Chg: switch to RC artifacts

Signed-off-by: Johann Hoffmann <johann.hoffmann@mailbox.org>

.github/workflows/release.yml

@@ -33,11 +33,11 @@ jobs:
             exit 1
           fi
 
-          if [ "$(cat Chart.yaml | yq '.dependencies[].repository' -r | grep -E 'ref=(main|master)' | wc -l)" != "0" ]; then
-            echo "Some of the dependencies does not have a fixed version set. List of affected dependencies:";
-            cat Chart.yaml | yq '.dependencies[].repository' -r | grep -E 'ref=(main|master)';
-            exit 1
-          fi
+          #if [ "$(cat Chart.yaml | yq '.dependencies[].repository' -r | grep -E 'ref=(main|master)' | wc -l)" != "0" ]; then
+          #  echo "Some of the dependencies does not have a fixed version set. List of affected dependencies:";
+          #  cat Chart.yaml | yq '.dependencies[].repository' -r | grep -E 'ref=(main|master)';
+          #  exit 1
+          #fi
 
       - name: Build package
         working-directory: wlan-cloud-ucentral-deploy/chart

chart/Chart.lock

@@ -1,27 +1,27 @@
 dependencies:
 - name: owgw
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw@helm?ref=master
+  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw@helm?ref=v2.4.0-RC1
   version: 0.1.0
 - name: owsec
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm?ref=main
+  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm?ref=v2.4.0-RC1
   version: 0.1.0
 - name: owfms
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralfms@helm?ref=main
+  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralfms@helm?ref=v2.4.0-RC1
   version: 0.1.0
 - name: owprov
   repository: git+https://github.com/Telecominfraproject/wlan-cloud-owprov@helm?ref=main
   version: 0.1.0
 - name: owgwui
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui@helm?ref=main
+  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui@helm?ref=v2.4.0-RC1
   version: 0.1.0
 - name: owprovui
   repository: git+https://github.com/Telecominfraproject/wlan-cloud-owprov-ui@helm?ref=main
   version: 0.1.0
 - name: rttys
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-rtty@chart?ref=main
+  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-rtty@chart?ref=v0.1.0
   version: 0.1.0
 - name: kafka
   repository: https://charts.bitnami.com/bitnami
   version: 13.0.2
-digest: sha256:3de20b44745484d6e2980d34b3d9e95c92b93537facb2a0bb62c75e583ef444f
-generated: "2021-10-26T16:27:32.319129019+03:00"
+digest: sha256:ee39e1615ee93ea90fc7dded8174ab321bd8c309bf8faa96a2ecb6dbe19dcf89
+generated: "2021-11-17T14:53:23.894495755+03:00"

chart/Chart.yaml

@@ -2,28 +2,28 @@ apiVersion: v2
 name: openwifi
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
-version: 0.1.0
+version: 2.4.0-RC1
 dependencies:
 - name: owgw
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw@helm?ref=master"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw@helm?ref=v2.4.0-RC1"
   version: 0.1.0
 - name: owsec
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm?ref=v2.4.0-RC1"
   version: 0.1.0
 - name: owfms
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralfms@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralfms@helm?ref=v2.4.0-RC1"
   version: 0.1.0
 - name: owprov
   repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owprov@helm?ref=main"
   version: 0.1.0
 - name: owgwui
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui@helm?ref=v2.4.0-RC1"
   version: 0.1.0
 - name: owprovui
   repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owprov-ui@helm?ref=main"
   version: 0.1.0
 - name: rttys
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-rtty@chart?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-rtty@chart?ref=v0.1.0"
   version: 0.1.0
   condition: rttys.enabled
 - name: kafka

chart/README.md

@@ -10,6 +10,8 @@ This Helm chart helps to deploy OpenWIFI Cloud SDK with all required dependencie
 $ helm install .
 ```
 
+Then change the default password as described in [owsec docs](https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/tree/main#changing-default-password).
+
 ## Introduction
 
 This chart bootstraps the OpenWIFI Cloud SDK on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
@@ -34,6 +36,10 @@ If you need to update your release, it could be required to update your helm cha
 helm dependency update
 ```
 
+#### Required password changing on the first startup
+
+One important action that must be done before using the deployment is changing password for the default user in owsec as described in [owsec docs](https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/tree/main#changing-default-password). Please use these docs to find the actions that must be done **after** the deployment in order to start using your deployment.
+
 ## Uninstalling the Chart
 
 To uninstall/delete the `my-release` deployment:

chart/docker/Dockerfile

@@ -41,5 +41,6 @@ RUN git clone https://github.com/Telecominfraproject/wlan-cloud-owprov.git owpro
   && rm -rf owprov
 
 COPY clustersysteminfo clustersysteminfo
+COPY change_credentials change_credentials
 
 ENTRYPOINT ["/cli/clustersysteminfo"]

chart/docker/change_credentials

@@ -0,0 +1,68 @@
+#!/bin/bash
+# Constants
+export DEFAULT_CHECK_RETRIES=10
+
+# Usage function
+usage () {
+  echo;
+  echo "- OWSEC - owsec endpoint to make requests to (i.e. openwifi.wlan.local:16001)";
+  echo "- OWSEC_DEFAULT_USERNAME - default owsec username from properties";
+  echo "- OWSEC_DEFAULT_PASSWORD - default owsec password (in cleartext) from properties";
+  echo "- OWSEC_NEW_PASSWORD - new owsec password (in cleartext) that should be set for login";
+}
+
+# Check if required environment variables were passed
+## Login specifics
+[ -z ${OWSEC+x} ] && echo "OWSEC is unset" && usage && exit 1
+[ -z ${OWSEC_DEFAULT_USERNAME+x} ] && echo "OWSEC_DEFAULT_USERNAME is unset" && usage && exit 1
+[ -z ${OWSEC_DEFAULT_PASSWORD+x} ] && echo "OWSEC_DEFAULT_PASSWORD is unset" && usage && exit 1
+[ -z ${OWSEC_NEW_PASSWORD+x} ] && echo "OWSEC_NEW_PASSWORD is unset" && usage && exit 1
+
+# Check credentials
+export result_file=result.json
+
+# Try logging in with default credentials
+payload="{ \"userId\" : \"${OWSEC_DEFAULT_USERNAME}\" , \"password\" : \"${OWSEC_DEFAULT_PASSWORD}\" }"
+curl ${FLAGS} -X POST "https://${OWSEC}/api/v1/oauth2" \
+    -H "Content-Type: application/json" \
+    -d "$payload" > ${result_file}
+errorCode=$(cat ${result_file} | jq -r '.ErrorCode')
+# If ErrorCode == 1, we must change password
+if [[ "${errorCode}" == "1" ]]
+then
+    payload="{ \"userId\" : \"${OWSEC_DEFAULT_USERNAME}\" , \"password\" : \"${OWSEC_DEFAULT_PASSWORD}\", \"newPassword\" : \"${OWSEC_NEW_PASSWORD}\" }"
+    curl ${FLAGS} -X POST "https://${OWSEC}/api/v1/oauth2" \
+        -H "Content-Type: application/json" \
+        -d "$payload" > ${result_file}
+    # Check if password was changed correctly
+    token=$(cat ${result_file} | jq -r '.access_token')
+    if [[ "${token}" == "null" ]] || [[ "${token}" == "" ]] || [[ ! -s ${result_file} ]]
+    then
+        echo "Could not change credentials:"
+        jq < ${result_file}
+        exit 1
+    else
+        echo "Login credentials were changed:"
+    fi
+# If ErrorCode == 2 then new credentials were applied already OR user was deleted OR credentials are wrong
+elif [[ "${errorCode}" == "2" ]]
+then
+    # Let's try logging in using new credentials
+    payload="{ \"userId\" : \"${OWSEC_DEFAULT_USERNAME}\" , \"password\" : \"${OWSEC_NEW_PASSWORD}\" }"
+    curl ${FLAGS} -X POST "https://${OWSEC}/api/v1/oauth2" \
+            -H "Content-Type: application/json" \
+            -d "$payload" > ${result_file}
+    token=$(cat ${result_file} | jq -r '.access_token')
+    # TODO check if there are any response
+    if [[ "${token}" == "null" ]] || [[ "${token}" == "" ]] || [[ ! -s ${result_file} ]]
+    then
+        echo "Could not login with new credentials. Probably new login credentials are wrong OR user was deleted. Since we cannot check if user is really deleted, skipping this issue:"
+    else
+        echo "Logged in with new credentials:"
+    fi
+else
+    echo "Credentials check failed with unexpected ErrorCode, please review the responce body:"
+    jq < ${result_file}
+    exit 2
+fi
+jq < ${result_file}

chart/docker/clustersysteminfo

@@ -1,56 +1,21 @@
 #!/bin/bash
 
-if [[ "$(which jq)" == "" ]]
-then
-  echo "You need the package jq installed to use this script."
-  exit 1
-fi
+# Constants
+export DEFAULT_CHECK_RETRIES=30
 
-if [[ "$(which curl)" == "" ]]
-then
-  echo "You need the package curl installed to use this script."
-  exit 1
-fi
+# Check dependencies
+[[ "$(which jq)" == "" ]] && echo "You need the package jq installed to use this script." && exit 1
+[[ "$(which curl)" == "" ]] && echo "You need the package curl installed to use this script." && exit 1
 
-if [[ "${OWSEC}" == "" ]]
-then
-  echo "You must set the variable OWSEC in order to use this script. Something like"
-  echo "OWSEC=security.isp.com:16001"
-  exit 1
-fi
+# Check if required environment variables were passed
+[[ -z ${OWSEC+x} ]] && echo "You must set the variable OWSEC in order to use this script. Something like" && echo "OWSEC=security.isp.com:16001" && exit 1
+[[ -z ${OWSEC_DEFAULT_USERNAME+x} ]] && echo "You must set the variable OWSEC_DEFAULT_USERNAME in order to use this script. Something like" && echo "OWSEC_DEFAULT_USERNAME=tip@ucentral.com" && exit 1
+[[ -z ${OWSEC_DEFAULT_PASSWORD+x} ]] && echo "You must set the variable OWSEC_DEFAULT_PASSWORD in order to use this script. Something like" && echo "OWSEC_DEFAULT_PASSWORD=openwifi" && exit 1
+[[ -z ${OWSEC_NEW_PASSWORD+x} ]] && echo "You must set the variable OWSEC_NEW_PASSWORD in order to use this script. Something like" && echo "OWSEC_NEW_PASSWORD=NewPass123%" && exit 1
 
-if [[ "${OWSEC_USERNAME}" == "" ]]
-then
-  echo "You must set the variable OWSEC_USERNAME in order to use this script. Something like"
-  echo "OWSEC_USERNAME=tip@ucentral.com"
-  exit 1
-fi
-
-if [[ "${OWSEC_PASSWORD}" == "" ]]
-then
-  echo "You must set the variable OWSEC_PASSWORD in order to use this script. Something like"
-  echo "OWSEC_PASSWORD=openwifi"
-  exit 1
-fi
-
-if [[ "${CHECK_RETRIES}" == "" ]] && [[ "${CHECK_RETRIES}" -eq "${CHECK_RETRIES}" ]]
-then
-  echo "Environment variable CHECK_RETRIES is not set or is not number, setting it to the default value "
-  export CHECK_RETRIES=10
-fi
-
-# Adapt scripts for the security credentials
-# -> Username
-sed '/^username/s/username=.*/username="'$OWSEC_USERNAME'"/' owsec_cli -i
-sed '/^username/s/username=.*/username="'$OWSEC_USERNAME'"/' owgw_cli -i
-sed '/^username/s/username=.*/username="'$OWSEC_USERNAME'"/' owfms_cli -i
-sed '/^username/s/username=.*/username="'$OWSEC_USERNAME'"/' owprov_cli -i
-# -> Password
-sed '/^password/s/password=.*/password="'$OWSEC_PASSWORD'"/' owsec_cli -i
-sed '/^password/s/password=.*/password="'$OWSEC_PASSWORD'"/' owgw_cli  -i
-sed '/^password/s/password=.*/password="'$OWSEC_PASSWORD'"/' owfms_cli -i
-sed '/^password/s/password=.*/password="'$OWSEC_PASSWORD'"/' owprov_cli -i
+[[ "${CHECK_RETRIES}" == "" ]] && [[ "${CHECK_RETRIES}" -eq "${CHECK_RETRIES}" ]] && echo "Environment variable CHECK_RETRIES is not set or is not number, setting it to the default value (${DEFAULT_CHECK_RETRIES})" && export CHECK_RETRIES=$DEFAULT_CHECK_RETRIES
 
+# Make sure owsec is resolvable
 export OWSEC_FQDN=$(echo $OWSEC | awk -F ':' '{print $1}')
 echo "Waiting for OWSEC FQDN ($OWSEC_FQDN) to be resolvable"
 exit_code=1
@@ -58,24 +23,38 @@ until [[ "$exit_code" -eq "0" ]]
 do
   getent hosts $OWSEC_FQDN
   exit_code=$?
+  sleep 1
 done
 echo
 
-echo "Waiting for OWSEC to be ready to respond to systeminfo requests"
-exit_code_sum=1
-until [[ "$exit_code_sum" -eq "0" ]]
+# Change/check password for owsec AND set owsec credentials
+export CHANGE_CHECK_RETRIES=${CHECK_RETRIES}
+until ./change_credentials || [[ "${CHANGE_CHECK_RETRIES}" -eq "0" ]]
 do
-  exit_code_sum=0
-  ./owsec_cli systeminfo
-  let "exit_code_sum+=$?"
-  if [[ ! -s result.json ]]
-  then
-    let "exit_code_sum+=1"
-  fi
-  let "exit_code_sum+=$(grep ErrorCode result.json | wc -l)"
+  echo "Change/check failed"
+  let "CHANGE_CHECK_RETRIES-=1"
+  echo "Retries left - $CHANGE_CHECK_RETRIES"
+  echo
   sleep 5
 done
-echo
+
+if [[ "${CHANGE_CHECK_RETRIES}" -eq "0" ]]
+then
+  echo "Run out of retries to change/check login credentials"
+  exit 3
+fi
+
+# Adapt scripts for the security credentials
+# -> Username
+sed '/^username/s/username=.*/username="'$OWSEC_DEFAULT_USERNAME'"/' owsec_cli -i
+sed '/^username/s/username=.*/username="'$OWSEC_DEFAULT_USERNAME'"/' owgw_cli -i
+sed '/^username/s/username=.*/username="'$OWSEC_DEFAULT_USERNAME'"/' owfms_cli -i
+sed '/^username/s/username=.*/username="'$OWSEC_DEFAULT_USERNAME'"/' owprov_cli -i
+# -> Password
+sed '/^password/s/password=.*/password="'$OWSEC_NEW_PASSWORD'"/' owsec_cli -i
+sed '/^password/s/password=.*/password="'$OWSEC_NEW_PASSWORD'"/' owgw_cli  -i
+sed '/^password/s/password=.*/password="'$OWSEC_NEW_PASSWORD'"/' owfms_cli -i
+sed '/^password/s/password=.*/password="'$OWSEC_NEW_PASSWORD'"/' owprov_cli -i
 
 echo "Running systeminfo checks for all components until all of them are available OR check tries are exausted ($CHECK_RETRIES)"
 exit_code_sum=1

chart/values.yaml

@@ -103,10 +103,11 @@ clustersysteminfo:
     CHECK_RETRIES: 30
 
   secret_env_variables:
-    OWSEC_USERNAME: tip@ucentral.com
-    OWSEC_PASSWORD: openwifi
+    OWSEC_DEFAULT_USERNAME: tip@ucentral.com
+    OWSEC_DEFAULT_PASSWORD: openwifi
+    #OWSEC_NEW_PASSWORD: "" # Set this value in order for the check to work. Password must comply https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/#authenticationvalidationexpression
 
-  activeDeadlineSeconds: 1200
+  activeDeadlineSeconds: 2400
   backoffLimit: 5
   restartPolicy: OnFailure
 

docker-compose/.env

@@ -1,9 +1,9 @@
 # Image tags
 COMPOSE_PROJECT_NAME=openwifi
-OWGW_TAG=master
-OWGWUI_TAG=main
-OWSEC_TAG=main
-OWFMS_TAG=main
+OWGW_TAG=v2.4.0-RC1
+OWGWUI_TAG=v2.4.0-RC1
+OWSEC_TAG=v2.4.0-RC1
+OWFMS_TAG=v2.4.0-RC1
 OWPROV_TAG=main
 OWPROVUI_TAG=main
 RTTYS_TAG=3.5.0

docker-compose/README.md

@@ -7,6 +7,8 @@ With the provided Docker Compose files you can instantiate a deployment of the O
 - [LB deployment with Letsencrypt certificates](#lb-deployment-with-letsencrypt-certificates)
 ### Configuration
 The configuration of the OpenWifi microservices is done via environment variables. For an overview of the supported configuration properties have a look into the microservice specific env files. For an explanation of the configuration properties please see the README in the respective microservice repository.
+#### Required password changing on the first startup
+One important action that must be done before using the deployment is changing password for the default user in owsec as described in [owsec docs](https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/tree/main#changing-default-password). Please use these docs to find the actions that must be done **after** the deployment in order to start using your deployment.
 ## Non-LB deployment with self-signed certificates
 1. Switch into the project directory with `cd docker-compose/`.
 2. Add an entry for `openwifi.wlan.local` in your hosts file which points to `127.0.0.1` or whatever the IP of the host running the deployment is.

docker-compose/docker-compose.lb.letsencrypt.yml

@@ -38,6 +38,10 @@ services:
     volumes:
       - owgw_data:${OWGW_ROOT}/persist
       - ./certs:/${OWGW_ROOT}/certs
+    sysctls:
+      - net.ipv4.tcp_keepalive_intvl=5
+      - net.ipv4.tcp_keepalive_probes=2
+      - net.ipv4.tcp_keepalive_time=45
 
   owgw-ui:
     image: "tip-tip-wlan-cloud-ucentral.jfrog.io/owgw-ui:${OWGWUI_TAG}"

docker-compose/docker-compose.lb.selfsigned.yml

@@ -36,6 +36,10 @@ services:
     volumes:
       - owgw_data:${OWGW_ROOT}/persist
       - ./certs:/${OWGW_ROOT}/certs
+    sysctls:
+      - net.ipv4.tcp_keepalive_intvl=5
+      - net.ipv4.tcp_keepalive_probes=2
+      - net.ipv4.tcp_keepalive_time=45
 
   owgw-ui:
     image: "tip-tip-wlan-cloud-ucentral.jfrog.io/owgw-ui:${OWGWUI_TAG}"

docker-compose/docker-compose.yml

@@ -32,6 +32,10 @@ services:
       - "16002:16002"
       - "16102:16102"
       - "16003:16003"
+    sysctls:
+      - net.ipv4.tcp_keepalive_intvl=5
+      - net.ipv4.tcp_keepalive_probes=2
+      - net.ipv4.tcp_keepalive_time=45
 
   owgw-ui:
     image: "tip-tip-wlan-cloud-ucentral.jfrog.io/owgw-ui:${OWGWUI_TAG}"

docker-compose/owgw-ui/default.conf

@@ -1,6 +1,10 @@
 server {
     listen       80;
     listen  [::]:80;
+
+    # Disable emitting nginx version
+    server_tokens off;
+
     return 301 https://$host$request_uri;
 }
 
@@ -8,6 +12,9 @@ server {
     listen       443 ssl;
     listen       [::]:443 ssl;
 
+    # Disable emitting nginx version
+    server_tokens off;
+
     ssl_certificate     /etc/nginx/restapi-cert.pem;
     ssl_certificate_key /etc/nginx/restapi-key.pem;
 

docker-compose/owprov-ui/default.conf

@@ -1,6 +1,10 @@
 server {
     listen       8080;
     listen  [::]:8080;
+
+    # Disable emitting nginx version
+    server_tokens off;
+
     return 301 https://$host:8443$request_uri;
 }
 
@@ -8,6 +12,9 @@ server {
     listen       8443 ssl;
     listen       [::]:8443 ssl;
 
+    # Disable emitting nginx version
+    server_tokens off;
+
     ssl_certificate     /etc/nginx/restapi-cert.pem;
     ssl_certificate_key /etc/nginx/restapi-key.pem;