From 8d19ae796df7572ede04bd3dc6a46e39377b2a01 Mon Sep 17 00:00:00 2001 From: Rakshitha650 Date: Mon, 15 Jul 2024 18:23:59 +0530 Subject: [PATCH 1/3] [MOSIP-33894] Signed-off-by: techno-376 --- helm/signup-service/install.sh | 8 +- helm/signup-service/templates/deployment.yaml | 45 +++++--- helm/signup-service/values.yaml | 10 +- partner-onboarder/README.md | 33 ++++++ partner-onboarder/copy_cm.sh | 10 ++ partner-onboarder/copy_cm_func.sh | 33 ++++++ partner-onboarder/copy_secrets.sh | 10 ++ partner-onboarder/delete.sh | 28 +++++ partner-onboarder/install.sh | 104 ++++++++++++++++++ partner-onboarder/values.yaml | 26 +++++ 10 files changed, 285 insertions(+), 22 deletions(-) create mode 100644 partner-onboarder/README.md create mode 100755 partner-onboarder/copy_cm.sh create mode 100755 partner-onboarder/copy_cm_func.sh create mode 100755 partner-onboarder/copy_secrets.sh create mode 100755 partner-onboarder/delete.sh create mode 100755 partner-onboarder/install.sh create mode 100644 partner-onboarder/values.yaml diff --git a/helm/signup-service/install.sh b/helm/signup-service/install.sh index c70b6e6e..8d371246 100755 --- a/helm/signup-service/install.sh +++ b/helm/signup-service/install.sh @@ -22,7 +22,7 @@ kubectl create ns $NS function installing_signup() { echo Istio label - kubectl label ns $SOFTHSM_NS istio-injection=enabled --overwrite + # kubectl label ns $SOFTHSM_NS istio-injection=enabled --overwrite helm repo add mosip https://mosip.github.io/mosip-helm helm repo update @@ -33,7 +33,7 @@ function installing_signup() { echo Copy configmaps ./copy_cm_func.sh configmap global default config-server - echo Copy secrets +# echo Copy secrets ./copy_cm_func.sh secret softhsm-signup softhsm config-server kubectl -n config-server set env --keys=mosip-signup-host --from configmap/global deployment/config-server --prefix=SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_ 
@@ -56,10 +56,10 @@ function installing_signup() { ./copy_cm_func.sh secret signup-misp-onboarder-key signup config-server - echo Copy configmaps +# echo Copy configmaps ./copy_cm.sh - echo copy secrets +# echo copy secrets ./copy_secrets.sh SIGNUP_CLIENT_SECRET_KEY='mosip_signup_client_secret' diff --git a/helm/signup-service/templates/deployment.yaml b/helm/signup-service/templates/deployment.yaml index c4a6972b..b507bbb5 100644 --- a/helm/signup-service/templates/deployment.yaml +++ b/helm/signup-service/templates/deployment.yaml @@ -8,8 +8,8 @@ metadata: name: {{ template "common.names.fullname" . }} annotations: {{- if .Values.commonAnnotations }} - {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} spec: replicas: {{ .Values.replicaCount }} {{- if .Values.updateStrategy }} @@ -21,9 +21,9 @@ spec: metadata: annotations: {{- if or .Values.podAnnotations .Values.metrics.enabled }} - {{- include "signup.podAnnotations" . | nindent 8 }} - {{- end }} - + {{- include "signup.podAnnotations" . | nindent 8 }} + {{- end }} + labels: {{- include "common.labels.standard" . | nindent 8 }} {{- if .Values.podLabels }} {{- include "common.tplvalues.render" (dict "value" .Values.podLabels "context" $) | nindent 8 }} @@ -71,7 +71,7 @@ spec: mountPath: bar {{- end }} {{- if .Values.enable_insecure }} - {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} + {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} {{- end }} containers: - name: signup 
@@ -99,19 +99,19 @@ spec: {{- end }} envFrom: {{- if .Values.extraEnvVarsCM }} - {{- range .Values.extraEnvVarsCM }} - - configMapRef: - name: {{ . }} - {{- end }} - {{- end }} - {{- if .Values.extraEnvVarsSecret }} - - secretRef: - name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} - {{- end }} + {{- range .Values.extraEnvVarsCM }} + - configMapRef: + name: {{ . }} + {{- end }} + {{- end }} + {{- if .Values.extraEnvVarsSecret }} + - secretRef: + name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }} + {{- end }} ports: - name: spring-service containerPort: {{ .Values.springServicePort }} - + {{- if .Values.resources }} resources: {{- toYaml .Values.resources | nindent 12 }} {{- end }} @@ -136,6 +136,12 @@ spec: name: cacerts subPath: cacerts {{- end }} + {{- if .Values.volumes.secrets }} + {{- range $secretName, $value := .Values.volumes.secrets }} + - name: {{ $secretName }} + mountPath: {{ $value.path }} + {{- end }} + {{- end }} {{- if .Values.sidecars }} {{- include "common.tplvalues.render" ( dict "value" .Values.sidecars "context" $) | nindent 8 }} {{- end }} @@ -144,3 +150,10 @@ spec: - name: cacerts emptyDir: {} {{- end }} + {{- if .Values.volumes.secrets }} + {{- range $secretName, $value := .Values.volumes.secrets }} + - name: {{ $secretName }} + secret: + secretName: {{ $secretName }} + {{- end }} + {{- end }} \ No newline at end of file diff --git a/helm/signup-service/values.yaml b/helm/signup-service/values.yaml index 7553ed90..43e8ed4a 100644 --- a/helm/signup-service/values.yaml +++ b/helm/signup-service/values.yaml @@ -302,8 +302,8 @@ initContainers: terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - - mountPath: /cacerts - name: cacerts + - mountPath: /keys + name: keys ## Add sidecars to the pods. ## Example: 
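Review bot: In the `volumes` block added by the `@@ -144` hunk the per-secret `key` that values.yaml declares (`key: oidckeystore.p12` in the `@@ -469` hunk) is never referenced, so the whole `signupoidc` secret is projected under `{{ $value.path }}` rather than just the keystore file; the matching `volumeMounts` loop in the `@@ -136` hunk ignores it as well. If only the keystore should be visible in the container, project that single key under `secret:`: `items:` / `- key: {{ $value.key }}` / `path: {{ $value.key }}`, which also keeps any other keys stored in that secret off the container filesystem. The new final `{{- end }}` is also committed without a trailing newline.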
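Review bot: The initContainer mount in the `@@ -302` hunk is switched to `name: keys` at `/keys`, but none of the volumes added to `templates/deployment.yaml` in this commit carries that name — the new secret volumes are named after their secret (`signupoidc` with the shipped values) and `cacerts` is what the template still defines. Unless a `keys` volume exists elsewhere in the chart, the pod will fail validation on an unresolved volumeMount; either name the secret volume `keys` or mount `signupoidc` here. Since the template renders `initContainers` only under `{{- if .Values.enable_insecure }}`, the mismatch would presumably only surface when that flag is true.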
@@ -469,3 +469,9 @@ istio: prefix: /v1/signup/ enable_insecure: false + +volumes: + secrets: + signupoidc: + key: oidckeystore.p12 + path: /home/mosip/keys diff --git a/partner-onboarder/README.md b/partner-onboarder/README.md new file mode 100644 index 00000000..f757cd40 --- /dev/null +++ b/partner-onboarder/README.md @@ -0,0 +1,33 @@ +# Partner Onboarder + +## Overview +* Upload certificate for default partners. Refer [mosip-onboarding repo](https://github.com/mosip/mosip-onboarding). + +## Install +* Set `values.yaml` to run onboarder for specific modules. +* run `./install.sh`. +``` +./install.sh +``` +# Troubleshootings + +* After completion of the job, a very detailed `html report` is prepared and stored in minio as part of onboarding bucket. + +* The user can go and view the same for more information or response messages. + +### Commonly found issues + + 1. KER-ATH-401: Authentication Failed + + Resolution: You need to provide correct secretkey for mosip-deployment-client. + + 2. Certificate dates are not valid + + Resolution: Check with admin regarding adding grace period in configuration. + + 3. Upload of certificate will not be allowed to update other domain certificate + + Resolution: This is expected when you try to upload `ida-cred` certificate twice. It should only run once and if you see this error while uploading a second time it can be ignored as the cert is already present. + + + diff --git a/partner-onboarder/copy_cm.sh b/partner-onboarder/copy_cm.sh new file mode 100755 index 00000000..d73bffcb --- /dev/null +++ b/partner-onboarder/copy_cm.sh @@ -0,0 +1,10 @@ +#!/bin/bash +# Copy configmaps from other namespaces +# DST_NS: Destination namespace + +COPY_UTIL=./copy_cm_func.sh +DST_NS=signup + +$COPY_UTIL configmap global default $DST_NS +$COPY_UTIL configmap keycloak-env-vars keycloak $DST_NS +$COPY_UTIL configmap keycloak-host keycloak $DST_NS 
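Review bot: copy_cm.sh has no error handling, so a failed copy (for example a missing `keycloak-env-vars` configmap) is not reported and only the exit status of the last `$COPY_UTIL` call reaches install.sh, which then continues under its own `set -e` as if every configmap had been copied; the same applies to copy_secrets.sh in the next hunk. Add `set -euo pipefail` after the shebang so the first failing copy stops the script, and quote the expansions, `"$COPY_UTIL" configmap global default "$DST_NS"`.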
diff --git a/partner-onboarder/copy_cm_func.sh b/partner-onboarder/copy_cm_func.sh
new file mode 100755
index 00000000..7b225948
--- /dev/null
+++ b/partner-onboarder/copy_cm_func.sh
@@ -0,0 +1,33 @@
+#!/bin/sh
+# Copy configmap and secret from one namespace to another.
+# ./copy_cm_func.sh [name]
+# Parameters:
+# resource: configmap|secret
+# name: Optional new name of the configmap or secret in destination namespace. This may be needed if there is
+# clash of names
+
+if [ $1 = "configmap" ]
+then
+ RESOURCE=configmap
+elif [ $1 = "secret" ]
+then
+ RESOURCE=secret
+else
+ echo "Incorrect resource $1. Exiting.."
+ exit 1
+fi
+
+
+if [ $# -ge 5 ]
+then
+ kubectl -n $4 delete --ignore-not-found=true $RESOURCE $5
+ kubectl -n $3 get $RESOURCE $2 -o yaml | sed "s/namespace: $3/namespace: $4/g" | sed "s/name: $2/name: $5/g" | kubectl -n $4 create -f -
+else
+ kubectl -n $4 delete --ignore-not-found=true $RESOURCE $2
+ kubectl -n $3 get $RESOURCE $2 -o yaml | sed "s/namespace: $3/namespace: $4/g" | kubectl -n $4 create -f -
+fi
+
+
+
+
+
diff --git a/partner-onboarder/copy_secrets.sh b/partner-onboarder/copy_secrets.sh
new file mode 100755
index 00000000..137c1e7b
--- /dev/null
+++ b/partner-onboarder/copy_secrets.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# Copy secrets from other namespaces
+# DST_NS: Destination namespace
+
+COPY_UTIL=./copy_cm_func.sh
+DST_NS=signup
+
+$COPY_UTIL secret s3 s3 $DST_NS
+$COPY_UTIL secret keycloak keycloak $DST_NS
+$COPY_UTIL secret keycloak-client-secrets keycloak $DST_NS
diff --git a/partner-onboarder/delete.sh b/partner-onboarder/delete.sh
new file mode 100755
index 00000000..10aee991
--- /dev/null
+++ b/partner-onboarder/delete.sh
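Review bot: `[ $1 = "configmap" ]` and the later `$2`..`$5` are unquoted and there is no argument-count check, so calling the script with a missing argument yields a `[: =: unary operator expected` error from the shell instead of the intended "Incorrect resource" message, and `kubectl -n $4` can run against an empty namespace. Add a guard before the resource check, `[ "$#" -ge 4 ] || { echo "Usage: $0 configmap|secret NAME SRC_NS DST_NS [NEW_NAME]" >&2; exit 1; }`, and quote every positional expansion (`"$1"`, `"$RESOURCE"`, `"$4"`). The `sed "s/namespace: $3/namespace: $4/g"` rewrite is applied to the whole exported YAML, so it would also touch any matching text inside data values or a `last-applied-configuration` annotation if one is present; since this is used to replicate secrets across namespaces, restricting the rewrite to `.metadata.namespace` would be safer.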
@@ -0,0 +1,28 @@
+#!/bin/bash
+# Uninstalls partner-onboarder helm
+## Usage: ./delete.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+ export KUBECONFIG=$1
+fi
+
+function deleting_onboarder() {
+ NS=signup
+ while true; do
+ read -p "Are you sure you want to delete all partner-onboarder ?(Y/n) " yn
+ if [ $yn = "Y" ]; then
+ echo Deleting signup-partner-onboarder helm
+ helm -n $NS delete signup-partner-onboarder
+ break
+ fi
+ done
+ return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+deleting_onboarder # calling function
diff --git a/partner-onboarder/install.sh b/partner-onboarder/install.sh
new file mode 100755
index 00000000..57ab5b0a
--- /dev/null
+++ b/partner-onboarder/install.sh
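Review bot: The confirmation loop in `deleting_onboarder` has no exit path for a negative answer: anything other than `Y`, including the advertised `n`, re-prompts forever, and with `yn` unquoted an empty answer turns the test into `[ = "Y" ]`, a syntax error on every iteration. Quote the test and handle the decline, e.g. `if [ "$yn" = "Y" ]; then` ... `elif [ "$yn" = "n" ]; then echo "Aborting"; exit 0; fi`. Note that `set -e` is enabled after the function is defined but before it is called, so a failing `helm delete` aborts the script before `return 0` is reached.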
@@ -0,0 +1,104 @@
+#!/bin/bash
+# Onboards default partners
+## Usage: ./install.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+ export KUBECONFIG=$1
+fi
+
+echo "Do you have public domain & valid SSL? (Y/n) "
+echo "Y: if you have public domain & valid ssl certificate"
+echo "n: if you don't have a public domain and a valid SSL certificate. It will add an ssl certificate in onboarder docker. Only recommended to use in local development environments"
+read -p "" flag
+
+if [ -z "$flag" ]; then
+ echo "'flag' was provided; EXITING;"
+ exit 1;
+fi
+ENABLE_INSECURE=''
+if [ "$flag" = "n" ]; then
+ ENABLE_INSECURE='--set onboarding.configmaps.onboarding.ENABLE_INSECURE=true';
+fi
+
+NS=signup
+CHART_VERSION=0.0.1-develop
+
+echo Create $NS namespace
+kubectl create ns $NS
+
+function installing_onboarder() {
+
+ read -p "Is values.yaml for onboarder chart set correctly as part of Pre-requisites?(Y/n) " yn;
+ if [ $yn = "Y" ]; then
+ echo Istio label
+ kubectl label ns $NS istio-injection=disabled --overwrite
+ helm repo update
+
+ echo Copy configmaps
+ kubectl -n $NS --ignore-not-found=true delete cm s3
+ kubectl -n $NS --ignore-not-found=true delete cm onboarder-namespace
+ sed -i 's/\r$//' copy_cm.sh
+ ./copy_cm.sh
+
+ echo Copy secrets
+ sed -i 's/\r$//' copy_secrets.sh
+ ./copy_secrets.sh
+
+ read -p "Provide onboarder bucket name : " s3_bucket
+ if [[ -z $s3_bucket ]]; then
+ echo "s3_bucket not provided; EXITING;";
+ exit 1;
+ fi
+ if [[ $s3_bucket == *[' !@#$%^&*()+']* ]]; then
+ echo "s3_bucket should not contain spaces / any special character; EXITING";
+ exit 1;
+ fi
+ read -p "Provide onboarder s3 bucket region : " s3_region
+ if [[ $s3_region == *[' !@#$%^&*()+']* ]]; then
+ echo "s3_region should not contain spaces / any special character; EXITING";
+ exit 1;
+ fi
+
+ read -p "Provide S3 URL : " s3_url
+ if [[ -z $s3_url ]]; then
+ echo "s3_url not provided; EXITING;"
+ exit 1;
+ fi
+
+ s3_user_key=$( kubectl -n s3 get cm s3 -o json | jq -r 
'.data."s3-user-key"' )
+
+ echo Onboarding default partners
+ helm -n $NS install signup-partner-onboarder /home/techno-376/IdeaProjects/mosip-helm/charts/partner-onboarder \
+ --set image.repository=mosipdev/partner-onboarder \
+ --set image.tag=develop \
+ --set onboarding.configmaps.s3.s3-host="$s3_url" \
+ --set onboarding.configmaps.s3.s3-user-key="$s3_user_key" \
+ --set onboarding.configmaps.s3.s3-region="$s3_region" \
+ --set onboarding.configmaps.s3.s3-bucket-name="$s3_bucket" \
+ $ENABLE_INSECURE \
+ -f values.yaml \
+ --version $CHART_VERSION \
+ --wait --wait-for-jobs
+
+ echo Updating signup-keystore-password value
+ kubectl -n $NS create secret generic signup-keystore-password --from-literal=signup-keystore-password='mosip123' --dry-run=client -o yaml | kubectl apply -f -
+ ./copy_cm_func.sh secret signup-keystore-password signup config-server
+
+ echo Updating signup keystore-password
+ kubectl -n config-server set env --keys=signup-keystore-password --from secret/signup-keystore-password deployment/config-server --prefix=SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_
+
+ kubectl -n config-server rollout restart deployment config-server
+ kubectl -n config-server rollout status deployment config-server
+
+ echo Reports are moved to S3 under onboarder bucket
+ return 0
+ fi
+}
+
+# set commands for error handling.
+set -e
+set -o errexit ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace # trace ERR through 'time command' and other functions
+set -o pipefail # trace ERR through pipes
+installing_onboarder # calling function
diff --git a/partner-onboarder/values.yaml b/partner-onboarder/values.yaml
new file mode 100644
index 00000000..fbf1ff69
--- /dev/null
+++ b/partner-onboarder/values.yaml
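Review bot: The keystore password is hard-coded as `'mosip123'` in the `kubectl create secret generic signup-keystore-password` line and then pushed into config-server, so every deployment made with this script shares a password that now lives in the repository history. Read it from the environment or prompt for it without echo instead: `: "${SIGNUP_KEYSTORE_PASSWORD:?set SIGNUP_KEYSTORE_PASSWORD}"` near the top of the script and `--from-literal=signup-keystore-password="$SIGNUP_KEYSTORE_PASSWORD"` in the create line. The `helm install` also points at a developer's local checkout, `/home/techno-376/IdeaProjects/mosip-helm/charts/partner-onboarder`, which will not exist on any other machine; presumably the chart should come from the `mosip` helm repo as helm/signup-service/install.sh does, which would also give `--version $CHART_VERSION` something to act on. Two smaller points in the same hunk: the message printed when `flag` is empty reads `'flag' was provided; EXITING;` and should say `was not provided`, and `s3_region` gets only the special-character check, not the `-z` check that `s3_bucket` and `s3_url` receive.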
@@ -0,0 +1,26 @@ +onboarding: + modules: + - name: ida + enabled: false + - name: print + enabled: false + - name: abis + enabled: false + - name: resident + enabled: false + - name: mobileid + enabled: false + - name: digitalcard + enabled: false + - name: esignet + enabled: false + - name: resident-oidc + enabled: false + - name: demo-oidc + enabled: false + - name: mimoto-keybinding + enabled: false + - name: mimoto-oidc + enabled: false + - name: signup-oidc + enabled: true From d01784516416cff35c0b0870ef29b9dedeb6371c Mon Sep 17 00:00:00 2001 From: Rakshitha650 Date: Mon, 15 Jul 2024 18:27:46 +0530 Subject: [PATCH 2/3] [MOSIP-33894] Signed-off-by: techno-376 --- helm/signup-service/install.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/helm/signup-service/install.sh b/helm/signup-service/install.sh index 8d371246..c70b6e6e 100755 --- a/helm/signup-service/install.sh +++ b/helm/signup-service/install.sh @@ -22,7 +22,7 @@ kubectl create ns $NS function installing_signup() { echo Istio label - # kubectl label ns $SOFTHSM_NS istio-injection=enabled --overwrite + kubectl label ns $SOFTHSM_NS istio-injection=enabled --overwrite helm repo add mosip https://mosip.github.io/mosip-helm helm repo update @@ -33,7 +33,7 @@ function installing_signup() { echo Copy configmaps ./copy_cm_func.sh configmap global default config-server -# echo Copy secrets + echo Copy secrets ./copy_cm_func.sh secret softhsm-signup softhsm config-server kubectl -n config-server set env --keys=mosip-signup-host --from configmap/global deployment/config-server --prefix=SPRING_CLOUD_CONFIG_SERVER_OVERRIDES_ @@ -56,10 +56,10 @@ function installing_signup() { ./copy_cm_func.sh secret signup-misp-onboarder-key signup config-server -# echo Copy configmaps + echo Copy configmaps ./copy_cm.sh -# echo copy secrets + echo copy secrets ./copy_secrets.sh SIGNUP_CLIENT_SECRET_KEY='mosip_signup_client_secret' From a5cd2e8a62a7054206012d7e16fb19a5ae9a1c06 Mon Sep 17 00:00:00 2001 
From: Rakshitha650 Date: Mon, 15 Jul 2024 19:49:05 +0530 Subject: [PATCH 3/3] [MOSIP-33894] Signed-off-by: techno-376 --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index deac801f..4c46043d 100644 --- a/README.md +++ b/README.md @@ -85,6 +85,11 @@ mosip.kernel.sms.country.code=+91 ### Install * Install `kubectl` and `helm` utilities. +* Run `install.sh` to run the partner-onboarder to create the signup-oidc + ``` + cd partner-onboarder + ./install.sh + ``` * Run `install-all.sh` to deploy signup services. ``` cd helm