Merge remote-tracking branch 'origin/main'

helm/.gitignore

@@ -0,0 +1 @@
+*.swp

helm/.helmignore

@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Kubernetes
+name: ucentralsec
+version: 0.1.0

helm/templates/_config.tpl

@@ -0,0 +1,5 @@
+{{- define "ucentralsec.config" -}}
+{{- range $key, $value := .Values.configProperties }}
+{{ $key }} = {{ $value }}
+{{- end }}
+{{- end -}}

helm/templates/_helpers.tpl

@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ucentralsec.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ucentralsec.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ucentralsec.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}

helm/templates/deployment.yaml

@@ -0,0 +1,114 @@
+{{- $root := . -}}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "ucentralsec.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "ucentralsec.name" . }}
+    helm.sh/chart: {{ include "ucentralsec.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  strategy:
+    type: {{ .Values.strategyType }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "ucentralsec.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+      {{- with .Values.services.ucentralsec.labels }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include "ucentralsec.config" . | sha256sum }}
+      labels:
+        app.kubernetes.io/name: {{ include "ucentralsec.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+        {{- with .Values.services.ucentralsec.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+
+      containers:
+
+        - name: ucentralsec
+          image: "{{ .Values.images.ucentralsec.repository }}:{{ .Values.images.ucentralsec.tag }}"
+          imagePullPolicy: {{ .Values.images.ucentralsec.pullPolicy }}
+
+          env:
+            - name: KUBERNETES_DEPLOYED
+              value: "{{ now }}"
+          {{- range $key, $value := .Values.public_env_variables }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+          {{- end }}
+          {{- range $key, $value := .Values.secret_env_variables }}
+            - name: {{ $key }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "ucentralsec.fullname" $root }}-env
+                  key: {{ $key }}
+          {{- end }}
+
+          ports:
+          {{- range $port, $portValue := .Values.services.ucentralsec.ports }}
+            - name: {{ $port }}
+              containerPort: {{ $portValue.targetPort }}
+              protocol: {{ $portValue.protocol }}
+          {{- end }}
+
+          volumeMounts:
+          {{- range .Values.volumes.ucentralsec }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath }}
+            {{- if .subPath }}
+            subPath: {{ .subPath }}
+            {{- end }}
+          {{- end }}
+
+          {{- if .Values.checks.ucentralsec.liveness }}
+          livenessProbe:
+            {{- toYaml .Values.checks.ucentralsec.liveness | nindent 12 }}
+          {{- end }}
+          {{- if .Values.checks.ucentralsec.readiness }}
+          readinessProbe:
+            {{- toYaml .Values.checks.ucentralsec.readiness | nindent 12 }}
+          {{- end }}
+
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+
+      imagePullSecrets:
+      {{- range $image, $imageValue := .Values.images }}
+        {{- if $imageValue.regcred }}
+      - name: {{ include "ucentralsec.fullname" $root }}-{{ $image }}-regcred
+        {{- end }}
+      {{- end }}
+
+      volumes:
+      {{- range $container, $containerVolumes := .Values.volumes }}
+      {{- range $containerVolumes }}
+      - name: {{ .name }}
+        {{- tpl .volumeDefinition $root | nindent 8 }}
+      {{- end }}
+      {{- end }}
+
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

helm/templates/ingress.yaml

@@ -0,0 +1,47 @@
+{{- $root := . -}}
+{{- range $ingress, $ingressValue := .Values.ingresses }}
+{{- if $ingressValue.enabled }}
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ include "ucentralsec.fullname" $root }}-{{ $ingress }}
+  labels:
+    app.kubernetes.io/name: {{ include "ucentralsec.name" $root }}
+    helm.sh/chart: {{ include "ucentralsec.chart" $root }}
+    app.kubernetes.io/instance: {{ $root.Release.Name }}
+    app.kubernetes.io/managed-by: {{ $root.Release.Service }}
+  {{- with $ingressValue.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+
+spec:
+
+{{- if $ingressValue.tls }}
+  tls:
+  {{- range $ingressValue.tls }}
+    - hosts:
+      {{- range .hosts }}
+        - {{ . | quote }}
+      {{- end }}
+      secretName: {{ tpl .secretName $root }}
+  {{- end }}
+{{- end }}
+
+  rules:
+  {{- range $ingressValue.hosts }}
+  - host: {{ . | quote }}
+    http:
+      paths:
+      {{- range $ingressValue.paths }}
+        - path: {{ .path }}
+          backend:
+            serviceName: {{ include "ucentralsec.fullname" $root }}-{{ .serviceName }}
+            servicePort: {{ .servicePort }}
+      {{- end }}
+  {{- end }}
+
+{{- end }}
+
+{{- end }}

helm/templates/pvc.yaml

@@ -0,0 +1,27 @@
+{{- if .Values.persistence.enabled }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ template "ucentralsec.fullname" . }}-pvc
+  labels:
+    app.kubernetes.io/name: {{ include "ucentralsec.name" . }}
+    helm.sh/chart: {{ include "ucentralsec.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  {{- with .Values.persistence.annotations  }}
+  annotations:
+{{ toYaml . | indent 4 }}
+  {{- end }}
+spec:
+  accessModes:
+    {{- range .Values.persistence.accessModes }}
+    - {{ . | quote }}
+    {{- end }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+{{- if .Values.persistence.storageClassName  }}
+  storageClassName: {{ .Values.persistence.storageClassName }}
+{{- end }}
+{{- end }}

helm/templates/secret-certs.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+metadata:
+  labels:
+    app.kuberentes.io/name: {{ include "ucentralsec.name" . }}
+    helm.sh/chart: {{ include "ucentralsec.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  name: {{ include "ucentralsec.fullname" . }}-certs
+kind: Secret
+type: Opaque
+data:
+  {{- range $key, $value := .Values.certs }}
+  {{ $key }}: {{ $value | b64enc | quote }}
+  {{- end }}

helm/templates/secret-config.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+metadata:
+  labels:
+    app.kuberentes.io/name: {{ include "ucentralsec.name" . }}
+    helm.sh/chart: {{ include "ucentralsec.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  name: {{ include "ucentralsec.fullname" . }}-config
+kind: Secret
+type: Opaque
+data:
+  ucentralsec.properties: {{ include "ucentralsec.config" . | b64enc }}

helm/templates/secret-env.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+metadata:
+  labels:
+    app.kuberentes.io/name: {{ include "ucentralsec.name" . }}
+    helm.sh/chart: {{ include "ucentralsec.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  name: {{ include "ucentralsec.fullname" . }}-env
+kind: Secret
+type: Opaque
+data:
+  # Secret env variables
+  {{- range $key, $value := .Values.secret_env_variables }}
+  {{ $key }}: {{ $value | b64enc | quote }}
+  {{- end }}
+

helm/templates/secret-regcred.yaml

@@ -0,0 +1,21 @@
+{{- define "imagePullSecret" }}
+{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }}
+{{- end }}
+{{- $root := . -}}
+{{- range $image, $imageValue := .Values.images }}
+{{- if $imageValue.regcred }}
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+metadata:
+  labels:
+    app.kuberentes.io/name: {{ include "ucentralsec.name" $root }}
+    helm.sh/chart: {{ include "ucentralsec.chart" $root }}
+    app.kubernetes.io/instance: {{ $root.Release.Name }}
+    app.kubernetes.io/managed-by: {{ $root.Release.Service }}
+  name: {{ include "ucentralsec.fullname" $root }}-{{ $image }}-regcred
+data:
+  .dockerconfigjson: {{ template "imagePullSecret" $imageValue.regcred }}
+{{- end }}
+{{- end }}

helm/templates/service.yaml

@@ -0,0 +1,48 @@
+{{- $root := . -}}
+{{- range $service, $serviceValue := .Values.services }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "ucentralsec.fullname" $root }}-{{ $service }}
+  {{- with $serviceValue.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ include "ucentralsec.name" $root }}
+    helm.sh/chart: {{ include "ucentralsec.chart" $root }}
+    app.kubernetes.io/instance: {{ $root.Release.Name }}
+    app.kubernetes.io/managed-by: {{ $root.Release.Service }}
+
+    {{- with $serviceValue.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+
+    {{- if $serviceValue.serviceMonitor }}
+
+    {{- range $selector, $selectorValue := $serviceValue.serviceMonitor.serviceSelector }}
+    {{ $selector }}: {{ tpl $selectorValue $root }}
+    {{- end }}
+    {{- end }}
+spec:
+  type: {{ $serviceValue.type }}
+  ports:
+
+  {{- range $service_service, $service_value := $serviceValue.ports }}
+    - name: {{ $service_service }}
+      targetPort: {{ $service_value.targetPort }}
+      protocol: {{ $service_value.protocol }}
+      port: {{ $service_value.servicePort }}
+      {{- if and (eq "NodePort" $serviceValue.type) $service_value.nodePort }}
+      nodePort: {{ $service_value.nodePort }}
+      {{- end }}
+  {{- end }}
+  selector:
+    app.kubernetes.io/name: {{ include "ucentralsec.name" $root }}
+    app.kubernetes.io/instance: {{ $root.Release.Name }}
+    {{- with $serviceValue.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+
+{{- end }}

helm/values.yaml

@@ -0,0 +1,213 @@
+# System
+replicaCount: 1
+strategyType: Recreate
+
+nameOverride: ""
+fullnameOverride: ""
+
+images:
+  ucentralsec:
+    repository: tip-tip-wlan-cloud-ucentral.jfrog.io/ucentralsec
+    tag: main
+    pullPolicy: Always
+#    regcred:
+#      registry: tip-tip-wlan-cloud-ucentral.jfrog.io
+#      username: username
+#      password: password
+
+services:
+  ucentralsec:
+    type: LoadBalancer
+    ports:
+      restapi:
+        servicePort: 16001
+        targetPort: 16001
+        protocol: TCP
+      restapiinternal:
+        servicePort: 17001
+        targetPort: 17001
+        protocol: TCP
+
+checks:
+  ucentralsec:
+    liveness:
+      httpGet:
+        path: /
+        port: 16101
+    readiness:
+      httpGet:
+        path: /
+        port: 16101
+
+ingresses:
+  restapi:
+    enabled: false
+    annotations: {}
+      # kubernetes.io/ingress.class: nginx
+      # kubernetes.io/tls-acme: "true"
+    hosts:
+    - restapi.chart-example.local
+    paths:
+    - path: /
+      serviceName: ucentralsec
+      servicePort: restapi
+
+volumes:
+  ucentralsec:
+    - name: config
+      mountPath: /ucentralsec-data/ucentralsec.properties
+      subPath: ucentralsec.properties
+      # Template below will be rendered in template
+      volumeDefinition: |
+        secret:
+          secretName: {{ include "ucentralsec.fullname" . }}-config
+    - name: certs
+      mountPath: /ucentralsec-data/certs
+      volumeDefinition: |
+        secret:
+          secretName: {{ include "ucentralsec.fullname" . }}-certs
+    # Change this if you want to use another volume type
+    - name: persist
+      mountPath: /ucentralsec-data/persist
+      volumeDefinition: |
+        persistentVolumeClaim:
+          claimName: {{ template "ucentralsec.fullname" . }}-pvc
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # requests:
+  #  cpu: 100m
+  #  memory: 128Mi
+  # limits:
+  #  cpu: 100m
+  #  memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+persistence:
+  enabled: true
+  # storageClassName: "-"
+  accessModes:
+    - ReadWriteOnce
+  size: 10Gi
+  annotations: {}
+
+# Application
+public_env_variables:
+  UCENTRALSEC_ROOT: /ucentralsec-data
+  UCENTRALSEC_CONFIG: /ucentralsec-data
+
+secret_env_variables: {}
+
+configProperties:
+  # -> Public part
+  # REST API
+  ucentral.restapi.host.0.backlog: 100
+  ucentral.restapi.host.0.security: relaxed
+  ucentral.restapi.host.0.rootca: $UCENTRALSEC_ROOT/certs/restapi-ca.pem
+  ucentral.restapi.host.0.address: "*"
+  ucentral.restapi.host.0.port: 16001
+  ucentral.restapi.host.0.cert: $UCENTRALSEC_ROOT/certs/restapi-cert.pem
+  ucentral.restapi.host.0.key: $UCENTRALSEC_ROOT/certs/restapi-key.pem
+  ucentral.restapi.wwwassets: $UCENTRALSEC_ROOT/wwwassets
+  ucentral.internal.restapi.host.0.backlog: 100
+  ucentral.internal.restapi.host.0.security: relaxed
+  ucentral.internal.restapi.host.0.rootca: $UCENTRALSEC_ROOT/certs/restapi-ca.pem
+  ucentral.internal.restapi.host.0.address: "*"
+  ucentral.internal.restapi.host.0.port: 17001
+  ucentral.internal.restapi.host.0.cert: $UCENTRALSEC_ROOT/certs/restapi-cert.pem
+  ucentral.internal.restapi.host.0.key: $UCENTRALSEC_ROOT/certs/restapi-key.pem
+  # Authentication
+  authentication.enabled: true
+  authentication.default.access: master
+  authentication.service.type: internal
+  # Mailer
+  mailer.hostname: smtp.gmail.com
+  mailer.loginmethod: login
+  mailer.port: 587
+  mailer.templates: $UCENTRALSEC_ROOT/templates
+  # ALB
+  alb.enable: "true"
+  alb.port: 16101
+  # Kafka
+  ucentral.kafka.enable: "false"
+  ucentral.kafka.group.id: security
+  ucentral.kafka.client.id: security1
+  ucentral.kafka.brokerlist: localhost:9092
+  ucentral.kafka.auto.commit: false
+  ucentral.kafka.queue.buffering.max.ms: 50
+  # Storage
+  storage.type: sqlite # (sqlite|postgresql|mysql|odbc)
+  ## SQLite
+  storage.type.sqlite.db: devices.db
+  storage.type.sqlite.idletime: 120
+  storage.type.sqlite.maxsessions: 128
+  ## PostgreSQL
+  storage.type.postgresql.maxsessions: 64
+  storage.type.postgresql.idletime: 60
+  storage.type.postgresql.host: localhost
+  storage.type.postgresql.database: ucentral
+  storage.type.postgresql.port: 5432
+  storage.type.postgresql.connectiontimeout: 60
+  ## MySQL
+  storage.type.mysql.maxsessions: 64
+  storage.type.mysql.idletime: 60
+  storage.type.mysql.host: localhost
+  storage.type.mysql.database: ucentral
+  storage.type.mysql.port: 3306
+  storage.type.mysql.connectiontimeout: 60
+  # System
+  ucentral.service.key: $UCENTRALSEC_ROOT/certs/restapi-key.pem
+  ucentral.system.data: $UCENTRALSEC_ROOT/persist
+  ucentral.system.debug: "true"
+  ucentral.system.uri.private: https://localhost:17001
+  ucentral.system.uri.public: https://localhost:16001
+  ucentral.system.uri.ui: https://localhost
+  ucentral.system.commandchannel: /tmp/app_ucentralsec
+  # Logging
+  logging.formatters.f1.class: PatternFormatter
+  logging.formatters.f1.pattern: "%s: [%p] %t"
+  logging.formatters.f1.times: UTC
+  logging.channels.c1.class: ConsoleChannel
+  logging.channels.c1.formatter: f1
+  logging.channels.c2.class: FileChannel
+  logging.channels.c2.path: /dev/stdout
+  logging.channels.c2.formatter.class: PatternFormatter
+  logging.channels.c2.formatter.pattern: "%Y-%m-%d %H:%M:%S %s: [%p] %t"
+  logging.channels.c2.rotation: "20 M"
+  logging.channels.c2.archive: timestamp
+  logging.channels.c2.purgeCount: 20
+  logging.channels.c3.class: ConsoleChannel
+  logging.channels.c3.pattern: "%s: [%p] %t"
+  logging.loggers.root.channel: c2
+  logging.loggers.root.level: debug
+
+  # -> Secret part
+  # REST API
+  ucentral.restapi.host.0.key.password: mypassword
+  ucentral.internal.restapi.host.0.key.password: mypassword
+  # Authentication
+  authentication.default.username: tip@ucentral.com
+  authentication.default.password: 13268b7daa751240369d125e79c873bd8dd3bef7981bdfd38ea03dbb1fbe7dcf
+  # Mailer
+  mailer.username: no-reply@arilia.com
+  mailer.password: "**************************"
+  # Storage
+  ## PostgreSQL
+  storage.type.postgresql.username: stephb
+  storage.type.postgresql.password: snoopy99
+  ## MySQL
+  storage.type.mysql.username: stephb
+  storage.type.mysql.password: snoopy99
+
+certs:
+  # restapi-ca.pem: ""
+  # restapi-cert.pem: ""
+  # restapi-key.pem: ""