Merge pull request mosip#986 from Prafulrakhade/release-1.2.1.x

[MOSIP-33380] added chart-lint-publish.yml file, helm and deploy scri…

.github/workflows/chart-lint-publish.yml

@@ -0,0 +1,62 @@
+name: Validate / Publish helm charts
+
+on:
+  release:
+    types: [published]
+  pull_request:
+    types: [opened, reopened, synchronize]
+    paths:
+      - 'helm/**'
+  workflow_dispatch:
+    inputs:
+      IGNORE_CHARTS:
+        description: 'Provide list of charts to be ignored separated by pipe(|)'
+        required: false
+        default: '""'
+        type: string
+      CHART_PUBLISH:
+        description: 'Chart publishing to gh-pages branch'
+        required: false
+        default: 'NO'
+        type: string
+        options:
+          - YES
+          - NO
+      INCLUDE_ALL_CHARTS:
+        description: 'Include all charts for Linting/Publishing (YES/NO)'
+        required: false
+        default: 'NO'
+        type: string
+        options:
+          - YES
+          - NO
+  push:
+    branches:
+      - '!release-branch'
+      - '!master'
+      - 1.*
+      - 0.*
+      - develop
+      - MOSIP*
+      - release*
+    paths:
+      - './helm/**'
+
+jobs:
+  chart-lint-publish:
+    uses: mosip/kattu/.github/workflows/chart-lint-publish.yml@master
+    with:
+      CHARTS_DIR: ./helm
+      CHARTS_URL: https://mosip.github.io/mosip-helm
+      REPOSITORY: mosip-helm
+      BRANCH: gh-pages
+      INCLUDE_ALL_CHARTS: "${{ inputs.INCLUDE_ALL_CHARTS || 'NO' }}"
+      IGNORE_CHARTS: "${{ inputs.IGNORE_CHARTS || '\"\"' }}"
+      CHART_PUBLISH: "${{ inputs.CHART_PUBLISH || 'YES' }}"
+      LINTING_CHART_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-schema.yaml"
+      LINTING_LINTCONF_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/lintconf.yaml"
+      LINTING_CHART_TESTING_CONFIG_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-testing-config.yaml"
+      LINTING_HEALTH_CHECK_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/health-check-schema.yaml"
+    secrets:
+      TOKEN: ${{ secrets.ACTION_PAT }}
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

deploy/.gitignore

@@ -0,0 +1 @@
+ui_values.yaml

deploy/README.md

@@ -0,0 +1,38 @@
+# Admin module
+
+## Install
+```
+./install.sh
+```
+
+## Admin proxy
+Admin service accesses other services like Materdata and Keymanager and currently there is only one URL that is used to connect to both these services. This will get fixed in future versions, but as a an interim solution, Admin Proxy docker has been created, which is basically an Nginx proxy connecting to the above services with these URLs: 
+```
+http://admin-proxy/v1/masterdata
+http://admin-proxy/v1/keymanager
+```
+The proxy is installed as part of `install.sh` script.
+
+## Admin user
+1. In Keycloak, create a user in `mosip` realm called `globaladmin` and assign role `GLOBAL_ADMIN`.  Make sure this user has strong credentials. 
+2. Use this user to login into Admin portal via Keycloak. (Note that this user is already on-boarded as default user while uploading masterdata XLS in Kernel module)
+3. _Strongly Recommended_: Create another user in keycloak with authentic name, email, details, strong password and `GLOBAL_ADMIN` role.  Assign global zone to this user via Admin portal, and then delete `globaladmin` from Keycloak and masterdata DB.  
+
+## Admin portal
+Access the portal with following URL:
+```
+https://<your-internal-api-host>/admin-ui/
+
+Example:
+https://api-internal.sandbox.xyz.net/admin-ui/
+```
+Your wireguard client must be running for this access.
+
+## Onboarding
+Use the portal to onboard user, machine, center.
+
+Note that for onboarding a user (like a Zonal Admin or Registration Officer),
+1. Create user in Keycloak with appropriate role. 
+1. Map the user to a Zone using Admin portal.
+1. Map user to a registration center (in case of Registration Officer/Supervisor) using Admin portal.
+

deploy/admin-proxy.yaml

@@ -0,0 +1,137 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: admin-proxy
+  name: admin-proxy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: admin-proxy
+  template:
+    metadata:
+      labels:
+        app: admin-proxy
+    spec:
+      containers:
+      - name: admin-proxy
+        image: nginxinc/nginx-unprivileged:1.21.6-alpine
+        ports:
+        - name: http
+          containerPort: 8080
+        livenessProbe:
+          httpGet:
+            path: "/ping"
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 20
+          timeoutSeconds: 1
+          failureThreshold: 2
+          successThreshold: 1
+        readinessProbe:
+          httpGet:
+            path: "/ping"
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 10
+          timeoutSeconds: 1
+          failureThreshold: 2
+          successThreshold: 1
+
+        volumeMounts:
+        - name: nginx-conf
+          mountPath: /etc/nginx/
+      volumes:
+      - name: nginx-conf
+        configMap:
+          name: admin-proxy
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: admin-proxy
+data:
+  nginx.conf: |-
+    worker_processes  auto;
+    error_log  /var/log/nginx/error.log notice;
+    pid        /tmp/nginx.pid;
+    events {
+        worker_connections  1024;
+    }
+    http {
+        proxy_temp_path /tmp/proxy_temp;
+        client_body_temp_path /tmp/client_temp;
+        fastcgi_temp_path /tmp/fastcgi_temp;
+        uwsgi_temp_path /tmp/uwsgi_temp;
+        scgi_temp_path /tmp/scgi_temp;
+
+        #include       /etc/nginx/mime.types;
+        #default_type  application/octet-stream;
+
+        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                          '$status $body_bytes_sent "$http_referer" '
+                          '"$http_user_agent" "$http_x_forwarded_for"';
+
+        access_log  /var/log/nginx/access.log  main;
+
+        proxy_buffer_size  128k;
+        proxy_buffers  4 256k;
+        proxy_busy_buffers_size 256k;
+
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+        gzip  on;
+
+        server {
+            listen 8080;
+
+            location /v1/masterdata {
+                proxy_pass                      http://masterdata.kernel;
+                proxy_http_version              1.1;
+                proxy_set_header                Upgrade $http_upgrade;
+                proxy_set_header                Connection "upgrade";
+                proxy_set_header                Host $host;
+                proxy_set_header                Referer $http_referer;
+                proxy_set_header                X-Real-IP $remote_addr;
+                proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header                X-Forwarded-Proto $scheme;
+                proxy_pass_request_headers      on;
+            }
+
+            location /v1/keymanager {
+                proxy_pass                      http://keymanager.keymanager;
+                proxy_http_version              1.1;
+                proxy_set_header                Upgrade $http_upgrade;
+                proxy_set_header                Connection "upgrade";
+                proxy_set_header                Host $host;
+                proxy_set_header                Referer $http_referer;
+                proxy_set_header                X-Real-IP $remote_addr;
+                proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header                X-Forwarded-Proto $scheme;
+                proxy_pass_request_headers      on;
+            }
+            location /ping {
+                return 200 'ping';
+            }
+        }
+    }
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: admin-proxy
+  name: admin-proxy
+spec:
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: admin-proxy

deploy/copy_cm.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# Copy configmaps from other namespaces
+# DST_NS: Destination namespace 
+
+function copying_cm() {
+  COPY_UTIL=./copy_cm_func.sh
+  DST_NS=admin
+
+  $COPY_UTIL configmap global default $DST_NS
+  $COPY_UTIL configmap artifactory-share artifactory $DST_NS
+  $COPY_UTIL configmap config-server-share config-server $DST_NS
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+copying_cm   # calling function
+

deploy/copy_cm_func.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# Copy configmap and secret from one namespace to another.
+# ./copy_cm_func.sh <resource> <configmap_name> <source_namespace> <destination_namespace> [name]
+# Parameters:
+#   resource: configmap|secret
+#   name: Optional new name of the configmap or secret in destination namespace.  This may be needed if there is
+#         clash of names
+
+if [ $1 = "configmap" ]
+then
+  RESOURCE=configmap
+elif [ $1 = "secret" ]
+then
+  RESOURCE=secret
+else
+  echo "Incorrect resource $1. Exiting.."
+  exit 1
+fi
+
+
+if [ $# -ge 5 ]
+then
+   kubectl -n $4 delete --ignore-not-found=true $RESOURCE $5
+   kubectl -n $3 get $RESOURCE $2 -o yaml | sed "s/namespace: $3/namespace: $4/g" | sed "s/name: $2/name: $5/g" | kubectl -n $4 create -f -  
+else
+   kubectl -n $4 delete --ignore-not-found=true $RESOURCE $2
+   kubectl -n $3 get $RESOURCE $2 -o yaml | sed "s/namespace: $3/namespace: $4/g" |  kubectl -n $4 create -f -  
+fi 
+
+
+
+
+

deploy/delete.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# Uninstalls all admin helm charts 
+## Usage: ./delete.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+  export KUBECONFIG=$1
+fi
+
+function deleting_admin() {
+  NS=admin
+  while true; do
+      read -p "Are you sure you want to delete ALL Admin helm charts?(Y/n) " yn
+      if [ $yn = "Y" ]
+        then
+          kubectl delete -n $NS -f admin-proxy.yaml
+          helm -n $NS delete admin-hotlist
+          helm -n $NS delete admin-service
+          helm -n $NS delete admin-ui
+          break
+        else
+          break
+      fi
+  done
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+deleting_admin   # calling function

deploy/install.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# Installs the admin module
+# Make sure you have updated ui_values.yaml
+## Usage: ./install.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+  export KUBECONFIG=$1
+fi
+
+NS=admin
+NS_KERNEL=kernel
+CHART_VERSION=12.1.0
+ADMIN_UI_CHART_VERSION=12.0.1
+
+echo Create $NS namespace
+kubectl create ns $NS
+
+function installing_admin() {
+  echo Istio label
+  kubectl label ns $NS istio-injection=enabled --overwrite
+  helm repo update
+
+  echo Copy configmaps
+  sed -i 's/\r$//' copy_cm.sh
+  ./copy_cm.sh
+
+  API_HOST=$(kubectl get cm global -o jsonpath={.data.mosip-api-internal-host})
+  ADMIN_HOST=$(kubectl get cm global -o jsonpath={.data.mosip-admin-host})
+
+  echo Installing Admin-Proxy into Masterdata and Keymanager.
+  kubectl -n $NS apply -f admin-proxy.yaml
+
+  echo Installing admin hotlist service.
+  helm -n $NS install admin-hotlist mosip/admin-hotlist --version $CHART_VERSION
+
+  echo Installing admin service. Will wait till service gets installed.
+  helm -n $NS install admin-service mosip/admin-service --set istio.corsPolicy.allowOrigins\[0\].prefix=https://$ADMIN_HOST --wait --version $CHART_VERSION
+
+  echo Installing admin-ui
+  helm -n $NS install admin-ui mosip/admin-ui --set admin.apiUrl=https://$API_HOST/v1/ --set istio.hosts\[0\]=$ADMIN_HOST --version $ADMIN_UI_CHART_VERSION
+
+  kubectl -n $NS  get deploy -o name |  xargs -n1 -t  kubectl -n $NS rollout status
+
+  echo Installed admin services
+
+  echo "Admin portal URL: https://$ADMIN_HOST/admin-ui/"
+
+  echo Installing masterdata and allowing Admin UI to access masterdata services.
+  helm -n $NS_KERNEL install masterdata mosip/masterdata  --set istio.corsPolicy.allowOrigins\[0\].exact=https://$ADMIN_HOST  --version $CHART_VERSION
+
+  echo Installing syncdata
+  helm -n $NS_KERNEL install syncdata mosip/syncdata --version $CHART_VERSION
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+installing_admin   # calling function