Merge pull request #187 from ksrinimba/master

Refactor OES helm chart
OpsMx · Sep 6, 2021 · 0a49387 · 0a49387
2 parents d315593 + 30f5cf2
commit 0a49387
Show file tree

Hide file tree

Showing 38 changed files with 491 additions and 234 deletions.
diff --git a/charts/oes/README.md b/charts/oes/README.md
@@ -49,7 +49,7 @@ Install OpsMx Enterprise for Spinnaker
 
 - Your Kubernetes cluster shall support persistent volumes
 
-- It is assumed that an nginx ingress controller is installed on the cluster, by default ingress resources are created for oes-ui, oes-gate, spin-deck and spin-gate services. Customize the hosts for OES using the options in the values.yaml under oesUI, oesGate, spinDeck, spinGate. If any other ingress controller is installed, set createIngress flag to false and configure your ingress.
+- It is assumed that an nginx ingress controller is installed on the cluster, by default ingress resources are created for oes-ui, oes-gate, spin-deck and spin-gate services. Customize the hosts for OES using the options in the values.yaml under global.oesUI, oesGate, spinDeck, spinGate. If any other ingress controller is installed, set createIngress flag to false and configure your ingress.
 
 - To enable mutual TLS for Spinnaker Services and SSL features provided by Spinnaker Life Cycle Management (LCM), it is required to install nginx ingress from kubernetes community and cert-manager before installing OES. Please refer the table below for options to be enabled for LCM
   Instructions to install nginx ingress
@@ -110,10 +110,10 @@ Parameter | Description | Default
 `global.spinGate.host` | Host using which spinnaker gate needs to be accessed | `gate.spinnaker.example.org`
 `global.spinGate.ingress.annotations` | Annotations for spinnaker gate ingress resource | ``
 `global.spinGate.ingress.tls.secretName` | Change this value if your own certificate is put into a specific secret | `gate-authtls`
-`oesUI.protocol` | Change this to https if TLS is enabled for ingress endpoint | `http`
-`oesUI.host` | Host using which UI needs to be accessed | `oes.domain.com`
-`oesGate.protocol` | Change this to https if TLS is enabled for ingress endpoint | `http`
-`oesGate.host` | Host using which Gate needs to be accessed | `oes-api.domain.com`
+`global.oesUI.protocol` | Change this to https if TLS is enabled for ingress endpoint | `http`
+`global.oesUI.host` | Host using which UI needs to be accessed | `oes.domain.com`
+`global.oesGate.protocol` | Change this to https if TLS is enabled for ingress endpoint | `http`
+`global.oesGate.host` | Host using which Gate needs to be accessed | `oes-api.domain.com`
 `k8sServiceType` | Service Type of oes-ui, oes-gate, spin-deck-ui, spin-gate | `LoadBalancer`
 `installRedis` | If true, OES will install its own Redis for caching. This option is mutually exclusive with installSpinnaker | `false`
 `redis.url` | Set custom URL if installRedis is set to false | `redis://{{ .Release.Name }}-redis-master:6379`
@@ -127,7 +127,7 @@ Parameter | Description | Default
 `autopilot.config.ssl.keyStoreType` | SSL keystore type | `PKCS12`
 `autopilot.config.ssl.keyAlias` | SSL key alias | `tomcat`
 `dashboard.spinnakerLink` | Specify if dashboard needs to be configured with a different spinnaker | `{{ .Values.spinnaker.ingress.protocol }}://{{ .Values.spinnaker.ingress.host }}`
-`gate.config.oesUIcors` | Regex of OES-UI URL to prevent cross origin attacks | `^https?://(?:localhost|OES_UI_LOADBALANCER_IP|opsmx.com)(?::[1-9]\d*)?/?`
+`gate.config.global.oesUIcors` | Regex of OES-UI URL to prevent cross origin attacks | `^https?://(?:localhost|OES_UI_LOADBALANCER_IP|opsmx.com)(?::[1-9]\d*)?/?`
 `gate.config.fileBasedAuthentication` | Set it to true to disable LDAP authentication and enable file based authentication | `false`
 `gate.config.saml` | SAML configuration for oes gate authn and authz | ``
 `gate.config.saml.jksSecretName` | Set this value to use an existing secret in which saml jks exists | `oes-saml-jks`

diff --git a/charts/oes/charts/openldap/templates/deployment.yaml b/charts/oes/charts/openldap/templates/deployment.yaml
@@ -39,7 +39,7 @@ spec:
       {{- end }}
       {{- if .Values.customLdifFiles }}
       - name: {{ .Chart.Name }}-init-ldif
-        image: busybox
+        image: {{ .Values.global.customImages.registry }}/busybox:1.28
         command: ['sh', '-c', 'cp /customldif/* /ldifworkingdir']
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         volumeMounts:
@@ -52,7 +52,7 @@ spec:
       {{- end }}
       {{- if .Values.tls.enabled }}
       - name: {{ .Chart.Name }}-init-tls
-        image: busybox
+        image: {{ .Values.global.customImages.registry }}/busybox:1.28
         command: ['sh', '-c', 'cp /tls/* /certs']
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         volumeMounts:
@@ -64,7 +64,7 @@ spec:
 {{ toYaml .Values.initResources | indent 10 }}
       {{- if .Values.tls.CA.enabled }}
       - name: {{ .Chart.Name }}-init-catls
-        image: busybox
+        image: {{ .Values.global.customImages.registry }}/busybox:1.28
         command: ['sh', '-c', 'cp /catls/ca.crt /certs']
         volumeMounts:
           - name: catls
@@ -78,6 +78,14 @@ spec:
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          lifecycle:
+            postStart:
+              exec:
+                command:
+                - /bin/sh
+                - -c
+                - until service slapd status; do sleep 10 ;done;ldapadd -x -D 'cn=admin,dc=example,dc=org'
+                  -w opsmxadmin123 -f /container/service/slapd/assets/config/bootstrap/ldif/custom/10-users.ldif
           imagePullPolicy: {{ .Values.image.pullPolicy }}
 {{- if .Values.customLdifFiles }}
           args: [--copy-service]

diff --git a/charts/oes/charts/spinnaker/charts/redis-10.5.3.tgz b/charts/oes/charts/spinnaker/charts/redis-10.5.3.tgz
diff --git a/charts/oes/charts/spinnaker/requirements.yaml b/charts/oes/charts/spinnaker/requirements.yaml
@@ -1,8 +1,4 @@
 dependencies:
-- name: redis
-  version: 10.5.3
-  repository: https://charts.bitnami.com/bitnami
-  condition: redis.enabled
 - name: minio
   version: 8.0.9
   repository: https://helm.min.io/

diff --git a/charts/oes/charts/spinnaker/templates/configmap/halyard-config.yaml b/charts/oes/charts/spinnaker/templates/configmap/halyard-config.yaml
@@ -183,10 +183,14 @@ data:
     {{- else }}
     $HAL_COMMAND config security ui edit --no-validate --override-base-url {{ .Values.global.spinDeck.protocol }}://{{ .Values.global.spinDeck.host }}
     {{- end }}
-    {{- if .Values.global.spinGate.port }}
+    {{- if and (.Values.global.spinGate.port) (not .Values.global.commonGate.enabled) }}
     $HAL_COMMAND config security api edit --no-validate --override-base-url {{ .Values.global.spinGate.protocol }}://{{ .Values.global.spinGate.host }}:{{ .Values.global.spinGate.port }}
-    {{- else }}
+    {{- else if (not .Values.global.commonGate.enabled) }}
     $HAL_COMMAND config security api edit --no-validate --override-base-url {{ .Values.global.spinGate.protocol }}://{{ .Values.global.spinGate.host }}
+    {{- else if and (.Values.global.commonGate.enabled) (.Values.global.oesGate.port) }}
+    $HAL_COMMAND config security api edit --no-validate --override-base-url {{ .Values.global.oesGate.protocol }}://{{ .Values.global.oesGate.host }}:{{ .Values.global.oesGate.port }}
+    {{- else if (.Values.global.commonGate.enabled) }}
+    $HAL_COMMAND config security api edit --no-validate --override-base-url {{ .Values.global.oesGate.protocol }}://{{ .Values.global.oesGate.host }}
     {{- end }}
     {{- end }}
     {{- range $index, $feature := .Values.spinnakerFeatureFlags }}

diff --git a/charts/oes/charts/spinnaker/templates/configmap/halyard-init-script.yaml b/charts/oes/charts/spinnaker/templates/configmap/halyard-init-script.yaml
@@ -50,7 +50,7 @@ data:
     {{- if or (eq .Values.gitopsHalyard.repo.type "git") (eq .Values.gitopsHalyard.repo.type "stash") }}
     #!/bin/bash -x
     rm -rf /tmp/spinnaker/.hal
-    git clone $GIT_CLONE_PARAM /tmp/spinnaker/test
+    git -c {{ .Values.gitopsHalyard.repo.configArgs }} clone $GIT_CLONE_PARAM /tmp/spinnaker/test
     cp -pr /tmp/spinnaker/test/{{ .Values.gitopsHalyard.repo.halConfigPath }} /tmp/spinnaker/.hal
     if [ -d "/tmp/spinnaker/test/pipeline-promotion/" ]
     then

diff --git a/charts/oes/charts/spinnaker/templates/configmap/halyard-overrideurl.yaml b/charts/oes/charts/spinnaker/templates/configmap/halyard-overrideurl.yaml
@@ -164,7 +164,11 @@ data:
       spin-gate-overrideurl-gitops)
         ## Configured ingress host url as override url
           echo "Substituting gate url"
+          {{- if .Values.global.commonGate.enabled }}
+          sed -i 's,OVERRIDE_API_URL,{{ tpl .Values.global.oesGate.host . }},g' /tmp/spinnaker/.hal/config
+          {{- else }}
           sed -i 's,OVERRIDE_API_URL,{{ tpl .Values.global.spinGate.host . }},g' /tmp/spinnaker/.hal/config
+          {{- end }}
         ;;
 
       spin-deck-overrideurl-gitops)

diff --git a/charts/oes/charts/spinnaker/templates/configmap/spin-pipeline-import.yaml b/charts/oes/charts/spinnaker/templates/configmap/spin-pipeline-import.yaml
@@ -35,7 +35,7 @@ data:
         then
              echo \"Spinnaker is Installed and ready\"
              mkdir -p /tmp/config/git/
-             git clone https://github.com/OpsMx/sample-pipelines.git /tmp/config/git/
+             git -c {{ .Values.gitopsHalyard.repo.configArgs }} clone https://github.com/OpsMx/sample-pipelines.git /tmp/config/git/
              cd /tmp/config/git
              cp -p /tmp/config/spin/config .
              sed 's/$/ --config config/' create-app.sh >create-app1.sh
@@ -45,7 +45,7 @@ data:
         then
              echo \"Spinnaker and OES is Installed and ready\"
              mkdir -p /tmp/config/git/
-             git clone https://github.com/OpsMx/sample-pipelines.git /tmp/config/git/
+             git -c {{ .Values.gitopsHalyard.repo.configArgs }} clone https://github.com/OpsMx/sample-pipelines.git /tmp/config/git/
              cd /tmp/config/git
              cp -p /tmp/config/spin/config .
              sed 's/$/ --config config/' create-app.sh >create-app1.sh
@@ -58,7 +58,7 @@ data:
     else
         if [ $wait_period -gt 1800 ];
         then
-            echo \"Script is timed as the Spinnaker is not ready yet.......\"
+            echo \"Script is timed out as the Spinnaker is not ready in 30 min.......\"
             break
         else
             echo \"Waiting for Spinnaker services to be ready\"

diff --git a/charts/oes/charts/spinnaker/templates/hooks/install-using-hal.yaml b/charts/oes/charts/spinnaker/templates/hooks/install-using-hal.yaml
@@ -154,7 +154,7 @@ spec:
         - bash
         - /tmp/config/spin-pipeline-import.sh
         name: sample-pipeline-install
-        image: quay.io/opsmxpublic/spin-sample-pipeline:1.0
+        image: {{ .Values.global.customImages.registry }}/spin-sample-pipeline:1.0
         volumeMounts:         
         - name: spin-pipeline-config
           mountPath: /tmp/config/git

diff --git a/charts/oes/charts/spinnaker/templates/ingress/gate.yaml b/charts/oes/charts/spinnaker/templates/ingress/gate.yaml
@@ -1,4 +1,4 @@
-{{- if and (.Values.global.createIngress) (not .Values.gitopsHalyard.mTLS.enabled) }}
+{{- if and (.Values.global.createIngress) (not .Values.gitopsHalyard.mTLS.enabled) (not .Values.global.commonGate.enabled) }}
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:

diff --git a/charts/oes/charts/spinnaker/templates/statefulsets/halyard.yaml b/charts/oes/charts/spinnaker/templates/statefulsets/halyard.yaml
@@ -40,7 +40,7 @@ spec:
       initContainers:
       - name: "create-halyard-local"
       {{- if .Values.gitopsHalyard.enabled }}
-        image: quay.io/opsmxpublic/awsgit:v2
+        image: {{ .Values.global.customImages.registry }}/awsgit:v2
       {{- else }}
         image: {{ .Values.halyard.image.repository }}:{{ .Values.halyard.image.tag }}
       {{- end }}
@@ -126,8 +126,8 @@ spec:
         {{- end }}
         - name: halyard-initscript
           mountPath: /tmp/initscript
-        {{- if .Values.halyard.customCerts.enabled }}
-        - mountPath: /etc/ssl/certs/java/cacerts
+        {{- if .Values.global.customCerts.enabled }}
+        - mountPath: /etc/pki/ca-trust/extracted/java/cacerts
           subPath: cacerts
           name: cacerts
         {{- end }}
@@ -140,7 +140,7 @@ spec:
         command:
         - sh
         - /tmp/akv2k8s/run.sh
-        image: quay.io/opsmxpublic/k8s-decoder:hal
+        image: {{ .Values.global.customImages.registry }}/k8s-decoder:hal
         imagePullPolicy: IfNotPresent
         resources: {}
         volumeMounts:
@@ -160,7 +160,7 @@ spec:
             fieldRef:
               apiVersion: v1
               fieldPath: status.hostIP
-        image: bitnami/kubectl:1.18.5
+        image: {{ .Values.global.customImages.registry }}/bitnami-kubectl:1.18.5
         imagePullPolicy: IfNotPresent
         resources: {}
         volumeMounts:
@@ -182,8 +182,8 @@ spec:
         {{- end }}
         - name: halyard-initscript
           mountPath: /tmp/initscript
-        {{- if .Values.halyard.customCerts.enabled }}
-        - mountPath: /etc/ssl/certs/java/cacerts
+        {{- if .Values.global.customCerts.enabled }}
+        - mountPath: /etc/pki/ca-trust/extracted/java/cacerts
           subPath: cacerts
           name: cacerts
         {{- end }}
@@ -279,10 +279,10 @@ spec:
       - name: halyard-initscript
         configMap:
           name: {{ template "spinnaker.fullname" . }}-halyard-init-script
-      {{- if .Values.halyard.customCerts.enabled }}
+      {{- if .Values.global.customCerts.enabled }}
       - name: cacerts
         secret:
-          secretName: {{ .Values.halyard.customCerts.secretName }}
+          secretName: {{ .Values.global.customCerts.secretName }}
           items:
           - key: cacerts
             path: cacerts
@@ -336,8 +336,8 @@ spec:
           mountPath: /opt/halyard/config
         - name: reg-secrets
           mountPath: /opt/registry/passwords
-        {{- if .Values.halyard.customCerts.enabled }}
-        - mountPath: /etc/ssl/certs/java/cacerts
+        {{- if .Values.global.customCerts.enabled }}
+        - mountPath: /etc/pki/ca-trust/extracted/java/cacerts
           subPath: cacerts
           name: cacerts
         {{- end }}

diff --git a/charts/oes/config/oes-autopilot/autopilot.properties b/charts/oes/config/oes-autopilot/autopilot.properties
@@ -19,14 +19,14 @@ server.ssl.keyStoreType={{ .Values.autopilot.config.ssl.keyStoreType }}
 server.ssl.keyAlias={{ .Values.autopilot.config.ssl.keyAlias }}
 {{- end }}
 
-{{- if .Values.oesUI.port }}
-server.host.dns.name={{ .Values.oesUI.protocol }}://{{ .Values.oesUI.host }}:{{ .Values.oesUI.port }}
+{{- if .Values.global.oesUI.port }}
+server.host.dns.name={{ .Values.global.oesUI.protocol }}://{{ .Values.global.oesUI.host }}:{{ .Values.global.oesUI.port }}
 {{- else }}
-server.host.dns.name={{ .Values.oesUI.protocol }}://{{ .Values.oesUI.host }}
+server.host.dns.name={{ .Values.global.oesUI.protocol }}://{{ .Values.global.oesUI.host }}
 {{- end }}
 
-{{- if .Values.oesGate.port }}
-gate.url={{ .Values.oesGate.protocol }}://{{ .Values.oesGate.host }}:{{ .Values.oesGate.port }}
+{{- if .Values.global.oesGate.port }}
+gate.url={{ .Values.global.oesGate.protocol }}://{{ .Values.global.oesGate.host }}:{{ .Values.global.oesGate.port }}
 {{- else }}
-gate.url={{ .Values.oesGate.protocol }}://{{ .Values.oesGate.host }}
+gate.url={{ .Values.global.oesGate.protocol }}://{{ .Values.global.oesGate.host }}
 {{- end }}
diff --git a/charts/oes/config/oes-gate/gate.yml b/charts/oes/config/oes-gate/gate.yml
@@ -16,12 +16,12 @@ services:
     baseUrl: http://oes-visibility:8096
     enabled: true
   oesui:
-  {{- if .Values.oesUI.port }}
-    externalUrl: {{ .Values.oesUI.protocol }}://{{ .Values.oesUI.host }}:{{ .Values.oesUI.port }}
+  {{- if .Values.global.oesUI.port }}
+    externalUrl: {{ .Values.global.oesUI.protocol }}://{{ .Values.global.oesUI.host }}:{{ .Values.global.oesUI.port }}
   {{- else }}
-    externalUrl: {{ .Values.oesUI.protocol }}://{{ .Values.oesUI.host }}
+    externalUrl: {{ .Values.global.oesUI.protocol }}://{{ .Values.global.oesUI.host }}
   {{- end }}
-{{- if .Values.gate.config.commonGate.enabled }}
+{{- if .Values.global.commonGate.enabled }}
   keel:
     enabled: false
   clouddriver:
@@ -52,7 +52,11 @@ services:
   deck:
     host: 0.0.0.0
     port: 9000
+    {{- if .Values.global.spinDeck.port }}
+    baseUrl: {{ .Values.global.spinDeck.protocol }}://{{ .Values.global.spinDeck.host }}:{{ .Values.global.spinDeck.port }}
+    {{- else }}
     baseUrl: {{ .Values.global.spinDeck.protocol }}://{{ .Values.global.spinDeck.host }}
+    {{- end }}
     enabled: true
   echo:
     host: 0.0.0.0
@@ -82,7 +86,11 @@ services:
   gate:
     host: 0.0.0.0
     port: 8084
-    baseUrl: {{ .Values.oesGate.protocol }}://{{ .Values.oesGate.host }}
+    {{- if .Values.global.oesGate.port }}
+    baseUrl: {{ .Values.global.oesGate.protocol }}://{{ .Values.global.oesGate.host }}:{{ .Values.global.oesGate.port }}
+    {{- else }}
+    baseUrl: {{ .Values.global.oesGate.protocol }}://{{ .Values.global.oesGate.host }}
+    {{- end }}
     enabled: true
   igor:
     host: 0.0.0.0
@@ -101,8 +109,8 @@ services:
     enabled: true
   redis:
     host: 0.0.0.0
-    port: 6379
-    baseUrl: redis://:password@{{ .Release.Name}}-redis-master:6379
+    port: {{ .Values.redis.port }}
+    baseUrl: {{ tpl .Values.redis.url . }}:{{ .Values.redis.port }}
     enabled: true
   rosco:
     host: 0.0.0.0
@@ -112,10 +120,10 @@ services:
 {{- end }}
   user: {}
 cors:
-  {{- if .Values.gate.config.commonGate.enabled }}
-  allowed-origins-pattern: ^https?://(?:localhost|{{ .Values.oesUI.host }}|{{ .Values.global.spinDeck.host }}|opsmx.com)(?::[1-9]\d*)?/?
+  {{- if .Values.global.commonGate.enabled }}
+  allowed-origins-pattern: ^https?://(?:localhost|{{ .Values.global.oesUI.host }}|{{ .Values.global.spinDeck.host }}|opsmx.com)(?::[1-9]\d*)?/?
   {{ else }}
-  allowed-origins-pattern: ^https?://(?:localhost|{{ .Values.oesUI.host }}|opsmx.com)(?::[1-9]\d*)?/?
+  allowed-origins-pattern: ^https?://(?:localhost|{{ .Values.global.oesUI.host }}|opsmx.com)(?::[1-9]\d*)?/?
   {{- end }}
 ldap:
   enabled: {{ .Values.global.ldap.enabled }}
@@ -145,18 +153,45 @@ file:
 authn:
   mode: session
 google: {}
-logging:
-  level:
-    com.netflix.spinnaker.gate.security: INFO
-    org.springframework.security: INFO
-    org.springframework.web: INFO
 redis:
-  connection: {{ tpl .Values.redis.url . }}
+  connection: {{ tpl .Values.redis.url . }}:{{ .Values.redis.port }}
 server:
   session:
     timeoutInSeconds: {{ .Values.gate.config.server.session.timeoutInSeconds }}
   tomcat:
     protocolHeader: X-Forwarded-Proto
     remoteIpHeader: X-Forwarded-For
     internalProxies: .*
+{{- if .Values.global.commonGate.enabled }}
+spinnaker:
+  extensibility:
+    plugins:
+    deck-proxy:
+      enabled: true
+      plugins:
+        Opsmx.VerificationGatePlugin:
+          enabled: true
+          version: 1.0.1
+        Opsmx.TestVerificationGatePlugin:
+          enabled: true
+          version: 1.0.1
+        Opsmx.PolicyGatePlugin:
+          enabled: true
+          version: 1.0.1
+        Opsmx.VisibilityApprovalPlugin:
+          enabled: true
+          version: 1.0.1
+    repositories:
+        opsmx-repo:
+          url: https://raw.githubusercontent.com/OpsMx/spinnakerPluginRepository/v3.9.0/plugins.json
+{{- end }}
+
+logging:
+  level:
+    com.netflix.spinnaker.gate.security: INFO
+    org.springframework.security: INFO
+    org.springframework.web: INFO
+    #com.netflix.spinnaker.gate.security: DEBUG
+    #org.springframework.security: DEBUG
+    #org.springframework.web: DEBUG