings
+
+* After completion of the job, a very detailed `html report` is prepared and stored in minio as part of onboarding bucket.
+
+* The user can go and view the same for more information or response messages.
+
+### Commonly found issues 
+
+ 1. KER-ATH-401: Authentication Failed
+
+    Resolution: You need to provide correct secretkey for mosip-deployment-client.
+
+ 2. Certificate dates are not valid
+
+    Resolution: Check with admin regarding adding grace period in configuration.
+
+ 3. Upload of certificate will not be allowed to update other domain certificate
+
+    Resolution: This is expected when you try to upload `ida-cred` certificate twice. It should only run once and if you see this error while uploading a second      time it can be ignored as the cert is already present.
+
+
+

partner-onboarder/copy_cm.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+# Copy configmaps from other namespaces
+# DST_NS: Destination namespace 
+
+COPY_UTIL=./copy_cm_func.sh
+DST_NS=signup
+
+$COPY_UTIL configmap global default $DST_NS
+$COPY_UTIL configmap keycloak-env-vars keycloak $DST_NS
+$COPY_UTIL configmap keycloak-host keycloak $DST_NS

partner-onboarder/copy_cm_func.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copy configmap and secret from one namespace to another.
+# ./copy_cm_func.sh <resource> <configmap_name> <source_namespace> <destination_namespace> [name]
+# Parameters:
+#   resource: configmap|secret
+#   name: Optional new name of the configmap or secret in destination namespace.  This may be needed if there is
+#         clash of names
+
+if [ $1 = "configmap" ]
+then
+  RESOURCE=configmap
+elif [ $1 = "secret" ]
+then
+  RESOURCE=secret
+else
+  echo "Incorrect resource $1. Exiting.."
+  exit 1
+fi
+
+
+if [ $# -ge 5 ]
+then
+   kubectl -n $4 delete --ignore-not-found=true $RESOURCE $5
+   kubectl -n $3 get $RESOURCE $2 -o yaml | sed "s/namespace: $3/namespace: $4/g" | sed "s/name: $2/name: $5/g" | kubectl -n $4 create -f -  
+else
+   kubectl -n $4 delete --ignore-not-found=true $RESOURCE $2
+   kubectl -n $3 get $RESOURCE $2 -o yaml | sed "s/namespace: $3/namespace: $4/g" |  kubectl -n $4 create -f -  
+fi 
+
+
+
+
+

partner-onboarder/copy_secrets.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+# Copy secrets from other namespaces
+# DST_NS: Destination namespace
+
+COPY_UTIL=./copy_cm_func.sh
+DST_NS=signup
+
+$COPY_UTIL secret s3 s3 $DST_NS
+$COPY_UTIL secret keycloak keycloak $DST_NS
+$COPY_UTIL secret keycloak-client-secrets keycloak $DST_NS

partner-onboarder/delete.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# Uninstalls partner-onboarder helm
+## Usage: ./delete.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+  export KUBECONFIG=$1
+fi
+
+function deleting_onboarder() {
+  NS=signup
+  while true; do
+      read -p "Are you sure you want to delete all partner-onboarder ?(Y/n) " yn
+      if [ $yn = "Y" ]; then
+        echo Deleting signup-partner-onboarder helm
+        helm -n $NS delete signup-partner-onboarder
+        break
+      fi
+  done
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+deleting_onboarder   # calling function

partner-onboarder/install.sh

@@ -0,0 +1,104 @@
+#!/bin/bash
+# Onboards default partners 
+## Usage: ./install.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+  export KUBECONFIG=$1
+fi
+
+echo "Do you have public domain & valid SSL? (Y/n) "
+echo "Y: if you have public domain & valid ssl certificate"
+echo "n: if you don't have a public domain and a valid SSL certificate. It will add an ssl certificate in onboarder docker. Only recommended to use in local development environments"
+read -p "" flag
+
+if [ -z "$flag" ]; then
+  echo "'flag' was provided; EXITING;"
+  exit 1;
+fi
+ENABLE_INSECURE=''
+if [ "$flag" = "n" ]; then
+  ENABLE_INSECURE='--set onboarding.configmaps.onboarding.ENABLE_INSECURE=true';
+fi
+
+NS=signup
+CHART_VERSION=0.0.1-develop
+
+echo Create $NS namespace
+kubectl create ns $NS
+
+function installing_onboarder() {
+
+  read -p "Is values.yaml for onboarder chart set correctly as part of Pre-requisites?(Y/n) " yn;
+  if [ $yn = "Y" ]; then
+    echo Istio label
+    kubectl label ns $NS istio-injection=disabled --overwrite
+    helm repo update
+
+    echo Copy configmaps
+    kubectl -n $NS --ignore-not-found=true delete cm s3
+    kubectl -n $NS --ignore-not-found=true delete cm onboarder-namespace
+    sed -i 's/\r$//' copy_cm.sh
+    ./copy_cm.sh
+
+    echo Copy secrets
+    sed -i 's/\r$//' copy_secrets.sh
+    ./copy_secrets.sh
+
+    read -p "Provide onboarder bucket name : " s3_bucket
+    if [[ -z $s3_bucket ]]; then
+      echo "s3_bucket not provided; EXITING;";
+      exit 1;
+    fi
+    if [[ $s3_bucket == *[' !@#$%^&*()+']* ]]; then
+      echo "s3_bucket should not contain spaces / any special character; EXITING";
+      exit 1;
+    fi
+    read -p "Provide onboarder s3 bucket region : " s3_region
+    if [[ $s3_region == *[' !@#$%^&*()+']* ]]; then
+      echo "s3_region should not contain spaces / any special character; EXITING";
+      exit 1;
+    fi
+
+    read -p "Provide S3 URL : " s3_url
+    if [[ -z $s3_url ]]; then
+      echo "s3_url not provided; EXITING;"
+      exit 1;
+    fi
+
+    s3_user_key=$( kubectl -n s3 get cm s3 -o json | jq -r '.data."s3-user-key"' )
+
+    echo Onboarding default partners
+    helm -n $NS install signup-partner-onboarder /home/techno-376/IdeaProjects/mosip-helm/charts/partner-onboarder \
+    --set image.repository=mosipdev/partner-onboarder \
+    --set image.tag=develop \
+    --set onboarding.configmaps.s3.s3-host="$s3_url" \
+    --set onboarding.configmaps.s3.s3-user-key="$s3_user_key" \
+    --set onboarding.configmaps.s3.s3-region="$s3_region" \
+    --set onboarding.configmaps.s3.s3-bucket-name="$s3_bucket" \
+    $ENABLE_INSECURE \
+    -f values.yaml \
+    --version $CHART_VERSION \
+    --wait --wait-for-jobs
+
+    echo Updating signup-keystore-password value
+    kubectl -n $NS create secret generic signup-keystore-password --from-literal=signup-keystore-password='mosip123' --dry-run=client -o yaml | kubectl apply -f -
+    ./copy_cm_func.sh secret signup-keystore-password signup config-server
+
+    echo Updating signup keystore-password
+    kubectl -n config-server set env --keys=signup-keystore-password --from secret/signup-keystore-password deployment/config-server --prefix=SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_
+
+    kubectl -n config-server rollout restart deployment config-server
+    kubectl -n config-server rollout status deployment config-server
+
+    echo Reports are moved to S3 under onboarder bucket
+    return 0
+  fi
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+installing_onboarder   # calling function

partner-onboarder/values.yaml

@@ -0,0 +1,26 @@
+onboarding:
+  modules:
+    - name: ida
+      enabled: false
+    - name: print
+      enabled: false
+    - name: abis
+      enabled: false
+    - name: resident
+      enabled: false
+    - name: mobileid
+      enabled: false
+    - name: digitalcard
+      enabled: false
+    - name: esignet
+      enabled: false
+    - name: resident-oidc
+      enabled: false
+    - name: demo-oidc
+      enabled: false
+    - name: mimoto-keybinding
+      enabled: false
+    - name: mimoto-oidc
+      enabled: false
+    - name: signup-oidc
+      enabled: true