Chg: update image tag in helm values to v4.2.0

Slight adjustment for os-shell image for older kafka helm chart

.github/workflows/ci.yml

@@ -44,7 +44,7 @@ jobs:
         echo "tag=$(git tag | grep -v RC | tail -2 | head -1)" >> $GITHUB_OUTPUT
 
   trigger-docker-compose-testing:
-    if: startsWith(github.ref, 'refs/pull/')
+    if: startsWith(github.ref, 'DISABLEDrefs/pull/')
     runs-on: ubuntu-latest
     needs: envs
     steps:
@@ -67,7 +67,7 @@ jobs:
         inputs: '{"deployment_version": "${{ env.PR_BRANCH }}", "microservice": "all"}'
 
   trigger-k8s-testing:
-    if: startsWith(github.ref, 'refs/pull/')
+    if: startsWith(github.ref, 'DISABLEDrefs/pull/')
     runs-on: ubuntu-latest
     needs: envs
     steps:
@@ -90,7 +90,7 @@ jobs:
         inputs: '{"deployment_version": "${{ env.PR_BRANCH }}", "microservice": "all"}'
 
   trigger-docker-compose-upgrade-testing:
-    if: startsWith(github.ref, 'refs/tags/v')
+    if: startsWith(github.ref, 'DISABLEDrefs/tags/v')
     runs-on: ubuntu-latest
     needs: envs
     steps:

.github/workflows/clustersysteminfo_image_ci.yml

@@ -17,7 +17,7 @@ defaults:
 
 jobs:
   docker:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     env:
       DOCKER_REGISTRY_URL: tip-tip-wlan-cloud-ucentral.jfrog.io
       DOCKER_REGISTRY_USERNAME: ucentral

.gitignore

@@ -2,6 +2,6 @@
 chart/charts/*
 chart/Chart.lock
 chart/environment-values/wlan-cloud-ucentral-deploy/
-/docker-compose/certs/
-/docker-compose/*_data
-/docker-compose/owls/*_data
+docker-compose/certs/websocket*pem
+docker-compose/*_data
+docker-compose/owls/*_data

README.PKI2.0.md

@@ -0,0 +1,60 @@
+# PKI 2.0 Upgrade
+
+## Checklist when upgrading or installing a new OpenWiFi Cloud SDK
+For PKI 2.0 support we will need to:
+- [ ] Upgrade to the latest version of the OpenWiFi Cloud SDK.
+- [ ] Switch to using the Insta certificates for the server certificate when all APs are updated to 4.1.0+.
+
+### Upgrade OpenWiFi Cloud SDK
+The latest version of the OpenWiFi Cloud SDK is available at https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main. This is also the location for this README.PKI2.0.md file.
+
+### Docker Compose
+The file `docker-compose/certs/clientcas.pem` already contains the Insta Chain certificates (along with the previous Digicert ones.)
+
+**Do this only once all APs have been upgraded to support PKI2.0**:
+Once you receive your server certificate package from Insta, please update the `websocket-cert.pem` and `websocket-key.pem` files in the same directory.
+Restart the SDK by running the appropriate `docker-compose` command: `./dco stop && ./dco start`.
+
+Once the switch-over to Insta is complete, TIP will update the `docker-compose/certs/cert.pem` and `key.pem` files to contain the Insta versions of the `*.wlan.local` certificate. This is only a concern if you are using *wlan.local* has your host name. The Digicert chain certificates will also be removed at this time.
+
+## Advanced
+
+## Checklist when updating an existing deployment (4.0.0+)
+If you have a recent 4.0.0 based deployment already running.
+- [ ] Switch to using the Insta chain certificates.
+- [ ] Update 2 SDK components.
+- [ ] Switch to using the Insta certificates for the server certificate when all APs are updated to 4.1.0+.
+
+### Switch to using the Insta chain certificates
+
+#### Docker Compose
+The file `docker-compose/certs/clientcas.pem` contains the Insta Chain certificates (along with the previous Digicert ones.) This file needs to be updated locally.
+
+#### Kubernetes
+The file `charts/environment-values/values.openwifi-qa.yaml` under `clientcas.pem` already contains the Insta Chain certificates (along with the previous Digicert ones.) Please make sure that this file gets updated in any existing deployments. It should be reflected in the `owgw-certs` secret under `clientcas.pem`.
+
+### Update 2 SDK components
+Make sure the image for OWGW is `tip-tip-wlan-cloud-ucentral.jfrog.io/owgw:master` or a specific tag like `v4.1.0` (when version 4.1.0 is released.)
+Use `tip-tip-wlan-cloud-ucentral.jfrog.io/owgwui:main` for owgwui.
+
+#### Docker Compose
+Change your .env file to set the tags (use the release tag once available `v4.1.0`):
+```bash
+OWGW_TAG=master
+OWGWUI_TAG=main
+```
+Restart the stack by running the appropriate `docker-compose` command: `./dco stop && ./dco start`.
+
+#### Kubernetes
+If you are already running the 'main' version of the SDK, you can delete the owgw and owgw-ui pods and a new version should be retrieved. Otherwise change your deployment to switch to the images specified above, either by editing your deployments directly or upgrading the 2 respective helm charts of owgw to master owgw-ui to main (or *v4.1.0* release tag when available.)
+
+### Switch to using the Insta certificates for the server certificate
+*Do this only once all APs have been upgraded to support PKI2.0!*
+
+#### Docker Compose
+Once you receive your server certificate package from Insta, please update the `websocket-cert.pem` and `websocket-key.pem` secrets in the same location. If you are making a change to the secret then a GW restart is also required (by deleting the owgw pod.)
+
+#### Kubernetes
+Make sure you update the certificate and key referred to as `websocket-cert` and `websocket-key` in the `owgw-certs` secret. This is done by setting the following helm variables:
+- owgw.certs."websocket-cert\\.pem"
+- owgw.certs."websocket-key\\.pem"

cgw/README.md

@@ -22,12 +22,9 @@ certs:
   websocket-cert.pem: 5c0lvd0RRWUpLb1pJa...
   websocket-key.pem: V6WEFqWEhNVFk3RGda...
 ```
-To generate (with the two websocket pem files available):
+To generate this file manually (with the two websocket pem files available):
 ```
-echo "certs:" > values/certs.device.yaml
-kubectl create secret generic certs --dry-run=client -o yaml \
-    --from-file=websocket-key.pem --from-file=websocket-cert.pem \
-    | grep websocket- >> values/certs.device.yaml
+./mkcertconfig websocket-cert.pem websocket-key.pem > values/certs.device.yaml
 ```
 
 ## Installation

cgw/helmfile.yaml

@@ -19,7 +19,9 @@ environments:
           password: 123
     - cgw:
         enabled: true
-        tag: main
+        tag: next
+    - cgw2:
+        enabled: true
   cgw01:
     values:
     - global:
@@ -40,7 +42,9 @@ environments:
           password: openlancgw
     - cgw:
         enabled: true
-        tag: main
+        tag: next
+    - cgw2:
+        enabled: true
 
 ---
 
@@ -59,6 +63,20 @@ releases:
     group: base
     app: kafka
   values:
+    - image:
+        repository: bitnamilegacy/kafka
+    - defaultInitContainers:
+        volumePermissions:
+          image:
+            repository: bitnamilegacy/os-shell
+    - autoDiscovery:
+        volumePermissions:
+          image:
+            repository: bitnamilegacy/kubectl
+    - metrics:
+        jmx:
+          image:
+            repository: bitnamilegacy/jmx-exporter
     - fullnameOverride: kafka
     - volumePermissions:
         enabled: true
@@ -127,6 +145,14 @@ releases:
     group: base
     app: postgres
   values:
+    - image:
+        repository: bitnamilegacy/postgresql
+    - volumePermissions:
+        image:
+          repository: bitnamilegacy/os-shell
+    - metrics:
+        image:
+          repository: bitnamilegacy/postgres-exporter
     - fullnameOverride: pgsql
     # workaround for: postgresql.conf file not detected. Generating it...
     # cp: cannot create regular file '/bitnami/postgresql/conf/postgresql.conf': Permission denied
@@ -169,6 +195,23 @@ releases:
     group: base
     app: redis
   values:
+    - image:
+        repository: bitnamilegacy/redis
+    - sentinel:
+        image:
+          repository: bitnamilegacy/redis-sentinel
+    - metrics:
+        image:
+          repository: bitnamilegacy/redis-exporter
+    - volumePermissions:
+        image:
+          repository: bitnamilegacy/os-shell
+    - kubectl:
+        image:
+          repository: bitnamilegacy/kubectl
+    - sysctl:
+        image:
+          repository: bitnamilegacy/os-shell
     - architecture: standalone
     - auth:
         enabled: false
@@ -192,35 +235,51 @@ releases:
     - values/certs.tip.yaml
     # this one is generated from GH secrets:
     - values/certs.device.yaml
+    - values/cgw.yaml
+    - values/cgw-{{ .Environment.Values.global.name }}-1.yaml
     - images:
         cgw:
           tag: {{ .Environment.Values.cgw.tag }}
     - public_env_variables:
-        CGW_DB_HOST: pgsql
-        CGW_DB_PORT: "5432"
+        CGW_ID: 0
         CGW_DB_USERNAME: "{{ .Environment.Values.postgres.cgwUser.name }}"
-        CGW_KAFKA_HOST: kafka
-        CGW_KAFKA_PORT: "9092"
-        CGW_REDIS_HOST: redis-master
-        CGW_REDIS_PORT: "6379"
-        CGW_ALLOW_CERT_MISMATCH: "yes"
-        # use (#cpus * 2) - 2
-        DEFAULT_WSS_THREAD_NUM: "4"
-        # Useful for debugging:
-        #CGW_LOG_LEVEL: "debug"
-        #RUST_BACKTRACE: "full"
+        CGW_GRPC_PUBLIC_HOST: cgw-cgw
+        CGW_GRPC_PUBLIC_PORT: 50051
     - secret_env_variables:
         CGW_DB_PASSWORD: "{{ .Environment.Values.postgres.cgwUser.password }}"
     - services:
         cgw:
-          type: LoadBalancer
           annotations:
             external-dns.alpha.kubernetes.io/hostname: cgw-{{ .Environment.Values.global.name }}.{{ .Environment.Values.global.domain }}
-            #service.beta.kubernetes.io/aws-load-balancer-type: nlb-ip
-            service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
-            service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
             service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Environment.Values.global.certificateARN }}
-            service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "15003"
-            service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true
-            service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16002"
-            alb.ingress.kubernetes.io/healthcheck-path: /health
+
+- name: cgw2
+  namespace: {{ .Environment.Values.global.namespace }}
+  chart: ../../openlan-cgw/helm
+  #chart: "git+https://github.com/Telecominfraproject/openlan-cgw@helm?ref=main"
+  version: 0.1.0
+  condition: cgw2.enabled
+  labels:
+    group: apps
+    app: cgw2
+  values:
+    - values/certs.tip.yaml
+    # this one is generated from GH secrets:
+    - values/certs.device.yaml
+    - values/cgw.yaml
+    - values/cgw-{{ .Environment.Values.global.name }}-2.yaml
+    - images:
+        cgw:
+          tag: {{ .Environment.Values.cgw.tag }}
+    - public_env_variables:
+        CGW_ID: 1
+        CGW_DB_USERNAME: "{{ .Environment.Values.postgres.cgwUser.name }}"
+        CGW_GRPC_PUBLIC_HOST: cgw2-cgw2
+        CGW_GRPC_PUBLIC_PORT: 50051
+    - secret_env_variables:
+        CGW_DB_PASSWORD: "{{ .Environment.Values.postgres.cgwUser.password }}"
+    - services:
+        cgw:
+          annotations:
+            external-dns.alpha.kubernetes.io/hostname: cgw2-{{ .Environment.Values.global.name }}.{{ .Environment.Values.global.domain }}
+            service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Environment.Values.global.certificateARN }}

cgw/values/cgw-cgw01-1.yaml

@@ -0,0 +1 @@
+# set the node affinity and tolerations here

cgw/values/cgw-cgw01-2.yaml

@@ -0,0 +1 @@
+# set the node affinity and tolerations here

cgw/values/cgw-devcgw-1.yaml

@@ -0,0 +1,16 @@
+# set the node affinity and tolerations here
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: alpha.eksctl.io/nodegroup-name
+          operator: In
+          values:
+          - gwm5lrg
+
+tolerations:
+- effect: NoSchedule
+  key: type
+  operator: Equal
+  value: onlygwm5lrg

cgw/values/cgw-devcgw-2.yaml

@@ -0,0 +1,16 @@
+# set the node affinity and tolerations here
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: alpha.eksctl.io/nodegroup-name
+          operator: In
+          values:
+          - gwmed
+
+tolerations:
+- effect: NoSchedule
+  key: type
+  operator: Equal
+  value: onlygwmed

cgw/values/cgw.yaml

@@ -0,0 +1,24 @@
+public_env_variables:
+  CGW_DB_HOST: pgsql
+  CGW_DB_PORT: "5432"
+  CGW_KAFKA_HOST: kafka
+  CGW_KAFKA_PORT: "9092"
+  CGW_REDIS_HOST: redis-master
+  CGW_REDIS_PORT: "6379"
+  CGW_ALLOW_CERT_MISMATCH: "yes"
+  # use (#cpus * 2) - 2
+  DEFAULT_WSS_THREAD_NUM: "4"
+  # Useful for debugging:
+  #CGW_LOG_LEVEL: "debug"
+  #RUST_BACKTRACE: "full"
+services:
+  cgw:
+    type: LoadBalancer
+    annotations:
+      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
+      service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: metrics
+      service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: /health
+      service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: http
+      service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true
+      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16002"

chart/Chart.yaml

@@ -2,31 +2,31 @@ apiVersion: v2
 name: openwifi
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
-version: 3.2.0-RC3
+version: 4.2.0
 dependencies:
 - name: owgw
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw@helm?ref=v3.2.0-RC3"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw@helm?ref=v4.2.0"
   version: 0.1.0
 - name: owsec
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm?ref=v3.2.0-RC2"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm?ref=v4.1.0"
   version: 0.1.0
 - name: owfms
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralfms@helm?ref=v3.2.0-RC1"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralfms@helm?ref=v3.2.0"
   version: 0.1.0
 - name: owprov
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owprov@helm?ref=v3.2.0-RC2"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owprov@helm?ref=v4.1.0"
   version: 0.1.0
 - name: owanalytics
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-analytics@helm?ref=v3.2.0-RC2"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-analytics@helm?ref=v3.2.0"
   version: 0.1.0
 - name: owgwui
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui@helm?ref=v3.1.0"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui@helm?ref=v4.2.0"
   version: 0.1.0
 - name: owprovui
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owprov-ui@helm?ref=v3.1.0"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owprov-ui@helm?ref=v4.0.0"
   version: 0.1.0
 - name: owsub
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-userportal@helm?ref=v3.2.0-RC1"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-userportal@helm?ref=v3.2.0"
   version: 0.1.0
 - name: owls
   repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owls@helm?ref=main"

chart/README.md

@@ -144,7 +144,7 @@ The following table lists the configurable parameters that overrides microservic
 | `kafka.enabled` | boolean | Enables [kafka](https://github.com/bitnami/charts/blob/master/bitnami/kafka/) deployment | `true` |
 | `kafka.fullnameOverride` | string | Overrides Kafka Kubernetes service name so it could be predictable and set in microservices configs | `'kafka'` |
 | `kafka.image.registry` | string | Kafka Docker image registry | `'docker.io'` |
-| `kafka.image.repository` | string | Kafka Docker image repository | `'bitnami/kafka'` |
+| `kafka.image.repository` | string | Kafka Docker image repository | `'bitnamilegacy/kafka'` |
 | `kafka.image.tag` | string | Kafka Docker image tag | `'2.8.0-debian-10-r43'` |
 | `kafka.minBrokerId` | number | Sets Kafka minimal broker ID (useful for multi-node Kafka installations) | `100` |
 | `clustersysteminfo.enabled` | boolean | Enables post-install check that makes sure that all services are working correctly using systeminfo RESTAPI method | `false` |

chart/environment-values/values.openwifi-qa.yaml

@@ -106,6 +106,235 @@ owgw:
       L+/DtiR5fDVMNdBSGU89UNTi0wHY9+RFuNlIuvZC+x/swF0V9R5mN+ywquTPtDLA
       5IOM7ItsRmen6u3qu+JXros54e4juQ==
       -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      MIIFbzCCA1egAwIBAgICIjUwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUT3Bl
+      bkxBTiBEZW1vIFJvb3QgQ0EwHhcNMjUwMjIxMTUwMDAwWhcNMjYwMjIxMTUwMDAw
+      WjAlMSMwIQYDVQQDExpPcGVuTEFOIERlbW8gQ29udHJvbGxlciBDQTCCAiIwDQYJ
+      KoZIhvcNAQEBBQADggIPADCCAgoCggIBAJauwpN+LAd/VubBpX3O3u/E5CXkmxLZ
+      di/F9zOTimAOPqfWP7K046TfbNj4twPYSzVzjawkenRkEK0yZQ1DOXmzkGWVnsih
+      gR/CA+IUUY1yCnmg6t9Dx9l5K0ZnAox90HO/ybIymcoSfRXhotuhle//eDNmGccd
+      XFsndvGdmxshaV1zN1h2POw7biCBZuypCzwvRitFfcpv3pdIk5xTt2G/yMbHPCNo
+      dUJHYHLWotridJIJ7DdhYoir5q+iSqWIqjKfDBlqCsvO7e+KidcW9ctljWspAHvl
+      B3/yHdJwJz816YTZ7r37I/DsXk9gmjj317gWRkGLMTx9fk6SiMfGW4kfUvClfg1v
+      0aRrDGPEcCagHM6ViqbW2+Tc5K38fySgNZKSTBPPI+59iAHd5RADEJDGankEYvzN
+      Le0sgB90RDjhTMleOpp5agtd2Yk/ZVjHtKfCnq13OLJfcgX76iY1Ko6AmKqiaxiE
+      V2zi9/UFVTIURT8S7JgiwF4ZNIZzHmcr4R4n5O7aSgYUlVjwFp/IEMC3ylTAX8cP
+      d4VW0p1f4D3HK7TRcaaqsERuxNh2KVtR48Au2MPGC/8YRKsz/qzH2GfsfFgjKxfF
+      z/mZYOA7913DvgVbDQoR9/6odGXZH0XDwH1e1w59dqbXBnIv2VVzElgZsPimIr+M
+      UxlZXZHMYtL3AgMBAAGjga4wgaswHwYDVR0jBBgwFoAUPMiDx7JMjfFzgDZHrR/w
+      dqeEFkMwHQYDVR0OBBYEFKqr/2rLqvEtxLDRsPCJ1L8WMr7VMA4GA1UdDwEB/wQE
+      AwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6
+      Ly9kZW1vLmNlcnRpZmljYXRlLmZpL2NybC9PcGVuTEFORGVtb1Jvb3RDQS5jcmww
+      DQYJKoZIhvcNAQELBQADggIBAEyp07YjNm3WsMQo85OUcKp8kA5TJPKPxw0WgXBR
+      5RqfEV8u4b5FPJ1GjvHQqEXNxi0hlNit6oQpMafHrDSsnXR0rSquYeRBZWGig0PU
+      n8XHN8IlwsE8orGs7HkJTkQ/5Os7eGYhKCnMUyehoDHQPCPgsCawp6HnKAkntG6F
+      0AiOrhmh+ng0+9nKl6Vj11OSh9nw54G3HtQqnhWrDw8JRYp6kkzRIPcrlq/AavjW
+      g5aWBcyUSH7PscyIMGW5ICRM/5J1DXMcl/jXQhvSjv1Z6fUCrbpGyUiJ4mjmAOo+
+      M11ln5dedBRyRXEBg+0dKxe6758wWkJF2el44pgNx+xO00eKUY60lWRxkDExa6nh
+      rVRfEyvcCMfoFKBWreTyAcPyEJ0XR8wu+lfkerhYupE+m+YxUxhYywClfPdv/+m9
+      70/gKFR3IyBW+9aYl7xUapyuEYfMFA2iGD73HGqA3QcxCwxB8RFuHuVh7WUyMvJK
+      xd8qUNxVXGFzyY5qUUjt+D/OeDIHKn4uQWKpaSNdkumrTvj6/QhsstF2H0XoQv+v
+      fuI4IdnzoVVkPbf+Cyg7ZkW0Wu+sutyhsuN4eDOsiy8NxPkbRjnDQxUiNAK96Bkx
+      tDpSJgwSP4sPHfNgq6zv/Wu9IaBGIYmNsJBoKpOOITUl7n6DcsEvkcsRMJpuK60b
+      rHa2
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      MIIFIDCCAwigAwIBAgICDnkwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUT3Bl
+      bkxBTiBEZW1vIFJvb3QgQ0EwHhcNMjUwMjIxMTUwMDAwWhcNMjYwMjIxMTUwMDAw
+      WjAfMR0wGwYDVQQDDBRPcGVuTEFOIERlbW8gUm9vdCBDQTCCAiIwDQYJKoZIhvcN
+      AQEBBQADggIPADCCAgoCggIBAMjExylKdJWoJu9mOHPJ6yZFXKe1lE467G65acpS
+      2FKIWnPVFjNCmATMpkMOIFzEFwyFdbQjzOidtiL+73zlE52lOJpXCfOcxDFqDYDJ
+      J8//J1/gQWsBaKpSvgLiHU/0awkQg+yJYZpj8YZa4NkFe+zTjQScSfOsqPPb3rZ7
+      DOQ2BKAhjVShKmVbtNil0iO0zm8vE8DNkktTNMREp2pzb8MbCAgfOkwlrby6T+rV
+      3TvmjThGdFUb5lWDFxWtlF8W0SUII9qj7p5TdGpryeLsO0nZTBtS4HxZNdvmKOHf
+      gcRHmSZIJigB2NzKLNrXF9JBW0WnUSwZJZAG2C1RTx6lADILPueuusyfR/hZ3koK
+      i4PHnSiTwQghzia9K9QjNHq5z9R9ZoCnhBg1VyU4LKmp862L0sIp2vgnOYunEIi9
+      aCYBaDwo+0FuVjZuXyDIatwVuA7TN5IWPHA6XLdOt1mmkeYy1Ldr4XHjdondhtOy
+      eei1UFXmyyLm2+kmRYfTm91TqYmNzRgbRV2NHO50AmsnBknX4Rv3gishGe0+dV5y
+      FcUwZud0z2rSCkuoai5tKrPT+6Y6NqkT9u9HFifIBXnLwEzVUqHRtW6SuWj2DClV
+      QIXIUZtFnhY4GuTuf6DlzgnXO58oDVCZmCW4ULIpbqGeRsvBHR8Sw5JXP/1+TMUY
+      hE8TAgMBAAGjZjBkMB8GA1UdIwQYMBaAFDzIg8eyTI3xc4A2R60f8HanhBZDMB0G
+      A1UdDgQWBBQ8yIPHskyN8XOANketH/B2p4QWQzAOBgNVHQ8BAf8EBAMCAQYwEgYD
+      VR0TAQH/BAgwBgEB/wIBATANBgkqhkiG9w0BAQsFAAOCAgEAkHZ5KR8IOrdfMFy+
+      iOvauvZxfQ84LL6TpB2FQKDjneJUdd7c29UJJFNW/0mp4Gc6jKZab6J8Dx/pNnbH
+      0RqFjGjeRGtJ4Sk0G7gf9zw1S7qut5WJDcisM9l/wXC+zy/KSKKPQmbt0grWOtU7
+      +NNPh1YU76hIrInq/u2sVZyKH8SXQ957fbJk6BX6JTKyNEn05AB6rNSrbOWo8sy2
+      MlcJ7bBsrWYI1t6GcWFh4b36bLu7/dKJWpyFNXXIkKJsgMEDpEQae56+fSSDo0KR
+      NtYB82fNZDIQlGK81rGJWNzAahM+3GD1tgk/3ZVugfaJhcBpoHHKNOGqZAvtirLA
+      IDocno7AzqoeIz974Rh2Olsl2/arApYPyyfi8PMYuFe/d4h+Wie8n+jh5n48lZ2V
+      e4PK+j+QHD6tTZS4f0bGnPL1puMxzQloltuQWgLDeVfEgrc3snLvjOg8aDzWm/es
+      85lP8XcyW54U4t3JmrNUC2C7v+Uafx7cL7eDeunhs+BRhtGV+IUmjub2IrpqZp3z
+      Zqn+LVRdYJIy/qHhjS5+ImckXkFojOmeWhfmEmYSuNP8Oa6cGuXp829qnbxLh9Qz
+      i3TfXV883KLse4kL5Zl7gBA/4hz2hVMyGJ8fY+VvzbaTuOXyvKJ+rGZCTcRSeotB
+      LnIevVMiL7SqOEwN0j4Mfbznfq8=
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      MIIFbjCCA1agAwIBAgICMJ0wDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUT3Bl
+      bkxBTiBEZW1vIFJvb3QgQ0EwHhcNMjUwMjIxMTUwMDAwWhcNMjYwMjIxMTUwMDAw
+      WjAkMSIwIAYDVQQDExlPcGVuTEFOIERlbW8gT3BlcmF0aW5nIENBMIICIjANBgkq
+      hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4Q5dx+CWyaPxOlAGUC462FgnO4umYEqF
+      LQCuK31kgg0tBbbfaq0XApUnjH5IOMI1IGtYgZmm48q1noHaRwk4WFxxvr/dyS51
+      hAEa2GFb2S3pkG7VXAF/XYv33yyfM+1K0tyZPRm9tbBShUIfflGFjnrSwxkNhoOH
+      IIOVXxCHLBD/Aor74JAkEGtkIo30FPx2vQ+fg4rnQsm9aSffgWwWua7T590tnSMG
+      ljDMm++nCQIgONFQC7RQXeL0Ruu14FxB639oJxPmwDQhD/R5zQz/wFBhinjHuzYl
+      i0bmxHevdDQluNUxf2lHwJRy6eC/TzdRFOgDUre9kzu929skgNouM0q0y/Rpz7QU
+      bd5s1i8JnKebAqADqMT8Yz1Hph0oCvOT0Dc2joxmjGh3loolWRKufKTVe431pvdv
+      iV/rAooOSnm5Htmd8ClOADudhrheX886cSd9Z5JKucHhW34Lf1ze7uj1LjxoTh3O
+      eo7XedhjmJYcQavpQlVRLTbbY/LJHegPtqJAIvQkrwtOpe05rShl06MxO9wj0BPJ
+      0PFp/MxJd0ESDV0EM9dxWIWgXwZftowPzfj3ai5OQEazpTr1IMRehsbCn3JEJ77N
+      hCqKPaZmRtKRD9e5cu0YiGfRddr7xaXiwtPGId/ZHsNUASbv7NMDdemRv3TiFwv4
+      z8OKCm8QeisCAwEAAaOBrjCBqzAfBgNVHSMEGDAWgBQ8yIPHskyN8XOANketH/B2
+      p4QWQzAdBgNVHQ4EFgQUe/uhewyjB6GNj5Dbq9s+I5mWexMwDgYDVR0PAQH/BAQD
+      AgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwRQYDVR0fBD4wPDA6oDigNoY0aHR0cDov
+      L2RlbW8uY2VydGlmaWNhdGUuZmkvY3JsL09wZW5MQU5EZW1vUm9vdENBLmNybDAN
+      BgkqhkiG9w0BAQsFAAOCAgEAoj6D9yZIbWEP3MobeV5c3KpNyH4k2Ho2keIE0nT1
+      kc2sb1pfHzcZC7qDX1QWdcuKYUctmVEw5xhIWZhOLOy4QONUSx1E5WOHvGKMPfAt
+      l5pS8C2XjiC+SP/8KvbcpYM+iopsoJx2qDLX927OaqP0J+XSMikqaOhP4LW9Fb+Z
+      aRci9Kfd5WeA76mE3b1/9RSE1xxDNv88R6I2gFiLQeDqvdwaYUdYeCWYjg6mx3GD
+      Fc3vf2j/jj606vnbUDrI8uLfL4SDvCdtlmP6IvJGRAS3e48Eao4/C72uCW4LJBxA
+      G9sP7yvFCZhBo6+xIAbU2rhZeqiJQi7uK4LjPCck4QK6N32qEVyGpksuA3GXlJGC
+      fNDQ7PNA+r4AhCKs1b5xMUJH9O40Oq3vVfH1HhcGt5Pyl0LHFg0ml5PmCpTSPLBP
+      x26EizoF7vQmCdZ7HvPPY/L4DkiY//jhp4yBLWFP5MQm9TLjZ6uEj07S/oFCa3vW
+      dScZDtJ/AuojDMoDPvrSGuDHPBg1NBvs4mICx90DKjEZNHo5l7nMT7/KF8D6v2Rt
+      dRU8vfmPo6R0wbGV6suItRPUG5qpnHL4wc/iK0hRBl4nIgH1SwE4YHlx42FJTJej
+      EGAlrLr3LG0BxQaB3JEx82lGDlxz7Y3pCk2uiaVUnqWY5HglOdxdtAaox3HBgMa9
+      tHk=
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      MIIGBjCCA+6gAwIBAgICAxMwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPT3Bl
+      bkxBTiBSb290IENBMB4XDTI1MDUxNDA4NDcyNVoXDTQ1MDUxNDA5MTcyNVowIzEh
+      MB8GA1UEAwwYT3BlbkxBTiBCaXJ0aCBJc3N1aW5nIENBMIICIjANBgkqhkiG9w0B
+      AQEFAAOCAg8AMIICCgKCAgEAqkekr6rYqlnicopx8WgKhEUctfrMD3J8jC2YshEI
+      hlVFI6lRbA9EFjv1hq0BhXhOY52lwOTOQtIgdn7HNcViSoiKqrVBYRskbhVqIA+7
+      nPhwB/4BYYZnbzCELjROHnMn/drFScNUaUvf+EDh9WmO4vZHD5xstK729RDZE51n
+      vLlFwe5O4ckekPH17r4WojoVSczkXXRhKJXV3GXdrA/epoIUn0poUM6bCjddiEbJ
+      NPknqqkS8Z9a8GYt2IX33kZD3NdHjTQRnMd7g+xroJiQ/faZ9zc0ul6l85sl1G43
+      AqriEI2aOWYhSxY7sDleuy5ggz8UA5lR6/z6ZIR8IfMSJag8aVkvxt51Gx2aDaVu
+      PixyMFoXyhKQPSP+cL3rzSF/767iXqINw4oOb83Jy77Ocwgp2cfW06KI4l4CTymy
+      83wCBEZ6pvLmjCmbz0DIg7V7yGPGjEePNyxYG0sM+aHQEpJnaib2yza9adiXlJ4s
+      M+UEMnLjEu0i8Xy15hvItgo7FYTZgWh89LIhE63HDk6qteV836K2oL9PWtVUEg9v
+      pElapnq+v+8BUsvmY6Nr8eYeAnCPyW2e49a91/vCP8B1Ydbe5ms3mYcGO3Kdx/k5
+      QWLquKnt5ZAeJ2werO/8mUabq8eyt4EH9tZzDKJvV/xbmhluKmamfSg4GHCpOUl1
+      +IcCAwEAAaOCAUswggFHMB8GA1UdIwQYMBaAFJRoW6g4+ThAsHJk/juSPinUhsIm
+      MB0GA1UdDgQWBBRO5RI5Dr0FesZ3+QQ9ugAapLBaeDAOBgNVHQ8BAf8EBAMCAYYw
+      EgYDVR0TAQH/BAgwBgEB/wIBADBHBgNVHR8EQDA+MDygOqA4hjZodHRwOi8vY3Js
+      LmNlcnRpZmljYXRlcy5vcGVuLWxhbi5vcmcvb3BlbmxhbnJvb3RjYS5jcmwwgZcG
+      CCsGAQUFBwEBBIGKMIGHMEQGCCsGAQUFBzAChjhodHRwOi8vY2VydHMuY2VydGlm
+      aWNhdGVzLm9wZW4tbGFuLm9yZy9vcGVubGFucm9vdGNhLmNlcjA/BggrBgEFBQcw
+      AYYzaHR0cDovL29jc3AuY2VydGlmaWNhdGVzLm9wZW4tbGFuLm9yZy9vcGVubGFu
+      cm9vdGNhMA0GCSqGSIb3DQEBCwUAA4ICAQBQq28kQUcK88zs5YzZ3b6Y3t77yrSF
+      lZLWsbNE/KVlvEuTIrtkRMX9PAC4tRjOpV0oxp6NdrqUKJ35gt4EKjw1vbtyXZD0
+      VQwimBv1qapZEuNe5lwNssyySAnXxUIyhCV6QVD4G9vmRPzNVtIwssjffVPjjpZ9
+      LBQdliOG3FBbcCWGuRiUMysVxHxdO2rokoFuO1ye+oURrqe9zeDtE0k9QNzAi36F
+      FhuWYQnn+2QHfTX58cpMb1Aql3yTO/pz5fQRUF/hmfTuuk+dLlkWoem55oRGfMVL
+      coAnW3We251iEawqrR9ZDgcIWlmloZFSNylpZ/iIZOIQdYFqreRo0DiSZG4kPxcW
+      RKQTSJ9F3v2j0BZan2xxaSE1tJ54IJUPUND/O6ITVQLfexVLIggRfeIAsURdhPn9
+      1KUrZu3HoIYX6kcpuhl++BQgOx3qr6RomAVDhXSGRVRQ2B76N0N1ZC+mEEhJUYbb
+      0DlZntDp7q2ZDzn6gFYOnrGhoXe55Yrx8c45wMOBZmz0Q6xzc0jydgZoAG9/20l8
+      6S9G2j+UuMYRBCSzouILsGwTloU7XR3qIuO2WbYcG+UV0o/3lVOkAk5992HPG7DT
+      hZ1qNe72WFHmtKVwfYJTcQG/TucWFvplUE3hMDMqS80tmx9TrXiRdI4R5IrTxfsS
+      znGN0LCQ5YzAAw==
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      MIIGBzCCA++gAwIBAgICBAYwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPT3Bl
+      bkxBTiBSb290IENBMB4XDTI1MDUxNDA4NTQwNVoXDTQ1MDUxNDA5MjQwNVowJDEi
+      MCAGA1UEAwwZT3BlbkxBTiBEZXZpY2UgSXNzdWluZyBDQTCCAiIwDQYJKoZIhvcN
+      AQEBBQADggIPADCCAgoCggIBALrPh3nxxKWaPQbcQeZdihRrGwJNYgdrzz/YAsss
+      EbKXYKAOwb/EJKSv52eUysI59lcvfJrsqn4wyUaXQvgYxJUatCSpmCCKEzftgudS
+      UAlPY8L/4qeqUvxz6CN3qiKivxQ31Z7SJTLgR7OTXxk5ckXHkc8QPB2GPWkU3BzV
+      RbBNKcVxwMK6JaZbB0ZlR6r1ImnLnsDUI0qkgSV8NBO7bJd1yvqfn04yc0/pIo+1
+      9uX/gh7AA0RsZeXw1SO3wCfUO5Cr65X+MW2T3LsbnBPbKOqHnF0YWJGx5RPOWVIS
+      wudAy4zlqdwPInrb4BCMkJUoZlRhhx7vvNmP9HwNwCp8+COjE77caAEAi+0VHamY
+      spu9IgDZCr5FmgHBMu9WiaWpB3RxxbFa6UdVl3sMzRFS6SEHhs6RCAXwQj7KiZLf
+      tb3UCRps5XMlhmjAApyDKsJEXKnd5cSpSYxCQQlOB9BCG6QVc6vQLdu/uq8X6Z+2
+      0EcP7NVyzMDgHdozp4jP+M4Sow6pv7KE4SZaBfpbgM+Ht22sYoBwMouRYbzSAhJS
+      8qBH+IiDqwMRWyox8TuhCsn9WJr9t6l8p3O1pUB0IccraUTVo7XydZWaprtrvMTf
+      RtudowCxea9Iz6md9zlqNZAQu2QNUpH9YQT408N02qukp2uaAGvQjbSfAtnWduTD
+      F6AbAgMBAAGjggFLMIIBRzAfBgNVHSMEGDAWgBSUaFuoOPk4QLByZP47kj4p1IbC
+      JjAdBgNVHQ4EFgQUVRP31JMaQoUd6psw0tjQpKbhmvUwDgYDVR0PAQH/BAQDAgGG
+      MBIGA1UdEwEB/wQIMAYBAf8CAQAwRwYDVR0fBEAwPjA8oDqgOIY2aHR0cDovL2Ny
+      bC5jZXJ0aWZpY2F0ZXMub3Blbi1sYW4ub3JnL29wZW5sYW5yb290Y2EuY3JsMIGX
+      BggrBgEFBQcBAQSBijCBhzBEBggrBgEFBQcwAoY4aHR0cDovL2NlcnRzLmNlcnRp
+      ZmljYXRlcy5vcGVuLWxhbi5vcmcvb3BlbmxhbnJvb3RjYS5jZXIwPwYIKwYBBQUH
+      MAGGM2h0dHA6Ly9vY3NwLmNlcnRpZmljYXRlcy5vcGVuLWxhbi5vcmcvb3Blbmxh
+      bnJvb3RjYTANBgkqhkiG9w0BAQsFAAOCAgEALMFsYRqB8NDMMWZV8NqbjNT5QA3Y
+      O3ODxYOuFC4NjSzUSh3Lh73f5+Ec4slQNFuOQeqhqFJaDAPIxUI5ekKtVjzmt7St
+      crbW1dE47+ZHkPXrWVRwRmlV1qP5TqS5oTH6dvpEpEcSxT/IKGQB1cwQ1C+Qp3dd
+      3rZnylXfL5dimIpKDGHYqiHyltktlv3uMWnQhUwrKjt2GW0TnF7bVJ0OJko7aDL7
+      wdY0TGUH9eLQOoz/a0e9sKSsqOxrq9grN7npbUHOr23CdQBnSjF1Q5dXKvza8kRj
+      +agDJW5h/fyBvZ5I4U6m4jFyUnAKso6Xd0+feejPCH7f6kYY+pT7NKO4dVqaRLrj
+      yDmtXGsMza6C0h8wBgYwg4d7jxTqOx6iJfJLyLGWKT94HeChiWOL2X0HpF+Gn9Uf
+      C7rtLO4QwQzGHdEGyFlw/pBTs6g3wTYVv7ZZfh8DJ9PIedqJmUdwMVE89ThEpu4Z
+      q1bFfqENwDmrj2erS3fweEY3G+w2m8f24tJiLWOW/hBRcR3fm+73C8svmtwVGo5Q
+      2i6yJxQ12Q42oa1sfsohr22J2NxotqbQz0gq1J9QparEJ5qUjMKkO9Rj3s24KW2t
+      E6WIb5d1WpIxownlqOgFE7FftxXmQdJNJ2t4XyUMWhwXbOxfc2RlLek0LtnHPA8N
+      hCFqyfjUtMPqafk=
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      MIIFFTCCAv2gAwIBAgICAxIwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPT3Bl
+      bkxBTiBSb290IENBMCAXDTI1MDUxNDA4NDcxMFoYDzIwNTUwNTE0MDg0NzEwWjAa
+      MRgwFgYDVQQDDA9PcGVuTEFOIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4IC
+      DwAwggIKAoICAQDGibJ04A55kSURTBSKgcBmLnND2I5wws1taKqqU9aaRhB7NtvM
+      Hwh2voH9b1brUiulZaZwTN/9kzd4AnXeKQ+0u5tV7Ofk0fzF2MK47n17TS30Yenq
+      c4NuQEKdpKK/pM3VvOEppR/bqtgyLtDmbDnmFOx+zTj/+smTgouwA+Iier0P4s5O
+      ohYxn/bjOqwQbHbU79VpGBIWv6/kt55AhH7zvsqqKHkrzTxnsRBv3SBIufrjJr9P
+      IhZBLDrqr56P6KgAi0eoutNt2ToiJbE0WfjU7GI1RSiSN5bGj1zXhjNVzQWs1H9Q
+      zRf3c9pl3+haHQZ7FZ1UqiTRewmbNrQ6I9k81au3SttUlb87MyAuDSzatkiq7CjQ
+      8VE1J6te6ZBt2zWpUhHsR/Lg7g3eOw5dL4oZJdK5GgGu/MUajLUXifIqM13Mvg0V
+      TzDhN69VLXLSL0gPcicsQCwJuAza1IC/VqmBGx19fAkyJhOurCXWOgisi0g1+xzP
+      KRphUNwMPUf8vBVOM/Vc6xDIvwVGE3+eWXyhixneFlSpAI03nWWjpwWXihTBoxbf
+      RXO3Y/ilJqrgFN+U4PJcCPA+Wo7ThH0mgX6bOTPcgXMUzT3v3FF6Bx5/PNV3kYrw
+      2yLzribUiS6AGvVGnW4hX2Z6OQvA/aHME8KF+6y6m4pC7FkUjVaRlzWu/wIDAQAB
+      o2MwYTAfBgNVHSMEGDAWgBSUaFuoOPk4QLByZP47kj4p1IbCJjAdBgNVHQ4EFgQU
+      lGhbqDj5OECwcmT+O5I+KdSGwiYwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
+      MAMBAf8wDQYJKoZIhvcNAQELBQADggIBAB+/RUC2X6eVoPsFNMkaXO5Iib/ub0Jo
+      WhODQm8j2Mr5dpGXESSpXjfDcqDOLuJbWWoflXBLdr8BsVCBqOA9YgCX0H8Br7dU
+      WmCScixxLW0he592/424EvdwifxcKHZLjv9CKV5Txhqnm2djc5RY/nTH5MYVrIh/
+      If2TNO5ydDP6+vgy9GQ4en04VK7rz+PW17O8l7k9/lOmYptZmHgSDAPj/cT3PlG+
+      McqaI5rMSHeEHlzH+PvgWjtSeEhF4FwFBXroDl4/yb4l2JB8bqAZ3vsOXSkigFcZ
+      h5MXPe+zuSSW+G8iLr4xoi0CFsP2DaHEyxgqP4B1FtE9nFPo6cvWbwqTVT7QSzqf
+      H+jPJuQvpFXeRF5UFegNZTFT5/uFFPamihakFslEYxeJey1y+OJdLcP6ef87ruSt
+      8amsq56OAETYpnW4JFowlEh0C+QwLGHGGY6WrOgHY/90hJmPgXBdBVg/IoOhzbvk
+      5A+LqZDvxV2/rLNfClw8Kr3g5e8obcB6dWgMCy2z+us0H79ucnmhzQKsjpxM9T1n
+      cHovAQfiD3jVqfHULY53avh0wIAjosoTGbe8dyx80quHe+16qWan7C9idXeAYYJX
+      bZt5hs6hLw4I8M1LsjTg6vwsqiaHZpsmDyyQLdFjNJldG7aosfS9F+BIpuwijF+1
+      dashL0CPsbIJ
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      MIIGBzCCA++gAwIBAgICCQYwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPT3Bl
+      bkxBTiBSb290IENBMB4XDTI1MDUxNDA4NTY0MVoXDTQ1MDUxNDA5MjY0MVowJDEi
+      MCAGA1UEAwwZT3BlbkxBTiBTZXJ2ZXIgSXNzdWluZyBDQTCCAiIwDQYJKoZIhvcN
+      AQEBBQADggIPADCCAgoCggIBALSdJpzwPfQM9oHBGt6w8UDLDJNznxI7cpfl0u0x
+      VCHN1YY7onpwxFVkFRzUx/JrQ/tbEGZH19XtngaCZ91KbGbqVao9S32H0tyn2t3e
+      TJ5h+klJ7+7YAbZr8UfOi3nG4bZzNSa5dDBPaNPvI51byKDN7siXXnALV3f0l6lZ
+      gDpLQco/E7ANU3lslUVjVNALfFUEonDyP7XV+lFAyidpjIn6dRn7oYs3SUwkzZUn
+      tYJAhAykmxXMWox+85gDkdb+2O3G8ci0uHVbb0A9LP+MeIhzxHgnnAMfWLfEZexd
+      mEd2PwVHaz/D2Xp/gYrpPDTsbqWjQ9NmgdASwqN5j8BuJ8vHDVBVCztVDltm6JPw
+      3Y6GQPN1LmiSLUzst7VYpydUJRDHYIAKJhT9DYxQ126VfiyMo6Xl4IQO8YZ/J6r8
+      yR7gyvyUiBW+wvvC1bCY5+VuI4P/cY+6iA1qwC1SOWjYlccy+tbfGj9zr32Qf27e
+      9RXSAkcATHen1rc/9AGEeAuSpKrzhmZIIvM4+EtYgbBvf91NkP51zbGpvsAbfWN/
+      ecNmqH9SeyrrVgv68Z34hMijCcvJNyIvloo3nkb/gHYV4tAiwTTrX13Rio/8qNF4
+      nwHLsjw0t7jEyRiXdOciePyhGbtdicuiUxrShzbGY7ID0yNwyTKcJYhorL/8r+YF
+      psXrAgMBAAGjggFLMIIBRzAfBgNVHSMEGDAWgBSUaFuoOPk4QLByZP47kj4p1IbC
+      JjAdBgNVHQ4EFgQUBwUkiaCh5hdY+ZH6O8NmEE/nH5EwDgYDVR0PAQH/BAQDAgGG
+      MBIGA1UdEwEB/wQIMAYBAf8CAQAwRwYDVR0fBEAwPjA8oDqgOIY2aHR0cDovL2Ny
+      bC5jZXJ0aWZpY2F0ZXMub3Blbi1sYW4ub3JnL29wZW5sYW5yb290Y2EuY3JsMIGX
+      BggrBgEFBQcBAQSBijCBhzBEBggrBgEFBQcwAoY4aHR0cDovL2NlcnRzLmNlcnRp
+      ZmljYXRlcy5vcGVuLWxhbi5vcmcvb3BlbmxhbnJvb3RjYS5jZXIwPwYIKwYBBQUH
+      MAGGM2h0dHA6Ly9vY3NwLmNlcnRpZmljYXRlcy5vcGVuLWxhbi5vcmcvb3Blbmxh
+      bnJvb3RjYTANBgkqhkiG9w0BAQsFAAOCAgEAqEk5ZJdpMVr2U0YhmqEU6gqxEeih
+      9MWKcQfmsT/lhf5m5V7VuLMc3r+EBCsPssw60umdQcAU2IPlJXLAeWwdRyY7ZNNw
+      QVgl9GBI/CM2b7x18+12/llCdXW9FOagdChTuuhwRnGTt71jcrJkleQyEYhqwwIE
+      N82hxq4HSZO6XJDev4IsMRF00+qt8biJcf7OVGOSLoyiU6Dm/EzxoB+DZf3HdUc0
+      vzfVjD4Im+yYzqXuwWV6c9oIBQH6obzaqlpg926CtEBFR8E1LQe93ahMvF7pExpI
+      OkE5PTuqONvy7Xn3Ui8NRxHhmm8j/unql6bUTGENz9s68n8Im7weq6awC9Hfu8aG
+      WjcnXI7tsDY5uJEguP5fSwCUrdTE85XgPgPHeKaIwBZsyRZTqVSvbky+c15Yv6IT
+      XLWoA0AUxz9ste3WpqiWCNJVI90MCruSYKdpXGV0KU3QQXJDMKhHJBF5DLpuKibo
+      Ffh9O8pB7B4/tJ76JpAc6Z0rfaQUo2vxSpb3Sbd/IHNcL08zB8Ay+YUBULspxe+1
+      StKthmCzCHI9DOhIgeASyNBpcL7uZPjCXiYGhUuzsFGv4sQ+d267Jyvql/Piw/vY
+      g1k2aVBfdIoIU4TpIEVyQqPz4aAW+0SgL7OM+/zD9jxn3gVdusCpmHcoTzOfZRri
+      H0FGIeDSQydpOJU=
+      -----END CERTIFICATE-----
     issuer.pem: |
       -----BEGIN CERTIFICATE-----
       MIIEnDCCA4SgAwIBAgIUVpyCUx1MUeUwxg+7I1BvGFTz7HkwDQYJKoZIhvcNAQEL

chart/values.yaml

@@ -52,6 +52,19 @@ owsub:
 kafka:
   enabled: true
   fullnameOverride: kafka
+  image:
+    repository: bitnamilegacy/kafka
+  volumePermissions:
+    image:
+      repository: bitnamilegacy/os-shell
+  autoDiscovery:
+    volumePermissions:
+      image:
+        repository: bitnamilegacy/kubectl
+  metrics:
+    jmx:
+      image:
+        repository: bitnamilegacy/jmx-exporter
 
 # clustersysteminfo check
 clustersysteminfo:
@@ -60,7 +73,7 @@ clustersysteminfo:
   images:
     clustersysteminfo:
       repository: tip-tip-wlan-cloud-ucentral.jfrog.io/clustersysteminfo
-      tag: v3.2.0-RC3
+      tag: v4.2.0
       pullPolicy: Always
 #      regcred:
 #        registry: tip-tip-wlan-cloud-ucentral.jfrog.io
@@ -108,6 +121,8 @@ owlsui:
 
 # HAproxy (https://github.com/bitnami/charts/tree/master/bitnami/haproxy)
 haproxy:
+  image:
+    repository: bitnamilegacy/haproxy
   enabled: true
   fullnameOverride: proxy
   replicaCount: 1
@@ -402,6 +417,14 @@ restapiCerts:
   clusterDomain: cluster.local
 
 postgresql:
+  image:
+    repository: bitnamilegacy/postgresql
+  volumePermissions:
+    image:
+      repository: bitnamilegacy/os-shell
+  metrics:
+    image:
+      repository: bitnamilegacy/postgres-exporter
   enabled: false
   nameOverride: pgsql
   fullnameOverride: pgsql
@@ -416,6 +439,18 @@ postgresql:
       - owsub
 
 postgresql-ha:
+  postgresql:
+    image:
+      repository: bitnamilegacy/postgresql-repl
+  pgpool:
+    image:
+      repository: bitnamilegacy/pgpool
+  volumePermissions:
+    image:
+      repository: bitnamilegacy/os-shell
+  metrics:
+    image:
+      repository: bitnamilegacy/postgres-exporter
   enabled: false
   nameOverride: pgsql
   fullnameOverride: pgsql

docker-compose/.env

@@ -1,16 +1,18 @@
 COMPOSE_PROJECT_NAME=openwifi
 # set either default, selfsigned or letsencrypt
+# if not default then please look at .env.letsencrypt or .env.selfsigned
+# instead for configuration!
 DEPLOY_TYPE=default
 
 # Image tags
-OWGW_TAG=v3.2.0-RC3
-OWGWUI_TAG=v3.1.0
-OWSEC_TAG=v3.2.0-RC2
-OWFMS_TAG=v3.2.0-RC1
-OWPROV_TAG=v3.2.0-RC2
-OWPROVUI_TAG=v3.1.0
-OWANALYTICS_TAG=v3.2.0-RC2
-OWSUB_TAG=v3.2.0-RC1
+OWGW_TAG=v4.2.0
+OWGWUI_TAG=v4.2.0
+OWSEC_TAG=v4.1.0
+OWFMS_TAG=v3.2.0
+OWPROV_TAG=v4.1.0
+OWPROVUI_TAG=v4.0.0
+OWANALYTICS_TAG=v3.2.0
+OWSUB_TAG=v3.2.0
 
 KAFKA_TAG=3.7-debian-12
 POSTGRESQL_TAG=15.0

docker-compose/.env.letsencrypt

@@ -1,14 +1,14 @@
 COMPOSE_PROJECT_NAME=openwifi
 
 # Image tags
-OWGW_TAG=v3.2.0-RC3
-OWGWUI_TAG=v3.1.0
-OWSEC_TAG=v3.2.0-RC2
-OWFMS_TAG=v3.2.0-RC1
-OWPROV_TAG=v3.2.0-RC2
-OWPROVUI_TAG=v3.1.0
-OWANALYTICS_TAG=v3.2.0-RC2
-OWSUB_TAG=v3.2.0-RC1
+OWGW_TAG=v4.2.0
+OWGWUI_TAG=v4.2.0
+OWSEC_TAG=v4.1.0
+OWFMS_TAG=v3.2.0
+OWPROV_TAG=v4.1.0
+OWPROVUI_TAG=v4.0.0
+OWANALYTICS_TAG=v3.2.0
+OWSUB_TAG=v3.2.0
 
 KAFKA_TAG=3.7-debian-12
 POSTGRESQL_TAG=15.0

docker-compose/.env.selfsigned

@@ -1,14 +1,14 @@
 COMPOSE_PROJECT_NAME=openwifi
 
 # Image tags
-OWGW_TAG=v3.2.0-RC3
-OWGWUI_TAG=v3.1.0
-OWSEC_TAG=v3.2.0-RC2
-OWFMS_TAG=v3.2.0-RC1
-OWPROV_TAG=v3.2.0-RC2
-OWPROVUI_TAG=v3.1.0
-OWANALYTICS_TAG=v3.2.0-RC2
-OWSUB_TAG=v3.2.0-RC1
+OWGW_TAG=v4.2.0
+OWGWUI_TAG=v4.2.0
+OWSEC_TAG=v4.1.0
+OWFMS_TAG=v3.2.0
+OWPROV_TAG=v4.1.0
+OWPROVUI_TAG=v4.0.0
+OWANALYTICS_TAG=v3.2.0
+OWSUB_TAG=v3.2.0
 
 KAFKA_TAG=3.7-debian-12
 POSTGRESQL_TAG=15.0

docker-compose/certs/clientcas.pem

@@ -47,3 +47,232 @@ PSNHL2emogy1bl1lLTAoj8nxg2wVKPDSHBGviQ5LR9fsWUIJDv9Bs5k0qWugWYSj
 L+/DtiR5fDVMNdBSGU89UNTi0wHY9+RFuNlIuvZC+x/swF0V9R5mN+ywquTPtDLA
 5IOM7ItsRmen6u3qu+JXros54e4juQ==
 -----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFbzCCA1egAwIBAgICIjUwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUT3Bl
+bkxBTiBEZW1vIFJvb3QgQ0EwHhcNMjUwMjIxMTUwMDAwWhcNMjYwMjIxMTUwMDAw
+WjAlMSMwIQYDVQQDExpPcGVuTEFOIERlbW8gQ29udHJvbGxlciBDQTCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBAJauwpN+LAd/VubBpX3O3u/E5CXkmxLZ
+di/F9zOTimAOPqfWP7K046TfbNj4twPYSzVzjawkenRkEK0yZQ1DOXmzkGWVnsih
+gR/CA+IUUY1yCnmg6t9Dx9l5K0ZnAox90HO/ybIymcoSfRXhotuhle//eDNmGccd
+XFsndvGdmxshaV1zN1h2POw7biCBZuypCzwvRitFfcpv3pdIk5xTt2G/yMbHPCNo
+dUJHYHLWotridJIJ7DdhYoir5q+iSqWIqjKfDBlqCsvO7e+KidcW9ctljWspAHvl
+B3/yHdJwJz816YTZ7r37I/DsXk9gmjj317gWRkGLMTx9fk6SiMfGW4kfUvClfg1v
+0aRrDGPEcCagHM6ViqbW2+Tc5K38fySgNZKSTBPPI+59iAHd5RADEJDGankEYvzN
+Le0sgB90RDjhTMleOpp5agtd2Yk/ZVjHtKfCnq13OLJfcgX76iY1Ko6AmKqiaxiE
+V2zi9/UFVTIURT8S7JgiwF4ZNIZzHmcr4R4n5O7aSgYUlVjwFp/IEMC3ylTAX8cP
+d4VW0p1f4D3HK7TRcaaqsERuxNh2KVtR48Au2MPGC/8YRKsz/qzH2GfsfFgjKxfF
+z/mZYOA7913DvgVbDQoR9/6odGXZH0XDwH1e1w59dqbXBnIv2VVzElgZsPimIr+M
+UxlZXZHMYtL3AgMBAAGjga4wgaswHwYDVR0jBBgwFoAUPMiDx7JMjfFzgDZHrR/w
+dqeEFkMwHQYDVR0OBBYEFKqr/2rLqvEtxLDRsPCJ1L8WMr7VMA4GA1UdDwEB/wQE
+AwIBBjASBgNVHRMBAf8ECDAGAQH/AgEAMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6
+Ly9kZW1vLmNlcnRpZmljYXRlLmZpL2NybC9PcGVuTEFORGVtb1Jvb3RDQS5jcmww
+DQYJKoZIhvcNAQELBQADggIBAEyp07YjNm3WsMQo85OUcKp8kA5TJPKPxw0WgXBR
+5RqfEV8u4b5FPJ1GjvHQqEXNxi0hlNit6oQpMafHrDSsnXR0rSquYeRBZWGig0PU
+n8XHN8IlwsE8orGs7HkJTkQ/5Os7eGYhKCnMUyehoDHQPCPgsCawp6HnKAkntG6F
+0AiOrhmh+ng0+9nKl6Vj11OSh9nw54G3HtQqnhWrDw8JRYp6kkzRIPcrlq/AavjW
+g5aWBcyUSH7PscyIMGW5ICRM/5J1DXMcl/jXQhvSjv1Z6fUCrbpGyUiJ4mjmAOo+
+M11ln5dedBRyRXEBg+0dKxe6758wWkJF2el44pgNx+xO00eKUY60lWRxkDExa6nh
+rVRfEyvcCMfoFKBWreTyAcPyEJ0XR8wu+lfkerhYupE+m+YxUxhYywClfPdv/+m9
+70/gKFR3IyBW+9aYl7xUapyuEYfMFA2iGD73HGqA3QcxCwxB8RFuHuVh7WUyMvJK
+xd8qUNxVXGFzyY5qUUjt+D/OeDIHKn4uQWKpaSNdkumrTvj6/QhsstF2H0XoQv+v
+fuI4IdnzoVVkPbf+Cyg7ZkW0Wu+sutyhsuN4eDOsiy8NxPkbRjnDQxUiNAK96Bkx
+tDpSJgwSP4sPHfNgq6zv/Wu9IaBGIYmNsJBoKpOOITUl7n6DcsEvkcsRMJpuK60b
+rHa2
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFIDCCAwigAwIBAgICDnkwDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUT3Bl
+bkxBTiBEZW1vIFJvb3QgQ0EwHhcNMjUwMjIxMTUwMDAwWhcNMjYwMjIxMTUwMDAw
+WjAfMR0wGwYDVQQDDBRPcGVuTEFOIERlbW8gUm9vdCBDQTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBAMjExylKdJWoJu9mOHPJ6yZFXKe1lE467G65acpS
+2FKIWnPVFjNCmATMpkMOIFzEFwyFdbQjzOidtiL+73zlE52lOJpXCfOcxDFqDYDJ
+J8//J1/gQWsBaKpSvgLiHU/0awkQg+yJYZpj8YZa4NkFe+zTjQScSfOsqPPb3rZ7
+DOQ2BKAhjVShKmVbtNil0iO0zm8vE8DNkktTNMREp2pzb8MbCAgfOkwlrby6T+rV
+3TvmjThGdFUb5lWDFxWtlF8W0SUII9qj7p5TdGpryeLsO0nZTBtS4HxZNdvmKOHf
+gcRHmSZIJigB2NzKLNrXF9JBW0WnUSwZJZAG2C1RTx6lADILPueuusyfR/hZ3koK
+i4PHnSiTwQghzia9K9QjNHq5z9R9ZoCnhBg1VyU4LKmp862L0sIp2vgnOYunEIi9
+aCYBaDwo+0FuVjZuXyDIatwVuA7TN5IWPHA6XLdOt1mmkeYy1Ldr4XHjdondhtOy
+eei1UFXmyyLm2+kmRYfTm91TqYmNzRgbRV2NHO50AmsnBknX4Rv3gishGe0+dV5y
+FcUwZud0z2rSCkuoai5tKrPT+6Y6NqkT9u9HFifIBXnLwEzVUqHRtW6SuWj2DClV
+QIXIUZtFnhY4GuTuf6DlzgnXO58oDVCZmCW4ULIpbqGeRsvBHR8Sw5JXP/1+TMUY
+hE8TAgMBAAGjZjBkMB8GA1UdIwQYMBaAFDzIg8eyTI3xc4A2R60f8HanhBZDMB0G
+A1UdDgQWBBQ8yIPHskyN8XOANketH/B2p4QWQzAOBgNVHQ8BAf8EBAMCAQYwEgYD
+VR0TAQH/BAgwBgEB/wIBATANBgkqhkiG9w0BAQsFAAOCAgEAkHZ5KR8IOrdfMFy+
+iOvauvZxfQ84LL6TpB2FQKDjneJUdd7c29UJJFNW/0mp4Gc6jKZab6J8Dx/pNnbH
+0RqFjGjeRGtJ4Sk0G7gf9zw1S7qut5WJDcisM9l/wXC+zy/KSKKPQmbt0grWOtU7
++NNPh1YU76hIrInq/u2sVZyKH8SXQ957fbJk6BX6JTKyNEn05AB6rNSrbOWo8sy2
+MlcJ7bBsrWYI1t6GcWFh4b36bLu7/dKJWpyFNXXIkKJsgMEDpEQae56+fSSDo0KR
+NtYB82fNZDIQlGK81rGJWNzAahM+3GD1tgk/3ZVugfaJhcBpoHHKNOGqZAvtirLA
+IDocno7AzqoeIz974Rh2Olsl2/arApYPyyfi8PMYuFe/d4h+Wie8n+jh5n48lZ2V
+e4PK+j+QHD6tTZS4f0bGnPL1puMxzQloltuQWgLDeVfEgrc3snLvjOg8aDzWm/es
+85lP8XcyW54U4t3JmrNUC2C7v+Uafx7cL7eDeunhs+BRhtGV+IUmjub2IrpqZp3z
+Zqn+LVRdYJIy/qHhjS5+ImckXkFojOmeWhfmEmYSuNP8Oa6cGuXp829qnbxLh9Qz
+i3TfXV883KLse4kL5Zl7gBA/4hz2hVMyGJ8fY+VvzbaTuOXyvKJ+rGZCTcRSeotB
+LnIevVMiL7SqOEwN0j4Mfbznfq8=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFbjCCA1agAwIBAgICMJ0wDQYJKoZIhvcNAQELBQAwHzEdMBsGA1UEAwwUT3Bl
+bkxBTiBEZW1vIFJvb3QgQ0EwHhcNMjUwMjIxMTUwMDAwWhcNMjYwMjIxMTUwMDAw
+WjAkMSIwIAYDVQQDExlPcGVuTEFOIERlbW8gT3BlcmF0aW5nIENBMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4Q5dx+CWyaPxOlAGUC462FgnO4umYEqF
+LQCuK31kgg0tBbbfaq0XApUnjH5IOMI1IGtYgZmm48q1noHaRwk4WFxxvr/dyS51
+hAEa2GFb2S3pkG7VXAF/XYv33yyfM+1K0tyZPRm9tbBShUIfflGFjnrSwxkNhoOH
+IIOVXxCHLBD/Aor74JAkEGtkIo30FPx2vQ+fg4rnQsm9aSffgWwWua7T590tnSMG
+ljDMm++nCQIgONFQC7RQXeL0Ruu14FxB639oJxPmwDQhD/R5zQz/wFBhinjHuzYl
+i0bmxHevdDQluNUxf2lHwJRy6eC/TzdRFOgDUre9kzu929skgNouM0q0y/Rpz7QU
+bd5s1i8JnKebAqADqMT8Yz1Hph0oCvOT0Dc2joxmjGh3loolWRKufKTVe431pvdv
+iV/rAooOSnm5Htmd8ClOADudhrheX886cSd9Z5JKucHhW34Lf1ze7uj1LjxoTh3O
+eo7XedhjmJYcQavpQlVRLTbbY/LJHegPtqJAIvQkrwtOpe05rShl06MxO9wj0BPJ
+0PFp/MxJd0ESDV0EM9dxWIWgXwZftowPzfj3ai5OQEazpTr1IMRehsbCn3JEJ77N
+hCqKPaZmRtKRD9e5cu0YiGfRddr7xaXiwtPGId/ZHsNUASbv7NMDdemRv3TiFwv4
+z8OKCm8QeisCAwEAAaOBrjCBqzAfBgNVHSMEGDAWgBQ8yIPHskyN8XOANketH/B2
+p4QWQzAdBgNVHQ4EFgQUe/uhewyjB6GNj5Dbq9s+I5mWexMwDgYDVR0PAQH/BAQD
+AgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwRQYDVR0fBD4wPDA6oDigNoY0aHR0cDov
+L2RlbW8uY2VydGlmaWNhdGUuZmkvY3JsL09wZW5MQU5EZW1vUm9vdENBLmNybDAN
+BgkqhkiG9w0BAQsFAAOCAgEAoj6D9yZIbWEP3MobeV5c3KpNyH4k2Ho2keIE0nT1
+kc2sb1pfHzcZC7qDX1QWdcuKYUctmVEw5xhIWZhOLOy4QONUSx1E5WOHvGKMPfAt
+l5pS8C2XjiC+SP/8KvbcpYM+iopsoJx2qDLX927OaqP0J+XSMikqaOhP4LW9Fb+Z
+aRci9Kfd5WeA76mE3b1/9RSE1xxDNv88R6I2gFiLQeDqvdwaYUdYeCWYjg6mx3GD
+Fc3vf2j/jj606vnbUDrI8uLfL4SDvCdtlmP6IvJGRAS3e48Eao4/C72uCW4LJBxA
+G9sP7yvFCZhBo6+xIAbU2rhZeqiJQi7uK4LjPCck4QK6N32qEVyGpksuA3GXlJGC
+fNDQ7PNA+r4AhCKs1b5xMUJH9O40Oq3vVfH1HhcGt5Pyl0LHFg0ml5PmCpTSPLBP
+x26EizoF7vQmCdZ7HvPPY/L4DkiY//jhp4yBLWFP5MQm9TLjZ6uEj07S/oFCa3vW
+dScZDtJ/AuojDMoDPvrSGuDHPBg1NBvs4mICx90DKjEZNHo5l7nMT7/KF8D6v2Rt
+dRU8vfmPo6R0wbGV6suItRPUG5qpnHL4wc/iK0hRBl4nIgH1SwE4YHlx42FJTJej
+EGAlrLr3LG0BxQaB3JEx82lGDlxz7Y3pCk2uiaVUnqWY5HglOdxdtAaox3HBgMa9
+tHk=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGBjCCA+6gAwIBAgICAxMwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPT3Bl
+bkxBTiBSb290IENBMB4XDTI1MDUxNDA4NDcyNVoXDTQ1MDUxNDA5MTcyNVowIzEh
+MB8GA1UEAwwYT3BlbkxBTiBCaXJ0aCBJc3N1aW5nIENBMIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAqkekr6rYqlnicopx8WgKhEUctfrMD3J8jC2YshEI
+hlVFI6lRbA9EFjv1hq0BhXhOY52lwOTOQtIgdn7HNcViSoiKqrVBYRskbhVqIA+7
+nPhwB/4BYYZnbzCELjROHnMn/drFScNUaUvf+EDh9WmO4vZHD5xstK729RDZE51n
+vLlFwe5O4ckekPH17r4WojoVSczkXXRhKJXV3GXdrA/epoIUn0poUM6bCjddiEbJ
+NPknqqkS8Z9a8GYt2IX33kZD3NdHjTQRnMd7g+xroJiQ/faZ9zc0ul6l85sl1G43
+AqriEI2aOWYhSxY7sDleuy5ggz8UA5lR6/z6ZIR8IfMSJag8aVkvxt51Gx2aDaVu
+PixyMFoXyhKQPSP+cL3rzSF/767iXqINw4oOb83Jy77Ocwgp2cfW06KI4l4CTymy
+83wCBEZ6pvLmjCmbz0DIg7V7yGPGjEePNyxYG0sM+aHQEpJnaib2yza9adiXlJ4s
+M+UEMnLjEu0i8Xy15hvItgo7FYTZgWh89LIhE63HDk6qteV836K2oL9PWtVUEg9v
+pElapnq+v+8BUsvmY6Nr8eYeAnCPyW2e49a91/vCP8B1Ydbe5ms3mYcGO3Kdx/k5
+QWLquKnt5ZAeJ2werO/8mUabq8eyt4EH9tZzDKJvV/xbmhluKmamfSg4GHCpOUl1
++IcCAwEAAaOCAUswggFHMB8GA1UdIwQYMBaAFJRoW6g4+ThAsHJk/juSPinUhsIm
+MB0GA1UdDgQWBBRO5RI5Dr0FesZ3+QQ9ugAapLBaeDAOBgNVHQ8BAf8EBAMCAYYw
+EgYDVR0TAQH/BAgwBgEB/wIBADBHBgNVHR8EQDA+MDygOqA4hjZodHRwOi8vY3Js
+LmNlcnRpZmljYXRlcy5vcGVuLWxhbi5vcmcvb3BlbmxhbnJvb3RjYS5jcmwwgZcG
+CCsGAQUFBwEBBIGKMIGHMEQGCCsGAQUFBzAChjhodHRwOi8vY2VydHMuY2VydGlm
+aWNhdGVzLm9wZW4tbGFuLm9yZy9vcGVubGFucm9vdGNhLmNlcjA/BggrBgEFBQcw
+AYYzaHR0cDovL29jc3AuY2VydGlmaWNhdGVzLm9wZW4tbGFuLm9yZy9vcGVubGFu
+cm9vdGNhMA0GCSqGSIb3DQEBCwUAA4ICAQBQq28kQUcK88zs5YzZ3b6Y3t77yrSF
+lZLWsbNE/KVlvEuTIrtkRMX9PAC4tRjOpV0oxp6NdrqUKJ35gt4EKjw1vbtyXZD0
+VQwimBv1qapZEuNe5lwNssyySAnXxUIyhCV6QVD4G9vmRPzNVtIwssjffVPjjpZ9
+LBQdliOG3FBbcCWGuRiUMysVxHxdO2rokoFuO1ye+oURrqe9zeDtE0k9QNzAi36F
+FhuWYQnn+2QHfTX58cpMb1Aql3yTO/pz5fQRUF/hmfTuuk+dLlkWoem55oRGfMVL
+coAnW3We251iEawqrR9ZDgcIWlmloZFSNylpZ/iIZOIQdYFqreRo0DiSZG4kPxcW
+RKQTSJ9F3v2j0BZan2xxaSE1tJ54IJUPUND/O6ITVQLfexVLIggRfeIAsURdhPn9
+1KUrZu3HoIYX6kcpuhl++BQgOx3qr6RomAVDhXSGRVRQ2B76N0N1ZC+mEEhJUYbb
+0DlZntDp7q2ZDzn6gFYOnrGhoXe55Yrx8c45wMOBZmz0Q6xzc0jydgZoAG9/20l8
+6S9G2j+UuMYRBCSzouILsGwTloU7XR3qIuO2WbYcG+UV0o/3lVOkAk5992HPG7DT
+hZ1qNe72WFHmtKVwfYJTcQG/TucWFvplUE3hMDMqS80tmx9TrXiRdI4R5IrTxfsS
+znGN0LCQ5YzAAw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGBzCCA++gAwIBAgICBAYwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPT3Bl
+bkxBTiBSb290IENBMB4XDTI1MDUxNDA4NTQwNVoXDTQ1MDUxNDA5MjQwNVowJDEi
+MCAGA1UEAwwZT3BlbkxBTiBEZXZpY2UgSXNzdWluZyBDQTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBALrPh3nxxKWaPQbcQeZdihRrGwJNYgdrzz/YAsss
+EbKXYKAOwb/EJKSv52eUysI59lcvfJrsqn4wyUaXQvgYxJUatCSpmCCKEzftgudS
+UAlPY8L/4qeqUvxz6CN3qiKivxQ31Z7SJTLgR7OTXxk5ckXHkc8QPB2GPWkU3BzV
+RbBNKcVxwMK6JaZbB0ZlR6r1ImnLnsDUI0qkgSV8NBO7bJd1yvqfn04yc0/pIo+1
+9uX/gh7AA0RsZeXw1SO3wCfUO5Cr65X+MW2T3LsbnBPbKOqHnF0YWJGx5RPOWVIS
+wudAy4zlqdwPInrb4BCMkJUoZlRhhx7vvNmP9HwNwCp8+COjE77caAEAi+0VHamY
+spu9IgDZCr5FmgHBMu9WiaWpB3RxxbFa6UdVl3sMzRFS6SEHhs6RCAXwQj7KiZLf
+tb3UCRps5XMlhmjAApyDKsJEXKnd5cSpSYxCQQlOB9BCG6QVc6vQLdu/uq8X6Z+2
+0EcP7NVyzMDgHdozp4jP+M4Sow6pv7KE4SZaBfpbgM+Ht22sYoBwMouRYbzSAhJS
+8qBH+IiDqwMRWyox8TuhCsn9WJr9t6l8p3O1pUB0IccraUTVo7XydZWaprtrvMTf
+RtudowCxea9Iz6md9zlqNZAQu2QNUpH9YQT408N02qukp2uaAGvQjbSfAtnWduTD
+F6AbAgMBAAGjggFLMIIBRzAfBgNVHSMEGDAWgBSUaFuoOPk4QLByZP47kj4p1IbC
+JjAdBgNVHQ4EFgQUVRP31JMaQoUd6psw0tjQpKbhmvUwDgYDVR0PAQH/BAQDAgGG
+MBIGA1UdEwEB/wQIMAYBAf8CAQAwRwYDVR0fBEAwPjA8oDqgOIY2aHR0cDovL2Ny
+bC5jZXJ0aWZpY2F0ZXMub3Blbi1sYW4ub3JnL29wZW5sYW5yb290Y2EuY3JsMIGX
+BggrBgEFBQcBAQSBijCBhzBEBggrBgEFBQcwAoY4aHR0cDovL2NlcnRzLmNlcnRp
+ZmljYXRlcy5vcGVuLWxhbi5vcmcvb3BlbmxhbnJvb3RjYS5jZXIwPwYIKwYBBQUH
+MAGGM2h0dHA6Ly9vY3NwLmNlcnRpZmljYXRlcy5vcGVuLWxhbi5vcmcvb3Blbmxh
+bnJvb3RjYTANBgkqhkiG9w0BAQsFAAOCAgEALMFsYRqB8NDMMWZV8NqbjNT5QA3Y
+O3ODxYOuFC4NjSzUSh3Lh73f5+Ec4slQNFuOQeqhqFJaDAPIxUI5ekKtVjzmt7St
+crbW1dE47+ZHkPXrWVRwRmlV1qP5TqS5oTH6dvpEpEcSxT/IKGQB1cwQ1C+Qp3dd
+3rZnylXfL5dimIpKDGHYqiHyltktlv3uMWnQhUwrKjt2GW0TnF7bVJ0OJko7aDL7
+wdY0TGUH9eLQOoz/a0e9sKSsqOxrq9grN7npbUHOr23CdQBnSjF1Q5dXKvza8kRj
++agDJW5h/fyBvZ5I4U6m4jFyUnAKso6Xd0+feejPCH7f6kYY+pT7NKO4dVqaRLrj
+yDmtXGsMza6C0h8wBgYwg4d7jxTqOx6iJfJLyLGWKT94HeChiWOL2X0HpF+Gn9Uf
+C7rtLO4QwQzGHdEGyFlw/pBTs6g3wTYVv7ZZfh8DJ9PIedqJmUdwMVE89ThEpu4Z
+q1bFfqENwDmrj2erS3fweEY3G+w2m8f24tJiLWOW/hBRcR3fm+73C8svmtwVGo5Q
+2i6yJxQ12Q42oa1sfsohr22J2NxotqbQz0gq1J9QparEJ5qUjMKkO9Rj3s24KW2t
+E6WIb5d1WpIxownlqOgFE7FftxXmQdJNJ2t4XyUMWhwXbOxfc2RlLek0LtnHPA8N
+hCFqyfjUtMPqafk=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFFTCCAv2gAwIBAgICAxIwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPT3Bl
+bkxBTiBSb290IENBMCAXDTI1MDUxNDA4NDcxMFoYDzIwNTUwNTE0MDg0NzEwWjAa
+MRgwFgYDVQQDDA9PcGVuTEFOIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4IC
+DwAwggIKAoICAQDGibJ04A55kSURTBSKgcBmLnND2I5wws1taKqqU9aaRhB7NtvM
+Hwh2voH9b1brUiulZaZwTN/9kzd4AnXeKQ+0u5tV7Ofk0fzF2MK47n17TS30Yenq
+c4NuQEKdpKK/pM3VvOEppR/bqtgyLtDmbDnmFOx+zTj/+smTgouwA+Iier0P4s5O
+ohYxn/bjOqwQbHbU79VpGBIWv6/kt55AhH7zvsqqKHkrzTxnsRBv3SBIufrjJr9P
+IhZBLDrqr56P6KgAi0eoutNt2ToiJbE0WfjU7GI1RSiSN5bGj1zXhjNVzQWs1H9Q
+zRf3c9pl3+haHQZ7FZ1UqiTRewmbNrQ6I9k81au3SttUlb87MyAuDSzatkiq7CjQ
+8VE1J6te6ZBt2zWpUhHsR/Lg7g3eOw5dL4oZJdK5GgGu/MUajLUXifIqM13Mvg0V
+TzDhN69VLXLSL0gPcicsQCwJuAza1IC/VqmBGx19fAkyJhOurCXWOgisi0g1+xzP
+KRphUNwMPUf8vBVOM/Vc6xDIvwVGE3+eWXyhixneFlSpAI03nWWjpwWXihTBoxbf
+RXO3Y/ilJqrgFN+U4PJcCPA+Wo7ThH0mgX6bOTPcgXMUzT3v3FF6Bx5/PNV3kYrw
+2yLzribUiS6AGvVGnW4hX2Z6OQvA/aHME8KF+6y6m4pC7FkUjVaRlzWu/wIDAQAB
+o2MwYTAfBgNVHSMEGDAWgBSUaFuoOPk4QLByZP47kj4p1IbCJjAdBgNVHQ4EFgQU
+lGhbqDj5OECwcmT+O5I+KdSGwiYwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggIBAB+/RUC2X6eVoPsFNMkaXO5Iib/ub0Jo
+WhODQm8j2Mr5dpGXESSpXjfDcqDOLuJbWWoflXBLdr8BsVCBqOA9YgCX0H8Br7dU
+WmCScixxLW0he592/424EvdwifxcKHZLjv9CKV5Txhqnm2djc5RY/nTH5MYVrIh/
+If2TNO5ydDP6+vgy9GQ4en04VK7rz+PW17O8l7k9/lOmYptZmHgSDAPj/cT3PlG+
+McqaI5rMSHeEHlzH+PvgWjtSeEhF4FwFBXroDl4/yb4l2JB8bqAZ3vsOXSkigFcZ
+h5MXPe+zuSSW+G8iLr4xoi0CFsP2DaHEyxgqP4B1FtE9nFPo6cvWbwqTVT7QSzqf
+H+jPJuQvpFXeRF5UFegNZTFT5/uFFPamihakFslEYxeJey1y+OJdLcP6ef87ruSt
+8amsq56OAETYpnW4JFowlEh0C+QwLGHGGY6WrOgHY/90hJmPgXBdBVg/IoOhzbvk
+5A+LqZDvxV2/rLNfClw8Kr3g5e8obcB6dWgMCy2z+us0H79ucnmhzQKsjpxM9T1n
+cHovAQfiD3jVqfHULY53avh0wIAjosoTGbe8dyx80quHe+16qWan7C9idXeAYYJX
+bZt5hs6hLw4I8M1LsjTg6vwsqiaHZpsmDyyQLdFjNJldG7aosfS9F+BIpuwijF+1
+dashL0CPsbIJ
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIGBzCCA++gAwIBAgICCQYwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPT3Bl
+bkxBTiBSb290IENBMB4XDTI1MDUxNDA4NTY0MVoXDTQ1MDUxNDA5MjY0MVowJDEi
+MCAGA1UEAwwZT3BlbkxBTiBTZXJ2ZXIgSXNzdWluZyBDQTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBALSdJpzwPfQM9oHBGt6w8UDLDJNznxI7cpfl0u0x
+VCHN1YY7onpwxFVkFRzUx/JrQ/tbEGZH19XtngaCZ91KbGbqVao9S32H0tyn2t3e
+TJ5h+klJ7+7YAbZr8UfOi3nG4bZzNSa5dDBPaNPvI51byKDN7siXXnALV3f0l6lZ
+gDpLQco/E7ANU3lslUVjVNALfFUEonDyP7XV+lFAyidpjIn6dRn7oYs3SUwkzZUn
+tYJAhAykmxXMWox+85gDkdb+2O3G8ci0uHVbb0A9LP+MeIhzxHgnnAMfWLfEZexd
+mEd2PwVHaz/D2Xp/gYrpPDTsbqWjQ9NmgdASwqN5j8BuJ8vHDVBVCztVDltm6JPw
+3Y6GQPN1LmiSLUzst7VYpydUJRDHYIAKJhT9DYxQ126VfiyMo6Xl4IQO8YZ/J6r8
+yR7gyvyUiBW+wvvC1bCY5+VuI4P/cY+6iA1qwC1SOWjYlccy+tbfGj9zr32Qf27e
+9RXSAkcATHen1rc/9AGEeAuSpKrzhmZIIvM4+EtYgbBvf91NkP51zbGpvsAbfWN/
+ecNmqH9SeyrrVgv68Z34hMijCcvJNyIvloo3nkb/gHYV4tAiwTTrX13Rio/8qNF4
+nwHLsjw0t7jEyRiXdOciePyhGbtdicuiUxrShzbGY7ID0yNwyTKcJYhorL/8r+YF
+psXrAgMBAAGjggFLMIIBRzAfBgNVHSMEGDAWgBSUaFuoOPk4QLByZP47kj4p1IbC
+JjAdBgNVHQ4EFgQUBwUkiaCh5hdY+ZH6O8NmEE/nH5EwDgYDVR0PAQH/BAQDAgGG
+MBIGA1UdEwEB/wQIMAYBAf8CAQAwRwYDVR0fBEAwPjA8oDqgOIY2aHR0cDovL2Ny
+bC5jZXJ0aWZpY2F0ZXMub3Blbi1sYW4ub3JnL29wZW5sYW5yb290Y2EuY3JsMIGX
+BggrBgEFBQcBAQSBijCBhzBEBggrBgEFBQcwAoY4aHR0cDovL2NlcnRzLmNlcnRp
+ZmljYXRlcy5vcGVuLWxhbi5vcmcvb3BlbmxhbnJvb3RjYS5jZXIwPwYIKwYBBQUH
+MAGGM2h0dHA6Ly9vY3NwLmNlcnRpZmljYXRlcy5vcGVuLWxhbi5vcmcvb3Blbmxh
+bnJvb3RjYTANBgkqhkiG9w0BAQsFAAOCAgEAqEk5ZJdpMVr2U0YhmqEU6gqxEeih
+9MWKcQfmsT/lhf5m5V7VuLMc3r+EBCsPssw60umdQcAU2IPlJXLAeWwdRyY7ZNNw
+QVgl9GBI/CM2b7x18+12/llCdXW9FOagdChTuuhwRnGTt71jcrJkleQyEYhqwwIE
+N82hxq4HSZO6XJDev4IsMRF00+qt8biJcf7OVGOSLoyiU6Dm/EzxoB+DZf3HdUc0
+vzfVjD4Im+yYzqXuwWV6c9oIBQH6obzaqlpg926CtEBFR8E1LQe93ahMvF7pExpI
+OkE5PTuqONvy7Xn3Ui8NRxHhmm8j/unql6bUTGENz9s68n8Im7weq6awC9Hfu8aG
+WjcnXI7tsDY5uJEguP5fSwCUrdTE85XgPgPHeKaIwBZsyRZTqVSvbky+c15Yv6IT
+XLWoA0AUxz9ste3WpqiWCNJVI90MCruSYKdpXGV0KU3QQXJDMKhHJBF5DLpuKibo
+Ffh9O8pB7B4/tJ76JpAc6Z0rfaQUo2vxSpb3Sbd/IHNcL08zB8Ay+YUBULspxe+1
+StKthmCzCHI9DOhIgeASyNBpcL7uZPjCXiYGhUuzsFGv4sQ+d267Jyvql/Piw/vY
+g1k2aVBfdIoIU4TpIEVyQqPz4aAW+0SgL7OM+/zD9jxn3gVdusCpmHcoTzOfZRri
+H0FGIeDSQydpOJU=
+-----END CERTIFICATE-----

docker-compose/certs/issuer_insta.pem

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGBzCCA++gAwIBAgICCQYwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPT3Bl
+bkxBTiBSb290IENBMB4XDTI1MDUxNDA4NTY0MVoXDTQ1MDUxNDA5MjY0MVowJDEi
+MCAGA1UEAwwZT3BlbkxBTiBTZXJ2ZXIgSXNzdWluZyBDQTCCAiIwDQYJKoZIhvcN
+AQEBBQADggIPADCCAgoCggIBALSdJpzwPfQM9oHBGt6w8UDLDJNznxI7cpfl0u0x
+VCHN1YY7onpwxFVkFRzUx/JrQ/tbEGZH19XtngaCZ91KbGbqVao9S32H0tyn2t3e
+TJ5h+klJ7+7YAbZr8UfOi3nG4bZzNSa5dDBPaNPvI51byKDN7siXXnALV3f0l6lZ
+gDpLQco/E7ANU3lslUVjVNALfFUEonDyP7XV+lFAyidpjIn6dRn7oYs3SUwkzZUn
+tYJAhAykmxXMWox+85gDkdb+2O3G8ci0uHVbb0A9LP+MeIhzxHgnnAMfWLfEZexd
+mEd2PwVHaz/D2Xp/gYrpPDTsbqWjQ9NmgdASwqN5j8BuJ8vHDVBVCztVDltm6JPw
+3Y6GQPN1LmiSLUzst7VYpydUJRDHYIAKJhT9DYxQ126VfiyMo6Xl4IQO8YZ/J6r8
+yR7gyvyUiBW+wvvC1bCY5+VuI4P/cY+6iA1qwC1SOWjYlccy+tbfGj9zr32Qf27e
+9RXSAkcATHen1rc/9AGEeAuSpKrzhmZIIvM4+EtYgbBvf91NkP51zbGpvsAbfWN/
+ecNmqH9SeyrrVgv68Z34hMijCcvJNyIvloo3nkb/gHYV4tAiwTTrX13Rio/8qNF4
+nwHLsjw0t7jEyRiXdOciePyhGbtdicuiUxrShzbGY7ID0yNwyTKcJYhorL/8r+YF
+psXrAgMBAAGjggFLMIIBRzAfBgNVHSMEGDAWgBSUaFuoOPk4QLByZP47kj4p1IbC
+JjAdBgNVHQ4EFgQUBwUkiaCh5hdY+ZH6O8NmEE/nH5EwDgYDVR0PAQH/BAQDAgGG
+MBIGA1UdEwEB/wQIMAYBAf8CAQAwRwYDVR0fBEAwPjA8oDqgOIY2aHR0cDovL2Ny
+bC5jZXJ0aWZpY2F0ZXMub3Blbi1sYW4ub3JnL29wZW5sYW5yb290Y2EuY3JsMIGX
+BggrBgEFBQcBAQSBijCBhzBEBggrBgEFBQcwAoY4aHR0cDovL2NlcnRzLmNlcnRp
+ZmljYXRlcy5vcGVuLWxhbi5vcmcvb3BlbmxhbnJvb3RjYS5jZXIwPwYIKwYBBQUH
+MAGGM2h0dHA6Ly9vY3NwLmNlcnRpZmljYXRlcy5vcGVuLWxhbi5vcmcvb3Blbmxh
+bnJvb3RjYTANBgkqhkiG9w0BAQsFAAOCAgEAqEk5ZJdpMVr2U0YhmqEU6gqxEeih
+9MWKcQfmsT/lhf5m5V7VuLMc3r+EBCsPssw60umdQcAU2IPlJXLAeWwdRyY7ZNNw
+QVgl9GBI/CM2b7x18+12/llCdXW9FOagdChTuuhwRnGTt71jcrJkleQyEYhqwwIE
+N82hxq4HSZO6XJDev4IsMRF00+qt8biJcf7OVGOSLoyiU6Dm/EzxoB+DZf3HdUc0
+vzfVjD4Im+yYzqXuwWV6c9oIBQH6obzaqlpg926CtEBFR8E1LQe93ahMvF7pExpI
+OkE5PTuqONvy7Xn3Ui8NRxHhmm8j/unql6bUTGENz9s68n8Im7weq6awC9Hfu8aG
+WjcnXI7tsDY5uJEguP5fSwCUrdTE85XgPgPHeKaIwBZsyRZTqVSvbky+c15Yv6IT
+XLWoA0AUxz9ste3WpqiWCNJVI90MCruSYKdpXGV0KU3QQXJDMKhHJBF5DLpuKibo
+Ffh9O8pB7B4/tJ76JpAc6Z0rfaQUo2vxSpb3Sbd/IHNcL08zB8Ay+YUBULspxe+1
+StKthmCzCHI9DOhIgeASyNBpcL7uZPjCXiYGhUuzsFGv4sQ+d267Jyvql/Piw/vY
+g1k2aVBfdIoIU4TpIEVyQqPz4aAW+0SgL7OM+/zD9jxn3gVdusCpmHcoTzOfZRri
+H0FGIeDSQydpOJU=
+-----END CERTIFICATE-----

docker-compose/certs/root_insta.pem

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFFTCCAv2gAwIBAgICAxIwDQYJKoZIhvcNAQELBQAwGjEYMBYGA1UEAwwPT3Bl
+bkxBTiBSb290IENBMCAXDTI1MDUxNDA4NDcxMFoYDzIwNTUwNTE0MDg0NzEwWjAa
+MRgwFgYDVQQDDA9PcGVuTEFOIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4IC
+DwAwggIKAoICAQDGibJ04A55kSURTBSKgcBmLnND2I5wws1taKqqU9aaRhB7NtvM
+Hwh2voH9b1brUiulZaZwTN/9kzd4AnXeKQ+0u5tV7Ofk0fzF2MK47n17TS30Yenq
+c4NuQEKdpKK/pM3VvOEppR/bqtgyLtDmbDnmFOx+zTj/+smTgouwA+Iier0P4s5O
+ohYxn/bjOqwQbHbU79VpGBIWv6/kt55AhH7zvsqqKHkrzTxnsRBv3SBIufrjJr9P
+IhZBLDrqr56P6KgAi0eoutNt2ToiJbE0WfjU7GI1RSiSN5bGj1zXhjNVzQWs1H9Q
+zRf3c9pl3+haHQZ7FZ1UqiTRewmbNrQ6I9k81au3SttUlb87MyAuDSzatkiq7CjQ
+8VE1J6te6ZBt2zWpUhHsR/Lg7g3eOw5dL4oZJdK5GgGu/MUajLUXifIqM13Mvg0V
+TzDhN69VLXLSL0gPcicsQCwJuAza1IC/VqmBGx19fAkyJhOurCXWOgisi0g1+xzP
+KRphUNwMPUf8vBVOM/Vc6xDIvwVGE3+eWXyhixneFlSpAI03nWWjpwWXihTBoxbf
+RXO3Y/ilJqrgFN+U4PJcCPA+Wo7ThH0mgX6bOTPcgXMUzT3v3FF6Bx5/PNV3kYrw
+2yLzribUiS6AGvVGnW4hX2Z6OQvA/aHME8KF+6y6m4pC7FkUjVaRlzWu/wIDAQAB
+o2MwYTAfBgNVHSMEGDAWgBSUaFuoOPk4QLByZP47kj4p1IbCJjAdBgNVHQ4EFgQU
+lGhbqDj5OECwcmT+O5I+KdSGwiYwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggIBAB+/RUC2X6eVoPsFNMkaXO5Iib/ub0Jo
+WhODQm8j2Mr5dpGXESSpXjfDcqDOLuJbWWoflXBLdr8BsVCBqOA9YgCX0H8Br7dU
+WmCScixxLW0he592/424EvdwifxcKHZLjv9CKV5Txhqnm2djc5RY/nTH5MYVrIh/
+If2TNO5ydDP6+vgy9GQ4en04VK7rz+PW17O8l7k9/lOmYptZmHgSDAPj/cT3PlG+
+McqaI5rMSHeEHlzH+PvgWjtSeEhF4FwFBXroDl4/yb4l2JB8bqAZ3vsOXSkigFcZ
+h5MXPe+zuSSW+G8iLr4xoi0CFsP2DaHEyxgqP4B1FtE9nFPo6cvWbwqTVT7QSzqf
+H+jPJuQvpFXeRF5UFegNZTFT5/uFFPamihakFslEYxeJey1y+OJdLcP6ef87ruSt
+8amsq56OAETYpnW4JFowlEh0C+QwLGHGGY6WrOgHY/90hJmPgXBdBVg/IoOhzbvk
+5A+LqZDvxV2/rLNfClw8Kr3g5e8obcB6dWgMCy2z+us0H79ucnmhzQKsjpxM9T1n
+cHovAQfiD3jVqfHULY53avh0wIAjosoTGbe8dyx80quHe+16qWan7C9idXeAYYJX
+bZt5hs6hLw4I8M1LsjTg6vwsqiaHZpsmDyyQLdFjNJldG7aosfS9F+BIpuwijF+1
+dashL0CPsbIJ
+-----END CERTIFICATE-----

docker-compose/certs/websocket-cert.pem

@@ -1,27 +1,27 @@
 -----BEGIN CERTIFICATE-----
-MIIEgDCCA2igAwIBAgIUaKVB2xg9gr/sS6FvzMex0xSbEzswDQYJKoZIhvcNAQEL
+MIIEijCCA3KgAwIBAgIUOmn9ubcITrhJKE6uLJYw9J3CfCkwDQYJKoZIhvcNAQEL
 BQAwbDELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG1RlbGVjb20gSW5mcmEgUHJvamVj
 dCwgSW5jLjEMMAoGA1UECxMDVElQMSkwJwYDVQQDEyBUZWxlY29tIEluZnJhIFBy
-b2plY3QgSXNzdWluZyBDQTAeFw0yMTA3MDgxMDQ5MTVaFw0yNTA3MDgxMDQ5MTVa
+b2plY3QgSXNzdWluZyBDQTAeFw0yNTA3MTUyMzU3NTlaFw0yNjA0MTMyMjM4NDZa
 MDIxCzAJBgNVBAYTAlVTMQwwCgYDVQQKEwNUSVAxFTATBgNVBAMMDCoud2xhbi5s
-b2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2rlMfV7/Si2Svx
-J1YOEz6KJLvey995/0MkQvAG0RM6TpFwgUNnpYFFozcWME8MGSxws+6hOzDoMmHC
-pgpP/KZ/Fyu9iUdzTxsJMyMxIW9sYbBMkQgBmvjkBlXDk5NfHh+yJBVxb7JlJ6vJ
-oT7EJMzgKpYpFnO+bddalUVsDp3qQIjSvJIxl77vwgZQUJx0qCm17VTBhyM2RTJ3
-jtr7kcWDm3jyyTVUvlM9g3DM9g0hUPMN0R5PP2HuqDdtYoY51krsm2mmVIYYnyAN
-BDawmwYnZJfcC4gFzZJ5wK5NFjSKmd1mYp0damlSh0/uHxPyd4rm2QhUCQH92yKM
-+9qYU70CAwEAAaOCAVIwggFOMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFM0mIZuE
-6aly7ZKXl0KWjprcO9/uMB8GA1UdIwQYMBaAFLMbVLjgR6s98ziA5Dzl/QBhbdHo
-MA4GA1UdDwEB/wQEAwIFoDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDATCBhgYIKwYB
-BQUHAQEEejB4MCgGCCsGAQUFBzABhhxodHRwOi8vb2NzcC5vbmUuZGlnaWNlcnQu
-Y29tMEwGCCsGAQUFBzAChkBodHRwOi8vY2FjZXJ0cy5vbmUuZGlnaWNlcnQuY29t
-L1RlbGVjb21JbmZyYVByb2plY3RJc3N1aW5nQ0EuY3J0ME0GA1UdHwRGMEQwQqBA
-oD6GPGh0dHA6Ly9jcmwub25lLmRpZ2ljZXJ0LmNvbS9UZWxlY29tSW5mcmFQcm9q
-ZWN0SXNzdWluZ0NBLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAAyb7X9qW0z0QJrl2
-oAalMCh/gSJy5oER3L7iu/pnP3GREbr6bh6+1/MAf2bgnN2CUOKQHbozB7yCkM6V
-8m5RnL4ePKVP5yIrbs48uM5Hl14QFLU4ZtFao6js0haoWWEgMo3sfbeyfOU0ScyW
-ET5zfbDub3gUbWYmlz6hyV5aJoznaFjJTNP7SRQ9CHMTMHh3wAPfVlvG2TdcwwbM
-ZKkdAHpl1NwRxyiBPJfkejGWrY3ZAs10te7u9Lsc9yZZKL8SU9J/mrO9tM5HLeUr
-nCJN4RI7RyTuDw4LdMZW1Ju5QBXoZL9mj4KXIbUkDwryhbAxdQ1OnwD4O/avMChk
-TNJzIw==
------END CERTIFICATE-----
+b2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL0vG6Ol1JiIPrSQ
+D046Nj2zmw2lUh00gNFU7rvAzfH+Lj5fKjyi7ejZQL41r9kvfOYJGNVl9Jca4TBJ
+Nyfved/i8LAMyywaAaQyCrITzcFdw3MfnO5Eo4KAAP2kvqsufYKYxbeiNEIyWhHV
+B2iUAX1PLegnPSuHIZeHLrDB/mX/xxmY5z3u0inIVeG/xjbD1deA59xLLzrxhwGx
+pMz/cx9NLWymfAUBJVGfj2M8fJNK9D0wqljzHMFe9r/jCVvBmEpXklTVd0AXvrZr
+4b9BbqU9FT4QIhq0Qi2yIcOaUHZY81NvGcNc8gSJyiDG5zlLfeOU3HfHxViQZYhr
+hbeOj9cCAwEAAaOCAVwwggFYMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFDm+cEul
+fwzf7rkuJp25mFzvYKNTMB8GA1UdIwQYMBaAFLMbVLjgR6s98ziA5Dzl/QBhbdHo
+MA4GA1UdDwEB/wQEAwIFoDAgBgNVHSUBAf8EFjAUBggrBgEFBQcDAQYIKwYBBQUH
+AwIwgYYGCCsGAQUFBwEBBHoweDAoBggrBgEFBQcwAYYcaHR0cDovL29jc3Aub25l
+LmRpZ2ljZXJ0LmNvbTBMBggrBgEFBQcwAoZAaHR0cDovL2NhY2VydHMub25lLmRp
+Z2ljZXJ0LmNvbS9UZWxlY29tSW5mcmFQcm9qZWN0SXNzdWluZ0NBLmNydDBNBgNV
+HR8ERjBEMEKgQKA+hjxodHRwOi8vY3JsLm9uZS5kaWdpY2VydC5jb20vVGVsZWNv
+bUluZnJhUHJvamVjdElzc3VpbmdDQS5jcmwwDQYJKoZIhvcNAQELBQADggEBAKab
+NayATB4dIy5M7spBHHpbT4eqCNHRxXnw+ph7DGtUCx5InjSVjJU7HVzHDHzOTSl5
+TCkxWJ1pCTn6ZodphUWYax+e6Dm7mvOjohAQRvUwvZp+4w7PwqiwjM+wfvCAPM/f
+ln9EfDTvBxTUXk7xGmPWSexAeL2PyoNLbyMJS6MzSiJmHodbocpib8uMXz3a7J4e
+UcqbX1HGXDuDFBZdOcd2pjqBYnnHv5eL6W1hf/wSgkUeKsBRpYkcz7oulSD67eWx
+zXI5Ynmd2WIHVGONsoSySnSkEVW/KlzpZK4bec2hG9hIHbJo1vO2cg4qBvHxmLUs
+bKkYh7fah/VjfkcSuzk=
+-----END CERTIFICATE-----

docker-compose/certs/websocket-key.pem

@@ -1,28 +1,27 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC9q5TH1e/0otkr
-8SdWDhM+iiS73svfef9DJELwBtETOk6RcIFDZ6WBRaM3FjBPDBkscLPuoTsw6DJh
-wqYKT/ymfxcrvYlHc08bCTMjMSFvbGGwTJEIAZr45AZVw5OTXx4fsiQVcW+yZSer
-yaE+xCTM4CqWKRZzvm3XWpVFbA6d6kCI0rySMZe+78IGUFCcdKgpte1UwYcjNkUy
-d47a+5HFg5t48sk1VL5TPYNwzPYNIVDzDdEeTz9h7qg3bWKGOdZK7JtpplSGGJ8g
-DQQ2sJsGJ2SX3AuIBc2SecCuTRY0ipndZmKdHWppUodP7h8T8neK5tkIVAkB/dsi
-jPvamFO9AgMBAAECggEBAJgYoaRmcJfShyhvp8WgX9pE2RQ2o3I/2Gy1BWCJdtte
-ZGbIuz+cO+IgP7QK/Q5Ge2Fht0hizp53dP9kIdYfMlEplSEkSpObahIaHIHaAh/h
-36yKmbq73tQ7tsDLpuoE2pk8Nydi4dlCuL9PXxiAHaqVEFF9/V0vldGd+BnFfyst
-retXgockCH+fqddM5Kp+H0bmjXzLke/b8T9KsdSBz7lg1Z67kmMrHLe14Q4Hgmr/
-pFBkGGWKTFn48OXfncrv+oQAGED7r9c5UEdpOB6SBDxuddfzgkw9urnpKrYC/KOs
-HLBTaGew73O81BsbaZlUiVxTdewrmFk2nG6UIPoGaxkCgYEA7IYOjIfNJOEPIWYP
-zj4eipTy6zFk4L7tX3wX4wsor93rz8ArlF8sgNoyUhbKm6H++ZfVezLs2jcjJJ8Q
-sXLwQ6L/D8aVb6AOVeC1WYJu5+wXIDX0H+1318a5+3bKVPn+hktJGEgCBvplVRnh
-yzpQ+2v1SBp9qEzoSl1sV6gm1tsCgYEAzUnZcjUhHvoXLXJ1lfagCC6QsmjqzpJv
-VdTKJlDuZ0qQGC6Ts+wKfM3MoiOsXW0pByC5lWwE43c/KU8J358j3OSSNafIFeD1
-cxtYzJlMgnw5Y2Zt9tj+QW/1BOMdOftnPSOnsk6rpdCBMW6a2tYubJjbAuge+a2O
-939XGnV0R0cCgYEA0bvmNtNNJAC2LAWWymnnJzgBWHFKZMipMNyXSethPuHo8yYS
-/tSOYAwcRxKSwwMZWDY9RavYv3/ZF+Y9JT0otLFav6B2bq9dRuWlqiOxONLvhs6R
-Faa7eIlt7gBeVpAAFRG5VWC0+38aUCZNRKsHmIsYy8FB3/Winh7NrcUb+7UCgYBi
-egCTZqUixPmFVZjOfWY7Rosm6mlo+pnp5I+sXbpfVkdVMlKsRpipUdfOF6rBjnHV
-937PDOgzbaqg2Ed2PFLpzcPNdVToGefkdcPdMdSf65Nj+WjatzEQlvJEi+YjQFQ/
-4fC5+j8g5apz2gjy3Teb5J96/3qMbxNb6nwQNzO2VQKBgHyHUJOrhvv9+vs7v8nu
-9DgV0b5eNO0g6Q4Ji7oqs24PssPQRA4gMtwmPT8Ha+wWGVzQt2U5LmjsLlrqAO6O
-+Fa3c63sgmt672A8BJ3PL8LI8E2keZiH6rwADSUFp3TZoU2SHamw5NEruNRMIF1R
-0LMsuAs2KEdnwAth2ZmUF2+S
------END PRIVATE KEY-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAvS8bo6XUmIg+tJAPTjo2PbObDaVSHTSA0VTuu8DN8f4uPl8q
+PKLt6NlAvjWv2S985gkY1WX0lxrhMEk3J+953+LwsAzLLBoBpDIKshPNwV3Dcx+c
+7kSjgoAA/aS+qy59gpjFt6I0QjJaEdUHaJQBfU8t6Cc9K4chl4cusMH+Zf/HGZjn
+Pe7SKchV4b/GNsPV14Dn3EsvOvGHAbGkzP9zH00tbKZ8BQElUZ+PYzx8k0r0PTCq
+WPMcwV72v+MJW8GYSleSVNV3QBe+tmvhv0FupT0VPhAiGrRCLbIhw5pQdljzU28Z
+w1zyBInKIMbnOUt945Tcd8fFWJBliGuFt46P1wIDAQABAoIBAGCYyB0UFGxZzOK3
+WAlScdWpendKPZZJ86hvHILjnIR+i7AvOUrCyoWFQKiekw5rT/PJG1QC/hOVlvvn
+tnD+txUZNFo//hGjqcjkAFATCpE8RgrnTmLeyzpcD6VzVCPl1hIz3Wi5OsO+H/1Q
+77p3MBeCsWcDehlao01SqgV42GPNhliYHi4jjtMTYIH6A+UvfJbd9hcvB2dHtVfI
+Vbv2KKCP8NTlVckR38DoriZSrrK8AoocLh2qe7te0EYMn5v59plgODsBgVMQCzvK
+ZiYUqflLu4NpztvDQParL6kzlCOU8Acm6/V8GEb4BB4miFHxglpgvrzwT2ujAWwl
+kD8b07ECgYEA+/KdruR57XN7BBK+R7I31dFWHAcSs0lIJVMvV0ZDEKPrzFTqL9fE
+gsNngWqZOGZfrB/6vrs6f2d9JJ9ofuUIanSp6e/C0W3pnuR4UZWEWfUHQpwYfxzV
+OCbM5qw0bvWQze2DKF9caoDJMCj0VU5Rz0tAFp787T0aSvR/St6E2VkCgYEAwDoQ
+rFFF2jQX6KVM5V22GeETGJoZQk/3Hlkgi0rGLCjkIljA76DvHc9rLEv5Hf1rw/Ci
+g4knGKyRw4YLR0RhYWcA8u/hfg7xdpka9GaFbMYEA3aKx4Jy9WrzqBq3Ykk1uyqM
+a9Js28v/vPtf+yiZbKadB0oXkNCpY/0FmktyXK8CgYEAurKKTnNYNrEAU4BgKFjU
+L0m0eYh0Pw7qu13tEssqH0aZEQ1LjLBjGlMafDg12ilic/YupO+w5YAWp/DISmAF
+4H0a/BODVhYQrIG49xvIu7Bq9N0e+fKvvbBi3fx1zlOCPlbmfiBMJ0/PxjRS+nPT
+A71LfHfMDTDeLvUG7r/9yeECgYBxIrulb8AZCQf5WTDE3j7LRHkkxa2QJdhf+Dz7
+PmscmoSK4onLf4C8ntOJIr3gNMM0c3By0ko8b3TrCv2gWFKoLSOV2DFzLABZuQrw
+RVbKClFaaG6Nte1LHEOD8RV1t3j0S7qRyytewdYmuBxpih+inv1UyPrNtMG9o7Gk
+ejs46QKBgQChL0z/Ezw/57TGqX7Z5pF2Ej2pckGu3BqObWL2SIALvgog5XpdAess
+sF8DMVXWs4g4YjgDV3HA3WB6u3b/YX9LEuWwIFQ7yxAZXn3RQBigf7SZdZZrrY0H
+argG3/1a52PtwAHjCwpu/JlePgMFEOhK8rjaLj+4trBmTRjK+s/VjQ==
+-----END RSA PRIVATE KEY-----

docker-compose/cloudformation/README.md

@@ -3,7 +3,7 @@ With the YAML template included in this directory you can create an OpenWiFi Clo
 The template creates a CloudFormation stack based on the Docker Compose Let's Encrypt deployment (https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/docker-compose#lb-deployment-with-letsencrypt-certificates). The created stack consists of an EC2 instance, and depending on the input parameters, also adds a Route53 hosted zone and a DNS record.  
 ⚠️**Note**: Please be aware that you will be billed for the AWS resources if you create a stack from this template.
 1. Login into the AWS Management Console (https://aws.amazon.com/de/console).
-2. Go to the AWS Systems Manager Parameter Store page and create two parameters according to these instructions https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-create-console.html: one for your Digicert-signed websocket certificate and the other one for the corresponding key. You can leave the default parameter details: you need two standard parameters with type `String` and data type `text`. Just copy and paste your certificate and key into the `Value` field of the respective parameter and remember the parameter names.
+2. Go to the AWS Systems Manager Parameter Store page and create two parameters according to these instructions https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-create-console.html: one for your Digicert or Insta signed websocket certificate and the other one for the corresponding key. You can leave the default parameter details: you need two standard parameters with type `String` and data type `text`. Just copy and paste your certificate and key into the `Value` field of the respective parameter and remember the parameter names.
 3. Go to the CloudFormation service page and follow the instructions described here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-using-console-create-stack-template.html to upload a template file and choose the template included in this repository.
 4. In the next step you have to enter multiple input parameters required for a successful deployment. Here's an explanation of all parameters:
 
@@ -15,6 +15,6 @@ The template creates a CloudFormation stack based on the Docker Compose Let's En
 **HostedZoneName**: If you didn't create the hosted zone yet which you want to use for your Route53 record, please specify the domain name of the hosted zone you want to create. Be aware that if you set **CreateRoute53Record** to `True`, you only have to specify either `ExistingHostedZoneId` or `HostedZoneName`. If you decide to create the DNS record yourself, you can leave both parameters empty.  
 **SDKVersion**: The SDK version you want to use for your deployment. You can either use release names (e.g. `v2.6.0`) or Git branch names (for example `release/v2.6.0`).  
 **SDKHostname**: Enter a valid public hostname which you want to use for your deployment. This has to resolve to the public IP address of the created EC2 instance. If you set **CreateRoute53Record** to `False`, don't forget to create a DNS entry manually afterwards.  
-**WebsocketCertParameter**: The name of the AWS Systems Manager parameter containing your Digicert-signed websocket certificate.  
-**WebsocketKeyParameter**: The name of the AWS Systems Manager parameter containing the key to your Digicert-signed websocket certificate.  
+**WebsocketCertParameter**: The name of the AWS Systems Manager parameter containing your Digicert or Insta signed websocket certificate.  
+**WebsocketKeyParameter**: The name of the AWS Systems Manager parameter containing the key to your Digicert or Insta signed websocket certificate.  
 **TraefikAcmeEmail**: Enter a valid email address to complete Let's Encrypt ACME registration.  

docker-compose/dco

@@ -5,6 +5,14 @@
 # It captures $1 == launch or l and runs: ... up -d,
 # but passes everything else straight to the docker-compose command.
 cmd="docker-compose"
+if command -v docker-compose > /dev/null 2>&1 ; then
+    cmd="docker-compose"
+elif command -v docker > /dev/null 2>&1 ; then
+    cmd="docker compose"
+else
+    echo "Could not find docker-compose or docker commands."
+    exit 1
+fi
 deploy_type=$(grep "^DEPLOY_TYPE=" .env | awk -F= '{ print $2 }')
 [ -z "$deploy_type" ] && deploy_type="default"
 if [[ "$deploy_type" == "letsencrypt" ]] ; then
@@ -26,6 +34,11 @@ if [[ "$1" == "clean" ]] ; then
 elif [[ "$1" == "launch" || "$1" == "l" ]] ; then
     set -x
     $cmd up -d
+elif [[ "$1" == "relaunch" || "$1" == "rel" ]] ; then
+    set -x
+    $cmd down
+    sleep 5
+    $cmd up -d
 else
     set -x
     $cmd "$@"

docker-compose/deploy.sh

@@ -40,8 +40,8 @@ usage () {
   echo "- OWSUB_SYSTEM_URI_PUBLIC - public URL to be used for OWSub";
   echo;
   echo "Optional environment variables:"
-  echo "- WEBSOCKET_CERT - Your Digicert-signed websocket certificate"
-  echo "- WEBSOCKET_KEY - The key to your Digicert-signed websocket certificate"
+  echo "- WEBSOCKET_CERT - Your Digicert or Insta signed websocket certificate"
+  echo "- WEBSOCKET_KEY - The key to your Digicert or Insta signed websocket certificate"
   echo;
   echo "- OWSEC_AUTHENTICATION_DEFAULT_USERNAME - username to be used for requests to OWSec";
   echo "- OWSEC_AUTHENTICATION_DEFAULT_PASSWORD - hashed password for OWSec (details on this may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/#authenticationdefaultpassword)";

docker-compose/docker-compose.lb.letsencrypt.yml

@@ -177,7 +177,7 @@ services:
       - ./certs:/${OWSUB_ROOT}/certs
 
   kafka:
-    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
+    image: "docker.io/bitnamilegacy/kafka:${KAFKA_TAG}"
     networks:
       openwifi:
     env_file:
@@ -187,7 +187,7 @@ services:
       - kafka_data:/bitnami/kafka
 
   init-kafka:
-    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
+    image: "docker.io/bitnamilegacy/kafka:${KAFKA_TAG}"
     networks:
       openwifi:
     depends_on:

docker-compose/docker-compose.lb.selfsigned.yml

@@ -175,7 +175,7 @@ services:
       - ./certs:/${OWSUB_ROOT}/certs
 
   kafka:
-    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
+    image: "docker.io/bitnamilegacy/kafka:${KAFKA_TAG}"
     networks:
       openwifi:
     env_file:
@@ -185,7 +185,7 @@ services:
       - kafka_data:/bitnami/kafka
 
   init-kafka:
-    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
+    image: "docker.io/bitnamilegacy/kafka:${KAFKA_TAG}"
     networks:
       openwifi:
     depends_on:

docker-compose/docker-compose.yml

@@ -196,7 +196,7 @@ services:
       - "16106:16106"
 
   kafka:
-    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
+    image: "docker.io/bitnamilegacy/kafka:${KAFKA_TAG}"
     networks:
       openwifi:
     env_file:
@@ -206,7 +206,7 @@ services:
       - kafka_data:/bitnami/kafka
 
   init-kafka:
-    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
+    image: "docker.io/bitnamilegacy/kafka:${KAFKA_TAG}"
     networks:
       openwifi:
     depends_on:

docker-compose/owls/.env

@@ -3,19 +3,26 @@ COMPOSE_PROJECT_NAME=owls
 # Image tags
 # Currently main branches don't work - owlsui is not compatible with owls.
 #OWSEC_TAG=main
-#OWLS_TAG=main
 #OWLSUI_TAG=master
 OWSEC_TAG=v2.9.0
-OWLS_TAG=v2.9.0
+OWFMS_TAG=v2.9.0
 OWLSUI_TAG=v2.9.0
+OWLS_TAG=main
+
 KAFKA_TAG=3.7-debian-12
+ACMESH_TAG=latest
+TRAEFIK_TAG=v3.1.2
 
 # Microservice root/config directories
 OWSEC_ROOT=/owsec-data
 OWSEC_CONFIG=/owsec-data
+OWFMS_ROOT=/owfms-data
+OWFMS_CONFIG=/owfms-data
 OWLS_ROOT=/owls-data
 OWLS_CONFIG=/owls-data
 
 # Microservice hostnames
 INTERNAL_OWSEC_HOSTNAME=owsec.wlan.local
 INTERNAL_OWLS_HOSTNAME=owls.wlan.local
+INTERNAL_OWFMS_HOSTNAME=owfms.wlan.local
+INTERNAL_OWLSUI_HOSTNAME=owls-ui.wlan.local

docker-compose/owls/README.md

@@ -1,6 +1,6 @@
 # OpenWifi OWLS Docker Compose
 ## Deployment with self-signed certificates
-To run a load simulation you need to generate a specific Digicert-signed AP certificate which will be used to connect to the gateway. The certificate serial number has to start with the digits `53494d` since otherwise the gateway won't allow a load simulation. The rest of the serial number and the specified redirector URL can be chosen randomly. You only need to generate one AP certificate for your simulations.
+To run a load simulation you need to generate a specific Digicert or Insta signed AP certificate which will be used to connect to the gateway. The certificate serial number has to start with the digits `53494d` since otherwise the gateway won't allow a load simulation. The rest of the serial number and the specified redirector URL can be chosen randomly. You only need to generate one AP certificate for your simulations.
 Be aware that since the OWLS deployment partly exposes the same ports on the host as the OpenWifi deployment, it is not intended that both run on the same host.
 1. Copy or move your AP load simulation certificate into the `docker-compose/certs` directory. Don't forget to name the files `device-cert.pem` and `device-key.pem` or adapt the path names in the OWLS configuration if you're using different file names.
 2. To be able to run load simulation tests against your OpenWifi SDK deployment, you'll have to [add the serial number of your generated AP certificate to the gateway configuration](https://github.com/Telecominfraproject/wlan-cloud-owls#prepare-your-openwifi-gateway). You can do that by either editing [owgw.env](../owgw.env) or doing the changes directly in your OWGW configuration file if it is exposed on your Docker host.
@@ -14,3 +14,22 @@ Be aware that since the OWLS deployment partly exposes the same ports on the hos
 10. In the Simulation tab, click on the + sign on the right side to add a load simulation.
 11. Fill out the required fields. MAC prefix is used for the MAC addresses of the simulated devices, so you can use any six-digit hexadecimal number. Specify the remote address of your OpenWifi gateway in the Gateway field, for example `https://openwifi.wlan.local:15002`. Adapt the rest of the settings according to your needs.
 12. Click on the floppy disk icon to save your load simulation. You can run it by clicking the play symbol in the table view.
+
+## Deployment with Let's Encrypt certificates
+To run a load simulation you need to generate a specific Digicert or Insta signed AP certificate which will be used to connect to the gateway. The certificate serial number has to start with the digits `53494d` since otherwise the gateway won't allow a load simulation. The rest of the serial number and the specified redirector URL can be chosen randomly. You only need to generate one AP certificate for your simulations.  Be aware that since the OWLS deployment partly exposes the same ports on the host as the OpenWifi deployment, it is not intended that both run on the same host.
+1. Copy or move your AP load simulation certificate into the `docker-compose/certs` directory. Don't forget to name the files `device-cert.pem` and `device-key.pem` or adapt the path names in the OWLS configuration if you're using different file names.
+2. To be able to run load simulation tests against your OpenWifi SDK deployment, you'll have to [add the serial number of your generated AP certificate to the gateway configuration](https://github.com/Telecominfraproject/wlan-cloud-owls#prepare-your-openwifi-gateway). You can do that by either editing [owgw.env](../owgw.env) or doing the changes directly in your OWGW configuration file if it is exposed on your Docker host.
+3. Switch into the project directory with `cd docker-compose/owls`.
+4. Add an entry for `openwifi-owls.wlan.local` in your hosts file which points to `127.0.0.1` or whatever the IP of the host running the OWLS deployment is.
+5. Create an alias `alias dcowls='docker-compose -f docker-compose.lb.letsencrypt.yml`.
+6. Change SDKHOSTNAME in .env to the desired externally reachable host name. This name must resolve to the IP of the host. ie. SDKHOSTNAME=owls.example.com
+7. Change in owls-ui.env: `REACT_APP_UCENTRALSEC_URL=https://owls.example.com:16001`
+8. Change SYSTEM_URI_PUBLIC in owsec.env, owfms.env and owls.env.
+ie. for owls.env: `SYSTEM_URI_PUBLIC=https://owls.example.com:16007 SYSTEM_URI_UI=https://owls.example.com`. Make sure you maintain the correct port for each service in SYSTEM_URI_PUBLIC.
+9. Make sure the following ports are open: 80, 443, 16001, 16004, 16007 (80 is required by the initial Let's Encrypt challenge.)
+10. Spin up the deployment with `dcowls up -d`.
+11. Check if the containers are up and running with `dcowls ps`.
+12. Login to the UI by visiting ie. https://owls.example.com and follow the instructions to change your default password.
+13. In the Simulation tab, click on the + sign on the right side to add a load simulation.
+14. Fill out the required fields. MAC prefix is used for the MAC addresses of the simulated devices, so you can use any six-digit hexadecimal number. Specify the remote address of your OpenWifi gateway in the Gateway field, for example `https://gw.sdk.example.com:15002`. Adapt the rest of the settings according to your needs.
+15. Click on the floppy disk icon to save your load simulation. You can run it by clicking the play symbol in the table view.

docker-compose/owls/docker-compose.lb.letsencrypt.yml

@@ -0,0 +1,136 @@
+volumes:
+  kafka_data:
+    driver: local
+
+networks:
+  owls:
+
+services:
+  owsec:
+    image: "tip-tip-wlan-cloud-ucentral.jfrog.io/owsec:${OWSEC_TAG}"
+    networks:
+      owls:
+        aliases:
+          - ${INTERNAL_OWSEC_HOSTNAME}
+    env_file:
+      - owsec.env
+    depends_on:
+      init-kafka:
+        condition: service_completed_successfully
+    restart: unless-stopped
+    volumes:
+      - "./owsec_data:${OWSEC_ROOT}"
+      - "../certs:/${OWSEC_ROOT}/certs"
+
+  owfms:
+    image: "tip-tip-wlan-cloud-ucentral.jfrog.io/owfms:${OWFMS_TAG}"
+    networks:
+      owls:
+        aliases:
+          - ${INTERNAL_OWFMS_HOSTNAME}
+    env_file:
+      - owfms.env
+    depends_on:
+      init-kafka:
+        condition: service_completed_successfully
+    restart: unless-stopped
+    volumes:
+      - "./owfms_data:${OWFMS_ROOT}"
+      - "../certs:/${OWFMS_ROOT}/certs"
+
+  owls:
+    image: "tip-tip-wlan-cloud-ucentral.jfrog.io/owls:${OWLS_TAG}"
+    networks:
+      owls:
+        aliases:
+          - ${INTERNAL_OWLS_HOSTNAME}
+    env_file:
+      - owls.env
+    depends_on:
+      owsec:
+        condition: service_started
+      init-kafka:
+        condition: service_completed_successfully
+    restart: unless-stopped
+    volumes:
+      - "./owls_data:${OWLS_ROOT}"
+      - "../certs:/${OWLS_ROOT}/certs"
+
+  owls-ui:
+    image: "tip-tip-wlan-cloud-ucentral.jfrog.io/owls-ui:${OWLSUI_TAG}"
+    networks:
+      owls:
+        aliases:
+          - ${INTERNAL_OWLSUI_HOSTNAME}
+    env_file:
+      - owls-ui.env
+    depends_on:
+      - owsec
+      - owfms
+      - owls
+    restart: unless-stopped
+    volumes:
+      - "./owls-ui/default.conf:/etc/nginx/conf.d/default.conf"
+      - "../certs/restapi-cert.pem:/etc/nginx/restapi-cert.pem"
+      - "../certs/restapi-key.pem:/etc/nginx/restapi-key.pem"
+
+  traefik:
+    image: "traefik:${TRAEFIK_TAG}"
+    networks:
+      owls:
+    env_file:
+      - traefik.env
+    depends_on:
+      - owsec
+      - owfms
+      - owls
+      - owls-ui
+    restart: unless-stopped
+    volumes:
+      - "./traefik/openwifi_letsencrypt.yaml:/etc/traefik/openwifi.yaml"
+      - "../certs/restapi-ca.pem:/certs/restapi-ca.pem"
+      - "./letsencrypt_certs:/letsencrypt"
+    entrypoint:
+      - /bin/sh
+      - -c
+      - |
+        timeout 10m sh -c 'until [[ "$$(getent hosts $SDKHOSTNAME)" ]]; do echo "Waiting until DNS record for $SDKHOSTNAME is resolvable"; sleep 5; done' \
+        && ./entrypoint.sh traefik
+    ports:
+      - "80:80"
+      - "443:443"
+      - "8080:8080"
+      - "16001:16001"
+      - "16004:16004"
+      - "16007:16007"
+
+  kafka:
+    image: "docker.io/bitnamilegacy/kafka:${KAFKA_TAG}"
+    networks:
+      owls:
+    env_file:
+      - kafka.env
+    restart: unless-stopped
+    volumes:
+      - kafka_data:/bitnami/kafka
+
+  init-kafka:
+    image: "docker.io/bitnamilegacy/kafka:${KAFKA_TAG}"
+    networks:
+      owls:
+    depends_on:
+      - kafka
+    env_file:
+      - kafka.env
+    entrypoint:
+      - /bin/sh
+      - -c
+      - |
+        echo "Sleeping to allow kafka to start up..."
+        sleep 10
+        echo "Creating all required Kafka topics..."
+        for topic in $$TOPICS; do
+          /opt/bitnami/kafka/bin/kafka-topics.sh \
+          --create --if-not-exists --topic $$topic --replication-factor 1 \
+          --partitions 1 --bootstrap-server kafka:9092
+        done && echo "Successfully created Kafka topics, exiting." && exit 0

docker-compose/owls/docker-compose.yml

@@ -25,6 +25,25 @@ services:
       - "16001:16001"
       - "16101:16101"
 
+  owfms:
+    image: "tip-tip-wlan-cloud-ucentral.jfrog.io/owfms:${OWFMS_TAG}"
+    networks:
+      owls:
+        aliases:
+          - ${INTERNAL_OWFMS_HOSTNAME}
+    env_file:
+      - owfms.env
+    depends_on:
+      init-kafka:
+        condition: service_completed_successfully
+    restart: unless-stopped
+    volumes:
+      - "./owfms_data:${OWFMS_ROOT}"
+      - "../certs:/${OWFMS_ROOT}/certs"
+    ports:
+      - "16004:16004"
+      - "16104:16104"
+
   owls:
     image: "tip-tip-wlan-cloud-ucentral.jfrog.io/owls:${OWLS_TAG}"
     networks:
@@ -55,6 +74,7 @@ services:
     depends_on:
       - owsec
       - owls
+      - owfms
     restart: unless-stopped
     volumes:
       - "./owls-ui/default.conf:/etc/nginx/conf.d/default.conf"
@@ -65,7 +85,7 @@ services:
       - "443:443"
 
   kafka:
-    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
+    image: "docker.io/bitnamilegacy/kafka:${KAFKA_TAG}"
     networks:
       owls:
     env_file:
@@ -75,7 +95,7 @@ services:
       - kafka_data:/bitnami/kafka
 
   init-kafka:
-    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
+    image: "docker.io/bitnamilegacy/kafka:${KAFKA_TAG}"
     networks:
       owls:
     depends_on:

docker-compose/owls/environments/create_tip_deploy.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# Create a deploy directory for a particular environment.
+# Only support the letsencrypt setup here!
+# Optionally copy it over.
+
+set -e
+USAGE="$0 environment"
+
+env="$1"
+if [ -z "$env" ] ; then
+    echo $USAGE
+    exit 1
+fi
+dir="$env"
+dhost=""
+if [[ "$env" == "owls1" ]] ; then
+    hostname="owls1.lab.wlan.tip.build"
+    dhost="tipowlsls"
+    destdir="deploy-owls"
+elif [[ "$env" == "owls2" ]] ; then
+    hostname="owls2.lab.wlan.tip.build"
+    dhost="tipowlsgw"
+    destdir="deploy-owls"
+else
+    echo "Unknown environment: $env"
+    exit 1
+fi
+
+# need newer GNU sed (mac one isn't compatible) [on mac install sed using homebrew]
+sed=$(command -v gsed)
+[ -z "$sed" ] && sed="sed"
+
+set -x
+
+
+echo
+echo "Make sure you have created/updated the device-cert.pem and device-key.pem files!"
+echo
+url="https://$hostname"
+[ -d "$dir" ] || mkdir "$dir"
+cd "$dir"
+mkdir -p owls-ui traefik certs/cas || true
+cp ../../.env ../../*.env .
+cp ../../docker-compose.lb.letsencrypt.yml docker-compose.yml
+cp ../../owls-ui/default-lb.conf owls-ui/default.conf
+cp ../../traefik/* traefik
+cp ../../../certs/cas/* certs/cas 2>/dev/null || true
+cp ../../../certs/*.pem certs
+echo "SDKHOSTNAME=$hostname" >> .env
+$sed -i "s~REACT_APP_UCENTRALSEC_URL=.*~REACT_APP_UCENTRALSEC_URL=$url:16001~" owls-ui.env
+$sed -i "s~SYSTEM_URI_PUBLIC=.*~SYSTEM_URI_PUBLIC=$url:16001~" owsec.env
+$sed -i "s~SYSTEM_URI_UI=.*~SYSTEM_URI_UI=$url~" owsec.env
+$sed -i "s~SYSTEM_URI_PUBLIC=.*~SYSTEM_URI_PUBLIC=$url:16004~" owfms.env
+$sed -i "s~SYSTEM_URI_UI=.*~SYSTEM_URI_UI=$url~" owfms.env
+$sed -i "s~SYSTEM_URI_PUBLIC=.*~SYSTEM_URI_PUBLIC=$url:16007~" owls.env
+$sed -i "s~SYSTEM_URI_UI=.*~SYSTEM_URI_UI=$url~" owls.env
+$sed -i "s~../certs:~./certs:~" docker-compose.yml
+
+
+if [[ -n "$dhost" && -n "$destdir" ]] ; then
+    rsync -avh --progress ./ $dhost:$destdir
+fi

docker-compose/owls/owfms.env

@@ -0,0 +1,43 @@
+RUN_CHOWN=true
+TEMPLATE_CONFIG=true
+SELFSIGNED_CERTS=true
+
+OWFMS_ROOT=/owfms-data
+OWFMS_CONFIG=/owfms-data
+
+#RESTAPI_HOST_ROOTCA=$OWFMS_ROOT/certs/restapi-ca.pem
+#RESTAPI_HOST_PORT=16004
+#RESTAPI_HOST_CERT=$OWFMS_ROOT/certs/restapi-cert.pem
+#RESTAPI_HOST_KEY=$OWFMS_ROOT/certs/restapi-key.pem
+#RESTAPI_HOST_KEY_PASSWORD=mypassword
+#INTERNAL_RESTAPI_HOST_ROOTCA=$OWFMS_ROOT/certs/restapi-ca.pem
+#INTERNAL_RESTAPI_HOST_PORT=17004
+#INTERNAL_RESTAPI_HOST_CERT=$OWFMS_ROOT/certs/restapi-cert.pem
+#INTERNAL_RESTAPI_HOST_KEY=$OWFMS_ROOT/certs/restapi-key.pem
+#INTERNAL_RESTAPI_HOST_KEY_PASSWORD=mypassword
+#SERVICE_KEY=$OWFMS_ROOT/certs/restapi-key.pem
+#SERVICE_KEY_PASSWORD=mypassword
+SYSTEM_DATA=$OWFMS_ROOT/persist
+SYSTEM_URI_PRIVATE=https://owfms.wlan.local:17004
+SYSTEM_URI_PUBLIC=https://openwifi.wlan.local:16004
+SYSTEM_URI_UI=https://openwifi.wlan.local
+#SECURITY_RESTAPI_DISABLE=false
+#S3_BUCKETNAME=ucentral-ap-firmware
+#S3_REGION=us-east-1
+S3_SECRET=b0S6EiR5RLIxoe7Xvz9YXPPdxQCoZ6ze37qunTAI
+S3_KEY=AKIAUG47UZG7R6SRLD7F
+#S3_BUCKET_URI=ucentral-ap-firmware.s3.amazonaws.com
+#KAFKA_ENABLE=true
+KAFKA_BROKERLIST=kafka:9092
+#STORAGE_TYPE=postgresql
+#STORAGE_TYPE_POSTGRESQL_HOST=postgresql
+#STORAGE_TYPE_POSTGRESQL_USERNAME=owfms
+#STORAGE_TYPE_POSTGRESQL_PASSWORD=owfms
+#STORAGE_TYPE_POSTGRESQL_DATABASE=owfms
+#STORAGE_TYPE_POSTGRESQL_PORT=5432
+#STORAGE_TYPE_MYSQL_HOST=localhost
+#STORAGE_TYPE_MYSQL_USERNAME=owfms
+#STORAGE_TYPE_MYSQL_PASSWORD=owfms
+#STORAGE_TYPE_MYSQL_DATABASE=owfms
+#STORAGE_TYPE_MYSQL_PORT=3306
+STORAGE_TYPE=sqlite

docker-compose/owls/owls-ui/default-lb.conf

@@ -0,0 +1,41 @@
+server {
+    listen       80;
+    listen  [::]:80;
+
+    # Disable emitting nginx version
+    server_tokens off;
+
+    #return 301 https://$host$request_uri;
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+
+    # redirect server error pages to the static page /50x.html
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+}
+
+server {
+    listen       443 ssl;
+    listen       [::]:443 ssl;
+
+    # Disable emitting nginx version
+    server_tokens off;
+
+    ssl_certificate     /etc/nginx/restapi-cert.pem;
+    ssl_certificate_key /etc/nginx/restapi-key.pem;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html index.htm;
+    }
+
+    # redirect server error pages to the static page /50x.html
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+    }
+}

docker-compose/owls/traefik.env

@@ -0,0 +1,15 @@
+TRAEFIK_ENTRYPOINTS_OWLSUIHTTP_ADDRESS=:80
+TRAEFIK_ENTRYPOINTS_OWLSUIHTTP_HTTP_REDIRECTIONS_ENTRYPOINT_TO=owlsuihttps
+TRAEFIK_ENTRYPOINTS_OWLSUIHTTPS_ADDRESS=:443
+TRAEFIK_ENTRYPOINTS_OWSECRESTAPI_ADDRESS=:16001
+TRAEFIK_ENTRYPOINTS_OWLSRESTAPI_ADDRESS=:16007
+TRAEFIK_ENTRYPOINTS_OWFMSRESTAPI_ADDRESS=:16004
+TRAEFIK_PROVIDERS_FILE_FILENAME=/etc/traefik/openwifi.yaml
+TRAEFIK_CERTIFICATESRESOLVERS_OPENWIFI_ACME_EMAIL=
+TRAEFIK_CERTIFICATESRESOLVERS_OPENWIFI_ACME_HTTPCHALLENGE=true
+TRAEFIK_CERTIFICATESRESOLVERS_OPENWIFI_ACME_HTTPCHALLENGE_ENTRYPOINT=owlsuihttp
+TRAEFIK_CERTIFICATESRESOLVERS_OPENWIFI_ACME_STORAGE=/letsencrypt/acme.json
+TRAEFIK_SERVERSTRANSPORT_ROOTCAS=/certs/restapi-ca.pem
+SDKHOSTNAME=owls2.lab.wlan.tip.build
+TRAEFIK_LOG=true
+TRAEFIK_LOG_LEVEL=DEBUG

docker-compose/owls/traefik/openwifi_letsencrypt.yaml

@@ -0,0 +1,50 @@
+log:
+  level: DEBUG
+http:
+  services:
+    owls-ui:
+      loadBalancer:
+        servers:
+          - url: "http://owls-ui.wlan.local:80/"
+    owsec-restapi:
+      loadBalancer:
+        servers:
+          - url: "https://owsec.wlan.local:16001/"
+    owfms-restapi:
+      loadBalancer:
+        servers:
+          - url: "https://owfms.wlan.local:16004/"
+    owls-restapi:
+      loadBalancer:
+        servers:
+          - url: "https://owls.wlan.local:16007/"
+
+  routers:
+    owls-ui-http:
+      entryPoints: "owlsuihttp"
+      service: "owls-ui"
+      rule: "Host(`{{ env "SDKHOSTNAME" }}`)"
+    owls-ui-https:
+      entryPoints: "owlsuihttps"
+      service: "owls-ui"
+      rule: "Host(`{{ env "SDKHOSTNAME" }}`)"
+      tls:
+        certResolver: "openwifi"
+    owls-restapi:
+      entryPoints: "owlsrestapi"
+      service: "owls-restapi"
+      rule: "Host(`{{ env "SDKHOSTNAME" }}`)"
+      tls:
+        certResolver: "openwifi"
+    owsec-restapi:
+      entryPoints: "owsecrestapi"
+      service: "owsec-restapi"
+      rule: "Host(`{{ env "SDKHOSTNAME" }}`)"
+      tls:
+        certResolver: "openwifi"
+    owfms-restapi:
+      entryPoints: "owfmsrestapi"
+      service: "owfms-restapi"
+      rule: "Host(`{{env "SDKHOSTNAME"}}`)"
+      tls:
+        certResolver: "openwifi"