Consolidate into 'foundry' namespace (#46)

foundry/certs/generate-certs

@@ -21,4 +21,4 @@ cfssl gencert $ARGS -ca int-ca.pem -ca-key int-ca-key.pem -config config.json \
 # Create pkcs12 host bundle for identity signing key
 openssl pkcs12 -export -out host.pfx -inkey host-key.pem -in host.pem \
                -passin pass:foundry -passout pass:foundry
-sed -ri "s|(signer:) \"\"|\1 $(base64 -w0 host.pfx)|" ../common/identity.values.yaml
+sed -ri "s|(signer:) \"\"|\1 $(base64 -w0 host.pfx)|" ~/foundry/identity.values.yaml

foundry/topomojo/gameboard.values.yaml → foundry/gameboard.values.yaml

@@ -103,7 +103,7 @@ gameboard-api:
   env:
     PathBase: "/gameboard"
     Database__Provider: PostgreSQL
-    Database__ConnectionString: "Server=postgresql.common.svc.cluster.local;Port=5432;Database=gameboard;Username=postgres;Password=foundry;SSL Mode=Prefer;Trust Server Certificate=true;"
+    Database__ConnectionString: "Server=postgresql;Port=5432;Database=gameboard;Username=postgres;Password=foundry;SSL Mode=Prefer;Trust Server Certificate=true;"
     # Cache__SharedFolder: ""
     Oidc__Audience: gameboard-api
     Oidc__Authority: https://foundry.local/identity

foundry/install.sh

@@ -4,19 +4,109 @@
 # Released under a BSD (SEI)-style license, please see LICENSE.md in the
 # project root or contact permission@sei.cmu.edu for full terms.
 
-##############################
-#   Foundry Stacks Install   #
-##############################
+#############################
+#   Foundry Stack Install   #
+#############################
+
+GITEA_OAUTH_CLIENT_SECRET=$(openssl rand -hex 16)
+GITEA_ADMIN_PASSWORD=$(pwgen 12)
 
 # Change to the current directory
 cd "$(dirname "${BASH_SOURCE[0]}")"
 
-# Install stacks
-common/install.sh
-topomojo/install.sh
+# Create foundry namespace and switch to it
+kubectl apply -f namespace.yaml
+kubectl config set-context --current --namespace=foundry
+
+# Add host certificate
+kubectl create secret tls appliance-cert --key certs/host-key.pem --cert <( cat certs/host.pem certs/int-ca.pem )
+
+# Install NFS server
+helm repo add kvaps https://kvaps.github.io/charts
+helm install -f nfs-server-provisioner.values.yaml nfs-server-provisioner kvaps/nfs-server-provisioner
+
+# Install ingress-nginx
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+helm install --wait ingress-nginx ingress-nginx/ingress-nginx --values ingress-nginx.values.yaml
+
+# Install PostgreSQL
+helm repo add bitnami https://charts.bitnami.com/bitnami
+helm install --wait -f postgresql.values.yaml postgresql bitnami/postgresql
+
+# Install pgAdmin4
+helm repo add runix https://helm.runix.net/
+kubectl create secret generic pgpassfile --from-literal=pgpassfile=postgresql:5432:\*:postgres:foundry
+helm install -f pgadmin4.values.yaml pgadmin4 runix/pgadmin4
+
+# Install code-server (browser-based VS Code)
+helm repo add nicholaswilde https://nicholaswilde.github.io/helm-charts/
+helm install -f code-server.values.yaml code-server nicholaswilde/code-server
+
+# Kubernetes Dashboard
+helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
+helm install -f kubernetes-dashboard.values.yaml kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard
+
+# Add root CA to chart values
+cat certs/root-ca.pem | sed 's/^/  /' | sed -i -re 's/(cacert:).*/\1 |-/' -e '/cacert:/ r /dev/stdin' mkdocs-material.values.yaml
+cp certs/root-ca.pem ../mkdocs/docs/root-ca.crt
+
+# Install Identity
+sed -i -r "s/<GITEA_OAUTH_CLIENT_SECRET>/$GITEA_OAUTH_CLIENT_SECRET/" identity.values.yaml
+helm repo add sei https://helm.cyberforce.site/charts
+helm install --wait -f identity.values.yaml identity sei/identity
+
+# Install Gitea
+git config --global init.defaultBranch main
+helm repo add gitea https://dl.gitea.io/charts/
+kubectl exec postgresql-0 -- psql 'postgresql://postgres:foundry@localhost' -c 'CREATE DATABASE gitea;'
+kubectl create secret generic gitea-oauth-client --from-literal=key=gitea-client --from-literal=secret=$GITEA_OAUTH_CLIENT_SECRET
+kubectl create secret generic gitea-admin-creds --from-literal=username=administrator --from-literal=password=$GITEA_ADMIN_PASSWORD
+helm install -f gitea.values.yaml gitea gitea/gitea
+timeout 5m bash -c 'while [[ "$(curl -s -o /dev/null -w ''%{http_code}'' https://foundry.local/gitea)" != "200" ]]; do sleep 5; done' || false
+./scripts/setup-gitea
+
+# Install Material for MkDocs
+helm install -f mkdocs-material.values.yaml mkdocs-material sei/mkdocs-material
+
+# Add root CA to chart values
+cat certs/root-ca.pem | sed 's/^/    /' | sed -i -re 's/(cacert:).*/\1 |-/' -e '/cacert:/ r /dev/stdin' gameboard.values.yaml
+cat certs/root-ca.pem | sed 's/^/        /' | sed -i -re 's/(cacert.crt:).*/\1 |-/' -e '/cacert.crt:/ r /dev/stdin' topomojo.values.yaml
+
+# Install TopoMojo
+kubectl apply -f topomojo-pvc.yaml
+helm install --wait -f topomojo.values.yaml topomojo sei/topomojo
+kubectl apply -f console-ingress.yaml
+sleep 60
+
+# Add bot user to TopoMojo
+TOPOMOJO_ACCESS_TOKEN=$(curl --silent --request POST \
+  --url 'https://foundry.local/identity/connect/token' \
+  --data grant_type=password \
+  --data client_id=bootstrap-client \
+  --data client_secret=foundry \
+  --data username=administrator@foundry.local \
+  --data password=foundry | jq -r '.access_token')
+
+USER_ID=$(curl -X POST --silent \
+  --url "https://foundry.local/topomojo/api/user" \
+  -H "Authorization: Bearer $TOPOMOJO_ACCESS_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{ "name": "bot-gameboard", "role": "user", "scope": "gameboard" }' | jq -r '.id')
+
+API_KEY=$(curl -X POST --silent \
+  --url "https://foundry.local/topomojo/api/apikey/$USER_ID" \
+  -H "Authorization: Bearer $TOPOMOJO_ACCESS_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{}" | jq -r '.value')
+
+# Install Gameboard
+sed -i -r "s/(Core__GameEngineClientSecret:).*/\1 $API_KEY/" gameboard.values.yaml
+helm install --wait -f gameboard.values.yaml gameboard sei/gameboard
 
-# Switch to common namespace
-kubectl config set-context --current --namespace=common
+# Add administrator user to Gameboard
+timeout 5m bash -c 'until kubectl exec postgresql-0 -n foundry -- env PGPASSWORD=foundry psql -lqt -U postgres | cut -d \| -f 1 | grep -qw gameboard; do sleep 5; done' || false
+sleep 5
+kubectl exec postgresql-0 -n foundry -- psql 'postgresql://postgres:foundry@localhost/gameboard' -c "INSERT INTO \"Users\" (\"Id\",\"Name\",\"ApprovedName\",\"Role\") VALUES ('dee684c5-2eaf-401a-915b-d3d4320fe5d5', 'Administrator', 'Administrator', 63);"
 
 # Create git repo to track changes
 git init

foundry/common/namespace.yaml → foundry/namespace.yaml

@@ -1,6 +1,6 @@
 kind: Namespace
 apiVersion: v1
 metadata:
-  name: common
+  name: foundry
   labels:
-    name: common
+    name: foundry

foundry/topomojo/setup-esxi → foundry/scripts/setup-esxi

@@ -15,10 +15,9 @@ ESXI_USER=root
 ESXI_HOSTNAME=esxi.foundry.local
 ESXI_CERTDIR=/etc/vmware/ssl
 RUI_CRT=$(cat ../certs/host.pem ../certs/int-ca.pem)
-RUI_KEY=$(<../certs/host-key.pem)
+RUI_KEY=$(<certs/host-key.pem)
 APPLIANCE_IP=$(ip route get 1 | sed -n 's/^.*src \([0-9.]*\) .*$/\1/p')
-TOPOMOJO_NAMESPACE=topomojo
-TOPOMOJO_NFS_PV=$(kubectl get pvc topomojo-nfs -n $TOPOMOJO_NAMESPACE --output=jsonpath='{.spec.volumeName}')
+TOPOMOJO_NFS_PV=$(kubectl get pvc topomojo-nfs -n foundry --output=jsonpath='{.spec.volumeName}')
 TOPOMOJO_STOCK_PATH=/vmfs/volumes/datastore1/topomojo/00000000-0000-0000-0000-000000000000
 TOPOMOJO_ACCESS_TOKEN=$(curl --silent --request POST \
                              --url 'https://foundry.local/identity/connect/token' \
@@ -96,8 +95,8 @@ EOF
 fi
 
 # Configure topomojo-api
-sed -i -r "s/(Pod__Url:).*/\1 https:\/\/$ESXI_HOSTNAME/" topomojo.values.yaml 
-helm upgrade --install --wait -n $TOPOMOJO_NAMESPACE -f topomojo.values.yaml topomojo sei/topomojo
-kubectl rollout restart -n $TOPOMOJO_NAMESPACE deployment.apps/topomojo-topomojo-api
+sed -i -r "s/(Pod__Url:).*/\1 https:\/\/$ESXI_HOSTNAME/" ~/foundry/topomojo.values.yaml
+helm upgrade --install --wait -n foundry -f ~/foundry/topomojo.values.yaml topomojo sei/topomojo
+kubectl rollout restart -n foundry deployment.apps/topomojo-topomojo-api
 
 echo -e "\nESXi setup completed for $ESXI_HOSTNAME\n"

foundry/topomojo/topomojo.values.yaml → foundry/topomojo.values.yaml

@@ -109,7 +109,7 @@ topomojo-api:
   env:
     PathBase: "/topomojo"
     Database__Provider: PostgreSQL
-    Database__ConnectionString: Server=postgresql.common.svc.cluster.local;Port=5432;Database=topomojo;Username=postgres;Password=foundry;SSL Mode=Prefer;Trust Server Certificate=true;
+    Database__ConnectionString: Server=postgresql;Port=5432;Database=topomojo;Username=postgres;Password=foundry;SSL Mode=Prefer;Trust Server Certificate=true;
     Database__AdminId: dee684c5-2eaf-401a-915b-d3d4320fe5d5
     Database__AdminName: Administrator
     Cache__SharedFolder: ""

mkdocs/docs/index.md

@@ -45,8 +45,8 @@ The following third-party applications are loaded on this appliance:
 The appliance comes preloaded with a sample challenge from _President's Cup 2020_. Run the following commands to download the virtual machine images (~20 GB) to ESXi and load the challenge into TopoMojo.
 
 ```
-cd ~/foundry/topomojo
-./content-import content/pc2-d01.json
+cd ~/foundry/content
+./content-import pc2-d01.json
 ```
 
 ## Under the hood

setup-appliance

@@ -10,7 +10,7 @@
 echo "$APPLIANCE_VERSION" > /etc/appliance_version
 
 # Expand LVM volume to use full drive capacity
-~/foundry/expand-volume
+~/foundry/scripts/expand-volume
 
 # Disable swap for Kubernetes
 swapoff -a
@@ -82,13 +82,13 @@ sudo -u $SSH_USERNAME git clone https://github.com/jaggedmountain/k-alias.git
 chmod -x /etc/update-motd.d/00-header
 chmod -x /etc/update-motd.d/10-help-text
 sed -i -r 's/(ENABLED=)1/\10/' /etc/default/motd-news
-cp ~/foundry/foundry-banner /etc/update-motd.d/05-foundry-banner
-rm ~/foundry/foundry-banner
+cp ~/foundry/scripts/display-banner /etc/update-motd.d/05-display-banner
+rm ~/foundry/scripts/display-banner
 sed -i "s/{version}/$APPLIANCE_VERSION/" ~/mkdocs/docs/index.md
 echo -e "Foundry Appliance $APPLIANCE_VERSION \\\n \l \n" > /etc/issue
 
 # Create systemd service to configure netplan primary interface
-mv /home/foundry/foundry/configure-nic /usr/local/bin
+mv /home/foundry/foundry/scripts/configure-nic /usr/local/bin
 cat <<EOF > /etc/systemd/system/configure-nic.service
 [Unit]
 Description=Configure Netplan primary Ethernet interface