templated user/passwd for cassandra

minor refactoring of duplicated healthchecks

README.md

@@ -45,3 +45,129 @@ This repository contains helm charts for various deployment types of the tip wla
  - Run the following command under tip-wlan-helm directory _after_ the components are running:
  	- helm test <RELEASE_NAME> -n default
 	(For more details add --debug flag to the above command) 
+
+
+# Local environment
+
+In `wlan-pki-cert-scripts` repository edit the following files and add/replace strings as specified below:
+
+```
+mqtt-server.cnf:
+
+-commonName_default   = opensync-mqtt-broker.zone1.lab.wlan.tip.build
++commonName_default   = opensync-mqtt-broker.wlan.local
+
+
+openssl-server.cnf:
+-DNS.1  = opensync-redirector.zone1.lab.wlan.tip.build
+-DNS.2  = opensync-controller.zone1.lab.wlan.tip.build
++DNS.1  = opensync-redirector.wlan.local
++DNS.2  = opensync-controller.wlan.local
+ DNS.3  = tip-wlan-postgresql
+-DNS.4  = ftp.example.com
+```
+
+In `wlan-pki-cert-scripts` repository run `./generate_all.sh` to generate CA and certificates, then run `./copy-certs-to-helm.sh <local path to wlan-cloud-helm repo>` in order to copy certificates to helm charts.
+
+Optionally, in order to speedup first and subsequent runs, you may cache some images:
+
+```
+minikube cache add zookeeper:3.5.5
+minikube cache add bitnami/postgresql:11.8.0-debian-10-r58
+minikube cache add postgres:latest
+minikube cache add gcr.io/k8s-minikube/storage-provisioner:v3
+minikube cache add eclipse-mosquitto:latest
+minikube cache add opsfleet/depends-on
+```
+
+These images may occasionally need to be updated with these commands:
+
+```
+minikube cache reload ## reload images from the upstream
+eval $( minikube docker-env )
+for img in $( docker images --format '{{.Repository}}:{{.Tag}}' | egrep 'busybox|alpine|confluentinc/cp-kafka|zookeeper|k8s.gcr.io/pause|nginx/nginx-ingress|bitnami/cassandra|bitnami/postgresql|postgres|bitnami/minideb' ); do
+	minikube cache add $img;
+done
+```
+
+Run minikube:
+
+```minikube start --memory=10g --cpus=4 --driver=virtualbox --extra-config=kubelet.serialize-image-pulls=false --extra-config=kubelet.image-pull-progress-deadline=3m0s --docker-opt=max-concurrent-downloads=10```
+
+Deploy CloudSDK chart:
+
+```helm install tip-wlan tip-wlan -f tip-wlan/resources/environments/dev-local.yaml -n default```
+
+Wait a few minutes, when all pods are in `Running` state, obtain web ui link with `minikube service tip-wlan-wlan-cloud-static-portal -n tip --url`, open in the browser. Importing or trusting certificate might be needed.
+
+Services may be exposed to the local machine and local network with ssh, kubectl or kubefwd port forwarding, needs to be repeated for each service, please examples below:
+
+Kubefwd:
+
+Download latest release from https://github.com/eugenetaranov/kubefwd/releases and run the binary.
+
+Forward to all interfaces:
+
+```
+sudo kubefwd services --namespace tip -l "app.kubernetes.io/name in (nginx-ingress-controller,wlan-portal-service,opensync-gw-cloud,opensync-mqtt-broker)" --allinterfaces --extrahosts wlan-ui-graphql.wlan.local,wlan-ui.wlan.local
+```
+
+Kubectl forwarding:
+```
+kubectl -n tip port-forward --address 0.0.0.0 $(kubectl -n tip get pods -l app=tip-wlan-nginx-ingress-controller -o jsonpath='{.items[0].metadata.name}') 443:443 &
+kubectl -n tip port-forward --address 0.0.0.0 $(kubectl -n tip get pods -l app.kubernetes.io/name=wlan-portal-service -o jsonpath='{.items[0].metadata.name}') 9051:9051 &
+kubectl -n tip port-forward --address 0.0.0.0 $(kubectl -n tip get pods -l app.kubernetes.io/name=opensync-gw-cloud -o jsonpath='{.items[0].metadata.name}') 6643:6643 &
+kubectl -n tip port-forward --address 0.0.0.0 $(kubectl -n tip get pods -l app.kubernetes.io/name=opensync-gw-cloud -o jsonpath='{.items[0].metadata.name}') 6640:6640 &
+kubectl -n tip port-forward --address 0.0.0.0 $(kubectl -n tip get pods -l app.kubernetes.io/name=opensync-mqtt-broker -o jsonpath='{.items[0].metadata.name}') 1883:1883 &
+```
+
+Add certificate to the trust store.
+
+Firefox:
+
+1. Open settings, `Privacy and security`, `View certificates`.
+
+2. Click on `Add Exception...`, enter `https://wlan-ui.wlan.local` into Location field, click on `Get certificate`, check `Permanently store this exception` and click on `Confirm Security Exception`.
+Repeat the step for `https://wlan-ui-graphql.wlan.local`
+
+
+Chrome and other browsers using system certificate store:
+
+1. Save certificate below into the file `wlan-ui-graphql.wlan.local.crt` (it is the one defined at tip-wlan/resources/environments/dev-local.yaml:143):
+
+```
+-----BEGIN CERTIFICATE-----
+MIIFWjCCA0KgAwIBAgIUQNaP/spvRHtBTAKwYRNwbxRfFAswDQYJKoZIhvcNAQEL
+BQAwHTEbMBkGA1UEAwwSd2xhbi11aS53bGFuLmxvY2FsMB4XDTIwMDgyNzIwMjY1
+NloXDTMwMDgyNTIwMjY1NlowHTEbMBkGA1UEAwwSd2xhbi11aS53bGFuLmxvY2Fs
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwRagiDWzCNYBtWwBcK+f
+TkkQmMt+QAgTjYr0KS8DPJCJf6KkPfZHCu3w4LvrxzY9Nmieh2XU834amdJxIuCw
+6IbNo6zskjsyfoO8wFDmlLVWLeg5H9G9doem+WTeKPaEHi3oquzNgt6wLs3mvvOA
+TviTIoc88ELjk4dSR2T4dhh0qKCCj+HdXBA6V/9biru+jV+/kxEQuL2zM39DvVd8
+9ks35zMVUze36lD4ICOnl7hgaTNBi45O9sdLD0YaUmjiFwQltJUdmPKpaAdbvjUO
+nsupnDYjm+Um+9aEpqM4te23efC8N8j1ukexzJrE2GeF/WB/Y1LFIG2wjqVnsPcs
+nFF4Yd9EBRRne1EZeXBu3FELFy6lCOHI146oBcc/Ib617rdTKXqxtv/2NL6/TqFk
+ns/EEjve6kQYzlBZwWHWpZwQfg3mo6NaoFZpTag98Myu5rZoOofTcxXH6pLm5Px1
+OAzgLna9O+2FmA4FjrgHcMY1NIzynZL+DH8fibt1F/v2F2MA+R9vo84vR5ROGNdD
+va2ApevkLcjQg/LwsXv0gTopQ/XIzejh6bdUkOrKSwJzT2C9/e9GQn0gppV8LBuK
+1zQHoROLnA41MCFvQLQHo+Xt8KGw+Ubaly6hOxBZF51L/BbqjkDH9AEFaJLptiEy
+qn1E5v+3whgFS5IZT8IW5uUCAwEAAaOBkTCBjjAdBgNVHQ4EFgQUy2bAUyNPXHS9
+3VTSD+woN7t3q8EwHwYDVR0jBBgwFoAUy2bAUyNPXHS93VTSD+woN7t3q8EwDwYD
+VR0TAQH/BAUwAwEB/zA7BgNVHREENDAyghp3bGFuLXVpLWdyYXBocWwud2xhbi5s
+b2NhbIIOYXBpLndsYW4ubG9jYWyHBMCoAAEwDQYJKoZIhvcNAQELBQADggIBAKH+
+bqJee11n34SYgBDvgoZ8lJLQRwsFnqExcSr/plZ7GVIGFH5/Q2Kyo9VyEiTPwrIs
+KsErC1evH6xt1URfMzp05zVQ0LYM5+ksamRDagAg3M1cm7oKOdms/dqzPe2gZfGJ
+pVdtVW1CHrL0RLTR93h7kgSiBlSEIYMoeKfN5H9AavJ4KryygQs63kkGQ5M9esAp
+u6bB307zyfzgS3tmQsU01rgJfhEHQ/Y+Ak9wDuOgvmfx0TWgAOGbKq6Tu8MKYdej
+Ie7rV1G5Uv7KfgozVX76g2KdnTVBfspSKo3zyrZkckzApvUu9IefHdToe4JMEU0y
+fk7lEU/exzByyNxp+6hdu/ZIg3xb1yA1oVY8NEd1rL1zAViPe351SENEKeJpRanC
+kCL3RAFkbxQ7Ihacjox8belR+gmo8cyFZpj9XaoPlSFScdwz573CT0h97v76A7sw
+yC+CiSp85gWEV5vgBitNJ7R9onjBdsuH2lgEtMD3JNOs8cCSRihYxriwZSqhT7o/
+tcIlcJ84W5m6X6zHJ3GmtuKG3QPNOms0/VVoDTp9qdpL+Ek17uB2A41Npxz3US+l
+6yK+pdQQj7ALzKuRfOyg80XbNw2v4SnpI5qbXFBRum52f86sPemFq1KcuNWe4EVC
+xDG3eKlu+dllUtKx/PN6yflbT5xcGgcdmrwzRaWS
+-----END CERTIFICATE-----
+
+```
+
+2. Double click on it, enter the system admin password, if prompted.

tip-wlan/charts/opensync-gw-cloud/templates/deployment.yaml

@@ -28,138 +28,45 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
-        - name: {{ include "common.name" . }}-mqtt-readiness
-          image: eclipse-mosquitto:latest
-          imagePullPolicy: {{ .Values.global.pullPolicy }}
-          command:
-          - sh
-          - -c
-          - |
-            mosquitto_pub -h {{ $mqtt }} -p 1883 --cafile /certs/cacert.pem --cert /certs/clientcert.pem --key /certs/clientkey.pem --insecure -t "/ap/test" -q 0 -m "CheckingMQTTAliveness"
-            status=$(echo $?)
-            echo mosquitto_pub response of the request = $status
-            counter=0
-            while [ $counter -lt 10 ] && [ $status -ne 0 ]
-            do
-              echo {{ $mqtt }} service isnt ready. Tried $counter times
-              sleep 2
-              counter=`expr $counter + 1`
-              mosquitto_pub -h {{ $mqtt }} -p 1883 --cafile /certs/cacert.pem --cert /certs/clientcert.pem --key /certs/clientkey.pem --insecure -t "/ap/test" -q 0 -m "CheckingMQTTAliveness"
-              status=$(echo $?)
-              echo mosquitto_pub response of the request = $status
-            done
-            if [ $status -eq 0 ]
-            then
-              echo {{ $mqtt }} service is ready!
-            else
-              echo {{ $mqtt }} service failed to respond after 20 secs
-              exit 1
-            fi
-          volumeMounts:
-          - mountPath: /certs/cacert.pem
-            name: certificates
-            subPath: cacert.pem
-          - mountPath: /certs/clientcert.pem
-            name: certificates
-            subPath: clientcert.pem
-          - mountPath: /certs/clientkey.pem
-            name: certificates
-            subPath: clientkey.pem
+      - name: wait-for-services
+        image: opsfleet/depends-on
+        args:
+        - "-service={{ .Release.Name }}-opensync-mqtt-broker"
+        - "-service={{ .Release.Name }}-wlan-prov-service"
+        - "-service={{ .Release.Name }}-wlan-ssc-service"
+        - -check_interval=5
       {{- if .Values.global.integratedDeployment }}
-        - name: {{ include "common.name" . }}-readiness-int-cloud
-          image: alpine
-          imagePullPolicy: {{ .Values.global.pullPolicy }}
-          command:
-          - sh
-          - -c
-          - |
-            if [ {{ $cloudeployment }} = false ]
-            then            
-              echo "151.101.112.249 dl-cdn.alpinelinux.org" >> /etc/hosts
-              echo "Added name-resolution for local deployments"
-            fi
-            apk add curl
-            url=https://{{ $icc }}/ping
-            counter=0
+      - name: {{ include "common.name" . }}-readiness-int-cloud
+        image: alpine
+        imagePullPolicy: {{ .Values.global.pullPolicy }}
+        command:
+        - sh
+        - -c
+        - |
+          if [ {{ $cloudeployment }} = false ]
+          then            
+            echo "151.101.112.249 dl-cdn.alpinelinux.org" >> /etc/hosts
+            echo "Added name-resolution for local deployments"
+          fi
+          apk add curl
+          url=https://{{ $icc }}/ping
+          counter=0
+          status=$(curl --insecure --head --location --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${url});
+          while [ $counter -lt 10 ] && [ $status -ne 200 ] 
+          do
+            echo ${url} service isnt ready. Tried $counter times
+            sleep 5
+            counter=`expr $counter + 1`
             status=$(curl --insecure --head --location --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${url});
-            while [ $counter -lt 10 ] && [ $status -ne 200 ] 
-            do
-              echo ${url} service isnt ready. Tried $counter times
-              sleep 5
-              counter=`expr $counter + 1`
-              status=$(curl --insecure --head --location --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${url});
-              echo Http Response code of ping request = $status
-            done
-            if [ $status -eq 200 ]
-            then
-              echo ${url} service is ready!
-            else
-              echo ${url} service failed to respond after 50 secs
-              exit 1
-            fi 
-      {{- else }}
-        - name: {{ include "common.name" . }}-readiness-prov
-          image: alpine
-          imagePullPolicy: {{ .Values.global.pullPolicy }}
-          command:
-          - sh
-          - -c
-          - |
-            if [ {{ $cloudeployment }} = false ]
-            then          
-              echo "151.101.112.249 dl-cdn.alpinelinux.org" >> /etc/hosts
-              echo "Added name-resolution for local deployments"
-            fi
-            apk add curl
-            url=https://{{ $prov }}/ping
-            counter=0
-            status=$(curl --insecure --head --location --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${url});
-            while [ $counter -lt 10 ] && [ $status -ne 200 ] 
-            do
-              echo ${url} service isnt ready. Tried $counter times
-              sleep 5
-              counter=`expr $counter + 1`
-              status=$(curl --insecure --head --location --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${url});
-              echo Http Response code of ping request = $status
-            done
-            if [ $status -eq 200 ]
-            then
-              echo ${url} service is ready!
-            else
-              echo ${url} service failed to respond after 50 secs
-              exit 1
-            fi
-        - name: {{ include "common.name" . }}-readiness-ssc
-          image: alpine
-          imagePullPolicy: {{ .Values.global.pullPolicy }}
-          command:
-          - sh
-          - -c
-          - |
-            if [ {{ $cloudeployment }} = false ]
-            then          
-              echo "151.101.112.249 dl-cdn.alpinelinux.org" >> /etc/hosts
-              echo "Added name-resolution for local deployments"
-            fi
-            apk add curl
-            url=https://{{ $ssc }}/ping
-            counter=0
-            status=$(curl --insecure --head --location --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${url});
-            while [ $counter -lt 10 ] && [ $status -ne 200 ] 
-            do
-              echo ${url} service isnt ready. Tried $counter times
-              sleep 5
-              counter=`expr $counter + 1`
-              status=$(curl --insecure --head --location --connect-timeout 5 --write-out %{http_code} --silent --output /dev/null ${url});
-              echo Http Response code of ping request = $status
-            done
-            if [ $status -eq 200 ]
-            then
-              echo ${url} service is ready!
-            else
-              echo ${url} service failed to respond after 50 secs
-              exit 1
-            fi        
+            echo Http Response code of ping request = $status
+          done
+          if [ $status -eq 200 ]
+          then
+            echo ${url} service is ready!
+          else
+            echo ${url} service failed to respond after 50 secs
+            exit 1
+          fi 
       {{- end }}
       containers:
         - name: {{ .Chart.Name }}

tip-wlan/charts/opensync-gw-cloud/templates/rbac.yaml

@@ -0,0 +1,24 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: opensync-gw-cloud-depends-on-role
+  namespace: {{ include "common.namespace" . }}
+rules:
+- apiGroups: ["batch", "apps", ""]
+  resources: ["pods", "services", "jobs"]
+  verbs: ["get", "list", "watch"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: opensync-gw-cloud-depends-on-role-binding
+  namespace: {{ include "common.namespace" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "common.serviceAccountName" . }}
+roleRef:
+  kind: Role
+  name: opensync-gw-cloud-depends-on-role
+  apiGroup: rbac.authorization.k8s.io

tip-wlan/charts/opensync-mqtt-broker/templates/statefulset.yaml

@@ -76,13 +76,35 @@ spec:
           readinessProbe:
             tcpSocket:
               port: {{ .Values.service.port1 }}
-            initialDelaySeconds: {{ .Values.probes.readinessProbe.initialDelaySeconds }}
+            initialDelaySeconds: {{ .Values.probes.readinessProbe.initialDelaySeconds }}  
             timeoutSeconds: {{ .Values.probes.readinessProbe.timeoutSeconds }}
             failureThreshold: {{ .Values.probes.readinessProbe.failureThreshold }}
             periodSeconds: {{ .Values.probes.readinessProbe.periodSeconds }}
             successThreshold: {{ .Values.probes.readinessProbe.successThreshold }}
+          startupProbe:
+            exec:
+              command:
+              - ash
+              - -c
+              - >
+                mosquitto_pub -h 127.0.0.1 -p {{ .Values.service.port1 }} 
+                --cafile /certs/cacert.pem
+                --cert /certs/clientcert.pem
+                --key /certs/clientkey.pem
+                --insecure
+                -t "/ap/test"
+                -q 0
+                -m "CheckingMQTTAliveness"
+            failureThreshold: {{ .Values.probes.readinessProbe.failureThreshold }}
+            periodSeconds: {{ .Values.probes.readinessProbe.periodSeconds }}
           {{- end }}
           volumeMounts:
+          - mountPath: /certs/clientcert.pem
+            name: certificates
+            subPath: clientcert.pem
+          - mountPath: /certs/clientkey.pem
+            name: certificates
+            subPath: clientkey.pem
           - mountPath: /certs/cacert.pem
             name: opensync-mqtt-broker-truststore
             subPath: cacert.pem
@@ -127,6 +149,9 @@ spec:
       - name: opensync-mqtt-broker-conf
         configMap:
             name: mosquitto-config
+      - name: certificates
+        secret:
+          secretName: {{ .Release.Name }}-opensync-gw-cloud-certs
       {{- if not .Values.persistence.enabled }}
       - name: db
         emptyDir: {}

tip-wlan/charts/wlan-prov-service/resources/config/datasource.properties

@@ -1,11 +0,0 @@
-singleDataSource.url=jdbc:postgresql://tip-wlan-postgresql:5432/prov_db
-singleDataSource.username=DUMMY_POSTGRES_TIP_USER
-singleDataSource.password=DUMMY_POSTGRES_TIP_PASSWORD
-singleDataSource.driverClass=org.postgresql.Driver
-singleDataSource.ssl=true
-singleDataSource.sslmode=verify-ca
-singleDataSource.sslcert=/opt/tip-wlan/certs/postgresclientcert.pem
-singleDataSource.sslfactory=org.postgresql.ssl.LibPQFactory
-singleDataSource.sslkey=/opt/tip-wlan/certs/postgresclient.p12
-singleDataSource.sslrootcert=/opt/tip-wlan/certs/cacert.pem
-singleDataSource.sslkeypassword=DUMMY_SSL_KEY_PASSWORD

tip-wlan/charts/wlan-prov-service/templates/configmap.yaml

@@ -4,4 +4,16 @@ metadata:
   name: {{ include "common.fullname" . }}-log-config
   namespace: {{ include "common.namespace" . }}
 data:
+  datasource.properties: |-
+    singleDataSource.url=jdbc:postgresql://tip-wlan-postgresql:5432/prov_db
+    singleDataSource.username={{ .Values.creds.postgres.singleDataSourceUsername }}
+    singleDataSource.password={{ .Values.creds.postgres.singleDataSourcePassword }}
+    singleDataSource.driverClass=org.postgresql.Driver
+    singleDataSource.ssl=true
+    singleDataSource.sslmode=verify-ca
+    singleDataSource.sslcert=/opt/tip-wlan/certs/postgresclientcert.pem
+    singleDataSource.sslfactory=org.postgresql.ssl.LibPQFactory
+    singleDataSource.sslkey=/opt/tip-wlan/certs/postgresclient.p12
+    singleDataSource.sslrootcert=/opt/tip-wlan/certs/cacert.pem
+    singleDataSource.sslkeypassword=DUMMY_PASSWORD
 {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}

tip-wlan/charts/wlan-prov-service/templates/deployment.yaml

@@ -24,10 +24,11 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       initContainers:
-        - name: {{ include "common.name" . }}-readiness
-          image: busybox:1.28
-          imagePullPolicy: {{ .Values.global.pullPolicy }}
-          command: ['sh', '-c', "until nslookup {{ $pg }}.{{ $ns }}.svc.cluster.local; do echo waiting for POSTGRES; sleep 2; done"]
+        - name: wait-for-services
+          image: opsfleet/depends-on
+          args:
+          - "-service={{ $pg }}"
+          - -check_interval=5
         - name: {{ include "common.name" . }}-create-db-schema
           env:
           - name: POSTGRESQL_PORT_NUMBER

tip-wlan/charts/wlan-prov-service/templates/rbac.yaml

@@ -0,0 +1,24 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: wlan-prov-service-depends-on-role
+  namespace: {{ include "common.namespace" . }}
+rules:
+- apiGroups: ["batch", "apps", ""]
+  resources: ["pods", "services", "jobs"]
+  verbs: ["get", "list", "watch"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: wlan-prov-service-depends-on-role-binding
+  namespace: {{ include "common.namespace" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "common.serviceAccountName" . }}
+roleRef:
+  kind: Role
+  name: wlan-prov-service-depends-on-role
+  apiGroup: rbac.authorization.k8s.io

tip-wlan/charts/wlan-ssc-service/resources/config/cassandra-application.conf

@@ -1,27 +0,0 @@
-# The options in this file are overrides for the default configuration.
-# They can also be overridden by the java system properties using -Dproperty=value
-#
-# For more details see https://docs.datastax.com/en/developer/java-driver/4.7/manual/core/configuration/reference/
-#
-datastax-java-driver {
-    basic {
-        contact-points = [ "tip-wlan-cassandra-headless:9042" ]
-        load-balancing-policy.local-datacenter = datacenter1
-        session-keyspace = tip_wlan_keyspace
-    }
-  
-    advanced.ssl-engine-factory {
-        class = DefaultSslEngineFactory    
-        hostname-validation = false
-        truststore-path = /opt/tip-wlan/certs/truststore.jks
-        truststore-password = DUMMY_PASSWORD
-        keystore-path = /opt/tip-wlan/certs/cassandra_server_keystore.jks
-        keystore-password = DUMMY_PASSWORD
-    }
-    
-    advanced.auth-provider {
-        class = PlainTextAuthProvider
-        username = DUMMY_TIP_USER
-        password = DUMMY_TIP_PASSWORD
-    }
-}

tip-wlan/charts/wlan-ssc-service/templates/configmap.yaml

@@ -4,4 +4,30 @@ metadata:
   name: {{ include "common.fullname" . }}-ssc-config
   namespace: {{ include "common.namespace" . }}
 data:
+  cassandra-application.conf: |-
+    # The options in this file are overrides for the default configuration.
+    # They can also be overridden by the java system properties using -Dproperty=value
+    # For more details see https://docs.datastax.com/en/developer/java-driver/4.7/manual/core/configuration/reference/
+    datastax-java-driver {
+      basic {
+        contact-points = [ "tip-wlan-cassandra-headless:9042" ]
+        load-balancing-policy.local-datacenter = datacenter1
+        session-keyspace = tip_wlan_keyspace
+      }
+
+      advanced.ssl-engine-factory {
+        class = DefaultSslEngineFactory    
+        hostname-validation = false
+        truststore-path = /opt/tip-wlan/certs/truststore.jks
+        truststore-password = {{ .Values.creds.sslTruststorePassword }}
+        keystore-path = /opt/tip-wlan/certs/cassandra_server_keystore.jks
+        keystore-password = {{ .Values.creds.sslKeystorePassword }}
+      }
+
+      advanced.auth-provider {
+        class = PlainTextAuthProvider
+        username = {{ .Values.creds.cassandra.tip_user }}
+        password = {{ .Values.creds.cassandra.tip_password }}
+      }
+    }
 {{ tpl (.Files.Glob "resources/config/*").AsConfig . | indent 2 }}

tip-wlan/resources/environments/dev-local.yaml

@@ -0,0 +1,179 @@
+# This is a development override file.
+# It overrides the default Tip-Wlan parent chart behaviour
+#
+# It can be tweaked, based on the need to support different
+# dev environments.
+# This file expects to have a GlusterFS storage solution running
+# before "helm install" is performed. 
+#################################################################
+# Global configuration overrides.
+#
+# These overrides will affect all helm charts (ie. applications)
+# that are listed below and are 'enabled'.
+#################################################################
+global:
+  # Change to an unused port prefix range to prevent port conflicts
+  # with other instances running within the same k8s cluster
+  nodePortPrefix: 302
+  nsPrefix: tip
+  # image pull policy
+  pullPolicy: Always
+
+  repository: tip-tip-wlan-cloud-docker-repo.jfrog.io
+  # override default mount path root directory
+  # referenced by persistent volumes and log files
+  persistence:
+
+  # flag to enable debugging - application support required
+  debugEnabled: true
+
+# Annotations for namespace
+annotations: {
+    "helm.sh/resource-policy": keep
+}
+
+# createReleaseNamespace: false
+
+# Docker registry secret
+dockerRegistrySecret: ewoJImF1dGhzIjogewoJCSJ0aXAtdGlwLXdsYW4tY2xvdWQtZG9ja2VyLXJlcG8uamZyb2cuaW8iOiB7CgkJCSJhdXRoIjogImRHbHdMWEpsWVdRNmRHbHdMWEpsWVdRPSIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTkuMDMuOCAobGludXgpIgoJfQp9
+#################################################################
+# Enable/disable and configure helm charts (ie. applications)
+# to customize the TIP-WLAN deployment.
+#################################################################
+opensync-gw-static:
+  enabled: false
+opensync-gw-cloud:
+  enabled: true
+  externalhostaddress:
+    ovsdb: opensync-controller.wlan.local
+    mqtt: opensync-mqtt-broker.wlan.local
+  persistence:
+    enabled: true
+  filestore:
+    url: "https://wlan-filestore.wlan.local"
+opensync-mqtt-broker:
+  enabled: true
+  replicaCount: 1
+  persistence:
+    enabled: true
+    storageClass: standard
+wlan-cloud-graphql-gw:
+  enabled: true
+  env:
+    portalsvc: tip-wlan-wlan-portal-service:9051
+  ingress:
+    hosts:
+      - host: wlan-ui-graphql.wlan.local
+        paths: [
+           /
+          ]
+    tls:
+    - hosts:
+      - wlan-ui-graphql.wlan.local
+      secretName: nginx-ingress-controller-default-server-secret
+wlan-cloud-static-portal:
+  enabled: true
+  env:
+    graphql: https://wlan-ui-graphql.wlan.local
+  service:
+    # type: LoadBalancer
+    type: NodePort
+  ingress:
+    hosts:
+      - host: wlan-ui.wlan.local
+        paths: [
+           /
+          ]
+    tls:
+    - hosts:
+      - wlan-ui.wlan.local
+      secretName: nginx-ingress-controller-default-server-secret
+wlan-portal-service:
+  enabled: true
+  persistence:
+    enabled: true
+    storageClass: standard
+    filestoreSize: 1Gi
+wlan-prov-service:
+  enabled: true
+  creds:
+    enabled: true
+    db:
+      postgresUser:
+        password: postgres
+      tipUser:
+        password: tip_password
+    schema_repo:
+      username: tip-read
+      password: tip-read
+    postgres:
+      singleDataSourceUsername: tip_user
+      singleDataSourcePassword: tip_password
+wlan-ssc-service:
+  enabled: true
+  creds:
+    sslKeyPassword: mypassword
+    sslKeystorePassword: mypassword
+    sslTruststorePassword: mypassword
+    cassandra:
+      tip_user: tip_user
+      tip_password: tip_password 
+    schema_repo:
+      username: tip-read
+      password: tip-read
+wlan-spc-service:
+  enabled: true
+  creds:
+    sslKeyPassword: mypassword
+    sslKeystorePassword: mypassword
+    sslTruststorePassword: mypassword
+nginx-ingress-controller:
+  enabled: true
+  controller:
+    service:
+      type: LoadBalancer
+    config:
+      externalStatusAddress: "api.wlan.local"
+    defaultTLS:
+      cert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZXakNDQTBLZ0F3SUJBZ0lVUU5hUC9zcHZSSHRCVEFLd1lSTndieFJmRkFzd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0hURWJNQmtHQTFVRUF3d1NkMnhoYmkxMWFTNTNiR0Z1TG14dlkyRnNNQjRYRFRJd01EZ3lOekl3TWpZMQpObG9YRFRNd01EZ3lOVEl3TWpZMU5sb3dIVEViTUJrR0ExVUVBd3dTZDJ4aGJpMTFhUzUzYkdGdUxteHZZMkZzCk1JSUNJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0NBZ0VBd1JhZ2lEV3pDTllCdFd3QmNLK2YKVGtrUW1NdCtRQWdUallyMEtTOERQSkNKZjZLa1BmWkhDdTN3NEx2cnh6WTlObWllaDJYVTgzNGFtZEp4SXVDdwo2SWJObzZ6c2tqc3lmb084d0ZEbWxMVldMZWc1SDlHOWRvZW0rV1RlS1BhRUhpM29xdXpOZ3Q2d0xzM212dk9BClR2aVRJb2M4OEVMams0ZFNSMlQ0ZGhoMHFLQ0NqK0hkWEJBNlYvOWJpcnUralYrL2t4RVF1TDJ6TTM5RHZWZDgKOWtzMzV6TVZVemUzNmxENElDT25sN2hnYVROQmk0NU85c2RMRDBZYVVtamlGd1FsdEpVZG1QS3BhQWRidmpVTwpuc3VwbkRZam0rVW0rOWFFcHFNNHRlMjNlZkM4TjhqMXVrZXh6SnJFMkdlRi9XQi9ZMUxGSUcyd2pxVm5zUGNzCm5GRjRZZDlFQlJSbmUxRVplWEJ1M0ZFTEZ5NmxDT0hJMTQ2b0JjYy9JYjYxN3JkVEtYcXh0di8yTkw2L1RxRmsKbnMvRUVqdmU2a1FZemxCWndXSFdwWndRZmczbW82TmFvRlpwVGFnOThNeXU1clpvT29mVGN4WEg2cExtNVB4MQpPQXpnTG5hOU8rMkZtQTRGanJnSGNNWTFOSXp5blpMK0RIOGZpYnQxRi92MkYyTUErUjl2bzg0dlI1Uk9HTmRECnZhMkFwZXZrTGNqUWcvTHdzWHYwZ1RvcFEvWEl6ZWpoNmJkVWtPcktTd0p6VDJDOS9lOUdRbjBncHBWOExCdUsKMXpRSG9ST0xuQTQxTUNGdlFMUUhvK1h0OEtHdytVYmFseTZoT3hCWkY1MUwvQmJxamtESDlBRUZhSkxwdGlFeQpxbjFFNXYrM3doZ0ZTNUlaVDhJVzV1VUNBd0VBQWFPQmtUQ0JqakFkQmdOVkhRNEVGZ1FVeTJiQVV5TlBYSFM5CjNWVFNEK3dvTjd0M3E4RXdId1lEVlIwakJCZ3dGb0FVeTJiQVV5TlBYSFM5M1ZUU0Qrd29ON3QzcThFd0R3WUQKVlIwVEFRSC9CQVV3QXdFQi96QTdCZ05WSFJFRU5EQXlnaHAzYkdGdUxYVnBMV2R5WVhCb2NXd3VkMnhoYmk1cwpiMk5oYklJT1lYQnBMbmRzWVc0dWJHOWpZV3lIQk1Db0FBRXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnSUJBS0grCmJxSmVlMTFuMzRTWWdCRHZnb1o4bEpMUVJ3c0ZucUV4Y1NyL3BsWjdHVklHRkg1L1EyS3lvOVZ5RWlUUHdySXMKS3NFckMxZXZINnh0MVVSZk16cDA1elZRMExZTTUra3NhbVJEYWdBZzNNMWNtN29LT2Rtcy9kcXpQZTJnWmZHSgpwVmR0VlcxQ0hyTDBSTFRSOTNoN2tnU2lCbFNFSVlNb2VLZk41SDlBYXZKNEtyeXlnUXM2M2trR1E1TTllc0FwCnU2YkIzMDd6eWZ6Z1MzdG1Rc1UwMXJnSmZoRUhRL1krQWs5d0R1T2d2bWZ4MFRXZ0FPR2JLcTZUdThNS1lkZWoKSWU3clYxRzVVdjdLZmdvelZYNzZnMktkblRWQmZzcFNLbzN6eXJaa2NrekFwdlV1OUllZkhkVG9lNEpNRVUweQpmazdsRVUvZXh6Qnl5TnhwKzZoZHUvWklnM3hiMXlBMW9WWThORWQxckwxekFWaVBlMzUxU0VORUtlSnBSYW5DCmtDTDNSQUZrYnhRN0loYWNqb3g4YmVsUitnbW84Y3lGWnBqOVhhb1BsU0ZTY2R3ejU3M0NUMGg5N3Y3NkE3c3cKeUMrQ2lTcDg1Z1dFVjV2Z0JpdE5KN1I5b25qQmRzdUgybGdFdE1EM0pOT3M4Y0NTUmloWXhyaXdaU3FoVDdvLwp0Y0lsY0o4NFc1bTZYNnpISjNHbXR1S0czUVBOT21zMC9WVm9EVHA5cWRwTCtFazE3dUIyQTQxTnB4ejNVUytsCjZ5SytwZFFRajdBTHpLdVJmT3lnODBYYk53MnY0U25wSTVxYlhGQlJ1bTUyZjg2c1BlbUZxMUtjdU5XZTRFVkMKeERHM2VLbHUrZGxsVXRLeC9QTjZ5ZmxiVDV4Y0dnY2Rtcnd6UmFXUwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
+      key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRUUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Nzd2dna25BZ0VBQW9JQ0FRREJGcUNJTmJNSTFnRzEKYkFGd3I1OU9TUkNZeTM1QUNCT05pdlFwTHdNOGtJbC9vcVE5OWtjSzdmRGd1K3ZITmowMmFKNkhaZFR6ZmhxWgowbkVpNExEb2hzMmpyT3lTT3pKK2c3ekFVT2FVdFZZdDZEa2YwYjEyaDZiNVpONG85b1FlTGVpcTdNMkMzckF1CnplYSs4NEJPK0pNaWh6endRdU9UaDFKSFpQaDJHSFNvb0lLUDRkMWNFRHBYLzF1S3U3Nk5YNytURVJDNHZiTXoKZjBPOVYzejJTemZuTXhWVE43ZnFVUGdnSTZlWHVHQnBNMEdMams3Mngwc1BSaHBTYU9JWEJDVzBsUjJZOHFsbwpCMXUrTlE2ZXk2bWNOaU9iNVNiNzFvU21vemkxN2JkNThMdzN5UFc2UjdITW1zVFlaNFg5WUg5alVzVWdiYkNPCnBXZXc5eXljVVhoaDMwUUZGR2Q3VVJsNWNHN2NVUXNYTHFVSTRjalhqcWdGeHo4aHZyWHV0MU1wZXJHMi8vWTAKdnI5T29XU2V6OFFTTzk3cVJCak9VRm5CWWRhbG5CQitEZWFqbzFxZ1ZtbE5xRDN3eks3bXRtZzZoOU56RmNmcQprdWJrL0hVNERPQXVkcjA3N1lXWURnV091QWR3eGpVMGpQS2RrdjRNZngrSnUzVVgrL1lYWXdENUgyK2p6aTlICmxFNFkxME85cllDbDYrUXR5TkNEOHZDeGUvU0JPaWxEOWNqTjZPSHB0MVNRNnNwTEFuTlBZTDM5NzBaQ2ZTQ20KbFh3c0c0clhOQWVoRTR1Y0RqVXdJVzlBdEFlajVlM3dvYkQ1UnRxWExxRTdFRmtYblV2OEZ1cU9RTWYwQVFWbwprdW0ySVRLcWZVVG0vN2ZDR0FWTGtobFB3aGJtNVFJREFRQUJBb0lDQUMyR2hEc1pUaWtiTERQMlR6Q2VkOVVoCmJRUlpsbDdLaUxHcXZYNm9VdjhJcFNLdTJrS3h1blpkTzVvQk5NbzNnNTg4YzRSQkFrQ1d6dmJObzFjeDJ3UTQKSkd3ZTdYaGM5TDdYbUwxUFZjNWlJdnVYOFVBTFY3eUdwMXZONklPSC9BYVJsSFlZZHl3UURVSTcwZGZiMmJqRQo2d3dORHRVbk1Ea3NncjNLbExwamNiNEFla2dxWE9MRUFMMld1Nkt1T1hOankrdUU3b2hnVWN3bWlYWXZGb3VMCm1KYXVlS3l5U202NHdJZnpZQ1JwbUhHMVlCTGpic0xJb20zcmZYRkl3V1hqMkhBSGFIOFRWOVhyUmpwR2tEZm8KbFFqN3l0R0s2ZkllMWcva0ZBN3hDWDE2d1NYMS85bjM1WGYwVmMwZ08zdE9NVHJkM1JTVVNEaVp6eVR1WWxuZwpETEdmYXZjRS82QXJ5cTlWZ3hyUXdXbnZhd0hIcWxBWUtxVHpJYkRJS0Y3SjRYTE9FckFtRE50T1I2Lzc1WjJ3CnVPQlFYT0N3NFM1dWxWdzhIZUM0NGlFTmxJYU5lNDNWTkZUTGtRM3lCeW96VVlYWTN2eEJXMWpURFpFOTB5YTUKZzk4cmFiYWhIS0lockpGYzNXYTE0RWhicUE2TVVLSXRRTkk4K1N1Rk1KV3R4VW1iM1cxK2dHbXJvTmo1TU9kYQpzdjV5OThTYS93UUc4dGc0cmdNQ0xpQVNHL3hudDB3RURrNXFDVUUxRzRSdkdOeUYxU09zNk82c1BTOTg4Umd4CnJuamQvWWZoME5xVnhHcHFGNnhpQVgvZXkyU0NGUWNybEtmNnhGREF4YjI4RTdaNnRQSUZCTWxpQ1IrbzdYR3MKZDNvUWVuMThCalM1NjdtR2ZmNkJBb0lCQVFEanFFcHZqOVhJVVB3bk1RZitRY3R0R1pXZEp2bFZSa1BSMW9maApSVWI2UHdFRkEwdVQyM011ZmFvNGI4bWIrM2Vra1BkYTZmbWJqUGFUckQrbk5YNGxyRE5oYytvcVY4aFVEQnA0CmpVcEg3OXorTVNUZVVQclpnS3VMeEdqaDJiK0FWYVZjZTI2STVYUXVoUnR6ZHFYZDlIeSs4YXpYRTltbHlPQ00KMUpEK2VHZWxhaVJMbEZBbVRDNDNoNlV5T0Q5SmZOSW1oWDQ2WDJRRlFsbGc1cWxVdWQ4Ukx3eFViZTJoYzhTWQp4VnVvYVZSSUdBSmhqRkd3ZVhnRjdzc0tQNXBZMHRkTlNvSGsxeHRnUmVJTlllZFU1cmtpKzloZTN0cStqWUdJCmxVcVVzYzNzN3c4cUk1UXk5NGdmcUI5Lzd4K3BFdGEvak9leE4yL1pGOFJGSXVucEFvSUJBUURaSUpUaUUxKzkKc2xnQ0NGVllLR3Z5aE5odkppck94enlOUWU3YjIvZmxQNzVHd0pTTWpZZTdoTmhGK3JrZHRJcXF5dWxyeGF3YgpPbWliU0FCSG5kT20ycDRMdDhaK20vQXZaRUgzVklLdWkwY0xVbTlKRXNsWURVcFIrdG5BemloNzdrS2FlVzlnCk1wdlpiUzZGdXE2ZlBZQUJyK3dXeU1IazR0UnRNZ3duUFRtSzZQTW85b3FIUURTSVJjL3N0N2hBTUwwMDdtNlEKOTJkRXRqNTNtSTBURTRISVhtY3hZbjV5NGVJLy85aEFMb2xFa0ZHWDU0SmNMdWpDWWkwQ3RIU0xDcnNmQkJwZgpDS2NaMk5sWFNiYVREU1prZWhnQWFWTlM2OVp1K1o2eGFvNmZZMjVxSnNmeXlaUkNjSzJYY0FoUDV2QWNUbWhQClNKUFJZc1dSNXZ1ZEFvSUJBRmtRRXFiWWg1TkprNHdsazNIMS9ZYWVGcmtYY1QzYU1sZ2FiS2hGdVFIWHVpZGkKNWFOZm5BMFpIb25idWV6ckVTQnhra09mKzRYT1BQMEN5eGc0UmpTb3pLVVlld2k3dE9Ta280cDhCQTVtbVhkYwpkSWNBK1ZJMEUyaW5tenlZT21JVG41Q3h2VW1UTXNPc1VWUDNtK1pjYXAwczRTaDNYSk9PSmNNU3VmTEQyaENOCm1NdDBwM0tFSlNTV1RadDdBODlWSk1YclBibktiYy9jNkNpUHRMa3Z5a1BudXhRZ3VYR0xYK05BZXA1RkxyTFIKcWNUTjUzdDUyZW5BUlBDcWQxQytrM3BxWnF6SE5xK1FSMkppNWVTQ0t2V3p2eTlHVWg5d0xyZm5aL2tLSW56SgovWTNIdzRlNDdTa3RWYjF3S0Z1MXdndklMVEJZZHNwZ2tPbFhRbGtDZ2dFQUtKYVJuazFXMldRc1ZYenZUMEtICkkxZTRDZGNOcTRmTkJ1N3JVc2drNkFMcGM5cHVLblFPaW54RDNaa0gzOGl2SDB3OUpEdFlkK0tNU1hMRk1wNEwKUWFhZVlyeGc2NndFMHljZnViZGZrbmRRdVlvWWFZV01nOXhBSjJFSU1hV1lKY3FkUXJrdW04SDZKa1BsclhQLwpUcDgxZlp0QU8rWWRjTWNDUk1OVlNFU0dyRFB0dUp1VnU4REIwVE9Uc2NHS1BOMmZrUFI5VUxZZTVOWllpUXpJCldtZU1IRU9oY0xiandsLzlaazlTUW5Vd2pkT1luUmZXNDVxVlFqa09CdkpxMHM4WHVhMlBySEkyb250SjdhcEcKNmVoTVkvMzYzS0RUeGExMmNWcFNVd0lEVlVKR0VxdmJOc1I5NVltZ3VhMWtzR01RUVlwYXIyOTJ5bTUzVmxYaQpkUUtDQVFCTUFYS0RaNVZobHBRR1VlUk1FNVhqVm1KOE1WdlZTUzV3NzBGOC9CS0ZnZFBJNnR2Nkx5UGh3OTRPCmxZVldoOXJmdUpmbWllK1ZJSWhaeSthUVNpVVhGQUtTdjZFTWJ1bXdjN1pUNEkyYitDTXQxUEhaTEZtUEN0OXAKOEorUDdoaDlRYWRBYzZqZEdSa0NMNkpMU3VoeWhMbW90SG9IS0ZJazdhNENNZGl2QnB3SVdxMWVScHd0aWRrNwpIdytrdlJ5YW5DMUJVU1dYNGxJcW1LanAyR1B2UDVVdVV2RUlPNitqaWFyWTJDTUNKb3BtcVJ2WWQzNGtSVkF1CjZueFl4a05neEFQSnVWN2tkZVVzQXg5Q1FZcFQ1blFmendtdlVGa0FraHJoTmw5dUJRUDhMdkZORFQ0cWU0bFcKUWw0cXRFZFNiZDVxVWVVdkgzOG5JMmpTVDVMawotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==
+zookeeper:
+  enabled: true
+  replicaCount: 1
+  persistence:
+    enabled: true
+    storageClass: standard
+kafka:
+  enabled: true
+  replicaCount: 1
+  persistence:
+    enabled: true
+    storageClass: standard
+cassandra:
+  enabled: true
+  image:
+    debug: true
+  cluster:
+    replicaCount: 1
+    seedCount: 1
+  persistence:
+    enabled: true
+    storageClass: standard
+postgresql:
+  enabled: true
+  postgresqlPassword: postgres
+## NOTE: If we are using glusterfs as Storage class, we don't really need 
+## replication turned on, since the data is anyway replicated on glusterfs nodes
+## Replication is useful: 
+## a. When we use HostPath as storage mechanism
+## b. If master goes down and one of the slave is promoted as master
+  replication:
+    enabled: true
+    slaveReplicas: 1
+  persistence:
+    enabled: true
+    storageClass: standard
+  readinessProbe:
+    initialDelaySeconds: 30
+  livenessProbe:
+    initialDelaySeconds: 30