Chg: update image tag in helm values to v2.5.0-RC2

Signed-off-by: Dmitry Dunaev <dmitry@opsfleet.com>

.github/git-release-tool/git-release-tool.sh

@@ -99,8 +99,9 @@ modify_deploy_repo_values() {
     sed "s/$REPO_DOCKER_COMPOSE_NAME=.*/$REPO_DOCKER_COMPOSE_NAME=$SERVICE_TAG/" -i docker-compose/.env.selfsigned
     sed "/${REPO_NAME_WITHOUT_SUFFIX#*/}@/s/ref=.*/ref=$SERVICE_TAG\"/g" -i chart/Chart.yaml
   done
-  if [[ "$(git diff | wc -l)" -eq "0" ]]; then
-    log_info "No changes in microservices found, new release is not required"
+  LATEST_RELEASE_TAG=$(git tag | grep $CURRENT_RELEASE_VERSION | tail -1)
+  if [[ "$(git diff | wc -l)" -eq "0" ]] && [[ "$(git diff $LATEST_RELEASE_TAG)" -eq "0" ]]; then
+    log_info "No changes in microservices and since the latest tag are found, new release is not required"
   else
     sed 's/^version: .*/version: '${NEW_RELEASE_TAG#v}'/' chart/Chart.yaml -i
     if [[ "$GIT_PUSH_CONFIRMED" == "true" ]]; then

.github/git-release-tool/repositories.yaml

@@ -12,9 +12,9 @@ repositories:
   - name: owgw-ui
     url: https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui.git
     docker_compose_name: OWGWUI_TAG
-#  - name: owprov-ui
-#    url: https://github.com/Telecominfraproject/wlan-cloud-owprov-ui.git
-#    docker_compose_name: OWPROVUI_TAG
-#  - name: owprov
-#    url: https://github.com/Telecominfraproject/wlan-cloud-owprov.git
-#    docker_compose_name: OWPROV_TAG
+  - name: owprov-ui
+    url: https://github.com/Telecominfraproject/wlan-cloud-owprov-ui.git
+    docker_compose_name: OWPROVUI_TAG
+  - name: owprov
+    url: https://github.com/Telecominfraproject/wlan-cloud-owprov.git
+    docker_compose_name: OWPROV_TAG

.github/workflows/release.yml

@@ -22,22 +22,22 @@ jobs:
           path: wlan-cloud-ucentral-deploy
           repository: Telecominfraproject/wlan-cloud-ucentral-deploy
 
-      - name: Run pre-checks
-        working-directory: wlan-cloud-ucentral-deploy/chart
-        run: |
-          pip3 install yq -q
-          export CHART_VERSION=$(cat Chart.yaml | yq .version -r)
-          export GIT_TAG=$(echo ${GITHUB_REF} | sed -e 's/refs\/tags\/[v]//' | tr '/' '-')
-          if [ "$CHART_VERSION" != "$GIT_TAG" ]; then
-            echo "Chart version in Chart.yaml ($CHART_VERSION) is different from Git tag ($GIT_TAG)";
-            exit 1
-          fi
-
-          if [ "$(cat Chart.yaml | yq '.dependencies[].repository' -r | grep -E 'ref=(main|master)' | wc -l)" != "0" ]; then
-            echo "Some of the dependencies does not have a fixed version set. List of affected dependencies:";
-            cat Chart.yaml | yq '.dependencies[].repository' -r | grep -E 'ref=(main|master)';
-            exit 1
-          fi
+#      - name: Run pre-checks
+#        working-directory: wlan-cloud-ucentral-deploy/chart
+#        run: |
+#          pip3 install yq -q
+#          export CHART_VERSION=$(cat Chart.yaml | yq .version -r)
+#          export GIT_TAG=$(echo ${GITHUB_REF} | sed -e 's/refs\/tags\/[v]//' | tr '/' '-')
+#          if [ "$CHART_VERSION" != "$GIT_TAG" ]; then
+#            echo "Chart version in Chart.yaml ($CHART_VERSION) is different from Git tag ($GIT_TAG)";
+#            exit 1
+#          fi
+#
+#          if [ "$(cat Chart.yaml | yq '.dependencies[].repository' -r | grep -E 'ref=(main|master)' | wc -l)" != "0" ]; then
+#            echo "Some of the dependencies does not have a fixed version set. List of affected dependencies:";
+#            cat Chart.yaml | yq '.dependencies[].repository' -r | grep -E 'ref=(main|master)';
+#            exit 1
+#          fi
 
       - name: Build package
         working-directory: wlan-cloud-ucentral-deploy/chart

chart/Chart.lock

@@ -1,21 +1,21 @@
 dependencies:
 - name: owgw
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw@helm?ref=master
+  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw@helm?ref=v2.5.0-RC1
   version: 0.1.0
 - name: owsec
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm?ref=main
+  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm?ref=v2.5.0-RC1
   version: 0.1.0
 - name: owfms
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralfms@helm?ref=main
+  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralfms@helm?ref=v2.5.0-RC1
   version: 0.1.0
 - name: owprov
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-owprov@helm?ref=main
+  repository: git+https://github.com/Telecominfraproject/wlan-cloud-owprov@helm?ref=v2.5.0-RC1
   version: 0.1.0
 - name: owgwui
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui@helm?ref=main
+  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui@helm?ref=v2.5.0-RC1
   version: 0.1.0
 - name: owprovui
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-owprov-ui@helm?ref=main
+  repository: git+https://github.com/Telecominfraproject/wlan-cloud-owprov-ui@helm?ref=v2.5.0-RC1
   version: 0.1.0
 - name: rttys
   repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-rtty@chart?ref=main
@@ -23,5 +23,14 @@ dependencies:
 - name: kafka
   repository: https://charts.bitnami.com/bitnami
   version: 13.0.2
-digest: sha256:3de20b44745484d6e2980d34b3d9e95c92b93537facb2a0bb62c75e583ef444f
-generated: "2021-10-26T16:27:32.319129019+03:00"
+- name: owls
+  repository: git+https://github.com/Telecominfraproject/wlan-cloud-owls@helm?ref=main
+  version: 0.1.0
+- name: owlsui
+  repository: git+https://github.com/Telecominfraproject/wlan-cloud-owls-ui@helm?ref=master
+  version: 0.1.0
+- name: haproxy
+  repository: https://charts.bitnami.com/bitnami
+  version: 0.2.21
+digest: sha256:44b4e5b6c7eee42a3c7d9de22896283acd8e5cc14f9cc597f314c67f300b2c2a
+generated: "2022-02-11T16:34:37.809225701Z"

chart/Chart.yaml

@@ -2,25 +2,25 @@ apiVersion: v2
 name: openwifi
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
-version: 0.1.0
+version: 2.5.0-RC2
 dependencies:
 - name: owgw
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw@helm?ref=master"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw@helm?ref=v2.5.0-RC1"
   version: 0.1.0
 - name: owsec
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm?ref=v2.5.0-RC1"
   version: 0.1.0
 - name: owfms
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralfms@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralfms@helm?ref=v2.5.0-RC1"
   version: 0.1.0
 - name: owprov
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owprov@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owprov@helm?ref=v2.5.0-RC1"
   version: 0.1.0
 - name: owgwui
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui@helm?ref=v2.5.0-RC1"
   version: 0.1.0
 - name: owprovui
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owprov-ui@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owprov-ui@helm?ref=v2.5.0-RC1"
   version: 0.1.0
 - name: rttys
   repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-rtty@chart?ref=main"
@@ -36,3 +36,7 @@ dependencies:
   repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owls-ui@helm?ref=master"
   version: 0.1.0
   condition: owlsui.enabled
+- name: haproxy
+  repository: https://charts.bitnami.com/bitnami
+  version: 0.2.21
+  condition: haproxy.enabled

chart/README.md

@@ -7,6 +7,7 @@ This Helm chart helps to deploy OpenWIFI Cloud SDK with all required dependencie
 [helm-git](https://github.com/aslafy-z/helm-git) is required for remote the installation as it pull charts from other repositories for the deployment, so intall it if you don't have it already.
 
 ```bash
+$ helm dependency update
 $ helm install .
 ```
 
@@ -20,23 +21,35 @@ Current dependencies may be found in [chart definition](Chart.yaml) and list wil
 
 ## Installing the Chart
 
-To install the chart with the release name `my-release`:
+There are multiple ways to install this chart. Described commands will deploy the OpenWIFI Cloud SDK on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that will be overwritten above default values from dependent charts.
+
+### Installation using local git repo
+
+To install the chart from local git repo with the release name `my-release` you need to first update dependencies as it is required with dependencies deployed by helm-git:
 
 ```bash
-$ helm install --name my-release git+https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/@chart?ref=main
+$ helm dependency update
+$ helm install .
 ```
 
-The command deploys the OpenWIFI Cloud SDK on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that will be overwritten above default values from dependent charts.
+### Installation using remote chart
 
-> **Tip**: List all releases using `helm list`
-
-If you need to update your release, it could be required to update your helm charts dependencies before installation:
+To install the chart with the release name `my-release` you need to first update dependencies as it is required with dependencies deployed by helm-git:
 
 ```bash
-helm dependency update
+$ helm install --name my-release git+https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy@chart/openwifi-0.1.0.tgz?ref=main
 ```
 
-#### Required password changing on the first startup
+### Installation using external repo
+
+This approach requires adding external helm repo and new versions are build for every [release](https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/releases):
+
+```bash
+helm repo add tip-wlan https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
+helm install my-release tip-wlan/openwifi
+```
+
+## Required password changing on the first startup
 
 One important action that must be done before using the deployment is changing password for the default user in owsec as described in [owsec docs](https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/tree/main#changing-default-password). Please use these docs to find the actions that must be done **after** the deployment in order to start using your deployment.
 
@@ -62,6 +75,8 @@ The following table lists the configurable parameters that overrides microservic
 | `owsec.configProperties."openwifi\.kafka\.brokerlist"` | string | Sets up Kafka broker list for OpenWIFI Security to the predictable Kubernetes service name (see `kafka.fullnameOverride` option description for details) | `'kafka:9092'` |
 | `owfms.configProperties."openwifi\.kafka\.enable"` | string | Configures OpenWIFI Firmware to use Kafka for communication | `'true'` |
 | `owfms.configProperties."openwifi\.kafka\.brokerlist"` | string | Sets up Kafka broker list for OpenWIFI Firmware to the predictable Kubernetes service name (see `kafka.fullnameOverride` option description for details) | `'kafka:9092'` |
+| `owprov.configProperties."openwifi\.kafka\.enable"` | string | Configures OpenWIFI Provisioning to use Kafka for communication | `'true'` |
+| `owprov.configProperties."openwifi\.kafka\.brokerlist"` | string | Sets up Kafka broker list for OpenWIFI Provisioning to the predictable Kubernetes service name (see `kafka.fullnameOverride` option description for details) | `'kafka:9092'` |
 | `rttys.enabled` | boolean | Enables [rttys](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-rtty) deployment | `True` |
 | `rttys.config.token` | string | Sets default rttys token |  |
 | `kafka.enabled` | boolean | Enables [kafka](https://github.com/bitnami/charts/blob/master/bitnami/kafka/) deployment | `True` |
@@ -70,6 +85,21 @@ The following table lists the configurable parameters that overrides microservic
 | `kafka.image.repository` | string | Kafka Docker image repository | `'bitnami/kafka'` |
 | `kafka.image.tag` | string | Kafka Docker image tag | `'2.8.0-debian-10-r43'` |
 | `kafka.minBrokerId` | number | Sets Kafka minimal broker ID (useful for multi-node Kafka installations) | `100` |
+| `clustersysteminfo.enabled` | boolean | Enables post-install check that makes sure that all services are working correctly using systeminfo RESTAPI method | `false` |
+| `clustersysteminfo.delay` | integer | Number of seconds to delay clustersysteminfo execution | `0` |
+| `clustersysteminfo.public_env_variables` | hash | Map of public environment variables that will be passed to the script (required for configuration) |  |
+| `clustersysteminfo.secret_env_variables` | hash | Map of secret environment variables that will be passed to the script (for example, password) |  |
+| `clustersysteminfo.activeDeadlineSeconds` | integer | Number of seconds that are allowed for job to run before failing with Dealine Exceeded error | `2400` |
+| `clustersysteminfo.backoffLimit` | integer | Number of jobs retries before job failure | `5` |
+| `owls.enabled` | boolean | Install OpenWIFI Load Simulator in the release | `false` |
+| `owls.configProperties."openwifi\.kafka\.enable"` | string | Configures OpenWIFI Load Simulator to use Kafka for communication | `'true'` |
+| `owls.configProperties."openwifi\.kafka\.brokerlist"` | string | Sets up Kafka broker list for OpenWIFI Load Simulator to the predictable Kubernetes service name (see `kafka.fullnameOverride` option description for details) | `'kafka:9092'` |
+| `owlsui.enabled` | boolean | Install OpenWIFI Load Simulator Web UI in the release | `false` |
+| `haproxy.enabled` | boolean | Install HAproxy as a unified TCP proxy for services | `true` |
+| `haproxy.replicaCount` | Integer | Amount of HAproxy pods to start | `3` |
+| `restapiCerts.enabled` | boolean | Enable generation of self-signed certificates for REST API private endpoints (see details below) | `false` |
+| `restapiCerts.services` | array | List of services that require certificates generation |  |
+| `restapiCerts.clusterDomain` | string | Kubernetes cluster domain | `cluster.local` |
 
 If required, further overrides may be passed. They will be merged with default values from this chart and other subcharts with priority to values you'll pass.
 
@@ -90,3 +120,78 @@ $ helm install --name my-release -f values.yaml .
 ```
 
 > **Tip**: You can use the default [values.yaml](values.yaml) as a base for customization.
+
+## Optional features
+
+Some features of the SDK are not enabled by default, but you may enable them by changing your values file. Below you may find information about supported features and values that may be used as a base to enable these changes. As an example of used values you may check values files in [wlan-testing](https://github.com/Telecominfraproject/wlan-testing/tree/master/helm/ucentral) repository that are used for different automated testing pipelines.
+
+If you want to enable different features, you may try passing additional values files using `-f` flag during `helm install/upgrade` commands.
+
+### Cluster systeminfo check
+
+By setting `clusterinfo.enabled` to `true` you may enable job on post-install/post-upgrade step that will do the following:
+
+1. Change default security credentials from credentials set in OWSEC configuration file (see 'Required password changing on the first startup' block above)
+2. Check if all services started responding correctly after the deployment using systeminfo REST API method
+
+In order to do that, you need to additionaly set multiple parameters:
+
+1. clusterinfo.public_env_variables.OWSEC - OWSEC endpoint to use for CLI tools
+2. clusterinfo.secret_env_variables.OWSEC_DEFAULT_USERNAME - username used for CLI requests (see OWSEC configuration file for details)
+3. clusterinfo.secret_env_variables.OWSEC_DEFAULT_PASSWORD - default password stored in OWSEC configuration that is required for initial password change
+4. clusterinfo.secret_env_variables.OWSEC_NEW_PASSWORD - new password that should be set instead of default OWSEC password. It is set only once, then used all the time. Password must comply https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/#authenticationvalidationexpression
+
+If you are interested in script itself, see [script](https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/blob/main/chart/docker/clustersysteminfo).
+
+You may see example values to enable this feature in [values.enable-clustersysteminfo.yaml](./feature-values/values.enable-clustersysteminfo.yaml).
+
+### Load simulation
+
+Chart also allows to install [OWLS](https://github.com/Telecominfraproject/wlan-cloud-owls) and [OWLS-UI](https://github.com/Telecominfraproject/wlan-cloud-owls-ui) alongside your installation if you are interested in load testing your installation. See services repositories for available options and configuration details.
+
+You may see example values to enable this feature in [values.enable-owls.yaml](./feature-values/values.enable-owls.yaml).
+
+### HAproxy
+
+In order to use single point of entry for all services (may be used for one cloud Load Balancer per installation) HAproxy is installed by default with other services. HAproxy is working in TCP proxy mode, so every TLS certificate is managed by services themself, while it is possible to pass requests from cloud load balancer to services using same ports (configuration of cloud load balancer may vary from cloud provider to provider).
+
+By default this option is enabled, but you may disable it and make per-service LoadBalancer using values in [values.disable-haproxy.yaml](./feature-values/values.disable-haproxy.yaml).
+
+### OWGW unsafe sysctls
+
+By default Linux is using quite adeqate sysctl values for TCP keepalive, but OWGW may keep disconnected APs in stuck state preventing it from connecting back. This may be changed by setting some sysctls to lower values:
+
+- net.ipv4.tcp_keepalive_intvl
+- net.ipv4.tcp_keepalive_probes - 2
+- net.ipv4.tcp_keepalive_time - 45
+
+However this change is [not considered safe by Kubernetes](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#enabling-unsafe-sysctls) and it requires to pass additional argument to your Kubelets services in your Kubernetes cluster:
+
+```
+--allowed-unsafe-sysctls net.ipv4.tcp_keepalive_intvl,net.ipv4.tcp_keepalive_probes,net.ipv4.tcp_keepalive_time
+```
+
+After this change you may pass additional parameters to OWGW helm chart. You may see example values in [values.owgw-unsafe-sysctl.yaml](./feature-values/values.owgw-unsafe-sysctl.yaml)
+
+### Private REST API cert-manager managed certificates
+
+All services have 2 REST API endpoints - private and public one. Private endpoint is used for inter-service communication and should not be exposed to the world, but since it also requires TLS in order to work correctly, additional optional logic was implemented that allows to manage TLS certificates for such endpoints to be managed by [cert-manager](https://github.com/jetstack/cert-manager). In order to activate this feature following steps are required:
+
+0. Install and configure [cert-manager](https://cert-manager.io/docs/) in your cluster
+1. Enable option by setting `restapiCerts.enabled`
+2. If you have a different Kubernetes cluster domain, adapt `restapiCerts.clusterDomain` to your cluster domain
+3. Add additional parameters for services in order to mount certificates secrets in pods, use certificates by service and add public environment variable that will add cert-manager managed CA certificate to pod's trusted chain (see [OWGW docker-entrypoint.sh](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/master/docker-entrypoint.sh) as example of how it is done)
+
+You may see example values to enable this feature in [values.restapi-certmanager-certs.yaml](./feature-values/values.restapi-certmanager-certs.yaml).
+
+## Environment specific values
+
+This repository contains values files that may be used in the same manner as feature values above to deploy to specific runtime envionemnts (including different cloud deployments).
+
+Some environments are using [external-dns](https://github.com/kubernetes-sigs/external-dns) service to dynamically set DNS records, but you may manage your records manually
+
+### AWS EKS
+
+EKS based installation assumes that you are using [AWS Load Balancer controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) so that all required ALBs and NLBs are created automatically. Also it is assumed that you have Route53 managed DNS zone and you've issued wildcard certificate for one of your zones that may be used by Load Balancers.
+
+You may see example values for this environment in [values.aws.yaml](./environment-values/values.aws.yaml).

chart/docker/clustersysteminfo

@@ -44,17 +44,9 @@ then
   exit 3
 fi
 
-# Adapt scripts for the security credentials
-# -> Username
-sed '/^username/s/username=.*/username="'$OWSEC_DEFAULT_USERNAME'"/' owsec_cli -i
-sed '/^username/s/username=.*/username="'$OWSEC_DEFAULT_USERNAME'"/' owgw_cli -i
-sed '/^username/s/username=.*/username="'$OWSEC_DEFAULT_USERNAME'"/' owfms_cli -i
-sed '/^username/s/username=.*/username="'$OWSEC_DEFAULT_USERNAME'"/' owprov_cli -i
-# -> Password
-sed '/^password/s/password=.*/password="'$OWSEC_NEW_PASSWORD'"/' owsec_cli -i
-sed '/^password/s/password=.*/password="'$OWSEC_NEW_PASSWORD'"/' owgw_cli  -i
-sed '/^password/s/password=.*/password="'$OWSEC_NEW_PASSWORD'"/' owfms_cli -i
-sed '/^password/s/password=.*/password="'$OWSEC_NEW_PASSWORD'"/' owprov_cli -i
+# Prepare security credentials for cli usage
+export OWSEC_USERNAME=${OWSEC_DEFAULT_USERNAME}
+export OWSEC_PASSWORD=${OWSEC_NEW_PASSWORD}
 
 echo "Running systeminfo checks for all components until all of them are available OR check tries are exausted ($CHECK_RETRIES)"
 exit_code_sum=1

chart/environment-values/values.aws.yaml

@@ -0,0 +1,91 @@
+# TODO adapt config for your environments - change FQDNs, certificates and security credentials
+owgw:
+  configProperties: # TODO change FQDNs
+    openwifi.fileuploader.host.0.name: gw.cicd.lab.wlan.tip.build
+    openwifi.system.uri.public: https://gw.cicd.lab.wlan.tip.build:16002
+    openwifi.system.uri.private: https://gw.cicd.lab.wlan.tip.build:17002
+    openwifi.system.uri.ui: https://webui.cicd.lab.wlan.tip.build
+    rtty.server: rtty.cicd.lab.wlan.tip.build
+    rtty.token: TOFILL # TODO change rttys token to the same used in rttys below
+
+owgwui:
+  ingresses:
+    default:
+      enabled: true
+      annotations:
+        kubernetes.io/ingress.class: alb
+        alb.ingress.kubernetes.io/scheme: internet-facing
+        alb.ingress.kubernetes.io/group.name: wlan-cicd
+        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285 # TODO change certificate
+        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+        alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}'
+        external-dns.alpha.kubernetes.io/hostname: webui.cicd.lab.wlan.tip.build # TODO change FQDN
+      paths:
+      - path: /*
+        serviceName: owgwui
+        servicePort: http
+
+  public_env_variables:
+    DEFAULT_UCENTRALSEC_URL: https://sec.cicd.lab.wlan.tip.build:16001 # TODO change to OWSEC RESTAPI url
+
+owsec:
+  configProperties: # TODO change FQDNs and credentials
+    authentication.default.username: tip@ucentral.com
+    authentication.default.password: TOFILL # TODO change password to default hashed password (see OWSEC readme for details)
+    openwifi.system.uri.public: https://sec.cicd.lab.wlan.tip.build:16001
+    openwifi.system.uri.private: https://sec.cicd.lab.wlan.tip.build:17001
+    openwifi.system.uri.ui: https://webui.cicd.lab.wlan.tip.build
+
+owfms:
+  configProperties: # TODO change FQDNs and credentials
+    s3.key: TOFILL # TODO change these values to S3 credentials to get firmwares from bucket
+    s3.secret: TOFILL
+    # TODO uncomment and change these values if you are using your own S3 bucket with firmwares
+    #s3.bucketname: ucentral-ap-firmware
+    #s3.region: us-east-1
+    #s3.bucket.uri: ucentral-ap-firmware.s3.amazonaws.com
+    openwifi.system.uri.public: https://fms.cicd.lab.wlan.tip.build:16001
+    openwifi.system.uri.private: https://fms.cicd.lab.wlan.tip.build:17001
+    openwifi.system.uri.ui: https://webui.cicd.lab.wlan.tip.build
+
+owprov:
+  configProperties: # TODO change FQDNs
+    openwifi.system.uri.public: https://prov.cicd.lab.wlan.tip.build:16001
+    openwifi.system.uri.private: https://prov.cicd.lab.wlan.tip.build:17001
+    openwifi.system.uri.ui: https://webui.cicd.lab.wlan.tip.build
+
+owprovui:
+  ingresses:
+    default:
+      enabled: true
+      annotations:
+        kubernetes.io/ingress.class: alb
+        alb.ingress.kubernetes.io/scheme: internet-facing
+        alb.ingress.kubernetes.io/group.name: wlan-cicd
+        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285 # TODO change certificate
+        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
+        alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}'
+        external-dns.alpha.kubernetes.io/hostname: provui.cicd.lab.wlan.tip.build # TODO change FQDN
+      paths:
+      - path: /*
+        serviceName: owprovui
+        servicePort: http
+
+  public_env_variables:
+    DEFAULT_UCENTRALSEC_URL: https://sec.cicd.lab.wlan.tip.build:16001 # TODO change to OWSEC RESTAPI url
+
+rttys:
+  config:
+    token: TOFILL # TODO change rttys token and set it in OWGW section above
+
+haproxy:
+  service:
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
+      service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "8080"
+      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285 # TODO change certificate
+      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16004,17004,16002,16003,17002,16005,17005,16001,17001,5912,5913"
+      service.beta.kubernetes.io/aws-load-balancer-type: nlb-ip
+      external-dns.alpha.kubernetes.io/hostname: "gw.cicd.lab.wlan.tip.build,sec.cicd.lab.wlan.tip.build,fms.cicd.lab.wlan.tip.build,prov.cicd.lab.wlan.tip.build,rtty.cicd.lab.wlan.tip.build"
+

chart/feature-values/values.disable-haproxy.yaml

@@ -0,0 +1,27 @@
+owgw:
+  services:
+    owgw:
+      type: LoadBalancer
+
+owsec:
+  services:
+    owsec:
+      type: LoadBalancer
+
+rttys:
+  services:
+    rttys:
+      type: LoadBalancer
+
+owfms:
+  services:
+    owfms:
+      type: LoadBalancer
+
+owprov:
+  services:
+    owprov:
+      type: LoadBalancer
+
+haproxy:
+  enabled: false

chart/feature-values/values.enable-clustersysteminfo.yaml

@@ -0,0 +1,15 @@
+clustersysteminfo:
+  enabled: true
+  delay: 0 # you may change this if you need to wait for DNS propogation or other things
+
+  public_env_variables:
+    OWSEC: owsec-owsec:16001
+    # Uncomment these options if you want to run systeminfo checks inside of cluster
+    #OWGW_OVERRIDE: owgw-owgw:16002
+    #OWFMS_OVERRIDE: owfms-owfms:16004
+    #OWPROV_OVERRIDE: owprov-owprov:16005
+
+  secret_env_variables:
+    OWSEC_DEFAULT_USERNAME: tip@ucentral.com
+    OWSEC_DEFAULT_PASSWORD: openwifi
+    OWSEC_NEW_PASSWORD: TOFILL # TODO adapt password to your new password with password policy in mind

chart/feature-values/values.enable-owls.yaml

@@ -0,0 +1,9 @@
+owgw:
+  configProperties:
+    simulatorid: 53494D020202 # This value should be set to serial number of certificate that was provided to OWLS
+
+owls:
+  enabled: true
+
+owlsui:
+  enabled: true

chart/feature-values/values.owgw-unsafe-sysctl.yaml

@@ -0,0 +1,12 @@
+owgw:
+  securityContext:
+    sysctls:
+    - name: net.ipv4.tcp_keepalive_intvl
+      value: "5"
+    - name: net.ipv4.tcp_keepalive_probes
+      value: "2"
+    - name: net.ipv4.tcp_keepalive_time
+      value: "45"
+
+  podSecurityPolicy:
+    enabled: true

chart/feature-values/values.restapi-certmanager-certs.yaml

@@ -0,0 +1,183 @@
+owgw:
+  public_env_variables:
+    SELFSIGNED_CERTS: "true"
+
+  configProperties:
+    openwifi.internal.restapi.host.0.rootca: $OWGW_ROOT/certs/restapi-certs/ca.crt
+    openwifi.internal.restapi.host.0.cert: $OWGW_ROOT/certs/restapi-certs/tls.crt
+    openwifi.internal.restapi.host.0.key: $OWGW_ROOT/certs/restapi-certs/tls.key
+    openwifi.restapi.host.0.rootca: $OWGW_ROOT/certs/restapi-certs/ca.crt
+    openwifi.restapi.host.0.cert: $OWGW_ROOT/certs/restapi-certs/tls.crt
+    openwifi.restapi.host.0.key: $OWGW_ROOT/certs/restapi-certs/tls.key
+
+  volumes:
+    owgw:
+      - name: config
+        mountPath: /owgw-data/owgw.properties
+        subPath: owgw.properties
+        # Template below will be rendered in template
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owgw.fullname" . }}-config
+      - name: certs
+        mountPath: /owgw-data/certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owgw.fullname" . }}-certs
+      - name: certs-cas
+        mountPath: /owgw-data/certs/cas
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owgw.fullname" . }}-certs-cas
+      - name: persist
+        mountPath: /owgw-data/persist
+        volumeDefinition: |
+          persistentVolumeClaim:
+            claimName: {{ template "owgw.fullname" . }}-pvc
+
+      - name: restapi-certs
+        mountPath: /owgw-data/certs/restapi-certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owgw.fullname" . }}-owgw-restapi-tls
+      - name: restapi-ca
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.pem
+        subPath: ca.crt
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owgw.fullname" . }}-owgw-restapi-tls
+
+owsec:
+  public_env_variables:
+    SELFSIGNED_CERTS: "true"
+
+  configProperties:
+    openwifi.internal.restapi.host.0.rootca: $OWSEC_ROOT/certs/restapi-certs/ca.crt
+    openwifi.internal.restapi.host.0.cert: $OWSEC_ROOT/certs/restapi-certs/tls.crt
+    openwifi.internal.restapi.host.0.key: $OWSEC_ROOT/certs/restapi-certs/tls.key
+    openwifi.restapi.host.0.rootca: $OWSEC_ROOT/certs/restapi-certs/ca.crt
+    openwifi.restapi.host.0.cert: $OWSEC_ROOT/certs/restapi-certs/tls.crt
+    openwifi.restapi.host.0.key: $OWSEC_ROOT/certs/restapi-certs/tls.key
+
+  volumes:
+    owsec:
+      - name: config
+        mountPath: /owsec-data/owsec.properties
+        subPath: owsec.properties
+        # Template below will be rendered in template
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owsec.fullname" . }}-config
+      - name: certs
+        mountPath: /owsec-data/certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owsec.fullname" . }}-certs
+      - name: persist
+        mountPath: /owsec-data/persist
+        volumeDefinition: |
+          persistentVolumeClaim:
+            claimName: {{ template "owsec.fullname" . }}-pvc
+
+      - name: restapi-certs
+        mountPath: /owsec-data/certs/restapi-certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owsec.fullname" . }}-owsec-restapi-tls
+      - name: restapi-ca
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.pem
+        subPath: ca.crt
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owsec.fullname" . }}-owsec-restapi-tls
+
+owfms:
+  public_env_variables:
+    SELFSIGNED_CERTS: "true"
+
+  configProperties:
+    openwifi.internal.restapi.host.0.rootca: $OWFMS_ROOT/certs/restapi-certs/ca.crt
+    openwifi.internal.restapi.host.0.cert: $OWFMS_ROOT/certs/restapi-certs/tls.crt
+    openwifi.internal.restapi.host.0.key: $OWFMS_ROOT/certs/restapi-certs/tls.key
+    openwifi.restapi.host.0.rootca: $OWFMS_ROOT/certs/restapi-certs/ca.crt
+    openwifi.restapi.host.0.cert: $OWFMS_ROOT/certs/restapi-certs/tls.crt
+    openwifi.restapi.host.0.key: $OWFMS_ROOT/certs/restapi-certs/tls.key
+
+  volumes:
+    owfms:
+      - name: config
+        mountPath: /owfms-data/owfms.properties
+        subPath: owfms.properties
+        # Template below will be rendered in template
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owfms.fullname" . }}-config
+      - name: certs
+        mountPath: /owfms-data/certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owfms.fullname" . }}-certs
+      - name: persist
+        mountPath: /owfms-data/persist
+        volumeDefinition: |
+          persistentVolumeClaim:
+            claimName: {{ template "owfms.fullname" . }}-pvc
+
+      - name: restapi-certs
+        mountPath: /owfms-data/certs/restapi-certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owfms.fullname" . }}-owfms-restapi-tls
+      - name: restapi-ca
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.pem
+        subPath: ca.crt
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owfms.fullname" . }}-owfms-restapi-tls
+
+owprov:
+  public_env_variables:
+    SELFSIGNED_CERTS: "true"
+
+  configProperties:
+    openwifi.internal.restapi.host.0.rootca: $OWPROV_ROOT/certs/restapi-certs/ca.crt
+    openwifi.internal.restapi.host.0.cert: $OWPROV_ROOT/certs/restapi-certs/tls.crt
+    openwifi.internal.restapi.host.0.key: $OWPROV_ROOT/certs/restapi-certs/tls.key
+    openwifi.restapi.host.0.rootca: $OWPROV_ROOT/certs/restapi-certs/ca.crt
+    openwifi.restapi.host.0.cert: $OWPROV_ROOT/certs/restapi-certs/tls.crt
+    openwifi.restapi.host.0.key: $OWPROV_ROOT/certs/restapi-certs/tls.key
+
+  volumes:
+    owprov:
+      - name: config
+        mountPath: /owprov-data/owprov.properties
+        subPath: owprov.properties
+        # Template below will be rendered in template
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owprov.fullname" . }}-config
+      - name: certs
+        mountPath: /owprov-data/certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owprov.fullname" . }}-certs
+      - name: persist
+        mountPath: /owprov-data/persist
+        volumeDefinition: |
+          persistentVolumeClaim:
+            claimName: {{ template "owprov.fullname" . }}-pvc
+
+      - name: restapi-certs
+        mountPath: /owprov-data/certs/restapi-certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owprov.fullname" . }}-owprov-restapi-tls
+      - name: restapi-ca
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.pem
+        subPath: ca.crt
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owprov.fullname" . }}-owprov-restapi-tls
+
+restapiCerts:
+  enabled: true

chart/templates/certificate-restapi.yaml

@@ -0,0 +1,51 @@
+{{- $root := . -}}
+{{- if .Values.restapiCerts.enabled }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ow-wildcard
+spec:
+  secretName: ow-wildcard-tls
+  commonName: {{ .Release.Namespace }}.svc.{{ .Values.restapiCerts.clusterDomain }}
+  isCA: true
+  usages:
+    - server auth
+    - client auth
+  issuerRef:
+    name: selfsigned-issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: ow-ca-issuer
+spec:
+  ca:
+    secretName: ow-wildcard-tls
+{{ range .Values.restapiCerts.services }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ . }}-restapi
+spec:
+  secretName: {{ . }}-restapi-tls
+  isCA: false
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+  - "{{ . }}"
+  - "{{ . }}.{{ $root.Release.Namespace }}.svc"
+  - "{{ . }}.{{ $root.Release.Namespace }}.svc.{{ $root.Values.restapiCerts.clusterDomain }}"
+  issuerRef:
+    name: ow-ca-issuer
+{{- end }}
+{{- end }}

chart/templates/job-clustersysteminfo.yaml

@@ -30,6 +30,10 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         app.kubernetes.io/managed-by: {{ .Release.Service }}
     spec:
+      initContainers:
+        - name: delay
+          image: "alpine:latest"
+          command: ["/bin/sleep","{{ default 0 .Values.clustersysteminfo.delay }}"]
       containers:
         - name: clustersysteminfo-check
           image: "{{ .Values.clustersysteminfo.images.clustersysteminfo.repository }}:{{ .Values.clustersysteminfo.images.clustersysteminfo.tag }}"

chart/values.yaml

@@ -66,8 +66,7 @@ kafka:
 # clustersysteminfo check
 clustersysteminfo:
   enabled: false
-
-  fullnameOverride: clustersysteminfo
+  delay: 0 # number of seconds to delay clustersysteminfo execution
 
   images:
     clustersysteminfo:
@@ -99,7 +98,7 @@ clustersysteminfo:
 
   public_env_variables:
     FLAGS: "-s --connect-timeout 3"
-    OWSEC: sec:16001
+    OWSEC: owsec-owsec:16001
     CHECK_RETRIES: 30
 
   secret_env_variables:
@@ -126,3 +125,256 @@ owlsui:
   enabled: false
 
   fullnameOverride: owlsui
+
+# HAproxy (https://github.com/bitnami/charts/tree/master/bitnami/haproxy)
+haproxy:
+  enabled: true
+
+  fullnameOverride: proxy
+
+  replicaCount: 3
+
+  service:
+    type: LoadBalancer
+    ports:
+      # healthcheck
+      - name: health
+        protocol: TCP
+        port: 8080
+        targetPort: health
+      # owfms
+      - name: owfmsrest
+        protocol: TCP
+        port: 16004
+        targetPort: owfmsrest
+      - name: owfmsrestint
+        protocol: TCP
+        port: 17004
+        targetPort: owfmsrestint
+      # owgw
+      - name: owgwws
+        protocol: TCP
+        port: 15002
+        targetPort: owgwws
+      - name: owgwrest
+        protocol: TCP
+        port: 16002
+        targetPort: owgwrest
+      - name: owgwfileup
+        protocol: TCP
+        port: 16003
+        targetPort: owgwfileup
+      - name: owgwrestint
+        protocol: TCP
+        port: 17002
+        targetPort: owgwrestint
+      # owprov
+      - name: owprovrest
+        protocol: TCP
+        port: 16005
+        targetPort: owprovrest
+      - name: owprovrestint
+        protocol: TCP
+        port: 17005
+        targetPort: owprovrestint
+      # owsec
+      - name: owsecrest
+        protocol: TCP
+        port: 16001
+        targetPort: owsecrest
+      - name: owsecrestint
+        protocol: TCP
+        port: 17001
+        targetPort: owsecrestint
+      # rttys
+      - name: rttysdev
+        protocol: TCP
+        port: 5912
+        targetPort: rttysdev
+      - name: rttysuser
+        protocol: TCP
+        port: 5913
+        targetPort: rttysuser
+      - name: rttysweb
+        protocol: TCP
+        port: 5914
+        targetPort: rttysweb
+
+  containerPorts:
+    # healthcheck
+    - name: health
+      containerPort: 8080
+    # owfms
+    - name: owfmsrest
+      containerPort: 16004
+    - name: owfmsrestint
+      containerPort: 17004
+    # owgw
+    - name: owgwws
+      containerPort: 15002
+    - name: owgwrest
+      containerPort: 16002
+    - name: owgwfileup
+      containerPort: 16003
+    - name: owgwrestint
+      containerPort: 17002
+    # owprov
+    - name: owprovrest
+      containerPort: 16005
+    - name: owprovrestint
+      containerPort: 17005
+    # owsec
+    - name: owsecrest
+      containerPort: 16001
+    - name: owsecrestint
+      containerPort: 17001
+    # rttys
+    - name: rttysdev
+      containerPort: 5912
+    - name: rttysuser
+      containerPort: 5913
+    - name: rttysweb
+      containerPort: 5914
+
+  configuration: |
+    global
+      log stdout format raw local0
+      maxconn 1024
+    defaults
+      log global
+      timeout client 360s
+      timeout connect 60s
+      timeout server 360s
+
+    # healthcheck
+    frontend front_healthcheck
+      bind :8080
+      mode http
+      default_backend back_healthcheck
+    backend back_healthcheck
+      mode http
+      http-after-response set-header Access-Control-Allow-Origin "*"
+      http-after-response set-header Access-Control-Max-Age "31536000"
+      http-request return status 200 content-type "text/plain" string "Pong"
+
+    # owfms
+    frontend front_owfms_rest
+      bind :16004
+      mode tcp
+      default_backend back_owfms_rest
+    backend back_owfms_rest
+      mode tcp
+      server svc_owfms_rest owfms-owfms:16004
+
+    frontend front_owfms_rest_internal
+      bind :17004
+      mode tcp
+      default_backend back_owfms_rest_internal
+    backend back_owfms_rest_internal
+      mode tcp
+      server svc_owfms_rest_internal owfms-owfms:17004
+
+    # owgw
+    frontend front_owgw_websocket
+      bind :15002
+      mode tcp
+      default_backend back_owgw_websocket
+    backend back_owgw_websocket
+      mode tcp
+      server svc_owgw_websocket owgw-owgw:15002
+
+    frontend front_owgw_rest
+      bind :16002
+      mode tcp
+      default_backend back_owgw_rest
+    backend back_owgw_rest
+      mode tcp
+      server svc_owgw_rest owgw-owgw:16002
+
+    frontend front_owgw_fileuploader
+      bind :16003
+      mode tcp
+      default_backend back_owgw_fileuploader
+    backend back_owgw_fileuploader
+      mode tcp
+      server svc_owgw_fileuploader owgw-owgw:16003
+
+    frontend front_owgw_rest_internal
+      bind :17002
+      mode tcp
+      default_backend back_owgw_rest_internal
+    backend back_owgw_rest_internal
+      mode tcp
+      server svc_owgw_rest_internal owgw-owgw:17002
+
+    # owprov
+    frontend front_owprov_rest
+      bind :16005
+      mode tcp
+      default_backend back_owprov_rest
+    backend back_owprov_rest
+      mode tcp
+      server svc_owprov_rest owprov-owprov:16005
+
+    frontend front_owprov_rest_internal
+      bind :17005
+      mode tcp
+      default_backend back_owprov_rest_internal
+    backend back_owprov_rest_internal
+      mode tcp
+      server svc_owprov_rest_internal owprov-owprov:17005
+
+    # owsec
+    frontend front_owsec_rest
+      bind :16001
+      mode tcp
+      default_backend back_owsec_rest
+    backend back_owsec_rest
+      mode tcp
+      server svc_owsec_rest owsec-owsec:16001
+
+    frontend front_owsec_rest_internal
+      bind :17001
+      mode tcp
+      default_backend back_owsec_rest_internal
+    backend back_owsec_rest_internal
+      mode tcp
+      server svc_owsec_rest_internal owsec-owsec:17001
+
+    # rttys
+    frontend front_rttys_dev
+      bind :5912
+      mode tcp
+      default_backend back_rttys_dev
+    backend back_rttys_dev
+      mode tcp
+      server svc_rttys_dev rttys-rttys:5912
+
+    frontend front_rttys_user
+      bind :5913
+      mode tcp
+      default_backend back_rttys_user
+    backend back_rttys_user
+      mode tcp
+      server svc_rttys_user rttys-rttys:5913
+
+    frontend front_rttys_web
+      bind :5914
+      mode tcp
+      default_backend back_rttys_web
+    backend back_rttys_web
+      mode tcp
+      server svc_rttys_web rttys-rttys:5914
+
+# Cert-manager RESTAPI certs
+restapiCerts:
+  enabled: false
+
+  services:
+    - owgw-owgw
+    - owsec-owsec
+    - owfms-owfms
+    - owprov-owprov
+    - owls-owls
+
+  clusterDomain: cluster.local

docker-compose/.env

@@ -1,11 +1,11 @@
 # Image tags
 COMPOSE_PROJECT_NAME=openwifi
-OWGW_TAG=master
-OWGWUI_TAG=main
-OWSEC_TAG=main
-OWFMS_TAG=main
-OWPROV_TAG=main
-OWPROVUI_TAG=main
+OWGW_TAG=v2.5.0-RC1
+OWGWUI_TAG=v2.5.0-RC1
+OWSEC_TAG=v2.5.0-RC1
+OWFMS_TAG=v2.5.0-RC1
+OWPROV_TAG=v2.5.0-RC1
+OWPROVUI_TAG=v2.5.0-RC1
 RTTYS_TAG=3.5.0
 KAFKA_TAG=latest
 ZOOKEEPER_TAG=latest

docker-compose/.env.letsencrypt

@@ -1,11 +1,11 @@
 # Image tags
 COMPOSE_PROJECT_NAME=openwifi
-OWGW_TAG=master
-OWGWUI_TAG=main
-OWSEC_TAG=main
-OWFMS_TAG=main
-OWPROV_TAG=main
-OWPROVUI_TAG=main
+OWGW_TAG=v2.5.0-RC1
+OWGWUI_TAG=v2.5.0-RC1
+OWSEC_TAG=v2.5.0-RC1
+OWFMS_TAG=v2.5.0-RC1
+OWPROV_TAG=v2.5.0-RC1
+OWPROVUI_TAG=v2.5.0-RC1
 RTTYS_TAG=3.5.0
 KAFKA_TAG=latest
 ZOOKEEPER_TAG=latest

docker-compose/.env.selfsigned

@@ -1,11 +1,11 @@
 # Image tags
 COMPOSE_PROJECT_NAME=openwifi
-OWGW_TAG=master
-OWGWUI_TAG=main
-OWSEC_TAG=main
-OWFMS_TAG=main
-OWPROV_TAG=main
-OWPROVUI_TAG=main
+OWGW_TAG=v2.5.0-RC1
+OWGWUI_TAG=v2.5.0-RC1
+OWSEC_TAG=v2.5.0-RC1
+OWFMS_TAG=v2.5.0-RC1
+OWPROV_TAG=v2.5.0-RC1
+OWPROVUI_TAG=v2.5.0-RC1
 RTTYS_TAG=3.5.0
 KAFKA_TAG=latest
 ZOOKEEPER_TAG=latest

docker-compose/README.md

@@ -1,4 +1,4 @@
-# Docker Compose
+# OpenWifi SDK Docker Compose
 ### Overview
 With the provided Docker Compose files you can instantiate a deployment of the OpenWifi microservices and related components. The repository contains a self-signed certificate and a TIP-signed gateway certificate which are valid for the `*.wlan.local` domain. You also have the possibility to either generate and use Letsencrypt certs or provide your own certificates. Furthermore the deployments are split by whether Traefik is used as a reverse proxy/load balancer in front of the microservices or if they are exposed directly on the host. The advantage of using the deployments with Traefik is that you can use Letsencrypt certs (automatic certificate generation and renewal) and you have the ability to scale specific containers to multiple replicas.  
 The repository also contains a separate Docker Compose deployment to set up the [OWLS microservice](https://github.com/Telecominfraproject/wlan-cloud-owls) and related components for running a load simulation test against an existing controller.
@@ -7,7 +7,7 @@ The repository also contains a separate Docker Compose deployment to set up the
 - [Non-LB deployment with PostgreSQL](#non-lb-deployment-with-postgresql)
 - [LB deployment with self-signed certificates](#lb-deployment-with-self-signed-certificates)
 - [LB deployment with Letsencrypt certificates](#lb-deployment-with-letsencrypt-certificates)
-- [OWLS deployment with self-signed certificates](#owls-deployment-with-self-signed-certificates)
+- [OWLS deployment with self-signed certificates](owls/README.md)
 ### Configuration
 If you don't bind mount your own config files they are generated on every startup based on the environment variables in the microservice specific env files. For an overview of the supported configuration properties have a look into the microservice specific env files. For an explanation of the configuration properties please see the README in the respective microservice repository.  
 Be aware that the non-LB deployment exposes the generated config files on the host. So if you want to make configuration changes afterwards, please do them directly in the config files located in the microservice data directories.
@@ -188,19 +188,5 @@ For the Letsencrypt challenge to work you need a public IP address. The hostname
 3. Spin up the deployment with `docker-compose -f docker-compose.lb.letsencrypt.yml --env-file .env.letsencrypt up -d`. Make sure to specify the Compose and the according .env file every time you're working with the deployment or create an alias, for example `alias docker-compose-lb-letsencrypt="docker-compose -f docker-compose.lb.letsencrypt.yml --env-file .env.letsencrypt"`. You also have the possibility to scale specific services to a specified number of instances with `docker-compose-lb-letsencrypt up -d --scale SERVICE=NUM`, where `SERVICE` is the service name as defined in the Compose file.
 4. Check if the containers are up and running with `docker-compose-lb-letsencrypt ps`.
 5. Login to the UI and follow the instructions to change your default password.
-## OWLS deployment with self-signed certificates
-To run a load simulation you need to obtain a TIP signed client certificate which will be used to connect to the gateway. The certificate CN has to start with the characters `53494d` like it is described [here](https://github.com/Telecominfraproject/wlan-cloud-owls#get-a-simulator-key). Be aware that since the OWLS deployment partly exposes the same ports on the host as the OpenWifi deployment, it is not intended that both run on the same host.
-1. Copy or move your TIP signed load simulation client certificate into the `docker-compose/certs` directory. Don't forget to name the files `device-cert.pem` and `device-key.pem` or adapt the path names in the OWLS configuration if you're using different file names.
-2. To be able to run load simulation tests against your OpenWifi deployment, you'll have to [configure the OWGW microservice](https://github.com/Telecominfraproject/wlan-cloud-owls#prepare-your-openwifi-gateway) to allow load simulation tests. You can do that by either editing the OWGW env file or doing the changes directly in the OWGW configuration file if it is exposed on the host.
-3. Switch into the project directory with `cd docker-compose/owls`.
-4. Add an entry for `openwifi-owls.wlan.local` in your hosts file which points to `127.0.0.1` or whatever the IP of the host running the OWLS deployment is.
-5. Spin up the deployment with `docker-compose up -d`.
-6. Check if the containers are up and running with `docker-compose ps`.
-7. Add SSL certificate exceptions in your browser by visiting https://openwifi-owls.wlan.local:16001 and https://openwifi-owls.wlan.local:16007.
-8. If you're using an OpenWifi deployment with self-signed certificates, you'll have to add a custom hosts entry for `openwifi.wlan.local` on the machine running the OWLS deployment pointing to the remote IP of your OpenWifi host.
-9. Login to the UI by visiting https://openwifi-owls.wlan.local and follow the instructions to change your default password.
-10. In the Simulation tab, click on the + sign on the right side to add a load simulation.
-11. Fill out the required fields. MAC prefix is used for the MAC addresses of the simulated devices, so you can use any six-digit hexadecimal number. Specify the remote address of your OpenWifi gateway in the Gateway field, for example `https://openwifi.wlan.local:15002`. Adapt the rest of the settings according to your needs.
-12. Click on the floppy disk icon to save your load simulation. You can run it by clicking the play symbol in the table view.
 
 **Note**: All deployments create local volumes to persist mostly application, database and certificate data. In addition to that the `certs/` directory is bind mounted into the microservice containers. Be aware that for the bind mounts the host directories and files will be owned by the user in the container. Since the files are under version control, you may have to change the ownership to your user again before pulling changes.

docker-compose/owls/README.md

@@ -0,0 +1,16 @@
+# OpenWifi OWLS Docker Compose
+## Deployment with self-signed certificates
+To run a load simulation you need to generate a specific Digicert-signed AP certificate which will be used to connect to the gateway. The certificate serial number has to start with the digits `53494d` since otherwise the gateway won't allow a load simulation. The rest of the serial number and the specified redirector URL can be chosen randomly. You only need to generate one AP certificate for your simulations.  
+Be aware that since the OWLS deployment partly exposes the same ports on the host as the OpenWifi deployment, it is not intended that both run on the same host.
+1. Copy or move your AP load simulation certificate into the `docker-compose/certs` directory. Don't forget to name the files `device-cert.pem` and `device-key.pem` or adapt the path names in the OWLS configuration if you're using different file names.
+2. To be able to run load simulation tests against your OpenWifi SDK deployment, you'll have to [add the serial number of your generated AP certificate to the gateway configuration](https://github.com/Telecominfraproject/wlan-cloud-owls#prepare-your-openwifi-gateway). You can do that by either editing [owgw.env](../owgw.env) or doing the changes directly in your OWGW configuration file if it is exposed on your Docker host.
+3. Switch into the project directory with `cd docker-compose/owls`.
+4. Add an entry for `openwifi-owls.wlan.local` in your hosts file which points to `127.0.0.1` or whatever the IP of the host running the OWLS deployment is.
+5. Spin up the deployment with `docker-compose up -d`.
+6. Check if the containers are up and running with `docker-compose ps`.
+7. Add SSL certificate exceptions in your browser by visiting https://openwifi-owls.wlan.local:16001 and https://openwifi-owls.wlan.local:16007.
+8. If you're using an OpenWifi deployment with self-signed certificates, you'll have to add a custom hosts entry for `openwifi.wlan.local` on the machine running the OWLS deployment pointing to the remote IP of your OpenWifi host.
+9. Login to the UI by visiting https://openwifi-owls.wlan.local and follow the instructions to change your default password.
+10. In the Simulation tab, click on the + sign on the right side to add a load simulation.
+11. Fill out the required fields. MAC prefix is used for the MAC addresses of the simulated devices, so you can use any six-digit hexadecimal number. Specify the remote address of your OpenWifi gateway in the Gateway field, for example `https://openwifi.wlan.local:15002`. Adapt the rest of the settings according to your needs.
+12. Click on the floppy disk icon to save your load simulation. You can run it by clicking the play symbol in the table view.