Merge pull request #370 from mosip/MOSIP-35816

[MOSIP-35816]

README.md

@@ -4,31 +4,20 @@ signup-service is part of the esignet, but has a separate Helm chart to install
 
 ## Installing in k8s cluster using helm
 ### Pre-requisites
-1. Set the kube config file of the Mosip cluster having dependent services is set correctly in PC.
-2. Make sure [DB setup](db_scripts/README.md#install-in-existing-mosip-k8-cluster) is done.
-3. Add / merge below mentioned properties files into existing config branch:
-   * [signup-default.properties](https://github.com/mosip/mosip-config/blob/v1.2.0.1-B3/esignet-default.properties)
-   * [application-default.properties](https://github.com/mosip/mosip-config/blob/v1.2.0.1-B3/application-default.properties)
-4. Below are the dependent services required for signup service integrated with MOSIP IDA:
+1. Set the kube config file of the Esignet k8 cluster having esignet services is set correctly in PC.
+1. Below are the dependent services required for signup service integrated with MOSIP IDA:
    | Chart | Chart version |
    |---|---|
    |[Keycloak](https://github.com/mosip/mosip-infra/tree/v1.2.0.1-B3/deployment/v3/external/iam) | 7.1.18 |
    |[Keycloak-init](https://github.com/mosip/mosip-infra/tree/v1.2.0.1-B3/deployment/v3/external/iam) | 12.0.1-B3 |
-   |[Postgres](https://github.com/mosip/mosip-infra/tree/v1.2.0.1-B3/deployment/v3/external/postgres) | 10.16.2 |
-   |[Postgres Init](https://github.com/mosip/mosip-infra/tree/v1.2.0.1-B3/deployment/v3/external/postgres) | 12.0.1-B3 |
-   |[Minio](https://github.com/mosip/mosip-infra/tree/v1.2.0.1-B3/deployment/v3/external/object-store) | 10.1.6 |
    |[Kafka](https://github.com/mosip/mosip-infra/tree/v1.2.0.1-B3/deployment/v3/external/kafka) | 0.4.2 |
-   |[Config-server](https://github.com/mosip/mosip-infra/tree/v1.2.0.1-B3/deployment/v3/mosip/config-server) | 12.0.1-B3 |
-   |[Websub](https://github.com/mosip/mosip-infra/tree/v1.2.0.1-B3/deployment/v3/mosip/websub) | 12.0.1-B2 |
-   |[Artifactory server](https://github.com/mosip/mosip-infra/tree/v1.2.0.1-B3/deployment/v3/mosip/artifactory) | 12.0.1-B3 |
-   |[Keymanager service](https://github.com/mosip/mosip-infra/blob/v1.2.0.1-B3/deployment/v3/mosip/keymanager) | 12.0.1-B2 |
-   |[Kernel services](https://github.com/mosip/mosip-infra/blob/v1.2.0.1-B3/deployment/v3/mosip/kernel) | 12.0.1-B2 |
-   |[Biosdk service](https://github.com/mosip/mosip-infra/tree/v1.2.0.1-B3/deployment/v3/mosip/biosdk) | 12.0.1-B3 |
-   |[Idrepo services](https://github.com/mosip/mosip-infra/blob/v1.2.0.1-B3/deployment/v3/mosip/idrepo) | 12.0.1-B2 |
-   |[Pms services](https://github.com/mosip/mosip-infra/blob/v1.2.0.1-B3/deployment/v3/mosip/pms) | 12.0.1-B3 |
-   |[IDA services](https://github.com/mosip/mosip-infra/blob/v1.2.0.1-B3/deployment/v3/mosip/ida) | 12.0.1-B3 |
 
-### Install
+### Setup pre-requisites for signup services
+```
+cd deploy
+./prereq.sh
+```
+### Install Signup service
 * Install `kubectl` and `helm` utilities.
 * Run `install.sh` to run the partner-onboarder to create the signup-oidc
  ```
@@ -37,28 +26,23 @@ signup-service is part of the esignet, but has a separate Helm chart to install
   ```
 * Run `install-all.sh` to deploy signup services.
   ```
-  cd helm
-  ./install-all.sh
+  cd deploy
+  ./install-signup.sh
   ```
-* During the execution of the `install-all.sh` script, a prompt appears requesting information regarding the presence of a public domain and a valid SSL certificate on the server.
-* If the server lacks a public domain and a valid SSL certificate, it is advisable to select the `n` option. Opting it will enable the `init-container` with an `emptyDir` volume and include it in the deployment process.
-* The init-container will proceed to download the server's self-signed SSL certificate and mount it to the specified location within the container's Java keystore (i.e., `cacerts`) file.
-* This particular functionality caters to scenarios where the script needs to be employed on a server utilizing self-signed SSL certificates.
-
 ### Delete
-* Run `delete-all.sh` to remove signup services.
+* Run `delete-signup.sh` to remove signup services.
   ```
-  cd helm
-  ./delete-all.sh
+  cd deploy
+  ./delete-signup.sh
   ```
-
 ### Restart
-* Run `restart-all.sh` to restart signup services.
+* Run `restart-signup.sh` to restart signup services.
   ```
-  cd helm
-  ./restart-all.sh
+  cd deploy
+  ./restart-signup.sh
   ```
-
+## Partner onboarding
+* Perform Partner onboarding for esignet Signup OIDC client using [steps](partner-onboarder/README.md) only if mosip-identity plugin is used.  
 
 ## APIs
 API documentation is available [here](https://mosip.stoplight.io/docs/identity-provider/branches/signupV1/t9tvfbteqqokf-e-signet-signup-portal-ap-is).

helm/delete-all.sh → deploy/delete-signup.sh

@@ -1,23 +1,17 @@
 #!/bin/bash
-
-# deletes signup services in correct order
-## Usage: ./delete-all.sh [kubeconfig]
+# Deleted signup services in correct order
+## Usage: ./restart-all.sh [kubeconfig]
 
 if [ $# -ge 1 ] ; then
   export KUBECONFIG=$1
 fi
 
 function Deleting_All() {
   ROOT_DIR=`pwd`
-  SOFTHSM_NS=softhsm
-
-  helm -n $SOFTHSM_NS delete softhsm-signup
 
-  declare -a module=("signup-service"
-         "signup-ui"
-                     )
+  declare -a module=("signup-service" "signup-ui")
 
-  echo Installing signup services
+  echo restarting signup services
 
   for i in "${module[@]}"
   do

helm/install-all.sh → deploy/install-signup.sh

@@ -1,38 +1,36 @@
 #!/bin/bash
-
-# Installs signup services in correct order
-## Usage: ./install-all.sh [kubeconfig]
+## Installs signup services in correct order
+## Usage: ./install.sh [kubeconfig]
 
 if [ $# -ge 1 ] ; then
   export KUBECONFIG=$1
 fi
 
 ROOT_DIR=`pwd`
 
-function installing_All() {
-  helm repo add mosip https://mosip.github.io/mosip-helm
-  helm repo update
+function installing_signup() {
 
-  declare -a module=("signup-service"
-                 "signup-ui"
-                     )
+  helm repo add mosip https://mosip.github.io/mosip-helm
+  # List of modules to install
+  declare -a modules=("signup-service" "signup-ui")
 
-  echo Installing signup services
+  echo "Installing signup services"
 
-  for i in "${module[@]}"
+  # Install modules
+  for module in "${modules[@]}"
   do
-    cd $ROOT_DIR/"$i"
+    cd $ROOT_DIR/"$module"
     ./install.sh
   done
 
-  echo All signup services deployed sucessfully.
+  echo "All signup services deployed successfully."
   return 0
 }
 
-# set commands for error handling.
+# Set commands for error handling.
 set -e
 set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
-set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o nounset   ## set -u : exit the script if you try to use an uninitialized variable
 set -o errtrace  # trace ERR through 'time command' and other functions
 set -o pipefail  # trace ERR through pipes
-installing_All   # calling function
+installing_signup   # calling function

deploy/keycloak/keycloak-init-values.yaml

@@ -0,0 +1,15 @@
+keycloak:
+  realms:
+    mosip: # realm
+      roles:
+        - AUTH
+        - ID_REPOSITORY
+        - REGISTRATION_ADMIN
+      clients:   
+        - name: mosip-signup-client
+          mappers: []
+          saroles:
+            - AUTH
+            - CREDENTIAL_REQUEST
+            - ID_REPOSITORY
+            - REGISTRATION_ADMIN

deploy/keycloak/keycloak-init.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+# Initialises signup keycloak-init
+## Usage: ./keycloak-init.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+  export KUBECONFIG=$1
+fi
+
+NS=signup
+CHART_VERSION=0.0.1-develop
+COPY_UTIL=../copy_cm_func.sh
+
+helm repo add mosip https://mosip.github.io/mosip-helm
+helm repo update
+
+echo "checking if mosip-pms-client, mosip-ida-client & mpartner_default_auth client is created already"
+IAMHOST_URL=$(kubectl -n esignet get cm esignet-global -o jsonpath={.data.mosip-iam-external-host})
+SIGNUP_CLIENT_SECRET_KEY='mosip_signup_client_secret'
+SIGNUP_CLIENT_SECRET_VALUE=$(kubectl -n keycloak get secrets keycloak-client-secrets -o jsonpath={.data.$SIGNUP_CLIENT_SECRET_KEY} | base64 -d)
+echo "Copying keycloak configmaps and secret"
+$COPY_UTIL configmap keycloak-host keycloak $NS
+$COPY_UTIL configmap keycloak-env-vars keycloak $NS
+$COPY_UTIL secret keycloak keycloak $NS
+
+echo "creating and adding roles to keycloak pms & mpartner_default_auth clients for ESIGNET"
+kubectl -n $NS delete secret --ignore-not-found=true keycloak-client-secrets
+helm -n $NS delete signup-keycloak-init
+helm -n $NS install signup-keycloak-init mosip/keycloak-init \
+  -f keycloak-init-values.yaml \
+  --set clientSecrets[0].name="$SIGNUP_CLIENT_SECRET_KEY" \
+  --set clientSecrets[0].secret="$SIGNUP_CLIENT_SECRET_VALUE" \
+  --version $CHART_VERSION --wait --wait-for-jobs
+
+SIGNUP_CLIENT_SECRET_VALUE=$(kubectl -n $NS get secrets keycloak-client-secrets -o jsonpath={.data.$SIGNUP_CLIENT_SECRET_KEY})
+# Check if the secret exists
+if kubectl get secret keycloak-client-secrets -n keycloak >/dev/null 2>&1; then
+  echo "Secret 'keycloak-client-secrets' exists. Performing secret update..."
+  kubectl -n keycloak get secret keycloak-client-secrets -o json |
+  jq ".data[\"$SIGNUP_CLIENT_SECRET_KEY\"]=\"$SIGNUP_CLIENT_SECRET_VALUE\"" |
+  kubectl apply -f -
+else
+  echo "Secret 'keycloak-client-secrets' does not exist. Copying the secret to the keycloak namespace."
+  $COPY_UTIL secret keycloak-client-secrets $NS keycloak
+fi

deploy/prereq.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+
+# Installs signup services in correct order
+## Usage: ./install-all.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+  export KUBECONFIG=$1
+fi
+
+ROOT_DIR=`pwd`
+NS=signup
+
+echo "This script considers below mentioned points:"
+echo "1. Keycloak is installed in keycloak namespace and already initialised once during esignet pre-requisites initialisation."
+echo "2. Redis is installed and relevant secret and configmap is present in redis namespace as part of esignet pre-requisites installation."
+echo "3. Kafka is installed in kafka namespace as part of esignet pre-requisites installation."
+
+function installing_prereq() {
+  helm repo add mosip https://mosip.github.io/mosip-helm
+  helm repo update
+
+  echo Create $NS namespace
+  kubectl create ns $NS || true
+
+  ./copy_cm_func.sh configmap esignet-global esignet $NS
+  echo "Sucessfully copied esignet-global configmap from esignet namespace to "$NS" "
+
+
+  ./copy_cm_func.sh configmap redis-config redis $NS
+  ./copy_cm_func.sh secret redis redis $NS
+  echo "Sucessfully copied configmaps and secrets required to connect to the redis server from redis namespace which is also shared with esignet"
+
+  echo "Note: By default pointing to the Kafka installed in kafka namespace used by esignet service as well. In case want to change the same, deploy new kafka server and update in signup application properties."
+
+  cd $ROOT_DIR/keycloak
+  ./keycloak-init.sh
+
+  SIGNUP_HOST=$(kubectl -n esignet get cm esignet-global -o jsonpath={.data.mosip-signup-host})
+  echo "Please enter the recaptcha admin site key for domain "$SIGNUP_HOST""
+  read SSITE_KEY
+  echo Please enter the recaptcha admin secret key for domain $SIGNUP_HOST
+  read SSECRET_KEY
+
+  echo Setting up captcha secrets
+  kubectl -n $NS create secret generic signup-captcha --from-literal=signup-captcha-site-key=$SSITE_KEY --from-literal=signup-captcha-secret-key=$SSECRET_KEY --dry-run=client -o yaml | kubectl apply -f -
+
+  echo creating empty signup-keystore-password secret
+  kubectl -n $NS create secret generic signup-keystore-password --from-literal=signup-keystore-password='' --dry-run=client -o yaml | kubectl apply -f -
+
+  echo creating empty signup-keystore secret
+  kubectl -n $NS create secret generic signup-keystore --from-literal=oidckeystore.p12='' --dry-run=client -o yaml | kubectl apply -f -
+
+  echo All signup services pre-requisites deployed sucessfully.
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+installing_prereq   # calling function

helm/restart-all.sh → deploy/restart-signup.sh

@@ -1,5 +1,4 @@
 #!/bin/bash
-
 # restarts signup services in correct order
 ## Usage: ./restart-all.sh [kubeconfig]
 
@@ -10,9 +9,7 @@ fi
 function Restarting_All() {
   ROOT_DIR=`pwd`
 
-  declare -a module=("signup-service"
-         "signup-ui"
-                     )
+  declare -a module=("signup-service" "signup-ui")
 
   echo restarting signup services
 

helm/signup-service/delete.sh → deploy/signup-service/delete.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Uninstalls all signup helm charts
+# Deletes signup helm chart
 ## Usage: ./delete.sh [kubeconfig]
 
 if [ $# -ge 1 ] ; then
@@ -9,8 +9,8 @@ fi
 function Deleting_signup() {
   NS=signup
   while true; do
-      read -p "Are you sure you want to delete all signup helm charts?(Y/n) " yn
-      if [ $yn = "Y" ]
+      read -p "Are you sure you want to delete signup helm charts?(Y/n) " yn
+      if [[ $yn = "Y" ]] || [[ $yn = "y" ]];
         then
           helm -n $NS delete signup
           break