WIFI-13871 Correct log setting and point to chart

Signed-off-by: Carsten Schafer <Carsten.Schafer@kinarasystems.com>

.github/workflows/ci.yml

@@ -49,7 +49,7 @@ jobs:
     needs: envs
     steps:
     - name: Checkout actions repo
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         repository: Telecominfraproject/.github
         path: github
@@ -72,7 +72,7 @@ jobs:
     needs: envs
     steps:
     - name: Checkout actions repo
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         repository: Telecominfraproject/.github
         path: github
@@ -95,7 +95,7 @@ jobs:
     needs: envs
     steps:
     - name: Checkout actions repo
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         repository: Telecominfraproject/.github
         path: github

.github/workflows/clustersysteminfo_image_ci.yml

@@ -22,7 +22,7 @@ jobs:
       DOCKER_REGISTRY_URL: tip-tip-wlan-cloud-ucentral.jfrog.io
       DOCKER_REGISTRY_USERNAME: ucentral
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - name: Build Docker image
       working-directory: chart/docker

.github/workflows/enforce-jira-issue-key.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout actions repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           repository: Telecominfraproject/.github
           path: github

.github/workflows/git-release.yml

@@ -28,7 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repo
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         path: wlan-cloud-ucentral-deploy
 
@@ -36,7 +36,7 @@ jobs:
       run: |
         pip3 install yq
         helm plugin install https://github.com/databus23/helm-diff
-        helm plugin install https://github.com/aslafy-z/helm-git
+        helm plugin install https://github.com/aslafy-z/helm-git --version 0.16.0
         ls ~/.local/share/helm/plugins/helm-git/helm-git-plugin.sh || true
         sed 's/--skip-refresh //' -i ~/.local/share/helm/plugins/helm-git/helm-git-plugin.sh
 
@@ -54,6 +54,6 @@ jobs:
         git config --global credential.helper store
         git config --global user.email "tip-automation@telecominfraproject.com"
         git config --global user.name "TIP Automation User"
-        helm repo add bitnami https://charts.bitnami.com/bitnami
-        helm repo update
+        #helm repo add bitnami https://charts.bitnami.com/bitnami
+        #helm repo update
         ./git-release-tool.sh

.github/workflows/release.yml

@@ -11,13 +11,13 @@ defaults:
 
 jobs:
   helm-package:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     env:
       HELM_REPO_URL: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
       HELM_REPO_USERNAME: ucentral
     steps:
       - name: Checkout uCentral assembly chart repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           path: wlan-cloud-ucentral-deploy
           repository: Telecominfraproject/wlan-cloud-ucentral-deploy
@@ -42,9 +42,7 @@ jobs:
       - name: Build package
         working-directory: wlan-cloud-ucentral-deploy/chart
         run: |
-          helm plugin install https://github.com/aslafy-z/helm-git --version 0.10.0
-          helm repo add bitnami https://charts.bitnami.com/bitnami
-          helm repo update
+          helm plugin install https://github.com/aslafy-z/helm-git --version 0.16.0
           helm dependency update
           mkdir dist
           helm package . -d dist
@@ -70,7 +68,7 @@ jobs:
           cat Chart.yaml | yq -r '.dependencies[] | "\(.name) - \(.repository) v\(.version)"' >> release.txt
 
       - name: Create GitHub release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           body_path: wlan-cloud-ucentral-deploy/chart/release.txt
           files: wlan-cloud-ucentral-deploy/chart/dist/*
@@ -80,7 +78,7 @@ jobs:
     needs: helm-package
     steps:
     - name: Trigger testing of release
-      uses: peter-evans/repository-dispatch@v1
+      uses: peter-evans/repository-dispatch@v3
       with:
         token: ${{ secrets.WLAN_TESTING_PAT }}
         repository: Telecominfraproject/wlan-testing

cgw/.sops.yaml

@@ -0,0 +1,2 @@
+creation_rules:
+- kms: 'arn:aws:kms:us-east-2:289708231103:alias/helm-secrets'

cgw/README.md

@@ -0,0 +1,35 @@
+# CGW Charts
+
+## Pre-requisites
+
+The following binaries are needed:
+- [helmfile](https://github.com/helmfile/helmfile/releases/download/v0.165.0/helmfile_0.165.0_linux_amd64.tar.gz)
+- helm
+- kubectl
+
+The following helm plugins are needed:
+```bash
+helm plugin install https://github.com/aslafy-z/helm-git --version 0.16.0
+helm plugin install https://github.com/databus23/helm-diff
+helm plugin install https://github.com/jkroepke/helm-secrets
+```
+
+## Configuration
+
+_helmfile.yaml_ contains the configuration for all the environments. External values files are used for secrets or where appropriate. Each environment needs to be created in this file before it can be deployed.  The files in ./secrets/ are encrypted with SOPS. Use `helm secrets edit secrets/FILE` to edit.
+
+## Installation
+
+To install the entire stack: `helm --environment ENVNAME apply`.
+To install just cgw: `helm --environment ENVNAME -l app=cgw apply`.
+To install just cgw with a specific image tag: `helm --environment ENVNAME -l app=cgw apply --state-values-set "cgw.tag=latest"`.
+
+## Removal
+
+To remove the entire stack: `helm --environment ENVNAME delete`.
+To remove just cgw: `helm --environment ENVNAME -l app=cgw delete`.
+Delete the namespace manually if it is no longer required.
+
+# Re-installation
+
+Note that the kafka, postgres and redis charts do not want to be reinstalled so will have to be removed and installed. If you wish to upgrade these then you must follow the respective Bitnami instructions on how to upgrade these charts.

cgw/helmfile.yaml

@@ -0,0 +1,211 @@
+environments:
+  default:
+    secrets:
+      - secrets/values.postgres.yaml
+      - secrets/certs.tip.yaml
+    values:
+    - global:
+        name: devcgw
+        namespace: openwifi-devcgw
+        domain: cicd.lab.wlan.tip.build
+        certificateARN: arn:aws:acm:us-east-2:289708231103:certificate/299d7444-acc4-46c2-ae83-40d2cd5f49be
+    - kafka:
+        enabled: true
+    - redis:
+        enabled: true
+    - postgres:
+        enabled: true
+    - cgw:
+        enabled: true
+        tag: next
+  cgw01:
+    secrets:
+      - secrets/values.postgres.yaml
+      - secrets/certs.tip.yaml
+    values:
+    - global:
+        name: cgw01
+        namespace: openlan-cgw01
+        domain: cicd.lab.wlan.tip.build
+        certificateARN: arn:aws:acm:ap-south-1:289708231103:certificate/2cc8c764-11fd-411d-bf7d-a93f488f3f6c
+    - kafka:
+        enabled: true
+    - redis:
+        enabled: true
+    - postgres:
+        enabled: true
+    - cgw:
+        enabled: true
+        tag: next
+
+---
+
+helmDefaults:
+  force: false
+  timeout: 300
+  createNamespace: true
+
+releases:
+- name: kafka
+  version: 28.3.0
+  namespace: {{ .Environment.Values.global.namespace }}
+  condition: kafka.enabled
+  chart: oci://registry-1.docker.io/bitnamicharts/kafka
+  labels:
+    group: base
+    app: kafka
+  values:
+    - fullnameOverride: kafka
+    - volumePermissions:
+        enabled: true
+    - commonAnnotations:
+        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+    - readinessProbe:
+        initialDelaySeconds: 45
+    - livenessProbe:
+        initialDelaySeconds: 60
+    - heapOpts: -Xmx1024m -Xms1024m
+    - kraft:
+        enabled: true
+    - zookeeper:
+        enabled: false
+    - provisioning:
+        enabled: true
+        topics:
+          - name: CnC
+            partitions: 1
+            replicationFactor: 1
+          - name: CnC_Res
+            partitions: 1
+            replicationFactor: 1
+    - controller:
+        replicaCount: 1
+        extraConfig: |-
+          maxMessageBytes = 1048588
+        extraEnvVars:
+          - name: ALLOW_PLAINTEXT_LISTENER
+            value: "yes"
+        resources:
+          requests:
+            cpu: 500m
+            memory: 512Mi
+          limits:
+            cpu: 750m
+            memory: 2Gi
+    - listeners:
+        client:
+          protocol: PLAINTEXT
+          containerPort: 9092
+        controller:
+          protocol: "PLAINTEXT"
+    - broker:
+        replicaCount: 2
+        persistence:
+          size: 20Gi
+        resources:
+          requests:
+            cpu: 500m
+            memory: 512Mi
+          limits:
+            cpu: 750m
+            memory: 2Gi
+
+- name: postgres
+  namespace: {{ .Environment.Values.global.namespace }}
+  chart: oci://registry-1.docker.io/bitnamicharts/postgresql
+  version: 13.4.3
+  condition: postgres.enabled
+  labels:
+    group: base
+    app: postgres
+  values:
+    - fullnameOverride: pgsql
+    # workaround for: postgresql.conf file not detected. Generating it...
+    # cp: cannot create regular file '/bitnami/postgresql/conf/postgresql.conf': Permission denied
+    - volumePermissions:
+        enabled: true
+    - global:
+        postgresql:
+          auth:
+            postgresPassword: {{ .Environment.Values.postgres.pgUser.password }}
+    - auth:
+        postgresPassword: {{ .Environment.Values.postgres.pgUser.password }}
+    - primary:
+        extendedConfiguration: |-
+          max_connections = 550
+          shared_buffers = 128MB
+          log_error_verbosity = verbose
+          tcp_keepalives_idle = 300
+          tcp_keepalives_interval = 30
+          tcp_user_timeout = 300
+        initdb:
+          scripts:
+            initusers.sql: |-
+              CREATE USER {{ .Environment.Values.postgres.cgwUser.name }};
+              ALTER USER cgw WITH ENCRYPTED PASSWORD '{{ .Environment.Values.postgres.cgwUser.password }}';
+              CREATE DATABASE cgw OWNER {{ .Environment.Values.postgres.cgwUser.name }};
+              \c cgw
+              CREATE TABLE infrastructure_groups (id INT PRIMARY KEY, reserved_size INT, actual_size INT);
+              CREATE TABLE infras (mac MACADDR PRIMARY KEY, infra_group_id INT, FOREIGN KEY(infra_group_id) REFERENCES infrastructure_groups(id) ON DELETE CASCADE);
+
+- name: redis
+  namespace: {{ .Environment.Values.global.namespace }}
+  chart: oci://registry-1.docker.io/bitnamicharts/redis
+  version: 19.5.2
+  condition: redis.enabled
+  labels:
+    group: base
+    app: redis
+  values:
+    - architecture: standalone
+    - auth:
+        enabled: false
+    - master:
+        extraEnvVars:
+          - name: ALLOW_EMPTY_PASSWORD
+            value: "yes"
+
+- name: cgw
+  namespace: {{ .Environment.Values.global.namespace }}
+  #chart: ../../openlan-cgw/helm
+  chart: "git+https://github.com/Telecominfraproject/openlan-cgw@helm?ref=next"
+  version: 0.1.0
+  condition: cgw.enabled
+  labels:
+    group: apps
+    app: cgw
+  secrets:
+    - secrets/certs.tip.yaml
+  values:
+    - images:
+        cgw:
+          tag: {{ .Environment.Values.cgw.tag }}
+    - public_env_variables:
+        CGW_DB_HOST: pgsql
+        CGW_DB_PORT: "5432"
+        CGW_DB_USERNAME: "{{ .Environment.Values.postgres.cgwUser.name }}"
+        CGW_KAFKA_HOST: kafka
+        CGW_KAFKA_PORT: "9092"
+        CGW_REDIS_HOST: redis-master
+        CGW_REDIS_PORT: "6379"
+        CGW_ALLOW_CERT_MISMATCH: "yes"
+        # use (#cpus * 2) - 2
+        DEFAULT_WSS_THREAD_NUM: "4"
+        # Useful for debugging:
+        #CGW_LOG_LEVEL: "debug"
+        #RUST_BACKTRACE: "full"
+    - secret_env_variables:
+        CGW_DB_PASSWORD: "{{ .Environment.Values.postgres.cgwUser.password }}"
+    - services:
+        cgw:
+          type: LoadBalancer
+          annotations:
+            external-dns.alpha.kubernetes.io/hostname: cgw-{{ .Environment.Values.global.name }}.{{ .Environment.Values.global.domain }}
+            #service.beta.kubernetes.io/aws-load-balancer-type: nlb-ip
+            service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+            service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
+            service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Environment.Values.global.certificateARN }}
+            service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "15003"
+            service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true
+            service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16002"
+            alb.ingress.kubernetes.io/healthcheck-path: /health

cgw/secrets/values.postgres.yaml

@@ -0,0 +1,21 @@
+postgres:
+    pgUser:
+        password: ENC[AES256_GCM,data:QHV7Y5Jfes4=,iv:QTs0fu7behn1g2CLheoJROFHNYvN6OpS/vcQQC0NrMs=,tag:PeaRcoDsOrEjDN9KgHUEPA==,type:str]
+    cgwUser:
+        name: ENC[AES256_GCM,data:g6J6,iv:H4HxE5orLFXZFDDVD2tAS0PkOqNJ9j6SNu1ief7Snk0=,tag:Tuj9yjBcJzZBBZRtwAY33w==,type:str]
+        password: ENC[AES256_GCM,data:5K0f,iv:+g61dhYOOTbr8TwnwwLHgW17R+6zXpQT2PfgjvofvlI=,tag:1nSVXgkTC41d1AnDDE19Hg==,type:int]
+sops:
+    kms:
+        - arn: arn:aws:kms:us-east-2:289708231103:alias/helm-secrets
+          created_at: "2024-06-12T13:45:13Z"
+          enc: AQICAHiG/4CitJjM31GdYxTw9OLz/Zs5oK+DCq0cU2fAjtAA3AEPrxIAaT+xE4C1IFYmWvmkAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMrFaPNxf0atKVKnFsAgEQgDu8uqj035qrcelG0Dq4/Ond4H5bmpUHNRVEj0C8BFxg+a4R3loIk4NBeyuA0yqC0cQeWnA5e+/SjVtGAA==
+          aws_profile: ""
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-06-25T17:29:15Z"
+    mac: ENC[AES256_GCM,data:gbXt2MRhlx9zGcm9ZvXjWuwSPh/QHkNngGx0j0UQ61jZTINRh4ZgERuUj7Vpo1tg/blIFWbl768wB89RAGq3n1C4AcQpX3xvC33QyCT0i4pitQmnec9RnJL0L197mioOikPxl8z56WE1014EV+Vvbk7rf1CQkqrrEIJINoqSdfE=,iv:ThbvKhY0fsaXJz9rORnvxY64vMWyM/IOgSI+kuFFbAQ=,tag:fSF4tdyf3wc5+uIfoYLc5g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

chart/Chart.yaml

@@ -31,10 +31,6 @@ dependencies:
 - name: owrrm
   repository: "git+https://github.com/Telecominfraproject/wlan-cloud-rrm@helm?ref=main"
   version: 0.1.0
-- name: kafka
-  repository: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
-  version: 13.0.2
-  condition: kafka.enabled
 - name: owls
   repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owls@helm?ref=main"
   version: 0.1.0
@@ -43,11 +39,15 @@ dependencies:
   repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owls-ui@helm?ref=master"
   version: 0.1.0
   condition: owlsui.enabled
+- name: kafka
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 28.2.3
+  condition: kafka.enabled
 - name: haproxy
-  repository: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
-  version: 0.2.21
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 0.13.3
   condition: haproxy.enabled
-- name: postgresql-ha
-  repository: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
-  version: 8.6.13
-  condition: postgresql-ha.enabled
+- name: postgresql
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 13.4.3
+  condition: postgresql.enabled

chart/README.md

@@ -1,10 +1,10 @@
 # openwifi
 
-This Helm chart helps to deploy OpenWIFI Cloud SDK with all required dependencies to the Kubernetes clusters. Purpose of this chart is to setup correct connections between other microservices and other dependencies with correct Values and other charts as dependencies in [chart definition](Chart.yaml)
+This Helm chart helps to deploy OpenWIFI Cloud SDK with all required dependencies to the Kubernetes clusters. The purpose of this chart is to set up the correct connections between other microservices and other dependencies with correct Values and other charts as dependencies in [chart definition](Chart.yaml)
 
 ## TL;DR;
 
-[helm-git](https://github.com/aslafy-z/helm-git) is required for remote the installation as it pull charts from other repositories for the deployment, so intall it if you don't have it already.
+[helm-git](https://github.com/aslafy-z/helm-git) is required for remote the installation as it pull charts from other repositories for the deployment, so install it if you don't have it already.
 
 Using that you can deploy Cloud SDK with 2 setups - without TLS certificates for RESTAPI endpoints and with them.
 
@@ -20,7 +20,7 @@ $ kubectl create secret generic openwifi-certs --from-file=../docker-compose/cer
 $ helm upgrade --install -f environment-values/values.base.secure.yaml openwifi .
 ```
 
-In order to acces the UI and other RESTAPI endpoints you should run the following commands after the deployment:
+In order to access the UI and other RESTAPI endpoints you should run the following commands after the deployment:
 
 ```
 $ kubectl port-forward deployment/proxy 5912 5913 16001 16002 16003 16004 16005 16006 16009 &
@@ -43,7 +43,7 @@ $ kubectl create secret generic openwifi-certs --from-file=../docker-compose/cer
 $ helm upgrade --install -f environment-values/values.base.insecure.yaml openwifi .
 ```
 
-In order to acces the UI and other RESTAPI endpoints you should run the following commands after the deployment:
+In order to access the UI and other RESTAPI endpoints you should run the following commands after the deployment:
 
 ```
 $ kubectl port-forward deployment/proxy 5912 5913 16001 16002 16003 16004 16005 16006 16009 &
@@ -167,7 +167,7 @@ The following table lists the configurable parameters that overrides microservic
 | `restapiCerts.services` | array | List of services that require certificates generation |  |
 | `restapiCerts.clusterDomain` | string | Kubernetes cluster domain | `cluster.local` |
 
-If required, further overrides may be passed. They will be merged with default values from this chart and other subcharts with priority to values you'll pass.
+If required, further overrides may be passed. They will be merged with default values from this chart and other sub-charts with priority to values you'll pass.
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
 
@@ -200,7 +200,7 @@ By setting `clusterinfo.enabled` to `true` you may enable job on post-install/po
 1. Change default security credentials from credentials set in OWSEC configuration file (see 'Required password changing on the first startup' block above)
 2. Check if all services started responding correctly after the deployment using systeminfo REST API method
 
-In order to do that, you need to additionaly set multiple parameters:
+In order to do that, you need to additionally set multiple parameters:
 
 1. clusterinfo.public_env_variables.OWSEC - OWSEC endpoint to use for CLI tools
 2. clusterinfo.secret_env_variables.OWSEC_DEFAULT_USERNAME - username used for CLI requests (see OWSEC configuration file for details)
@@ -221,17 +221,17 @@ You may see example values to enable this feature in [values.enable-owls.yaml](.
 
 In order to use single point of entry for all services (may be used for one cloud Load Balancer per installation) HAproxy is installed by default with other services. HAproxy is working in TCP proxy mode, so every TLS certificate is managed by services themself, while it is possible to pass requests from cloud load balancer to services using same ports (configuration of cloud load balancer may vary from cloud provider to provider).
 
-By default this option is enabled, but you may disable it and make per-service LoadBalancer using values in [values.disable-haproxy.yaml](./feature-values/values.disable-haproxy.yaml).
+By default, this option is enabled, but you may disable it and make per-service LoadBalancer using values in [values.disable-haproxy.yaml](./feature-values/values.disable-haproxy.yaml).
 
 ### OWGW unsafe sysctls
 
-By default Linux is using quite adeqate sysctl values for TCP keepalive, but OWGW may keep disconnected APs in stuck state preventing it from connecting back. This may be changed by setting some sysctls to lower values:
+By default, Linux is using quite adequate sysctl values for TCP keepalive, but OWGW may keep disconnected APs in stuck state preventing it from connecting back. This may be changed by setting some sysctls to lower values:
 
 - net.ipv4.tcp_keepalive_intvl
 - net.ipv4.tcp_keepalive_probes - 2
 - net.ipv4.tcp_keepalive_time - 45
 
-However this change is [not considered safe by Kubernetes](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#enabling-unsafe-sysctls) and it requires to pass additional argument to your Kubelets services in your Kubernetes cluster:
+However, this change is [not considered safe by Kubernetes](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#enabling-unsafe-sysctls), and it requires to pass additional argument to your Kubelets services in your Kubernetes cluster:
 
 ```
 --allowed-unsafe-sysctls net.ipv4.tcp_keepalive_intvl,net.ipv4.tcp_keepalive_probes,net.ipv4.tcp_keepalive_time
@@ -258,16 +258,16 @@ You may see example values to enable this feature in [values.restapi-disable-tls
 
 ### PostgreSQL storage option for services
 
-By default all microservices except RRM service use SQLite as default storage driver, but it is possible to use PostgreSQL for that purpose. Both [cluster-per-microservice](environment-values/values.openwifi-qa.external-db.yaml) and [cluster per installation](environment-values/values.openwifi-qa.single-external-db.yaml) deployments method may be used.
+By default, all microservices except RRM service use SQLite as default storage driver, but it is possible to use PostgreSQL for that purpose. Both [cluster-per-microservice](environment-values/values.openwifi-qa.external-db.yaml) and [cluster per installation](environment-values/values.openwifi-qa.single-external-db.yaml) deployments method may be used.
 
 ## Environment specific values
 
-This repository contains values files that may be used in the same manner as feature values above to deploy to specific runtime envionemnts (including different cloud deployments).
+This repository contains values files that may be used in the same manner as feature values above to deploy to specific runtime environments (including different cloud deployments).
 
 Some environments are using [external-dns](https://github.com/kubernetes-sigs/external-dns) service to dynamically set DNS records, but you may manage your records manually
 
 ### AWS EKS
 
-EKS based installation assumes that you are using [AWS Load Balancer controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) so that all required ALBs and NLBs are created automatically. Also it is assumed that you have Route53 managed DNS zone and you've issued wildcard certificate for one of your zones that may be used by Load Balancers.
+EKS based installation assumes that you are using [AWS Load Balancer controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) so that all required ALBs and NLBs are created automatically. Also, it is assumed that you have Route53 managed DNS zone, and you've issued wildcard certificate for one of your zones that may be used by Load Balancers.
 
 You may see example values for this environment in [values.aws.yaml](./environment-values/values.aws.yaml).

chart/docker/change_credentials

@@ -61,7 +61,7 @@ then
         echo "Logged in with new credentials:"
     fi
 else
-    echo "Credentials check failed with unexpected ErrorCode, please review the responce body:"
+    echo "Credentials check failed with unexpected ErrorCode, please review the response body:"
     jq < ${result_file}
     exit 2
 fi

chart/environment-values/.gitignore

@@ -0,0 +1,3 @@
+_values.custom-*.yaml
+certs/
+env_*

chart/environment-values/cleanup.sh

@@ -1,5 +1,15 @@
 #!/bin/bash
 [ -z "$NAMESPACE" ] && echo "No NAMESPACE set" && exit 1
-helm -n openwifi-$NAMESPACE delete tip-openwifi
-sleep 30
-kubectl delete ns openwifi-$NAMESPACE
+ns="openwifi-$NAMESPACE"
+echo "Cleaning up namespace $ns in 10 seconds..."
+sleep 10
+echo "- delete tip-openwifi helm release in $ns"
+helm -n "$ns" delete tip-openwifi
+if [[ "$1" == "full" ]] ; then
+    echo "- delete $ns namespace in 30 seconds..."
+    sleep 30
+    echo "- delete $ns namespace"
+    kubectl delete ns "$ns"
+fi
+echo "- cleaned up $ns namespace"
+exit 0

chart/environment-values/deploy.sh

@@ -2,48 +2,47 @@
 set -e
 
 # Usage function
-usage () {
-  echo >&2;
-  echo "This script is indended for OpenWIFI Cloud SDK deployment to TIP QA/Dev environments using assembly Helm chart (https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/chart) with configuration through environment variables" >&2;
-  echo >&2;
-  echo "Required environment variables:" >&2;
-  echo >&2;
-  echo "- NAMESPACE - namespace suffix that will used added for the Kubernetes environment (i.e. if you pass 'test', kubernetes namespace will be named 'ucentral-test')" >&2;
-  echo "- DEPLOY_METHOD - deployment method for the chart deployment (supported methods - 'git' (will use helm-git from assembly chart) and 'bundle' (will use chart stored in the Artifactory0" >&2;
-  echo "- CHART_VERSION - version of chart to be deployed from assembly chart (for 'git' method git ref may be passed, for 'bundle' method version of chart may be passed)" >&2;
-  echo >&2;
-  echo "- VALUES_FILE_LOCATION - path to file with override values that may be used for deployment" >&2;
-  echo "- DOMAIN - Domain name. default: cicd.lab.wlan.tip.build" >&2;
-  echo "- OWGW_AUTH_USERNAME - username to be used for requests to OpenWIFI Security" >&2;
-  echo "- OWGW_AUTH_PASSWORD - hashed password for OpenWIFI Security (details on this may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/#authenticationdefaultpassword)" >&2;
-  echo "- OWFMS_S3_SECRET - secret key that is used for OpenWIFI Firmware access to firmwares S3 bucket" >&2;
-  echo "- OWFMS_S3_KEY - access key that is used for OpenWIFI Firmware access to firmwares S3 bucket" >&2;
-  echo "- OWSEC_NEW_PASSWORD - password that should be set to default user instead of default password from properties" >&2;
-  echo "- CERT_LOCATION - path to certificate in PEM format that will be used for securing all endpoint in all services" >&2;
-  echo "- KEY_LOCATION - path to private key in PEM format that will be used for securing all endpoint in all services" >&2;
-  echo >&2;
-  echo "Following environmnet variables may be passed, but will be ignored if CHART_VERSION is set to release (i.e. v2.4.0):" >&2;
-  echo >&2;
-  echo "- OWGW_VERSION - OpenWIFI Gateway version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWGWUI_VERSION - OpenWIFI Web UI version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWSEC_VERSION - OpenWIFI Security version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWFMS_VERSION - OpenWIFI Firmware version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWPROV_VERSION - OpenWIFI Provisioning version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWPROVUI_VERSION - OpenWIFI Provisioning Web UI version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWANALYTICS_VERSION - OpenWIFI Analytics version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWSUB_VERSION - OpenWIFI Subscription (Userportal) version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWRRM_VERSION - OpenWIFI radio resource management service (RRM) version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo >&2;
-  echo "Optional environment variables:" >&2;
-  echo >&2;
-  echo "- EXTRA_VALUES - extra values that should be passed to Helm deployment separated by comma (,)" >&2;
-  echo "- DEVICE_CERT_LOCATION - path to certificate in PEM format that will be used for load simulator" >&2;
-  echo "- DEVICE_KEY_LOCATION - path to private key in PEM format that will be used for load simulator" >&2;
-  echo "- USE_SEPARATE_OWGW_LB - flag that should change split external DNS for OWGW and other services" >&2;
-  echo "- INTERNAL_RESTAPI_ENDPOINT_SCHEMA - what schema to use for internal RESTAPI endpoints (https by default)" >&2;
-  echo "- IPTOCOUNTRY_IPINFO_TOKEN - token that should be set for IPInfo support (owgw/owprov iptocountry.ipinfo.token properties), ommited if not passed" >&2;
-  echo "- MAILER_USERNAME - SMTP username used for OWSEC mailer" >&2;
-  echo "- MAILER_PASSWORD - SMTP password used for OWSEC mailer (only if both MAILER_PASSWORD and MAILER_USERNAME are set, mailer will be enabled)" >&2;
+function usage()
+{
+    cat <<-EOF >&2
+
+This script is indended for OpenWIFI Cloud SDK deployment to TIP QA/Dev environments using assembly Helm chart (https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/chart) with configuration through environment variables
+
+Required environment variables:
+- NAMESPACE - namespace suffix that will used added for the Kubernetes environment (i.e. if you pass 'test', kubernetes namespace will be named 'ucentral-test')
+- DEPLOY_METHOD - deployment method for the chart deployment (supported methods - 'git' (will use helm-git from assembly chart), 'bundle' (will use chart stored in the Artifactory) or local
+- CHART_VERSION - version of chart to be deployed from assembly chart (for 'git' method git ref may be passed, for 'bundle' method version of chart may be passed)
+- VALUES_FILE_LOCATION - path to file with override values that may be used for deployment
+- DOMAIN - Domain name. default: cicd.lab.wlan.tip.build
+- OWGW_AUTH_USERNAME - username to be used for requests to OpenWIFI Security
+- OWGW_AUTH_PASSWORD - hashed password for OpenWIFI Security (details on this may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/#authenticationdefaultpassword)
+- OWFMS_S3_SECRET - secret key that is used for OpenWIFI Firmware access to firmwares S3 bucket
+- OWFMS_S3_KEY - access key that is used for OpenWIFI Firmware access to firmwares S3 bucket
+- OWSEC_NEW_PASSWORD - password that should be set to default user instead of default password from properties
+- CERT_LOCATION - path to certificate in PEM format that will be used for securing all endpoint in all services
+- KEY_LOCATION - path to private key in PEM format that will be used for securing all endpoint in all services
+
+The following environmnet variables may be passed, but will be ignored if CHART_VERSION is set to release (i.e. v2.4.0):
+- OWGW_VERSION - OpenWIFI Gateway version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWGWUI_VERSION - OpenWIFI Web UI version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWSEC_VERSION - OpenWIFI Security version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWFMS_VERSION - OpenWIFI Firmware version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWPROV_VERSION - OpenWIFI Provisioning version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWPROVUI_VERSION - OpenWIFI Provisioning Web UI version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWANALYTICS_VERSION - OpenWIFI Analytics version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWSUB_VERSION - OpenWIFI Subscription (Userportal) version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWRRM_VERSION - OpenWIFI radio resource management service (RRM) version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+
+Optional environment variables:
+- EXTRA_VALUES - extra values that should be passed to Helm deployment separated by comma (,)
+- DEVICE_CERT_LOCATION - path to certificate in PEM format that will be used for load simulator
+- DEVICE_KEY_LOCATION - path to private key in PEM format that will be used for load simulator
+- USE_SEPARATE_OWGW_LB - flag that should change split external DNS for OWGW and other services
+- INTERNAL_RESTAPI_ENDPOINT_SCHEMA - what schema to use for internal RESTAPI endpoints (https by default)
+- IPTOCOUNTRY_IPINFO_TOKEN - token that should be set for IPInfo support (owgw/owprov iptocountry.ipinfo.token properties), ommited if not passed
+- MAILER_USERNAME - SMTP username used for OWSEC mailer
+- MAILER_PASSWORD - SMTP password used for OWSEC mailer (only if both MAILER_PASSWORD and MAILER_USERNAME are set, mailer will be enabled)
+EOF
 }
 
 # Global variables
@@ -51,32 +50,30 @@ VALUES_FILE_LOCATION_SPLITTED=()
 EXTRA_VALUES_SPLITTED=()
 
 # Helper functions
-check_if_chart_version_is_release() {
-  PARSED_CHART_VERSION=$(echo $CHART_VERSION | grep -xE "v\d+\.\d+\.\d+.*")
-  if [[ -z "$PARSED_CHART_VERSION" ]]; then
-    return 1
-  else
-    return 0
-  fi
+function check_if_chart_version_is_release()
+{
+    [[ "$CHART_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]]
 }
 
 # Check if required environment variables were passed
 ## Deployment specifics
 [ -z ${DEPLOY_METHOD+x} ] && echo "DEPLOY_METHOD is unset" >&2 && usage && exit 1
 [ -z ${CHART_VERSION+x} ] && echo "CHART_VERSION is unset" >&2 && usage && exit 1
-if check_if_chart_version_is_release; then
-  echo "Chart version ($CHART_VERSION) is release version, ignoring services versions"
-else
-  echo "Chart version ($CHART_VERSION) is not release version, checking if services versions are set"
-  [ -z ${OWGW_VERSION+x} ] && echo "OWGW_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWGWUI_VERSION+x} ] && echo "OWGWUI_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWSEC_VERSION+x} ] && echo "OWSEC_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWFMS_VERSION+x} ] && echo "OWFMS_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWPROV_VERSION+x} ] && echo "OWPROV_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWPROVUI_VERSION+x} ] && echo "OWPROVUI_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWANALYTICS_VERSION+x} ] && echo "OWANALYTICS_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWSUB_VERSION+x} ] && echo "OWSUB_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWRRM_VERSION+x} ] && echo "OWRRM_VERSION is unset" >&2 && usage && exit 1
+if [[ "$DEPLOY_METHOD" != "local" ]] ; then
+    if check_if_chart_version_is_release ; then
+        echo "Chart version ($CHART_VERSION) is a release version, ignoring services versions"
+    else
+        echo "Chart version ($CHART_VERSION) is not a release version, checking if services versions are set"
+        [ -z ${OWGW_VERSION+x} ] && echo "OWGW_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWGWUI_VERSION+x} ] && echo "OWGWUI_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWSEC_VERSION+x} ] && echo "OWSEC_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWFMS_VERSION+x} ] && echo "OWFMS_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWPROV_VERSION+x} ] && echo "OWPROV_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWPROVUI_VERSION+x} ] && echo "OWPROVUI_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWANALYTICS_VERSION+x} ] && echo "OWANALYTICS_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWSUB_VERSION+x} ] && echo "OWSUB_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWRRM_VERSION+x} ] && echo "OWRRM_VERSION is unset" >&2 && usage && exit 1
+    fi
 fi
 ## Environment specifics
 [ -z ${NAMESPACE+x} ] && echo "NAMESPACE is unset" >&2 && usage && exit 1
@@ -108,54 +105,55 @@ export OWANALYTICS_VERSION_TAG=$(echo ${OWANALYTICS_VERSION} | tr '/' '-')
 export OWSUB_VERSION_TAG=$(echo ${OWSUB_VERSION} | tr '/' '-')
 export OWRRM_VERSION_TAG=$(echo ${OWRRM_VERSION} | tr '/' '-')
 
-# Debug get bash version
-bash --version >&2
-
 # Check deployment method that's required for this environment
 helm plugin install https://github.com/databus23/helm-diff || true
-if [[ "$DEPLOY_METHOD" == "git" ]]; then
-  helm plugin install https://github.com/aslafy-z/helm-git --version 0.10.0 || true
-  rm -rf wlan-cloud-ucentral-deploy || true
-  git clone https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy.git
-  cd wlan-cloud-ucentral-deploy
-  git checkout $CHART_VERSION
-  cd chart
-  if ! check_if_chart_version_is_release; then
-    sed -i '/wlan-cloud-ucentralgw@/s/ref=.*/ref='${OWGW_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-ucentralgw-ui@/s/ref=.*/ref='${OWGWUI_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-ucentralsec@/s/ref=.*/ref='${OWSEC_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-ucentralfms@/s/ref=.*/ref='${OWFMS_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-owprov@/s/ref=.*/ref='${OWPROV_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-owprov-ui@/s/ref=.*/ref='${OWPROVUI_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-analytics@/s/ref=.*/ref='${OWANALYTICS_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-userportal@/s/ref=.*/ref='${OWSUB_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-rrm@/s/ref=.*/ref='${OWRRM_VERSION}'\"/g' Chart.yaml
-  fi
-  helm repo add bitnami https://charts.bitnami.com/bitnami
-  helm repo update
-  helm dependency update
-  cd ../..
-  export DEPLOY_SOURCE="wlan-cloud-ucentral-deploy/chart"
-elif [[ "$DEPLOY_METHOD" == "bundle" ]]; then
-  helm repo add tip-wlan-cloud-ucentral-helm https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/ || true
-  export DEPLOY_SOURCE="tip-wlan-cloud-ucentral-helm/openwifi --version $CHART_VERSION"
+if [[ "$DEPLOY_METHOD" == "git" ]] ; then
+    helm plugin list | grep "^helm-git" || helm plugin install https://github.com/aslafy-z/helm-git || true
+    rm -rf wlan-cloud-ucentral-deploy || true
+    git clone https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy.git
+    cd wlan-cloud-ucentral-deploy
+    git checkout $CHART_VERSION
+    cd chart
+    if ! check_if_chart_version_is_release ; then
+        sed -i '/wlan-cloud-ucentralgw@/s/ref=.*/ref='${OWGW_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-ucentralgw-ui@/s/ref=.*/ref='${OWGWUI_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-ucentralsec@/s/ref=.*/ref='${OWSEC_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-ucentralfms@/s/ref=.*/ref='${OWFMS_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-owprov@/s/ref=.*/ref='${OWPROV_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-owprov-ui@/s/ref=.*/ref='${OWPROVUI_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-analytics@/s/ref=.*/ref='${OWANALYTICS_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-userportal@/s/ref=.*/ref='${OWSUB_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-rrm@/s/ref=.*/ref='${OWRRM_VERSION}'\"/g' Chart.yaml
+    fi
+    #helm repo add bitnami https://charts.bitnami.com/bitnami && helm repo update
+    [ -z "$SKIP_DEPS" ] && helm dependency update
+    cd ../..
+    export DEPLOY_SOURCE="wlan-cloud-ucentral-deploy/chart"
+elif [[ "$DEPLOY_METHOD" == "bundle" ]] ; then
+    helm repo add tip-wlan-cloud-ucentral-helm https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/ || true
+    export DEPLOY_SOURCE="tip-wlan-cloud-ucentral-helm/openwifi --version $CHART_VERSION"
+elif [[ "$DEPLOY_METHOD" == "local" ]] ; then
+    export DEPLOY_SOURCE=".."
+    pushd ..
+    [ -z "$SKIP_DEPS" ] && helm dependency update
+    popd
 else
-  echo "Deploy method is not correct: $DEPLOY_METHOD. Valid values: git or bundle" >&2
-  exit 1
+    echo "Deploy method is not correct: $DEPLOY_METHOD. Valid values: git, bundle or local" >&2
+    exit 1
 fi
 
 VALUES_FILES_FLAGS=()
 IFS=',' read -ra VALUES_FILE_LOCATION_SPLITTED <<< "$VALUES_FILE_LOCATION"
 for VALUE_FILE in ${VALUES_FILE_LOCATION_SPLITTED[*]}; do
-  VALUES_FILES_FLAGS+=("-f" $VALUE_FILE)
+    VALUES_FILES_FLAGS+=("-f" $VALUE_FILE)
 done
 EXTRA_VALUES_FLAGS=()
 IFS=',' read -ra EXTRA_VALUES_SPLITTED <<< "$EXTRA_VALUES"
 for EXTRA_VALUE in ${EXTRA_VALUES_SPLITTED[*]}; do
-  EXTRA_VALUES_FLAGS+=("--set" $EXTRA_VALUE)
+    EXTRA_VALUES_FLAGS+=("--set" $EXTRA_VALUE)
 done
 
-if [[ "$USE_SEPARATE_OWGW_LB" == "true" ]]; then
+if [[ "$USE_SEPARATE_OWGW_LB" == "true" ]] ; then
   export HAPROXY_SERVICE_DNS_RECORDS="sec-${NAMESPACE}.${DOMAIN},fms-${NAMESPACE}.${DOMAIN},prov-${NAMESPACE}.${DOMAIN},analytics-${NAMESPACE}.${DOMAIN},sub-${NAMESPACE}.${DOMAIN}"
   export OWGW_SERVICE_DNS_RECORDS="gw-${NAMESPACE}.${DOMAIN}"
 else
@@ -163,21 +161,13 @@ else
   export OWGW_SERVICE_DNS_RECORDS=""
 fi
 
-echo "Deploying into openwifi-${NAMESPACE} with the following values files:"
-echo ${VALUES_FILES_FLAGS[*]}
-echo
-envsubst < values.custom.tpl.yaml > values.custom-${NAMESPACE}.yaml
+envsubst < values.custom.tpl.yaml > _values.custom-${NAMESPACE}.yaml
 
-echo "Using configuration:"
-echo "---"
-cat values.custom-${NAMESPACE}.yaml
-echo "---"
-set -x
 helm upgrade --install --create-namespace --wait --timeout 60m \
   --namespace openwifi-${NAMESPACE} \
   ${VALUES_FILES_FLAGS[*]} \
   ${EXTRA_VALUES_FLAGS[*]} \
-  -f values.custom-${NAMESPACE}.yaml \
+  -f _values.custom-${NAMESPACE}.yaml \
   --set-file owgw.certs."restapi-cert\.pem"=$CERT_LOCATION \
   --set-file owgw.certs."restapi-key\.pem"=$KEY_LOCATION \
   --set-file owgw.certs."websocket-cert\.pem"=$CERT_LOCATION \

chart/environment-values/values.aws.yaml

@@ -15,8 +15,8 @@ owgwui:
   ingresses:
     default:
       enabled: true
+      className: alb
       annotations:
-        kubernetes.io/ingress.class: alb
         alb.ingress.kubernetes.io/scheme: internet-facing
         alb.ingress.kubernetes.io/group.name: wlan-cicd
         alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-south-1:289708231103:certificate/2cc8c764-11fd-411d-bf7d-a93f488f3f6c
@@ -65,8 +65,8 @@ owprovui:
   ingresses:
     default:
       enabled: true
+      className: alb
       annotations:
-        kubernetes.io/ingress.class: alb
         alb.ingress.kubernetes.io/scheme: internet-facing
         alb.ingress.kubernetes.io/group.name: wlan-cicd
         alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-south-1:289708231103:certificate/2cc8c764-11fd-411d-bf7d-a93f488f3f6c

chart/environment-values/values.base.insecure.yaml

@@ -77,10 +77,33 @@ owprovui:
     REACT_APP_UCENTRALSEC_URL: http://localhost:16001
 
 kafka:
-  heapOpts: -Xmx512m -Xms512m
+  volumePermissions:
+    enabled: true
+  commonAnnotations:
+    cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
   readinessProbe:
     initialDelaySeconds: 45
   livenessProbe:
     initialDelaySeconds: 60
+  kraft:
+    enabled: true
+  heapOpts: -Xmx1024m -Xms1024m
   zookeeper:
-    heapSize: 256
+    enabled: false
+  controller:
+    replicaCount: 1
+    extraConfig: |-
+      maxMessageBytes = 1048588
+    extraEnvVars:
+      - name: ALLOW_PLAINTEXT_LISTENER
+        value: "yes"
+  listeners:
+    client:
+      protocol: PLAINTEXT
+      containerPort: 9092
+    controller:
+      protocol: "PLAINTEXT"
+  broker:
+    persistence:
+      size: 20Gi
+    replicaCount: 2

chart/environment-values/values.base.secure.yaml

@@ -323,13 +323,43 @@ owprovui:
     REACT_APP_UCENTRALSEC_URL: https://localhost:16001
 
 kafka:
-  heapOpts: -Xmx512m -Xms512m
+  volumePermissions:
+    enabled: true
+  commonAnnotations:
+    cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+  #resources:
+  #  requests:
+  #    cpu: 100m
+  #    memory: 512Mi
+  #  limits:
+  #    cpu: 500m
+  #    memory: 1Gi
   readinessProbe:
     initialDelaySeconds: 45
   livenessProbe:
     initialDelaySeconds: 60
+  kraft:
+    enabled: true
+  heapOpts: -Xmx1024m -Xms1024m
   zookeeper:
-    heapSize: 256
+    enabled: false
+  controller:
+    replicaCount: 1
+    extraConfig: |-
+      maxMessageBytes = 1048588
+    extraEnvVars:
+      - name: ALLOW_PLAINTEXT_LISTENER
+        value: "yes"
+  listeners:
+    client:
+      protocol: PLAINTEXT
+      containerPort: 9092
+    controller:
+      protocol: "PLAINTEXT"
+  broker:
+    persistence:
+      size: 20Gi
+    replicaCount: 2
 
 restapiCerts:
   enabled: true

chart/environment-values/values.openwifi-dev03.yaml

@@ -0,0 +1,22 @@
+owgwui:
+  ingresses:
+    default:
+      annotations:
+        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:289708231103:certificate/299d7444-acc4-46c2-ae83-40d2cd5f49be
+
+owprovui:
+  ingresses:
+    default:
+      annotations:
+        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:289708231103:certificate/299d7444-acc4-46c2-ae83-40d2cd5f49be
+
+owrrm:
+  services:
+    owrrm:
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:289708231103:certificate/299d7444-acc4-46c2-ae83-40d2cd5f49be
+
+haproxy:
+  service:
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:289708231103:certificate/299d7444-acc4-46c2-ae83-40d2cd5f49be

chart/environment-values/values.openwifi-qa.disable-radiusproxy.yaml

@@ -0,0 +1,7 @@
+owgw:
+  configProperties:
+    radius.proxy.enable: "false"
+    radius.proxy.accounting.port: 1813
+    radius.proxy.authentication.port: 1812
+    radius.proxy.coa.port: 3799
+    radsec.keepalive: 120

chart/environment-values/values.openwifi-qa.owls-external.yaml

@@ -12,25 +12,43 @@ owgw:
         service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16002,16003,17002"
 
   configProperties:
-    simulatorid: 53494D020202
-    storage.type: postgresql
-    storage.type.postgresql.host: owgw-pgsql
-    storage.type.postgresql.database: owgw
-    storage.type.postgresql.username: owgw
-    storage.type.postgresql.password: owgw
-    openwifi.certificates.allowmismatch: "true"
+    # done by default for owgw now:
+    #simulatorid: 53494D020202
+    # on a host with more CPUs you may need to bump this up from default of 64
+    storage.type.postgresql.maxsessions: 120
+    # this actually disables websocket logging:
+    logging.websocket: true
+    # consider lowering the # of days to keep archives in the database
+    #archiver.db.0.name = healthchecks
+    #archiver.db.0.keep = 1
+    #archiver.db.1.name = statistics
+    #archiver.db.1.keep = 1
+    #archiver.db.2.name = devicelogs
+    #archiver.db.2.keep = 1
+    #archiver.db.3.name = commandlist
+    #archiver.db.3.keep = 1
 
   resources:
     requests:
       cpu: 2000m
-      memory: 3000Mi
+      memory: 3Gi
     limits:
       cpu: 2000m
-      memory: 3000Mi
+      memory: 5Gi
 
-  postgresql:
-    enabled: true
-    fullnameOverride: owgw-pgsql
-    postgresqlDatabase: owgw
-    postgresqlUsername: owgw
-    postgresqlPassword: owgw
+# Postgres tuning for larger # of APs
+#postgresql:
+#  primary:
+#    resourcesPreset: large
+#    persistence:
+#      size: 120Gi
+
+owprov:
+  # consider providing more memory to owprov
+  resources:
+    requests:
+      cpu: 10m
+      memory: 20Mi
+    limits:
+      cpu: 100m
+      memory: 4Gi

chart/environment-values/values.openwifi-qa.single-external-db.yaml

@@ -1,7 +1,8 @@
 owgw:
   configProperties:
+    simulatorid: 53494D020202
     storage.type: postgresql
-    storage.type.postgresql.host: pgsql-pgpool
+    storage.type.postgresql.host: pgsql
     storage.type.postgresql.database: owgw
     storage.type.postgresql.username: owgw
     storage.type.postgresql.password: owgw
@@ -9,7 +10,7 @@ owgw:
 owsec:
   configProperties:
     storage.type: postgresql
-    storage.type.postgresql.host: pgsql-pgpool
+    storage.type.postgresql.host: pgsql
     storage.type.postgresql.database: owsec
     storage.type.postgresql.username: owsec
     storage.type.postgresql.password: owsec
@@ -17,7 +18,7 @@ owsec:
 owfms:
   configProperties:
     storage.type: postgresql
-    storage.type.postgresql.host: pgsql-pgpool
+    storage.type.postgresql.host: pgsql
     storage.type.postgresql.database: owfms
     storage.type.postgresql.username: owfms
     storage.type.postgresql.password: owfms
@@ -25,7 +26,7 @@ owfms:
 owprov:
   configProperties:
     storage.type: postgresql
-    storage.type.postgresql.host: pgsql-pgpool
+    storage.type.postgresql.host: pgsql
     storage.type.postgresql.database: owprov
     storage.type.postgresql.username: owprov
     storage.type.postgresql.password: owprov
@@ -33,7 +34,7 @@ owprov:
 owanalytics:
   configProperties:
     storage.type: postgresql
-    storage.type.postgresql.host: pgsql-pgpool
+    storage.type.postgresql.host: pgsql
     storage.type.postgresql.database: owanalytics
     storage.type.postgresql.username: owanalytics
     storage.type.postgresql.password: owanalytics
@@ -41,21 +42,43 @@ owanalytics:
 owsub:
   configProperties:
     storage.type: postgresql
-    storage.type.postgresql.host: pgsql-pgpool
+    storage.type.postgresql.host: pgsql
     storage.type.postgresql.database: owsub
     storage.type.postgresql.username: owsub
     storage.type.postgresql.password: owsub
 
-postgresql-ha:
+postgresql:
   enabled: true
   initDbScriptSecret:
     enabled: true
+    initdbScriptsSecret: tip-openwifi-initdb-scripts
+  volumePermissions:
+    enabled: true
+  global:
+    postgresql:
+      auth:
+        postgresPassword: postgres
+  auth:
+    postgresPassword: postgres
+  primary:
+    # Consider using this resource model for small installations
+    #resourcesPreset: medium
+    extendedConfiguration: |-
+      max_connections = 550
+      shared_buffers = 128MB
+    initdb:
+      scriptsSecret: tip-openwifi-initdb-scripts
+    # Consider using this disk size for small installations
+    #persistence:
+    #  size: 30Gi
+
+postgresql-ha:
+  enabled: false
+  initDbScriptSecret:
+    enabled: false
+    initdbScriptsSecret: tip-openwifi-initdb-scripts
   pgpool:
     adminPassword: admin
-#    configuration:
-#      childLifeTime: 0
-#      maxPool: 8
-#      numInitChildren : 48
     resources:
       requests:
         cpu: 250m
@@ -65,13 +88,12 @@ postgresql-ha:
         memory: 1024Mi
     initdbScriptsSecret: tip-openwifi-initdb-scripts
   postgresql:
-    replicaCount: 1 # TODO change after tests
-    password: password
+    replicaCount: 1
+    password: postgres
     postgresPassword: postgres
     repmgrPassword: repmgr
-#    configuration:
-#      maxConnections: 475
-#      sharedBuffers: 256MB
+    maxConnections: 1000
+
     resources:
       requests:
         cpu: 250m

chart/environment-values/values.openwifi-qa.yaml

@@ -357,7 +357,6 @@ owgwui:
     default:
       enabled: true
       annotations:
-        kubernetes.io/ingress.class: alb
         alb.ingress.kubernetes.io/scheme: internet-facing
         alb.ingress.kubernetes.io/group.name: wlan-cicd
         alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-south-1:289708231103:certificate/2cc8c764-11fd-411d-bf7d-a93f488f3f6c
@@ -565,7 +564,6 @@ owprovui:
     default:
       enabled: true
       annotations:
-        kubernetes.io/ingress.class: alb
         alb.ingress.kubernetes.io/scheme: internet-facing
         alb.ingress.kubernetes.io/group.name: wlan-cicd
         alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-south-1:289708231103:certificate/2cc8c764-11fd-411d-bf7d-a93f488f3f6c
@@ -813,31 +811,50 @@ owrrm:
         memory: 512Mi
 
 kafka:
+  volumePermissions:
+    enabled: true
   commonAnnotations:
     cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
-  heapOpts: -Xmx512m -Xms512m
-  resources:
-    requests:
-      cpu: 100m
-      memory: 512Mi
-    limits:
-      cpu: 500m
-      memory: 1Gi
   readinessProbe:
     initialDelaySeconds: 45
   livenessProbe:
     initialDelaySeconds: 60
+  heapOpts: -Xmx1024m -Xms1024m
+  kraft:
+    enabled: true
   zookeeper:
-    commonAnnotations:
-      cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
-    heapSize: 256
+    enabled: false
+  controller:
+    replicaCount: 1
+    extraConfig: |-
+      maxMessageBytes = 1048588
+    extraEnvVars:
+      - name: ALLOW_PLAINTEXT_LISTENER
+        value: "yes"
     resources:
       requests:
-        cpu: 100m
-        memory: 256Mi
+        cpu: 500m
+        memory: 512Mi
       limits:
-        cpu: 200m
-        memory: 384Mi
+        cpu: 750m
+        memory: 2Gi
+  listeners:
+    client:
+      protocol: PLAINTEXT
+      containerPort: 9092
+    controller:
+      protocol: "PLAINTEXT"
+  broker:
+    persistence:
+      size: 20Gi
+    replicaCount: 2
+    resources:
+      requests:
+        cpu: 500m
+        memory: 512Mi
+      limits:
+        cpu: 750m
+        memory: 2Gi
 
 clustersysteminfo:
   enabled: true
@@ -846,11 +863,11 @@ clustersysteminfo:
 haproxy:
   resources:
     requests:
-      cpu: 10m
-      memory: 20Mi
+      cpu: 50m
+      memory: 50Mi
     limits:
-      cpu: 10m
-      memory: 20Mi
+      cpu: 50m
+      memory: 50Mi
   service:
     annotations:
       service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl

chart/environment-values/values.openwifi-qa03.yaml

@@ -0,0 +1,29 @@
+
+owgw:
+  services:
+    owgw:
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:289708231103:certificate/299d7444-acc4-46c2-ae83-40d2cd5f49be
+
+owgwui:
+  ingresses:
+    default:
+      annotations:
+        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:289708231103:certificate/299d7444-acc4-46c2-ae83-40d2cd5f49be
+
+owprovui:
+  ingresses:
+    default:
+      annotations:
+        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:289708231103:certificate/299d7444-acc4-46c2-ae83-40d2cd5f49be
+
+owrrm:
+  services:
+    owrrm:
+      annotations:
+        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:289708231103:certificate/299d7444-acc4-46c2-ae83-40d2cd5f49be
+
+haproxy:
+  service:
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:289708231103:certificate/299d7444-acc4-46c2-ae83-40d2cd5f49be

chart/templates/_initdb_sql.tpl

@@ -0,0 +1,13 @@
+{{- define "openwifi.user_creation_script_sql" -}}
+{{- $root := . -}}
+{{- $postgresqlBase := index .Values "postgresql" }}
+{{- $postgresqlEmulatedRoot := (dict "Values" $postgresqlBase "Chart" (dict "Name" "postgresql") "Release" $.Release) }}
+{{ range index .Values "postgresql" "initDbScriptSecret" "services" }}
+CREATE USER {{ index $root "Values" . "configProperties" "storage.type.postgresql.username" }};
+ALTER USER {{ index $root "Values" . "configProperties" "storage.type.postgresql.username" }} WITH ENCRYPTED PASSWORD '{{ index $root "Values" . "configProperties" "storage.type.postgresql.password" }}';
+CREATE DATABASE {{ index $root "Values" . "configProperties" "storage.type.postgresql.database" }};
+GRANT ALL PRIVILEGES ON DATABASE {{ index $root "Values" . "configProperties" "storage.type.postgresql.database" }} TO {{ index $root "Values" . "configProperties" "storage.type.postgresql.username" }};
+ALTER DATABASE {{ index $root "Values" . "configProperties" "storage.type.postgresql.database" }} OWNER TO {{ index $root "Values" . "configProperties" "storage.type.postgresql.username" }};
+{{ end }}
+{{- end -}}
+

chart/templates/secret-pgpool-initdb.yaml

@@ -1,16 +0,0 @@
-{{- $root := . -}}
-{{- if index .Values "postgresql-ha" "initDbScriptSecret" "enabled" }}
----
-apiVersion: v1
-metadata:
-  labels:
-    app.kuberentes.io/name: {{ include "openwifi.name" . }}
-    helm.sh/chart: {{ include "openwifi.chart" . }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  name: {{ include "openwifi.fullname" . }}-initdb-scripts
-kind: Secret
-type: Opaque
-data:
-  users_creation.sh: {{ include "openwifi.user_creation_script" . | b64enc | quote }}
-{{- end }}

chart/templates/secret-postgresql-initdb.yaml

@@ -0,0 +1,31 @@
+{{- $root := . -}}
+{{- if index .Values "postgresql-ha" "initDbScriptSecret" "enabled" }}
+---
+apiVersion: v1
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ include "openwifi.name" . }}
+    helm.sh/chart: {{ include "openwifi.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  name: {{ include "openwifi.fullname" . }}-initdb-scripts
+kind: Secret
+type: Opaque
+data:
+  users_creation.sh: {{ include "openwifi.user_creation_script" . | b64enc | quote }}
+{{- end }}
+{{- if index .Values "postgresql" "initDbScriptSecret" "enabled" }}
+---
+apiVersion: v1
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ include "openwifi.name" . }}
+    helm.sh/chart: {{ include "openwifi.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  name: {{ include "openwifi.fullname" . }}-initdb-scripts
+kind: Secret
+type: Opaque
+data:
+  initdb.sql: {{ include "openwifi.user_creation_script_sql" . | b64enc | quote }}
+{{- end }}

chart/values.yaml

@@ -1,7 +1,6 @@
 # OpenWIFI Gateway (https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/)
 owgw:
   fullnameOverride: owgw
-
   configProperties:
     openwifi.kafka.enable: "true"
     openwifi.kafka.brokerlist: kafka:9092
@@ -9,7 +8,6 @@ owgw:
 # OpenWIFI Security (https://github.com/Telecominfraproject/wlan-cloud-ucentralsec)
 owsec:
   fullnameOverride: owsec
-
   configProperties:
     openwifi.kafka.enable: "true"
     openwifi.kafka.brokerlist: kafka:9092
@@ -17,7 +15,6 @@ owsec:
 # OpenWIFI Firmware (https://github.com/Telecominfraproject/wlan-cloud-ucentralfms)
 owfms:
   fullnameOverride: owfms
-
   configProperties:
     openwifi.kafka.enable: "true"
     openwifi.kafka.brokerlist: kafka:9092
@@ -25,7 +22,6 @@ owfms:
 # OpenWIFI Provisioning (https://github.com/Telecominfraproject/wlan-cloud-owprov/)
 owprov:
   fullnameOverride: owprov
-
   configProperties:
     openwifi.kafka.enable: "true"
     openwifi.kafka.brokerlist: kafka:9092
@@ -33,7 +29,6 @@ owprov:
 # OpenWIFI Analytics (https://github.com/Telecominfraproject/wlan-cloud-analytics)
 owanalytics:
   fullnameOverride: owanalytics
-
   configProperties:
     openwifi.kafka.enable: "true"
     openwifi.kafka.brokerlist: kafka:9092
@@ -49,7 +44,6 @@ owprovui:
 # OpenWIFI Subscription (https://github.com/Telecominfraproject/wlan-cloud-userportal/)
 owsub:
   fullnameOverride: owsub
-
   configProperties:
     openwifi.kafka.enable: "true"
     openwifi.kafka.brokerlist: kafka:9092
@@ -57,31 +51,18 @@ owsub:
 # OpenWIFI radio resource management (https://github.com/Telecominfraproject/wlan-cloud-rrm/)
 owrrm:
   fullnameOverride: owrrm
-
   mysql:
     enabled: true
 
 # kafka (https://github.com/bitnami/charts/blob/master/bitnami/kafka/)
 kafka:
   enabled: true
-
   fullnameOverride: kafka
 
-  image:
-    registry: docker.io
-    repository: bitnami/kafka
-    tag: 2.8.0-debian-10-r43
-
-  minBrokerId: 100
-
-  zookeeper:
-    fullnameOverride: zookeeper
-
 # clustersysteminfo check
 clustersysteminfo:
   enabled: false
   delay: 0 # number of seconds to delay clustersysteminfo execution
-
   images:
     clustersysteminfo:
       repository: tip-tip-wlan-cloud-ucentral.jfrog.io/clustersysteminfo
@@ -103,23 +84,17 @@ clustersysteminfo:
     # limits:
     #  cpu: 100m
     #  memory: 128Mi
-
   nodeSelector: {}
-
   tolerations: []
-
   affinity: {}
-
   public_env_variables:
     FLAGS: "-s --connect-timeout 3"
     OWSEC: owsec-owsec:16001
     CHECK_RETRIES: 30
-
   secret_env_variables:
     OWSEC_DEFAULT_USERNAME: tip@ucentral.com
     OWSEC_DEFAULT_PASSWORD: openwifi
     #OWSEC_NEW_PASSWORD: "" # Set this value in order for the check to work. Password must comply https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/#authenticationvalidationexpression
-
   activeDeadlineSeconds: 2400
   backoffLimit: 5
   restartPolicy: OnFailure
@@ -127,9 +102,7 @@ clustersysteminfo:
 # OpenWIFI Load Simulator (https://github.com/Telecominfraproject/wlan-cloud-owls)
 owls:
   enabled: false
-
   fullnameOverride: owls
-
   configProperties:
     openwifi.kafka.enable: "true"
     openwifi.kafka.brokerlist: kafka:9092
@@ -137,17 +110,13 @@ owls:
 # OpenWIFI Load Simulator UI (https://github.com/Telecominfraproject/wlan-cloud-owls-ui)
 owlsui:
   enabled: false
-
   fullnameOverride: owlsui
 
 # HAproxy (https://github.com/bitnami/charts/tree/master/bitnami/haproxy)
 haproxy:
   enabled: true
-
   fullnameOverride: proxy
-
-  replicaCount: 3
-
+  replicaCount: 1
   service:
     type: LoadBalancer
     ports:
@@ -428,7 +397,6 @@ haproxy:
 # Cert-manager RESTAPI certs
 restapiCerts:
   enabled: false
-
   services:
     - owgw-owgw
     - owsec-owsec
@@ -438,9 +406,22 @@ restapiCerts:
     - owanalytics-owanalytics
     - owsub-owsub
     - owrrm-owrrm
-
   clusterDomain: cluster.local
 
+postgresql:
+  enabled: false
+  nameOverride: pgsql
+  fullnameOverride: pgsql
+  initDbScriptSecret:
+    enabled: false
+    services:
+      - owgw
+      - owsec
+      - owfms
+      - owprov
+      - owanalytics
+      - owsub
+
 postgresql-ha:
   enabled: false
   nameOverride: pgsql

docker-compose/.env

@@ -8,7 +8,7 @@ OWPROV_TAG=main
 OWPROVUI_TAG=main
 OWANALYTICS_TAG=main
 OWSUB_TAG=main
-KAFKA_TAG=latest
+KAFKA_TAG=2.8.0-debian-10-r43
 ZOOKEEPER_TAG=3.8
 POSTGRESQL_TAG=15.0
 MYSQL_TAG=latest

docker-compose/.env.letsencrypt

@@ -9,7 +9,7 @@ OWPROVUI_TAG=main
 OWANALYTICS_TAG=main
 OWSUB_TAG=main
 OWRRM_TAG=main
-KAFKA_TAG=latest
+KAFKA_TAG=2.8.0-debian-10-r43
 ZOOKEEPER_TAG=3.8
 ACMESH_TAG=latest
 TRAEFIK_TAG=latest

docker-compose/.env.selfsigned

@@ -9,7 +9,7 @@ OWPROVUI_TAG=main
 OWANALYTICS_TAG=main
 OWSUB_TAG=main
 OWRRM_TAG=main
-KAFKA_TAG=latest
+KAFKA_TAG=2.8.0-debian-10-r43
 ZOOKEEPER_TAG=3.8
 ACMESH_TAG=latest
 TRAEFIK_TAG=latest

docker-compose/owls/.env

@@ -3,7 +3,7 @@ COMPOSE_PROJECT_NAME=owls
 OWSEC_TAG=main
 OWLS_TAG=main
 OWLSUI_TAG=master
-KAFKA_TAG=latest
+KAFKA_TAG=2.8.0-debian-10-r43
 ZOOKEEPER_TAG=latest
 
 # Microservice root/config directories