From 6d0e4361feb87cc60e330ff05525870803095674 Mon Sep 17 00:00:00 2001
From: "ali.alkhalidi"
Date: Mon, 31 May 2021 15:58:54 -0400
Subject: [PATCH] chore: group jobs together; addresses #1056
Signed-off-by: ali.alkhalidi --- Makefile | 2 +- k8s/ace-rp/Makefile | 10 +- .../ace-rp/overlays/common/kustomization.yaml | 12 -- .../overlays/local/ace-rp/ace_rp_configure.sh | 103 --------------- .../overlays/local/ace-rp/create-profiles.yml | 68 ---------- .../cms/overlays/common/kustomization.yaml | 16 --- k8s/comparator/Makefile | 9 +- k8s/issuer/Makefile | 3 - .../issuer/overlays/common/kustomization.yaml | 6 - k8s/jobs/Makefile | 118 ++++++++++++++++++ k8s/jobs/README.md | 17 +++ .../kustomize/jobs/overlays/common/.gitignore | 7 ++ .../common/ace-rp}/ace_rp_configure.sh | 0 .../common/ace-rp}/create-profiles.yml | 2 + .../common/adapter-issuer/add-profiles.yml | 54 ++++++++ .../issuer_adapter_configure.sh | 110 ++++++++++++++++ .../common/cms}/oathkeeper/access-rules.tmpl | 0 .../cms}/oathkeeper/process-template.yml | 12 +- .../cms}/oathkeeper/process_template.sh | 0 .../overlays/common/cms}/oathkeeper/role.yml | 0 .../common/cms}/oathkeeper/rolebinding.yml | 0 .../overlays/common/cms}/strapi/user-data.yml | 12 +- .../overlays/common/cms}/strapi/user_data.sh | 0 .../hub-auth/hydra/hydra-create-client.yml | 41 ++++++ .../common/issuer}/register-tenant.sh | 4 +- .../common/issuer}/register-tenant.yml | 14 ++- .../jobs/overlays/common/issuer}/role.yml | 0 .../overlays/common/issuer}/rolebinding.yml | 0 .../jobs/overlays/common/kustomization.yaml | 84 +++++++++++++ .../hydra/hydra-create-client.yml | 6 +- .../overlays/common/rp}/register-tenant.sh | 4 +- .../overlays/common/rp}/register-tenant.yml | 24 ++-- .../jobs/overlays/common/rp}/role.yml | 0 .../jobs/overlays/common/rp}/rolebinding.yml | 0 .../jobs/overlays/common/sedtransform.yml | 11 ++ .../common/vcs/governance/add-profiles.yml | 48 +++++++ .../governance/vcs_governance_configure.sh | 26 ++++ .../common/vcs/holder/add-profiles.yml | 48 +++++++ .../common/vcs/holder/vcs_holder_configure.sh | 68 ++++++++++ .../common/vcs/issuer/add-profiles.yml | 48 +++++++ .../common/vcs/issuer/vcs_issuer_configure.sh 
| 106 ++++++++++++++++ .../common/vcs/verifier/add-profiles.yml | 48 +++++++ .../vcs/verifier/vcs_verifier_configure.sh | 33 +++++ .../kustomize/jobs/overlays/local/.gitignore | 7 ++ .../jobs/overlays/local/kustomization.yaml | 24 ++++ .../svceng/sedtransformer/SedTransformer | 17 +++ k8s/login-consent/Makefile | 3 - .../overlays/common/kustomization.yaml | 1 - k8s/rp/Makefile | 9 +- .../rp/overlays/common/kustomization.yaml | 6 - k8s/scripts/deploy_all.sh | 3 +- 51 files changed, 963 insertions(+), 281 deletions(-) delete mode 100644 k8s/ace-rp/kustomize/ace-rp/overlays/local/ace-rp/ace_rp_configure.sh delete mode 100644 k8s/ace-rp/kustomize/ace-rp/overlays/local/ace-rp/create-profiles.yml create mode 100644 k8s/jobs/Makefile create mode 100644 k8s/jobs/README.md create mode 100644 k8s/jobs/kustomize/jobs/overlays/common/.gitignore rename k8s/{ace-rp/kustomize/ace-rp/overlays/common => jobs/kustomize/jobs/overlays/common/ace-rp}/ace_rp_configure.sh (100%) rename k8s/{ace-rp/kustomize/ace-rp/overlays/common => jobs/kustomize/jobs/overlays/common/ace-rp}/create-profiles.yml (98%) create mode 100644 k8s/jobs/kustomize/jobs/overlays/common/adapter-issuer/add-profiles.yml create mode 100644 k8s/jobs/kustomize/jobs/overlays/common/adapter-issuer/issuer_adapter_configure.sh rename k8s/{cms/kustomize/cms/overlays/common => jobs/kustomize/jobs/overlays/common/cms}/oathkeeper/access-rules.tmpl (100%) rename k8s/{cms/kustomize/cms/overlays/common => jobs/kustomize/jobs/overlays/common/cms}/oathkeeper/process-template.yml (81%) rename k8s/{cms/kustomize/cms/overlays/common => jobs/kustomize/jobs/overlays/common/cms}/oathkeeper/process_template.sh (100%) rename k8s/{cms/kustomize/cms/overlays/common => jobs/kustomize/jobs/overlays/common/cms}/oathkeeper/role.yml (100%) rename k8s/{cms/kustomize/cms/overlays/common => jobs/kustomize/jobs/overlays/common/cms}/oathkeeper/rolebinding.yml (100%) rename k8s/{cms/kustomize/cms/overlays/common => 
jobs/kustomize/jobs/overlays/common/cms}/strapi/user-data.yml (76%) rename k8s/{cms/kustomize/cms/overlays/common => jobs/kustomize/jobs/overlays/common/cms}/strapi/user_data.sh (100%) create mode 100644 k8s/jobs/kustomize/jobs/overlays/common/hub-auth/hydra/hydra-create-client.yml rename k8s/{issuer/kustomize/issuer/overlays/common => jobs/kustomize/jobs/overlays/common/issuer}/register-tenant.sh (86%) rename k8s/{issuer/kustomize/issuer/overlays/common => jobs/kustomize/jobs/overlays/common/issuer}/register-tenant.yml (77%) rename k8s/{issuer/kustomize/issuer/overlays/common => jobs/kustomize/jobs/overlays/common/issuer}/role.yml (100%) rename k8s/{issuer/kustomize/issuer/overlays/common => jobs/kustomize/jobs/overlays/common/issuer}/rolebinding.yml (100%) create mode 100644 k8s/jobs/kustomize/jobs/overlays/common/kustomization.yaml rename k8s/{login-consent/kustomize/login-consent/overlays/common => jobs/kustomize/jobs/overlays/common/login-consent}/hydra/hydra-create-client.yml (53%) rename k8s/{rp/kustomize/rp/overlays/common => jobs/kustomize/jobs/overlays/common/rp}/register-tenant.sh (87%) rename k8s/{rp/kustomize/rp/overlays/common => jobs/kustomize/jobs/overlays/common/rp}/register-tenant.yml (67%) rename k8s/{rp/kustomize/rp/overlays/common => jobs/kustomize/jobs/overlays/common/rp}/role.yml (100%) rename k8s/{rp/kustomize/rp/overlays/common => jobs/kustomize/jobs/overlays/common/rp}/rolebinding.yml (100%) create mode 100644 k8s/jobs/kustomize/jobs/overlays/common/sedtransform.yml create mode 100644 k8s/jobs/kustomize/jobs/overlays/common/vcs/governance/add-profiles.yml create mode 100644 k8s/jobs/kustomize/jobs/overlays/common/vcs/governance/vcs_governance_configure.sh create mode 100644 k8s/jobs/kustomize/jobs/overlays/common/vcs/holder/add-profiles.yml create mode 100644 k8s/jobs/kustomize/jobs/overlays/common/vcs/holder/vcs_holder_configure.sh create mode 100644 k8s/jobs/kustomize/jobs/overlays/common/vcs/issuer/add-profiles.yml create mode 100644 
k8s/jobs/kustomize/jobs/overlays/common/vcs/issuer/vcs_issuer_configure.sh create mode 100644 k8s/jobs/kustomize/jobs/overlays/common/vcs/verifier/add-profiles.yml create mode 100644 k8s/jobs/kustomize/jobs/overlays/common/vcs/verifier/vcs_verifier_configure.sh create mode 100644 k8s/jobs/kustomize/jobs/overlays/local/.gitignore create mode 100644 k8s/jobs/kustomize/jobs/overlays/local/kustomization.yaml create mode 100755 k8s/jobs/kustomize/plugin/svceng/sedtransformer/SedTransformer diff --git a/Makefile b/Makefile index a9f0b8242..f2ba6eee5 100644 --- a/Makefile +++ b/Makefile @@ -25,7 +25,7 @@ DID_ELEMENT_SIDETREE_REQUEST_URL ?= https://element-did.com/api/v1/sidetree/requ SANDBOX_CLI_IMAGE_NAME ?= trustbloc/sandbox-cli # TrustBloc core k8s deployment scripts https://github.com/trustbloc/k8s -TRUSTBLOC_CORE_K8S_COMMIT=c1f79a5b35d1357ef2a6a636c19d04ead6c37858 +TRUSTBLOC_CORE_K8S_COMMIT=9d468920f28a0c9749336f517be0872d1ad0bfa3 # Tool commands (overridable) ALPINE_VER ?= 3.12 diff --git a/k8s/ace-rp/Makefile b/k8s/ace-rp/Makefile index f210539d9..ee6223f65 100644 --- a/k8s/ace-rp/Makefile +++ b/k8s/ace-rp/Makefile @@ -21,12 +21,10 @@ ARCH = $(shell uname -m | sed 's/x86_64/amd64/') #IMAGES ACE_RP_IMG ?= ghcr.io/trustbloc-cicd/sandbox-ace-rp:0.1.7-snapshot-62aff49 -CLI_IMG ?= ghcr.io/trustbloc-cicd/sandbox-cli:0.1.7-snapshot-62aff49 # do not modify KUSTOMIZE_DIR = kustomize/ace-rp CERTS_OUTPUT_DIR = ${KUSTOMIZE_DIR}/overlays/${DEPLOYMENT_ENV}/certs -REGISTRY_DIRECTORY = ${KUSTOMIZE_DIR}/base/registry PREFIX ?= KUSTOMIZE_BUILD_OPTS ?= --load-restrictor LoadRestrictionsNone --enable-alpha-plugins export KUSTOMIZE_PLUGIN_HOME = $(abspath .)/kustomize/plugin @@ -75,9 +73,6 @@ set-labels: kustomize set-images: kustomize @pushd ${KUSTOMIZE_DIR}/base &&\ ${KUSTOMIZE} edit set image sandbox-ace-rp=${ACE_RP_IMG} &&\ - popd &&\ - pushd ${KUSTOMIZE_DIR}/overlays/common &&\ - ${KUSTOMIZE} edit set image sandbox-cli=${CLI_IMG} &&\ popd .PHONY: deploy-ace-rp 
@@ -125,10 +120,7 @@ endif clean: clean-all .PHONY: clean-all -clean-all: clean-certs clean-registry - -.PHONY: clean-no-registry -clean-no-registry: clean-certs +clean-all: clean-certs .PHONY: clean-certs clean-certs: diff --git a/k8s/ace-rp/kustomize/ace-rp/overlays/common/kustomization.yaml b/k8s/ace-rp/kustomize/ace-rp/overlays/common/kustomization.yaml index 95b1289d7..bc121126a 100644 --- a/k8s/ace-rp/kustomize/ace-rp/overlays/common/kustomization.yaml +++ b/k8s/ace-rp/kustomize/ace-rp/overlays/common/kustomization.yaml @@ -33,9 +33,6 @@ configMapGenerator: envs: - benefits-dept/config.env name: benefits-dept-ace-rp-env -- files: - - ace_rp_configure.sh - name: ace-rp-profiles-script secretGenerator: - behavior: merge @@ -55,16 +52,7 @@ resources: - ../ucis - ../cbp - ../benefits-dept -- create-profiles.yml transformers: - sedtransform.yml - sedb64transform.yml - - -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -images: -- name: sandbox-cli - newName: ghcr.io/trustbloc-cicd/sandbox-cli - newTag: 0.1.7-snapshot-62aff49 diff --git a/k8s/ace-rp/kustomize/ace-rp/overlays/local/ace-rp/ace_rp_configure.sh b/k8s/ace-rp/kustomize/ace-rp/overlays/local/ace-rp/ace_rp_configure.sh deleted file mode 100644 index a757bdbe8..000000000 --- a/k8s/ace-rp/kustomize/ace-rp/overlays/local/ace-rp/ace_rp_configure.sh +++ /dev/null 
@@ -1,103 +0,0 @@ -# -# Copyright SecureKey Technologies Inc. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# - - -validateProfileCreation() -{ - if [ "$1" == "201" ] || [ "$1" == "400" ] - then - echo "$3 profile $4 is created" - else - echo "failed create $2 profile $4 response code $1 - $2" - exit 1 - fi -} - -# ucis - configure comparator -ucisComparatorConfig=$(demo comparator getConfig https://ucis-comparator.||DOMAIN||) -ucisComparatorConfigDID=$(echo "${ucisComparatorConfig}" | jq -r '.did') -ucisComparatorConfigPrivateKey=$(echo "${ucisComparatorConfig}" | jq -r '.privateKey') -ucisComparatorConfigKeyID=$(echo "${ucisComparatorConfig}" | jq -r '.keyID') - -# ucis - create vc issuer profile -vc_issuer_ucis=$(curl -k -o - -s -w "RESPONSE_CODE=%{response_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ - --request POST \ - --data '{"name":"vc-issuer-ucis", "uri":"http://example.com", "signatureType":"Ed25519Signature2018", "did":"'"${ucisComparatorConfigDID}"'","didPrivateKey":"'"${ucisComparatorConfigPrivateKey}"'","didKeyID":"'"${ucisComparatorConfigKeyID}"'","signatureRepresentation":1,"didKeyType":"Ed25519"}' \ - --insecure https://issuer-vcs.||DOMAIN||/profile) - -response=${vc_issuer_ucis//RESPONSE_CODE*/} -code=${vc_issuer_ucis//*RESPONSE_CODE=/} - -validateProfileCreation $code $response vc_issuer vc_issuer_ucis - -# cbp - configure comparator -cbpComparatorConfig=$(demo comparator getConfig https://cbp-comparator.||DOMAIN||) -cbpComparatorConfigDID=$(echo "${cbpComparatorConfig}" | jq -r '.did') -cbpComparatorConfigPrivateKey=$(echo "${cbpComparatorConfig}" | jq -r '.privateKey') -cbpComparatorConfigKeyID=$(echo "${cbpComparatorConfig}" | jq -r '.keyID') - -# cbp - create vc issuer profile -vc_issuer_cbp=$(curl -k -o - -s -w "RESPONSE_CODE=%{response_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ - --request POST \ - 
--data '{"name":"vc-issuer-cbp", "uri":"http://example.com", "signatureType":"Ed25519Signature2018", "did":"'"${cbpComparatorConfigDID}"'","didPrivateKey":"'"${cbpComparatorConfigPrivateKey}"'","didKeyID":"'"${cbpComparatorConfigKeyID}"'","signatureRepresentation":1,"didKeyType":"Ed25519"}' \ - --insecure https://issuer-vcs.||DOMAIN||/profile) - -response=${vc_issuer_cbp//RESPONSE_CODE*/} -code=${vc_issuer_cbp//*RESPONSE_CODE=/} - -validateProfileCreation $code $response vc_issuer vc_issuer_cbp - -# benefits-dept - configure comparator -benefitsDeptComparatorConfig=$(demo comparator getConfig https://benefits-dept-comparator.||DOMAIN||) -benefitsDeptComparatorConfigDID=$(echo "${benefitsDeptComparatorConfig}" | jq -r '.did') -benefitsDeptComparatorConfigPrivateKey=$(echo "${benefitsDeptComparatorConfig}" | jq -r '.privateKey') -benefitsDeptComparatorConfigKeyID=$(echo "${benefitsDeptComparatorConfig}" | jq -r '.keyID') - -# benefits-dept - create vc issuer profile -vc_issuer_benefits_dept=$(curl -k -o - -s -w "RESPONSE_CODE=%{response_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ - --request POST \ - --data '{"name":"vc-issuer-benefits-dept", "uri":"http://example.com", "signatureType":"Ed25519Signature2018", "did":"'"${benefitsDeptComparatorConfigDID}"'","didPrivateKey":"'"${benefitsDeptComparatorConfigPrivateKey}"'","didKeyID":"'"${benefitsDeptComparatorConfigKeyID}"'","signatureRepresentation":1,"didKeyType":"Ed25519"}' \ - --insecure https://issuer-vcs.||DOMAIN||/profile) - -response=${vc_issuer_benefits_dept//RESPONSE_CODE*/} -code=${vc_issuer_benefits_dept//*RESPONSE_CODE=/} - -validateProfileCreation $code $response vc_issuer vc_issuer_benefits_dept - -# create client with ucis (Utopia Citizenship and Immigration) agent -cbp_dept_act_linking_client=$(curl -k -o - -s -w "RESPONSE_CODE=%{response_code}" --header "Content-Type: application/json" \ - --request POST \ - --data 
'{"did":"'"${cbpComparatorConfigDID}"'", "callback":"https://cbp-rp.||DOMAIN||"}' \ - --insecure https://ucis-rp.||DOMAIN||/client) - -response=${cbp_dept_act_linking_client//RESPONSE_CODE*/} -code=${cbp_dept_act_linking_client//*RESPONSE_CODE=/} -clientID=$(echo $response | jq -r .clientID) -clientSecret=$(echo $response | jq -r .clientSecret) - -validateProfileCreation $code $response ace_rp_client cbp_dept_act_linking_client - -# create profile for ucis_profile_at_cbp -ucis_profile_at_cbp=$(curl -o /dev/null -s -w "RESPONSE_CODE=%{response_code}" --header "Content-Type: application/json" \ - --request POST \ - --data '{"id":"ucis-profile", "name":"Utopia Citizen and Immigration", "url":"https://ucis-rp.||DOMAIN||", "clientID":"'"${clientID}"'", "clientSecret":"'"${clientSecret}"'", "did":"'"${cbpComparatorConfigDID}"'"}' \ - --insecure https://cbp-rp.||DOMAIN||/profile) - -response=${ucis_profile_at_cbp//RESPONSE_CODE*/} -code=${ucis_profile_at_cbp//*RESPONSE_CODE=/} - -validateProfileCreation $code $response ace_rp_profile ucis_profile_at_cbp - -# create extractor profile for benefits at ucis -benefits_dept_profile_at_ucis=$(curl -o /dev/null -s -w "RESPONSE_CODE=%{response_code}" --header "Content-Type: application/json" \ - --request POST \ - --data '{"id":"benefit-dept-profile", "name":"Benefits Settlement Department", "url":"https://benefits-dept-rp.||DOMAIN||", "did":"'"${benefitsDeptComparatorConfigDID}"'", "callback":"https://benefits-dept-rp.||DOMAIN||"}' \ - --insecure https://ucis-rp.||DOMAIN||/profile) - -response=${benefits_dept_profile_at_ucis//RESPONSE_CODE*/} -code=${benefits_dept_profile_at_ucis//*RESPONSE_CODE=/} - -validateProfileCreation $code $response ace_rp_profile benefits_dept_profile_at_ucis diff --git a/k8s/ace-rp/kustomize/ace-rp/overlays/local/ace-rp/create-profiles.yml b/k8s/ace-rp/kustomize/ace-rp/overlays/local/ace-rp/create-profiles.yml deleted file mode 100644 index e8295ccdc..000000000 
--- a/k8s/ace-rp/kustomize/ace-rp/overlays/local/ace-rp/create-profiles.yml +++ /dev/null @@ -1,68 +0,0 @@ -# -# Copyright SecureKey Technologies Inc. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# - ---- -kind: Job -apiVersion: batch/v1 -metadata: - name: ace-rp-profiles -spec: - template: - spec: - volumes: - - name: script - configMap: - name: ace-rp-profiles-script - restartPolicy: Never - initContainers: - - name: ace-rp-ready - image: fedora - imagePullPolicy: IfNotPresent - command: ["/bin/sh"] - args: - - "-c" - - | - ENDPOINTS=(BENEFITS_DEPT_RP_SERVICE_HOST CBP_RP_SERVICE_HOST UCIS_RP_SERVICE_HOST); - for endpoint in "${ENDPOINTS[@]}"; - do while [[ "$(curl -o /dev/null -s -w '%{http_code}' --insecure --connect-timeout 5 http://${!endpoint})" != "200" ]]; - do echo "waiting for ${endpoint} endpoint"; - sleep 5; - done; - done; - - name: comparator-ready - image: fedora - imagePullPolicy: IfNotPresent - command: ["/bin/sh"] - args: - - "-c" - - | - ENDPOINTS=(benefits-dept-comparator cbp-comparator ucis-comparator); - for endpoint in "${ENDPOINTS[@]}"; - do while [[ "$(curl -o /dev/null -s -w '%{http_code}' --insecure --connect-timeout 5 https://${endpoint}.||DOMAIN||/healthcheck)" != "200" ]]; - do echo "waiting for ${endpoint} endpoint"; - sleep 5; - done; - done; - - name: issuer-vcs-ready - image: fedora - imagePullPolicy: IfNotPresent - command: ["/bin/sh"] - args: - - "-c" - - | - while [[ "$(curl -o /dev/null -s -w '%{http_code}' --insecure --connect-timeout 5 https://issuer-vcs.||DOMAIN||/healthcheck)" != "200" ]]; - do echo "waiting for issuer-vcs endpoint"; - sleep 5; - done; - containers: - - name: ace-rp-profiles - image: "sandbox-cli:latest" - imagePullPolicy: IfNotPresent - command: ["/bin/sh"] - args: ["/opt/ace_rp_configure.sh"] - volumeMounts: - - name: script - mountPath: /opt 
diff --git a/k8s/cms/kustomize/cms/overlays/common/kustomization.yaml b/k8s/cms/kustomize/cms/overlays/common/kustomization.yaml index 8e1137a71..fdff515ef 100644 --- a/k8s/cms/kustomize/cms/overlays/common/kustomization.yaml +++ b/k8s/cms/kustomize/cms/overlays/common/kustomization.yaml @@ -21,13 +21,6 @@ commonLabels: apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -resources: -- strapi/user-data.yml -- oathkeeper/role.yml -- oathkeeper/rolebinding.yml -- oathkeeper/process-template.yml - - transformers: - sedtransform.yml - sedb64transform.yml @@ -37,16 +30,7 @@ components: - ../../components/oathkeeper configMapGenerator: -- files: - - strapi/user_data.sh - name: strapi-user-data-script - behavior: replace files: - oathkeeper/config.yml name: oathkeeper-config -- files: - - oathkeeper/process_template.sh - name: process-template-script -- files: - - oathkeeper/access-rules.tmpl - name: access-rules-template diff --git a/k8s/comparator/Makefile b/k8s/comparator/Makefile index 28b4d5419..66adc99de 100644 --- a/k8s/comparator/Makefile +++ b/k8s/comparator/Makefile @@ -120,15 +120,8 @@ endif clean: clean-all .PHONY: clean-all -clean-all: clean-certs clean-registry - -.PHONY: clean-no-registry -clean-no-registry: clean-certs +clean-all: clean-certs .PHONY: clean-certs clean-certs: @rm -Rf ${CERTS_OUTPUT_DIR} - -.PHONY: clean-registry -clean-registry: - @rm -Rf ${REGISTRY_DIRECTORY} diff --git a/k8s/issuer/Makefile b/k8s/issuer/Makefile index d8876d8a0..0a0bdb018 100644 --- a/k8s/issuer/Makefile +++ b/k8s/issuer/Makefile @@ -121,9 +121,6 @@ clean: clean-all .PHONY: clean-all clean-all: clean-certs -.PHONY: clean-no-registry -clean-no-registry: clean-certs - .PHONY: clean-certs clean-certs: @rm -Rf ${CERTS_OUTPUT_DIR} diff --git a/k8s/issuer/kustomize/issuer/overlays/common/kustomization.yaml b/k8s/issuer/kustomize/issuer/overlays/common/kustomization.yaml index 0aad7a671..769effe2f 100644 
--- a/k8s/issuer/kustomize/issuer/overlays/common/kustomization.yaml +++ b/k8s/issuer/kustomize/issuer/overlays/common/kustomization.yaml @@ -25,9 +25,6 @@ configMapGenerator: envs: - config.env name: issuer-env -- files: - - register-tenant.sh - name: issuer-register-tenant-script secretGenerator: - behavior: merge @@ -37,9 +34,6 @@ secretGenerator: resources: - ../../base -- role.yml -- rolebinding.yml -- register-tenant.yml transformers: - sedtransform.yml diff --git a/k8s/jobs/Makefile b/k8s/jobs/Makefile new file mode 100644 index 000000000..a67a6377e --- /dev/null +++ b/k8s/jobs/Makefile 
@@ -0,0 +1,118 @@
+#
+# Copyright SecureKey Technologies Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+SHELL := /bin/bash
+CONTAINER_CMD ?= docker
+USER_ID = $(shell id -u)
+DOCKER_CMD_RUN_OPTS ?= -u $(USER_ID)
+CONTAINER_CMD_RUN_OPTS ?= $(if $(findstring docker,$(CONTAINER_CMD)),$(DOCKER_CMD_RUN_OPTS),)
+
+export DEPLOYMENT_ENV ?= local
+export DOMAIN ?= local.trustbloc.dev
+export BLOC_DOMAIN ?= testnet.local.trustbloc.dev
+# space delimited of Key:Value pairs
+COMMON_LABELS := instance:${DEPLOYMENT_ENV}
+
+OS = $(shell uname -s | tr '[:upper:]' '[:lower:]')
+ARCH = $(shell uname -m | sed 's/x86_64/amd64/')
+
+#IMAGES
+CLI_IMG ?= ghcr.io/trustbloc-cicd/sandbox-cli:0.1.7-snapshot-62aff49
+
+# do not modify
+KUSTOMIZE_DIR = kustomize/jobs
+PREFIX ?=
+KUSTOMIZE_BUILD_OPTS ?= --load-restrictor LoadRestrictionsNone --enable-alpha-plugins
+export KUSTOMIZE_PLUGIN_HOME = $(abspath .)/kustomize/plugin
+
+.PHONY: setup-no-certs
+setup-no-certs:
+ @echo setup-no-certs
+
+
+.PHONY: all
+all: deploy
+
+.PHONY: deploy
+deploy: prechecks kustomize kubectl set-images set-labels deploy-jobs
+
+.PHONY: prechecks
+prechecks:
+ifeq (, $(shell stat ${KUSTOMIZE_DIR}/overlays/${DEPLOYMENT_ENV} 2>/dev/null))
+ @echo "Environment not found ${KUSTOMIZE_DIR}/overlays/${DEPLOYMENT_ENV}"
+ @exit 1
+endif
+
+.PHONY: set-labels
+set-labels: kustomize
+ @pushd ${KUSTOMIZE_DIR}/overlays/${DEPLOYMENT_ENV} &&\
+ ${KUSTOMIZE} edit set label ${COMMON_LABELS} &&\
+ popd
+
+.PHONY: set-images
+set-images: kustomize
+ @pushd ${KUSTOMIZE_DIR}/overlays/common &&\
+ ${KUSTOMIZE} edit set image sandbox-cli=${CLI_IMG} &&\
+ popd
+
+.PHONY: delete-jobs
+delete-jobs:
+ @echo deleting jobs
+ $(KUBECTL) -n default delete job \
+ ace-rp-profiles \
+ adapter-issuer-add-profiles \
+ governance-vcs-add-profiles \
+ holder-vcs-add-profiles \
+ hub-hydra-create-client \
+ hydra-create-client \
+ issuer-register-tenant \
+ issuer-vcs-add-profiles \
+ orb-add-followers \
+ process-oathkeeper-template \
+ rp-register-tenant \
+ user-data \
+ verifier-vcs-add-profiles \
+ --ignore-not-found=true
+
+.PHONY: deploy-jobs
+deploy-jobs: prechecks kustomize kubectl
+ $(KUSTOMIZE) build ${KUSTOMIZE_BUILD_OPTS} \
+ ${KUSTOMIZE_DIR}/overlays/${DEPLOYMENT_ENV} | $(KUBECTL) apply -f -
+
+.PHONY: undeploy
+undeploy: prechecks kustomize kubectl set-images set-labels undeploy-jobs
+
+.PHONY: undeploy-jobs
+undeploy-jobs: prechecks kustomize kubectl
+ $(KUSTOMIZE) build ${KUSTOMIZE_BUILD_OPTS} \
+ ${KUSTOMIZE_DIR}/overlays/${DEPLOYMENT_ENV} | $(KUBECTL) delete -f -
+
+.PHONY: kustomize
+kustomize:
+ifeq (, $(shell which kustomize 2>/dev/null))
+ @{ \
+ set -e ;\
+ mkdir -p bin ;\
+ curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.0.4/kustomize_v4.0.4_$(OS)_$(ARCH).tar.gz | tar xzf - -C bin/ ;\
+ }
+KUSTOMIZE=$(realpath ./bin/kustomize)
+else
+KUSTOMIZE=$(shell which kustomize)
+endif
+
+.PHONY: kubectl
+kubectl:
+ifeq (, $(shell which kubectl 2>/dev/null))
+ @{ \
+ set -e ;\
+ mkdir -p bin ;\
+ curl -sSL https://storage.googleapis.com/kubernetes-release/release/v1.19.6/bin/$(OS)/$(ARCH)/kubectl -o bin/kubectl ;\
+ chmod u+x bin/kubectl ;\
+ }
+KUBECTL=$(realpath ./bin/kubectl)
+else
+KUBECTL=$(shell which kubectl)
+endif
diff --git a/k8s/jobs/README.md b/k8s/jobs/README.md
new file mode 100644
index 000000000..093bd1b90
--- /dev/null
+++ b/k8s/jobs/README.md
@@ -0,0 +1,17 @@
+# [TrustBloc Sandbox Shared DBs]() k8s deployment #
+
+
+## pre-requisits
+* [Minikube](https://minikube.sigs.k8s.io/docs/start/).
+* (Optional: Gets installed by make) [kustomize](https://kubectl.docs.kubernetes.io/installation/kustomize/).
+
+## Quick Run
+* `make all`
+* `make deploy-sandbox`
+
+## Cleanup
+* `make undeploy-sandbox`
+* `make clean`
+
+## options and features
+* Will deploy Sandbox MySQL and COUCHDB.
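Review bot: The `kustomize` and `kubectl` targets fetch release binaries over the network and execute them with no integrity check — `curl -sSLo - … | tar xzf - -C bin/` and `curl -sSL … -o bin/kubectl` — so a swapped or tampered download is run unverified on the next `make deploy`. Both projects publish checksums for their releases; verify before use, e.g. after the kubectl download add `echo "<EXPECTED_SHA256_PLACEHOLDER>  bin/kubectl" | sha256sum -c - ;\` and download the kustomize tarball to a file and check it the same way before extracting it. The same pattern looks inherited from the sibling Makefiles in k8s/, so the fix belongs in all of them. Separately, `delete-jobs` hard-codes a job list that includes names such as `orb-add-followers` that match no file in this commit's diffstat; if that job comes from the core k8s deployment, a comment saying so would stop the list from silently drifting from what `deploy-jobs` actually creates.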
diff --git a/k8s/jobs/kustomize/jobs/overlays/common/.gitignore b/k8s/jobs/kustomize/jobs/overlays/common/.gitignore new file mode 100644 index 000000000..4ec9cd00d --- /dev/null +++ b/k8s/jobs/kustomize/jobs/overlays/common/.gitignore @@ -0,0 +1,7 @@ +# +# Copyright SecureKey Technologies Inc. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +certs/** diff --git a/k8s/ace-rp/kustomize/ace-rp/overlays/common/ace_rp_configure.sh b/k8s/jobs/kustomize/jobs/overlays/common/ace-rp/ace_rp_configure.sh similarity index 100% rename from k8s/ace-rp/kustomize/ace-rp/overlays/common/ace_rp_configure.sh rename to k8s/jobs/kustomize/jobs/overlays/common/ace-rp/ace_rp_configure.sh diff --git a/k8s/ace-rp/kustomize/ace-rp/overlays/common/create-profiles.yml b/k8s/jobs/kustomize/jobs/overlays/common/ace-rp/create-profiles.yml similarity index 98% rename from k8s/ace-rp/kustomize/ace-rp/overlays/common/create-profiles.yml rename to k8s/jobs/kustomize/jobs/overlays/common/ace-rp/create-profiles.yml index fff9ce0bd..e299fc668 100644 --- a/k8s/ace-rp/kustomize/ace-rp/overlays/common/create-profiles.yml +++ b/k8s/jobs/kustomize/jobs/overlays/common/ace-rp/create-profiles.yml @@ -9,6 +9,8 @@ kind: Job apiVersion: batch/v1 metadata: name: ace-rp-profiles + labels: + group: demo spec: template: spec: diff --git a/k8s/jobs/kustomize/jobs/overlays/common/adapter-issuer/add-profiles.yml b/k8s/jobs/kustomize/jobs/overlays/common/adapter-issuer/add-profiles.yml new file mode 100644 index 000000000..dfa573d2b --- /dev/null +++ b/k8s/jobs/kustomize/jobs/overlays/common/adapter-issuer/add-profiles.yml 
@@ -0,0 +1,54 @@
+#
+# Copyright SecureKey Technologies Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+---
+kind: Job
+apiVersion: batch/v1
+metadata:
+ name: adapter-issuer-add-profiles
+ labels:
+ component: adapter
+ group: services
+spec:
+ template:
+ spec:
+ volumes:
+ - name: script
+ configMap:
+ name: adapter-issuer-add-profiles-config
+ restartPolicy: Never
+ initContainers:
+ - name: healthcheck-ready
+ image: fedora
+ imagePullPolicy: IfNotPresent
+ command: ["/bin/sh"]
+ args:
+ - "-c"
+ - |
+ while [[ "$(curl -o /dev/null -s -w '%{http_code}' --insecure --connect-timeout 5 http://adapter-issuer/healthcheck)" != "200" ]];
+ do echo "waiting for adapter endpoint";
+ sleep 5;
+ done;
+ - name: trustbloc-ready
+ image: fedora
+ imagePullPolicy: IfNotPresent
+ command: ["/bin/sh"]
+ args:
+ - "-c"
+ - |
+ while [[ "$(curl -o /dev/null -s -w '%{http_code}' --insecure --connect-timeout 5 https://||BLOC_DOMAIN||/.well-known/did-orb)" != "200" ]];
+ do echo "waiting for BLOC endpoint";
+ sleep 5;
+ done;
+ containers:
+ - name: issuer-add-profiles
+ image: "alpine:latest"
+ imagePullPolicy: IfNotPresent
+ command: ["/bin/sh"]
+ args: ["/opt/issuer_adapter_configure.sh"]
+ volumeMounts:
+ - name: script
+ mountPath: /opt
diff --git a/k8s/jobs/kustomize/jobs/overlays/common/adapter-issuer/issuer_adapter_configure.sh b/k8s/jobs/kustomize/jobs/overlays/common/adapter-issuer/issuer_adapter_configure.sh
new file mode 100644
index 000000000..049855c57
--- /dev/null
+++ b/k8s/jobs/kustomize/jobs/overlays/common/adapter-issuer/issuer_adapter_configure.sh
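Review bot: The `issuer-add-profiles` container runs `image: "alpine:latest"` and the mounted script then installs `curl` and `jq` from the package mirror at job start, so the tools this job executes are unpinned and resolved at run time rather than at build time. The ace-rp job in the same overlay appears to run the `sandbox-cli` image instead (the deleted local create-profiles.yml shows `image: "sandbox-cli:latest"`), which `set-images` in k8s/jobs/Makefile pins to the `CLI_IMG` tag and which, judging by the deleted ace_rp_configure.sh, already ships curl and jq; switching this container to `image: "sandbox-cli:latest"` would make the job reproducible and let the `apk add` line go. If alpine is kept deliberately, pin it by a specific tag or digest rather than `latest`. The untagged `fedora` init-container images have the same drift problem, though that matches the existing jobs.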
@@ -0,0 +1,110 @@
+#!/bin/sh
+#
+# Copyright SecureKey Technologies Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+apk --no-cache add curl jq
+
+echo "Adding Issuer Adapter profiles"
+
+n=0
+maxAttempts=60
+until [ $n -ge $maxAttempts ]
+do
+ response=$(curl -k --header "Content-Type: application/json" \
+ --request POST \
+ --data '{"id":"tb-cc-issuer", "name":"TrustBloc - Credit Card Data Issuer", "url": "https://demo-issuer.||DOMAIN||/didcomm", "oidcProvider": "https://hydra.||DOMAIN||/", "scopes":["CreditCardStatement"], "supportedVCContexts" : ["https://trustbloc.github.io/context/vc/examples/credit-card-v1.jsonld"]}' \
+ --insecure http://adapter-issuer/profile 2>/dev/null)
+ echo "'created' field from profile tb-cc-issuer response is: $response"
+
+ responseCreatedTime=$(echo ${response} | jq -r '.createdAt' 2>/dev/null )
+ responseError=$(echo ${response} | jq -r '.errMessage' 2>/dev/null )
+
+ if [ -n "$(echo ${responseError} | grep 'already exists')" ]
+ then
+ break
+ fi
+
+ if [ -n "$responseCreatedTime" ] && [ "$responseCreatedTime" != "null" ]
+ then
+ break
+ fi
+ echo "Invalid 'id' field in the response when trying to create tb-cc-issuer profile (attempt $((n+1))/$maxAttempts)."
+
+ n=$((n+1))
+ if [ $n -eq $maxAttempts ]
+ then
+ echo "failed to create tb-cc-issuer profile"
+ exit 1
+ fi
+ sleep 5
+done
+
+n=0
+maxAttempts=60
+until [ $n -ge $maxAttempts ]
+do
+ response=$(curl -k --header "Content-Type: application/json" \
+ --request POST \
+ --data '{"id":"tb-cr-issuer", "name":"TrustBloc - Credit Report Issuer", "url":"https://demo-issuer.||DOMAIN||/didcomm", "oidcProvider":"https://hydra.||DOMAIN||/", "scopes":["CreditScore"], "supportedVCContexts" : ["https://trustbloc.github.io/context/vc/examples/credit-score-v1.jsonld"], "requiresBlindedRoute": true}' \
+ --insecure http://adapter-issuer/profile 2>/dev/null)
+ echo "'created' field from profile tb-cr-issuer response is: $response"
+
+ responseCreatedTime=$(echo ${response} | jq -r '.createdAt' 2>/dev/null )
+ responseError=$(echo ${response} | jq -r '.errMessage' 2>/dev/null )
+
+ if [ -n "$(echo ${responseError} | grep 'already exists')" ]
+ then
+ break
+ fi
+
+ if [ -n "$responseCreatedTime" ] && [ "$responseCreatedTime" != "null" ]
+ then
+ break
+ fi
+ echo "Invalid 'id' field in the response when trying to create tb-cr-issuer profile (attempt $((n+1))/$maxAttempts)."
+
+ n=$((n+1))
+ if [ $n -eq $maxAttempts ]
+ then
+ echo "failed to create tb-cr-issuer profile"
+ exit 1
+ fi
+ sleep 5
+done
+
+n=0
+until [ $n -ge $maxAttempts ]
+do
+ response=$(curl -k --header "Content-Type: application/json" \
+ --request POST \
+ --data '{"id":"tb-dl-issuer", "name":"TrustBloc - Driving License + Assurance Issuer", "url":"https://demo-issuer.||DOMAIN||/didcomm", "oidcProvider":"https://hydra.||DOMAIN||/", "scopes":["mDL"], "supportedVCContexts" : ["https://trustbloc.github.io/context/vc/examples/driver-license-evidence-v1.jsonld"], "supportsAssuranceCredential" : true, "requiresBlindedRoute": true}' \
+ --insecure http://adapter-issuer/profile 2>/dev/null)
+ echo "'created' field from profile tb-dl-issuer response is: $response"
+
+ responseCreatedTime=$(echo ${response} | jq -r '.createdAt' 2>/dev/null )
+ responseError=$(echo ${response} | jq -r '.errMessage' 2>/dev/null )
+
+ if [ -n "$(echo ${responseError} | grep 'already exists')" ]
+ then
+ break
+ fi
+
+ if [ -n "$responseCreatedTime" ] && [ "$responseCreatedTime" != "null" ]
+ then
+ break
+ fi
+ echo "Invalid 'id' field in the response when trying to create tb-dl-issuer profile (attempt $((n+1))/$maxAttempts)."
+
+ n=$((n+1))
+ if [ $n -eq $maxAttempts ]
+ then
+ echo "failed to create tb-dl-issuer profile"
+ exit 1
+ fi
+ sleep 5
+done
+
+echo "Finished adding Issuer Adapter profiles"
diff --git a/k8s/cms/kustomize/cms/overlays/common/oathkeeper/access-rules.tmpl b/k8s/jobs/kustomize/jobs/overlays/common/cms/oathkeeper/access-rules.tmpl
similarity index 100%
rename from k8s/cms/kustomize/cms/overlays/common/oathkeeper/access-rules.tmpl
rename to k8s/jobs/kustomize/jobs/overlays/common/cms/oathkeeper/access-rules.tmpl
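Review bot: `apk --no-cache add curl jq` at the top of the script is unchecked, so if the package install fails the first loop spends 60 attempts × 5 s logging an invalid response before exiting 1 for the wrong reason; it should be `apk --no-cache add curl jq || exit 1`. The three retry loops are identical apart from the profile id and the JSON body, and their log lines do not match what is tested (the message complains about the 'id' field while the check is on `.createdAt`); factoring them into one `add_profile` function keeps the messages honest and makes a fourth profile a one-line addition. The `-k`/`--insecure` flags on a plain `http://adapter-issuer/profile` request are no-ops today and are better dropped so they do not silently disable verification if the URL is later switched to https.

```shell
apk --no-cache add curl jq || exit 1

# add_profile ID JSON: POSTs the profile body to the adapter and retries every
# 5 s until the reply carries createdAt, the adapter says the profile already
# exists, or maxAttempts is reached (then exit 1).
add_profile() {
  id=$1
  payload=$2
  n=0
  maxAttempts=60
  until [ $n -ge $maxAttempts ]
  do
    response=$(curl --header "Content-Type: application/json" \
      --request POST \
      --data "$payload" \
      http://adapter-issuer/profile 2>/dev/null)
    echo "response for profile $id is: $response"

    responseCreatedTime=$(echo "${response}" | jq -r '.createdAt' 2>/dev/null)
    responseError=$(echo "${response}" | jq -r '.errMessage' 2>/dev/null)

    if [ -n "$(echo "${responseError}" | grep 'already exists')" ]
    then
      break
    fi

    if [ -n "$responseCreatedTime" ] && [ "$responseCreatedTime" != "null" ]
    then
      break
    fi
    echo "no 'createdAt' field in the response when trying to create $id profile (attempt $((n+1))/$maxAttempts)."

    n=$((n+1))
    if [ $n -eq $maxAttempts ]
    then
      echo "failed to create $id profile"
      exit 1
    fi
    sleep 5
  done
}

# … unchanged: the three --data JSON bodies, now passed as the second argument …
add_profile tb-cc-issuer '{"id":"tb-cc-issuer", …}'
add_profile tb-cr-issuer '{"id":"tb-cr-issuer", …}'
add_profile tb-dl-issuer '{"id":"tb-dl-issuer", …}'
```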
diff --git a/k8s/cms/kustomize/cms/overlays/common/oathkeeper/process-template.yml b/k8s/jobs/kustomize/jobs/overlays/common/cms/oathkeeper/process-template.yml similarity index 81% rename from k8s/cms/kustomize/cms/overlays/common/oathkeeper/process-template.yml rename to k8s/jobs/kustomize/jobs/overlays/common/cms/oathkeeper/process-template.yml index cfdab2c52..e5b1eaf38 100644 --- a/k8s/cms/kustomize/cms/overlays/common/oathkeeper/process-template.yml +++ b/k8s/jobs/kustomize/jobs/overlays/common/cms/oathkeeper/process-template.yml @@ -22,11 +22,11 @@ spec: restartPolicy: Never # serviceAccountName: oathkeeper initContainers: - - name: wait - image: busybox - imagePullPolicy: IfNotPresent - command: ["sh"] - args: ["-c", "sleep 90"] +# - name: wait +# image: busybox +# imagePullPolicy: IfNotPresent +# command: ["sh"] +# args: ["-c", "sleep 90"] - name: healthcheck-ready image: busybox imagePullPolicy: IfNotPresent @@ -34,7 +34,7 @@ spec: args: - "-c" - | - while [ "$(wget http://${STRAPI_SERVICE_HOST}/admin -O- -S >/dev/null 2>&1; echo $?)" -ne 0 ]; + while [ "$(wget http://strapi/admin -O- -S >/dev/null 2>&1; echo $?)" -ne 0 ]; do echo "waiting for strapi/admin endpoint"; done containers: diff --git a/k8s/cms/kustomize/cms/overlays/common/oathkeeper/process_template.sh b/k8s/jobs/kustomize/jobs/overlays/common/cms/oathkeeper/process_template.sh similarity index 100% rename from k8s/cms/kustomize/cms/overlays/common/oathkeeper/process_template.sh rename to k8s/jobs/kustomize/jobs/overlays/common/cms/oathkeeper/process_template.sh diff --git a/k8s/cms/kustomize/cms/overlays/common/oathkeeper/role.yml b/k8s/jobs/kustomize/jobs/overlays/common/cms/oathkeeper/role.yml similarity index 100% rename from k8s/cms/kustomize/cms/overlays/common/oathkeeper/role.yml rename to k8s/jobs/kustomize/jobs/overlays/common/cms/oathkeeper/role.yml 
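Review bot: The `healthcheck-ready` init container in the second hunk polls `http://strapi/admin` in a tight `while … do echo …; done` loop with no pause between attempts, so until strapi answers it busy-spins and floods the job log; change the loop body to `do echo "waiting for strapi/admin endpoint"; sleep 5; done`, as the readiness loops in the other jobs of this overlay already do. In the first hunk the `wait` init container is commented out rather than deleted; now that the healthcheck gates the job, the five `# - name: wait …` lines are dead and should be removed (git history keeps them). Both issues appear again in the k8s/jobs/…/cms/strapi/user-data.yml hunks of this commit.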
diff --git a/k8s/cms/kustomize/cms/overlays/common/oathkeeper/rolebinding.yml b/k8s/jobs/kustomize/jobs/overlays/common/cms/oathkeeper/rolebinding.yml similarity index 100% rename from k8s/cms/kustomize/cms/overlays/common/oathkeeper/rolebinding.yml rename to k8s/jobs/kustomize/jobs/overlays/common/cms/oathkeeper/rolebinding.yml diff --git a/k8s/cms/kustomize/cms/overlays/common/strapi/user-data.yml b/k8s/jobs/kustomize/jobs/overlays/common/cms/strapi/user-data.yml similarity index 76% rename from k8s/cms/kustomize/cms/overlays/common/strapi/user-data.yml rename to k8s/jobs/kustomize/jobs/overlays/common/cms/strapi/user-data.yml index 84734e92e..0497288eb 100644 --- a/k8s/cms/kustomize/cms/overlays/common/strapi/user-data.yml +++ b/k8s/jobs/kustomize/jobs/overlays/common/cms/strapi/user-data.yml @@ -18,11 +18,11 @@ spec: name: strapi-user-data-script restartPolicy: Never initContainers: - - name: wait - image: busybox - imagePullPolicy: IfNotPresent - command: ["sh"] - args: ["-c", "sleep 90"] +# - name: wait +# image: busybox +# imagePullPolicy: IfNotPresent +# command: ["sh"] +# args: ["-c", "sleep 90"] - name: healthcheck-ready image: busybox imagePullPolicy: IfNotPresent @@ -30,7 +30,7 @@ spec: args: - "-c" - | - while [ "$(wget http://${STRAPI_SERVICE_HOST}/admin -O- -S >/dev/null 2>&1; echo $?)" -ne 0 ]; + while [ "$(wget http://strapi/admin -O- -S >/dev/null 2>&1; echo $?)" -ne 0 ]; do echo "waiting for strapi/admin endpoint"; done containers: diff --git a/k8s/cms/kustomize/cms/overlays/common/strapi/user_data.sh b/k8s/jobs/kustomize/jobs/overlays/common/cms/strapi/user_data.sh similarity index 100% rename from k8s/cms/kustomize/cms/overlays/common/strapi/user_data.sh rename to k8s/jobs/kustomize/jobs/overlays/common/cms/strapi/user_data.sh diff --git a/k8s/jobs/kustomize/jobs/overlays/common/hub-auth/hydra/hydra-create-client.yml b/k8s/jobs/kustomize/jobs/overlays/common/hub-auth/hydra/hydra-create-client.yml new file mode 100644 index 000000000..635c5ab91 
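Review bot: The `healthcheck-ready` loop in the second hunk has no `sleep`, so `wget http://strapi/admin` is re-run in a tight loop until the endpoint responds, hammering strapi during its own start-up; `do echo "waiting for strapi/admin endpoint"; sleep 5; done` matches the polling interval used by the hydra and vcs jobs in this change. The commented-out `wait` container should be removed rather than left as dead YAML. The container spec of this Job continues outside the hunk.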
--- /dev/null +++ b/k8s/jobs/kustomize/jobs/overlays/common/hub-auth/hydra/hydra-create-client.yml @@ -0,0 +1,41 @@ +# +# Copyright SecureKey Technologies Inc. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +--- +kind: Job +apiVersion: batch/v1 +metadata: + name: hub-hydra-create-client + labels: + group: core + component: hub-auth +spec: + template: + spec: + restartPolicy: Never + initContainers: + - name: healthcheck-ready + image: busybox + imagePullPolicy: IfNotPresent + command: ["/bin/sh"] + args: + - "-c" + - | + while [[ "$(wget -T 5 -S --spider http://hub-hydra-admin/health/ready 2>&1 | grep '200 OK')" == "" ]]; + do echo "waiting for endpoint"; + sleep 5; + done; + containers: + - name: hydra-clients-create + image: "oryd/hydra:v1.3.2-alpine" + imagePullPolicy: IfNotPresent + command: ["/bin/sh"] + args: + - "-c" + - | + err_resp=$(hydra clients create --endpoint http://hub-hydra-admin --fake-tls-termination --id user-agent --secret user-agent-secret --grant-types authorization_code,refresh_token --response-types code,id_token --scope openid,profile,email --skip-tls-verify --callbacks https://wallet-support.||DOMAIN||/oidc/callback 2>&1 > /dev/null); + echo $err_resp; + if [ -z "$err_resp" ] || [ -n "$(echo ${err_resp} | grep already )" ];then echo "hydra client add successful"; exit 0;else echo "hydra client add failed"; exit 1;fi diff --git a/k8s/issuer/kustomize/issuer/overlays/common/register-tenant.sh b/k8s/jobs/kustomize/jobs/overlays/common/issuer/register-tenant.sh similarity index 86% rename from k8s/issuer/kustomize/issuer/overlays/common/register-tenant.sh rename to k8s/jobs/kustomize/jobs/overlays/common/issuer/register-tenant.sh index 75f5e137d..afdb638a2 100644 --- a/k8s/issuer/kustomize/issuer/overlays/common/register-tenant.sh +++ b/k8s/jobs/kustomize/jobs/overlays/common/issuer/register-tenant.sh 
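Review bot: The OAuth client secret is a literal in the manifest, `--secret user-agent-secret` in the `hydra clients create` call of the new `hub-hydra-create-client` Job, so it is committed to git and is identical in every environment rendered from this overlay; it should be injected from a Kubernetes Secret and referenced from the environment instead. The success test `[ -z "$err_resp" ] || [ -n "$(echo ${err_resp} | grep already )" ]` treats any stderr text containing "already" as success, which is presumably aimed at hydra's "already exists" error but is looser than it needs to be; matching `already exists` would be safer. `--skip-tls-verify` and `--fake-tls-termination` are moot against the plain-http `http://hub-hydra-admin` endpoint and could be dropped to avoid the impression that TLS is in play. The Secret name below is illustrative and has to be created alongside this manifest.
```yaml
      containers:
      - name: hydra-clients-create
        # … unchanged: image, imagePullPolicy, command …
        env:
        - name: USER_AGENT_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: hub-auth-oidc-clients   # illustrative; create alongside this Job
              key: user-agent-secret
        args:
        - "-c"
        - |
          err_resp=$(hydra clients create --endpoint http://hub-hydra-admin --id user-agent --secret "$USER_AGENT_CLIENT_SECRET" --grant-types authorization_code,refresh_token --response-types code,id_token --scope openid,profile,email --callbacks https://wallet-support.||DOMAIN||/oidc/callback 2>&1 > /dev/null);
          # … unchanged: echo / success check / exit …
```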
@@ -80,9 +80,9 @@ do v=$(cat ${config_map_data} | jq -r $q) echo "$key=$v" | sed -E 's/(^.+)="([^"]*)"/\1=\2/' >> ${config_map_env_file} done -echo "ISSUER_OIDC_CLIENTID=${clientID}" >> ${config_map_env_file} -echo "ISSUER_OIDC_CLIENTSECRET=${clientSecret}" >> ${config_map_env_file} +grep -q '^ISSUER_OIDC_CLIENTID' ${config_map_env_file} && sed -i "s/^ISSUER_OIDC_CLIENTID.*/ISSUER_OIDC_CLIENTID=${clientID}/" ${config_map_env_file} || echo "ISSUER_OIDC_CLIENTID=${clientID}" >> ${config_map_env_file} +grep -q '^ISSUER_OIDC_CLIENTSECRET' ${config_map_env_file} && sed -i "s/^ISSUER_OIDC_CLIENTSECRET.*/ISSUER_OIDC_CLIENTSECRET=${clientSecret}/" ${config_map_env_file} || echo "ISSUER_OIDC_CLIENTSECRET=${clientSecret}" >> ${config_map_env_file} echo "mutating configMap ${config_map_name}" kubectl create cm ${config_map_name} --dry-run=client --from-env-file=${config_map_env_file} -o yaml > ${config_map} diff --git a/k8s/issuer/kustomize/issuer/overlays/common/register-tenant.yml b/k8s/jobs/kustomize/jobs/overlays/common/issuer/register-tenant.yml similarity index 77% rename from k8s/issuer/kustomize/issuer/overlays/common/register-tenant.yml rename to k8s/jobs/kustomize/jobs/overlays/common/issuer/register-tenant.yml index 1999ebef1..de2240444 100644 --- a/k8s/issuer/kustomize/issuer/overlays/common/register-tenant.yml +++ b/k8s/jobs/kustomize/jobs/overlays/common/issuer/register-tenant.yml @@ -9,6 +9,8 @@ kind: Job apiVersion: batch/v1 metadata: name: issuer-register-tenant + labels: + group: demo spec: template: spec: 
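Review bot: `${clientSecret}` is interpolated unescaped into the sed replacement `s/^ISSUER_OIDC_CLIENTSECRET.*/ISSUER_OIDC_CLIENTSECRET=${clientSecret}/`, so a secret containing `/`, `&` or `\` either breaks the command or writes a corrupted value (sed expands `&` to the matched text), and the same applies to `${clientID}` on the line above. Because each line is a `grep && sed || echo` chain, a failing sed also falls through to the `echo` and appends a second entry to the env file. Deleting the old keys and re-appending avoids escaping altogether: `sed -i '/^ISSUER_OIDC_CLIENTID=/d;/^ISSUER_OIDC_CLIENTSECRET=/d' ${config_map_env_file}` followed by the two original `echo "ISSUER_OIDC_…=…" >> ${config_map_env_file}` lines. The secret still ends up in a ConfigMap via `kubectl create cm`, readable by anyone with ConfigMap read in the namespace; a Secret would be the right object, though how the issuer consumes it is outside this hunk. The surrounding script continues outside the hunk.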
@@ -19,16 +21,16 @@ spec: restartPolicy: Never # serviceAccountName: oathkeeper initContainers: - - name: wait - image: busybox - imagePullPolicy: IfNotPresent - command: ["sh"] - args: ["-c", "sleep 90"] +# - name: wait +# image: busybox +# imagePullPolicy: IfNotPresent +# command: ["sh"] +# args: ["-c", "sleep 90"] - name: healthcheck-ready image: busybox imagePullPolicy: IfNotPresent command: ["wget"] - args: ["-S", "http://$(ISSUER_SERVICE_NAME)", "-O-"] + args: ["-S", "http://issuer", "-O-"] containers: - name: register-tenant image: "alpine:latest" diff --git a/k8s/issuer/kustomize/issuer/overlays/common/role.yml b/k8s/jobs/kustomize/jobs/overlays/common/issuer/role.yml similarity index 100% rename from k8s/issuer/kustomize/issuer/overlays/common/role.yml rename to k8s/jobs/kustomize/jobs/overlays/common/issuer/role.yml diff --git a/k8s/issuer/kustomize/issuer/overlays/common/rolebinding.yml b/k8s/jobs/kustomize/jobs/overlays/common/issuer/rolebinding.yml similarity index 100% rename from k8s/issuer/kustomize/issuer/overlays/common/rolebinding.yml rename to k8s/jobs/kustomize/jobs/overlays/common/issuer/rolebinding.yml diff --git a/k8s/jobs/kustomize/jobs/overlays/common/kustomization.yaml b/k8s/jobs/kustomize/jobs/overlays/common/kustomization.yaml new file mode 100644 index 000000000..25761a7fc --- /dev/null +++ b/k8s/jobs/kustomize/jobs/overlays/common/kustomization.yaml 
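Review bot: The `healthcheck-ready` init container still performs a single `wget -S http://issuer -O-` with no retry, whereas every other job in this change polls its health endpoint in a loop; with `restartPolicy: Never` one failed probe fails the pod and consumes a Job retry instead of waiting for the issuer to come up. Suggest `command: ["/bin/sh"]` and `args: ["-c", "until wget -S http://issuer -O- >/dev/null 2>&1; do echo waiting for issuer; sleep 5; done"]`. The commented-out `wait` container is dead configuration and can be removed. The `alpine:latest` tag on the `register-tenant` container is unpinned, so the job's toolchain can change underneath it; the container spec continues past the hunk.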
@@ -0,0 +1,84 @@ +# +# Copyright SecureKey Technologies Inc. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +# Adds namespace to all resources. +#namespace: edge-sandbox-system + +# Value of this field is prepended to the +# names of all resources, e.g. a deployment named +# "wordpress" becomes "alices-wordpress". +# Note that it should also match with the prefix (text before '-') of the namespace +# field above. +commonLabels: + project: trustbloc + +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +configMapGenerator: +- files: + - rp/register-tenant.sh + name: rp-register-tenant-script +- files: + - issuer/register-tenant.sh + name: issuer-register-tenant-script +- files: + - ace-rp/ace_rp_configure.sh + name: ace-rp-profiles-script +- files: + - cms/strapi/user_data.sh + name: strapi-user-data-script +- files: + - cms/oathkeeper/process_template.sh + name: process-template-script +- files: + - cms/oathkeeper/access-rules.tmpl + name: access-rules-template +- files: + - adapter-issuer/issuer_adapter_configure.sh + name: adapter-issuer-add-profiles-config +- files: + - vcs/issuer/vcs_issuer_configure.sh + name: issuer-vcs-add-profiles-script +- files: + - vcs/verifier/vcs_verifier_configure.sh + name: verifier-vcs-add-profiles-script +- files: + - vcs/holder/vcs_holder_configure.sh + name: holder-vcs-add-profiles-script +- files: + - vcs/governance/vcs_governance_configure.sh + name: governance-vcs-add-profiles-script + +resources: +- adapter-issuer/add-profiles.yml +- hub-auth/hydra/hydra-create-client.yml +- vcs/issuer/add-profiles.yml +- vcs/verifier/add-profiles.yml +- vcs/holder/add-profiles.yml +- vcs/governance/add-profiles.yml +- rp/role.yml +- rp/rolebinding.yml +- rp/register-tenant.yml +- issuer/role.yml +- issuer/rolebinding.yml +- issuer/register-tenant.yml +- ace-rp/create-profiles.yml +- login-consent/hydra/hydra-create-client.yml +- cms/strapi/user-data.yml +- cms/oathkeeper/role.yml +- 
cms/oathkeeper/rolebinding.yml +- cms/oathkeeper/process-template.yml + +transformers: +- sedtransform.yml + +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +images: +- name: sandbox-cli + newName: ghcr.io/trustbloc-cicd/sandbox-cli + newTag: 0.1.7-snapshot-62aff49 diff --git a/k8s/login-consent/kustomize/login-consent/overlays/common/hydra/hydra-create-client.yml b/k8s/jobs/kustomize/jobs/overlays/common/login-consent/hydra/hydra-create-client.yml similarity index 53% rename from k8s/login-consent/kustomize/login-consent/overlays/common/hydra/hydra-create-client.yml rename to k8s/jobs/kustomize/jobs/overlays/common/login-consent/hydra/hydra-create-client.yml index 7d98cd3be..e06f6f4ab 100644 --- a/k8s/login-consent/kustomize/login-consent/overlays/common/hydra/hydra-create-client.yml +++ b/k8s/jobs/kustomize/jobs/overlays/common/login-consent/hydra/hydra-create-client.yml @@ -21,7 +21,7 @@ spec: args: - "-c" - | - while [[ "$(wget -T 5 -S --spider http://${HYDRA_ADMIN_SERVICE_HOST}/health/ready 2>&1 | grep '200 OK')" == "" ]]; + while [[ "$(wget -T 5 -S --spider http://hydra-admin/health/ready 2>&1 | grep '200 OK')" == "" ]]; do echo "waiting for endpoint"; sleep 5; done; 
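Review bot: `apiVersion: kustomize.config.k8s.io/v1beta1` and `kind: Kustomization` appear twice in this new file, once after `commonLabels` and again just before `images:`; depending on the YAML library behind the kustomize build, duplicate mapping keys are either rejected or silently collapsed, so the second pair should be removed. The `configMapGenerator` entries turn the `vcs/*` and `adapter-issuer` scripts into ConfigMaps, and those scripts (visible later in this patch) carry bearer tokens and DID private keys in clear text; anything with ConfigMap read access in the namespace can read them, so a `secretGenerator`, or parameterising the scripts from Secrets, would be more appropriate. The leading comment block about a `wordpress` name prefix describes a `namePrefix` that this overlay does not set and can be dropped.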
@@ -35,11 +35,11 @@ spec: - | echo "Creating clients ..."; - err_resp=$(hydra clients create --endpoint http://${HYDRA_ADMIN_SERVICE_HOST} --fake-tls-termination --id auth-code-client --name "Share Your Credentials" --secret secret --grant-types authorization_code,refresh_token --response-types code,id_token --scope StudentCard,TravelCard,PermanentResidentCard,VaccinationCertificate,CertifiedMillTestReport,CrudeProductCredential,UniversityDegreeCredential,CreditCardStatement,mDL,CreditScore --skip-tls-verify --callbacks https://demo-issuer.||DOMAIN||/callback 2>&1 > /dev/null); + err_resp=$(hydra clients create --endpoint http://hydra-admin --fake-tls-termination --id auth-code-client --name "Share Your Credentials" --secret secret --grant-types authorization_code,refresh_token --response-types code,id_token --scope StudentCard,TravelCard,PermanentResidentCard,VaccinationCertificate,CertifiedMillTestReport,CrudeProductCredential,UniversityDegreeCredential,CreditCardStatement,mDL,CreditScore --skip-tls-verify --callbacks https://demo-issuer.||DOMAIN||/callback 2>&1 > /dev/null); echo $err_resp; if [ -z "$err_resp" ] || [ -n "$(echo ${err_resp} | grep already )" ];then echo "Success client creation"; break;else exit 1;fi; - err_resp=$(hydra clients create --endpoint http://${HYDRA_ADMIN_SERVICE_HOST} --fake-tls-termination --id hub-auth --secret hub-auth-secret --grant-types authorization_code,refresh_token --response-types code,id_token --scope openid,profile,email --skip-tls-verify --callbacks https://hub-auth.||DOMAIN||/oauth2/callback 2>&1 > /dev/null); + err_resp=$(hydra clients create --endpoint http://hydra-admin --fake-tls-termination --id hub-auth --secret hub-auth-secret --grant-types authorization_code,refresh_token --response-types code,id_token --scope openid,profile,email --skip-tls-verify --callbacks https://hub-auth.||DOMAIN||/oauth2/callback 2>&1 > /dev/null); echo $err_resp; if [ -z "$err_resp" ] || [ -n "$(echo ${err_resp} | grep already )" ];then 
echo "Success client creation"; exit 0;else exit 1;fi; echo "... Finished creating clients" diff --git a/k8s/rp/kustomize/rp/overlays/common/register-tenant.sh b/k8s/jobs/kustomize/jobs/overlays/common/rp/register-tenant.sh similarity index 87% rename from k8s/rp/kustomize/rp/overlays/common/register-tenant.sh rename to k8s/jobs/kustomize/jobs/overlays/common/rp/register-tenant.sh index 0d719ee8c..df75742f4 100644 --- a/k8s/rp/kustomize/rp/overlays/common/register-tenant.sh +++ b/k8s/jobs/kustomize/jobs/overlays/common/rp/register-tenant.sh @@ -81,9 +81,9 @@ do v=$(cat ${config_map_data} | jq -r $q) echo "$key=$v" | sed -E 's/(^.+)="([^"]*)"/\1=\2/' >> ${config_map_env_file} done -echo "RP_OIDC_CLIENTID=${clientID}" >> ${config_map_env_file} -echo "RP_OIDC_CLIENTSECRET=${clientSecret}" >> ${config_map_env_file} +grep -q '^RP_OIDC_CLIENTID' ${config_map_env_file} && sed -i "s/^RP_OIDC_CLIENTID.*/RP_OIDC_CLIENTID=${clientID}/" ${config_map_env_file} || echo "RP_OIDC_CLIENTID=${clientID}" >> ${config_map_env_file} +grep -q '^RP_OIDC_CLIENTSECRET' ${config_map_env_file} && sed -i "s/^RP_OIDC_CLIENTSECRET.*/RP_OIDC_CLIENTSECRET=${clientSecret}/" ${config_map_env_file} || echo "RP_OIDC_CLIENTSECRET=${clientSecret}" >> ${config_map_env_file} echo "mutating configMap ${config_map_name}" kubectl create cm ${config_map_name} --dry-run=client --from-env-file=${config_map_env_file} -o yaml > ${config_map} diff --git a/k8s/rp/kustomize/rp/overlays/common/register-tenant.yml b/k8s/jobs/kustomize/jobs/overlays/common/rp/register-tenant.yml similarity index 67% rename from k8s/rp/kustomize/rp/overlays/common/register-tenant.yml rename to k8s/jobs/kustomize/jobs/overlays/common/rp/register-tenant.yml index f56242fe3..3bdda99f7 100644 --- a/k8s/rp/kustomize/rp/overlays/common/register-tenant.yml +++ b/k8s/jobs/kustomize/jobs/overlays/common/rp/register-tenant.yml 
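Review bot: Both client secrets remain literals in the manifest, `--secret secret` for `auth-code-client` and `--secret hub-auth-secret` for `hub-auth`, so every environment rendered from this overlay shares guessable OAuth secrets committed to git; inject them from a Secret via `valueFrom.secretKeyRef` and reference `"$AUTH_CODE_CLIENT_SECRET"` and `"$HUB_AUTH_CLIENT_SECRET"` in the two `hydra clients create` calls. The success branch of the first create ends in `break`, which is not inside any loop; whether the second create still runs then depends on how the shell treats a stray `break`, so drop it (the `else exit 1` already stops on failure). The container spec this hunk belongs to begins before the hunk.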
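Review bot: The new `sed -i "s/^RP_OIDC_CLIENTSECRET.*/RP_OIDC_CLIENTSECRET=${clientSecret}/"` substitutes the secret into the replacement unescaped, so a value containing `/`, `&` or `\` breaks the command or writes a corrupted secret (`&` expands to the matched text); `${clientID}` on the previous line has the same problem, and in the `grep && sed || echo` chain a failing sed then appends a duplicate entry. Removing the keys and re-appending needs no escaping: `sed -i '/^RP_OIDC_CLIENTID=/d;/^RP_OIDC_CLIENTSECRET=/d' ${config_map_env_file}` followed by the two original `echo … >> ${config_map_env_file}` lines. The client secret is still written into a ConfigMap by `kubectl create cm`; a Secret is the appropriate object for it. The script continues outside the hunk.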
@@ -1,14 +1,16 @@ -# -# Copyright SecureKey Technologies Inc. All Rights Reserved. -# -# SPDX-License-Identifier: Apache-2.0 -# +# +# Copyright SecureKey Technologies Inc. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# --- kind: Job apiVersion: batch/v1 metadata: name: rp-register-tenant + labels: + group: demo spec: template: spec: @@ -19,16 +21,16 @@ spec: restartPolicy: Never # serviceAccountName: oathkeeper initContainers: - - name: wait - image: busybox - imagePullPolicy: IfNotPresent - command: ["sh"] - args: ["-c", "sleep 90"] +# - name: wait +# image: busybox +# imagePullPolicy: IfNotPresent +# command: ["sh"] +# args: ["-c", "sleep 90"] - name: healthcheck-ready image: busybox imagePullPolicy: IfNotPresent command: ["wget"] - args: ["-S", "http://$(RP_SERVICE_NAME)", "-O-"] + args: ["-S", "http://verifier", "-O-"] containers: - name: register-tenant image: "alpine:latest" diff --git a/k8s/rp/kustomize/rp/overlays/common/role.yml b/k8s/jobs/kustomize/jobs/overlays/common/rp/role.yml similarity index 100% rename from k8s/rp/kustomize/rp/overlays/common/role.yml rename to k8s/jobs/kustomize/jobs/overlays/common/rp/role.yml diff --git a/k8s/rp/kustomize/rp/overlays/common/rolebinding.yml b/k8s/jobs/kustomize/jobs/overlays/common/rp/rolebinding.yml similarity index 100% rename from k8s/rp/kustomize/rp/overlays/common/rolebinding.yml rename to k8s/jobs/kustomize/jobs/overlays/common/rp/rolebinding.yml diff --git a/k8s/jobs/kustomize/jobs/overlays/common/sedtransform.yml b/k8s/jobs/kustomize/jobs/overlays/common/sedtransform.yml new file mode 100644 index 000000000..2bccc778c --- /dev/null +++ b/k8s/jobs/kustomize/jobs/overlays/common/sedtransform.yml 
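Review bot: In the second hunk the `healthcheck-ready` init container issues one `wget -S http://verifier -O-` and exits, so with `restartPolicy: Never` a single early probe failure fails the pod and burns a Job retry rather than waiting; the vcs and hydra jobs in this change loop instead. Suggest `command: ["/bin/sh"]` with `args: ["-c", "until wget -S http://verifier -O- >/dev/null 2>&1; do echo waiting for verifier; sleep 5; done"]`. The commented-out `wait` container can be removed, and the `alpine:latest` tag on `register-tenant` is unpinned; the container spec continues after the hunk.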
@@ -0,0 +1,11 @@ +# +# Copyright SecureKey Technologies Inc. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +apiVersion: svceng +kind: SedTransformer +metadata: + name: sedtransformer +argsOneLiner: s^||DOMAIN||^${DOMAIN}^g s^||DEPLOYMENT_ENV||^${DEPLOYMENT_ENV}^g s^||BLOC_DOMAIN||^${BLOC_DOMAIN}^g diff --git a/k8s/jobs/kustomize/jobs/overlays/common/vcs/governance/add-profiles.yml b/k8s/jobs/kustomize/jobs/overlays/common/vcs/governance/add-profiles.yml new file mode 100644 index 000000000..fc9baca3a --- /dev/null +++ b/k8s/jobs/kustomize/jobs/overlays/common/vcs/governance/add-profiles.yml @@ -0,0 +1,48 @@ +# +# Copyright SecureKey Technologies Inc. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +--- +kind: Job +apiVersion: batch/v1 +metadata: + name: governance-vcs-add-profiles + labels: + component: governance-vcs + group: services +spec: + template: + spec: + volumes: + - name: script + configMap: + name: governance-vcs-add-profiles-script + restartPolicy: Never + initContainers: +# - name: wait +# image: busybox +# imagePullPolicy: IfNotPresent +# command: ["sh"] +# args: ["-c", "sleep 5"] + - name: healthcheck-ready + image: busybox + imagePullPolicy: IfNotPresent + command: ["/bin/sh"] + args: + - "-c" + - | + while [[ "$(wget -T 5 -S --spider http://governance-vcs/healthcheck 2>&1 | grep '200 OK')" == "" ]]; + do echo "waiting for endpoint"; + sleep 5; + done; + containers: + - name: governance-vcs-add-profiles + image: "alpine:latest" + imagePullPolicy: IfNotPresent + command: ["/bin/sh"] + args: ["/opt/vcs_governance_configure.sh"] + volumeMounts: + - name: script + mountPath: /opt diff --git a/k8s/jobs/kustomize/jobs/overlays/common/vcs/governance/vcs_governance_configure.sh b/k8s/jobs/kustomize/jobs/overlays/common/vcs/governance/vcs_governance_configure.sh new file mode 100644 index 000000000..371f3bf40 --- /dev/null +++ b/k8s/jobs/kustomize/jobs/overlays/common/vcs/governance/vcs_governance_configure.sh 
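Review bot: The `governance-vcs-add-profiles` container runs `alpine:latest` and its script (the next file in this patch) then does `apk --no-cache add curl`, so every run pulls an unpinned base image and installs a package from the network at execution time, which is a reproducibility and supply-chain concern for a job that creates signing profiles. Pin the image to a specific release tag or `@sha256:` digest, or use an image that already ships curl, so the job does not depend on the package mirror being reachable and unchanged. The commented-out `wait` container is dead configuration and can go. The same pattern is repeated in the holder, issuer and verifier `add-profiles.yml` jobs in this change.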
@@ -0,0 +1,26 @@ +# +# Copyright SecureKey Technologies Inc. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +echo "Adding curl" +apk --no-cache add curl + +trustbloc_governance=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_governance_rw_token" \ + --request POST \ + --data '{"name":"governance", "uri":"http://example.com", "signatureType":"Ed25519Signature2018", "signatureRepresentation":1,"didKeyType":"Ed25519"}' \ + --insecure https://governance-vcs.||DOMAIN||/governance/profile) + +checkProfileIsCreated() +{ + if [ "$1" == "201" ] || [ "$1" == "400" ] + then + echo "governance profile $2 is created" + else + echo "failed create governance profile $2 response code $1" + exit 1 + fi +} + +checkProfileIsCreated $trustbloc_governance trustbloc-governance diff --git a/k8s/jobs/kustomize/jobs/overlays/common/vcs/holder/add-profiles.yml b/k8s/jobs/kustomize/jobs/overlays/common/vcs/holder/add-profiles.yml new file mode 100644 index 000000000..10db8775d --- /dev/null +++ b/k8s/jobs/kustomize/jobs/overlays/common/vcs/holder/add-profiles.yml 
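Review bot: `checkProfileIsCreated` accepts HTTP 400 as success (`[ "$1" == "201" ] || [ "$1" == "400" ]`), presumably because the service answers 400 when the profile already exists, but this also swallows genuinely malformed requests, so a broken JSON body would log `governance profile … is created` and the job would pass. Capturing the body alongside the status and testing for an already-exists message, as the issuer-adapter script in this patch does with `grep 'already exists'`, would distinguish the two cases; a comment such as `# 400 is returned when the profile already exists — TODO confirm against the vcs API` should at least record the assumption. The bearer token `vcs_governance_rw_token` is a literal in a script shipped via a ConfigMap, and `--insecure` disables certificate verification to `https://governance-vcs.||DOMAIN||` even though the job's init container already reaches the service in-cluster at `http://governance-vcs`. `==` inside `[ ]` is not POSIX (busybox accepts it, `=` is portable) and the file has no `#!` line.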
@@ -0,0 +1,48 @@ +# +# Copyright SecureKey Technologies Inc. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +--- +kind: Job +apiVersion: batch/v1 +metadata: + name: holder-vcs-add-profiles + labels: + component: holder-vcs + group: services +spec: + template: + spec: + volumes: + - name: script + configMap: + name: holder-vcs-add-profiles-script + restartPolicy: Never + initContainers: +# - name: wait +# image: busybox +# imagePullPolicy: IfNotPresent +# command: ["sh"] +# args: ["-c", "sleep 5"] + - name: healthcheck-ready + image: busybox + imagePullPolicy: IfNotPresent + command: ["/bin/sh"] + args: + - "-c" + - | + while [[ "$(wget -T 5 -S --spider http://holder-vcs/healthcheck 2>&1 | grep '200 OK')" == "" ]]; + do echo "waiting for endpoint"; + sleep 5; + done; + containers: + - name: holder-vcs-add-profiles + image: "alpine:latest" + imagePullPolicy: IfNotPresent + command: ["/bin/sh"] + args: ["/opt/vcs_holder_configure.sh"] + volumeMounts: + - name: script + mountPath: /opt diff --git a/k8s/jobs/kustomize/jobs/overlays/common/vcs/holder/vcs_holder_configure.sh b/k8s/jobs/kustomize/jobs/overlays/common/vcs/holder/vcs_holder_configure.sh new file mode 100644 index 000000000..0a88f96ca --- /dev/null +++ b/k8s/jobs/kustomize/jobs/overlays/common/vcs/holder/vcs_holder_configure.sh 
@@ -0,0 +1,68 @@ +# +# Copyright SecureKey Technologies Inc. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +echo "Adding curl" +apk --no-cache add curl + +vc_holder_interop=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_holder_rw_token" \ + --request POST \ + --data '{"name":"vc-holder-interop", "signatureType":"Ed25519Signature2018", "signatureRepresentation":1, "didKeyType":"Ed25519"}' \ + --insecure https://holder-vcs.||DOMAIN||/holder/profile) + +vc_holder_jsonwebsignature2020_ed25519=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_holder_rw_token" \ + --request POST \ + --data '{"name":"vc-holder-jsonwebsignature2020-ed25519", "signatureType":"JsonWebSignature2020", "signatureRepresentation":1, "didKeyType":"Ed25519"}' \ + --insecure https://holder-vcs.||DOMAIN||/holder/profile) + + +vc_holder_jsonwebsignature2020_p256=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_holder_rw_token" \ + --request POST \ + --data '{"name":"vc-holder-jsonwebsignature2020-p256", "signatureType":"JsonWebSignature2020", "signatureRepresentation":1, "didKeyType":"P256"}' \ + --insecure https://holder-vcs.||DOMAIN||/holder/profile) + + +vc_holder_didkey=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_holder_rw_token" \ + --request POST \ + --data '{"name":"vc-holder-didkey", "signatureType":"Ed25519Signature2018", "signatureRepresentation":1,"did":"did:key:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd","didPrivateKey":"28xXA4NyCQinSJpaZdSuNBM4kR2GqYb8NPqAtZoGCpcRYWBcDXtzVAzpZ9BAfgV334R2FC383fiHaWWWAacRaYGs","didKeyID":"did:key:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd#z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd", "didKeyType":"Ed25519"}' \ + --insecure 
https://holder-vcs.||DOMAIN||/holder/profile) + + +# TODO driver-did-v1 latest not working +#vc_holder_didv1=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_holder_rw_token" \ +# --request POST \ +# --data '{"name":"vc-holder-didv1", "signatureType":"Ed25519Signature2018", "signatureRepresentation":1,"uniRegistrar":{"driverURL":"https://uni-registrar-web.||DOMAIN||/1.0/register?driverId=driver-universalregistrar/driver-did-v1"}, "didKeyType":"Ed25519"}' \ +# --insecure https://holder-vcs.||DOMAIN||/holder/profile) + +# TODO enable it +#vc_holder_didsov=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_holder_rw_token" \ +# --request POST \ +# --data '{"name":"vc-holder-didsov", "signatureType":"Ed25519Signature2018","signatureRepresentation":1,"uniRegistrar":{"driverURL":"https://uniregistrar.io/1.0/register?driverId=driver-universalregistrar/driver-did-sov","options": {"network":"danube"}},"didKeyType":"Ed25519"}' \ +# --insecure https://holder-vcs.||DOMAIN||/holder/profile) + + +vc_holder_didelem=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_holder_rw_token" \ + --request POST \ + --data '{"name":"vc-holder-didelem", "signatureType":"Ed25519Signature2018", "signatureRepresentation":1,"did":"did:elem:EiAWdU2yih6NA2IGnLsDhkErZ8aQX6b8yKt7jHMi-ttFdQ","didPrivateKey":"5AcDTQT7Cdg1gBvz8PQpnH3xEbLCE1VQxAJV5NjVHvNjsZSfn4NaLZ77mapoi4QwZeBhcAA7MQzaFYkzJLfGjNnR","didKeyID":"did:elem:ropsten:EiAWdU2yih6NA2IGnLsDhkErZ8aQX6b8yKt7jHMi-ttFdQ#SQ2PY2xs7NOr6B26xq_pJMNpuYk6dOeROlkzKF7909I", "didKeyType":"Ed25519"}' \ + --insecure https://holder-vcs.||DOMAIN||/holder/profile) + +checkProfileIsCreated() +{ + if [ "$1" == "201" ] || [ "$1" == "400" ] + then + echo "holder profile $2 is created" + else + echo "failed create holder profile $2 response code $1" + exit 1 + fi +} + 
+checkProfileIsCreated $vc_holder_interop vc-holder-interop +checkProfileIsCreated $vc_holder_jsonwebsignature2020_ed25519 vc-holder-jsonwebsignature2020-ed25519 +checkProfileIsCreated $vc_holder_jsonwebsignature2020_p256 vc-holder-jsonwebsignature2020-p256 +checkProfileIsCreated $vc_holder_didkey vc-holder-didkey +#checkProfileIsCreated $vc_holder_didv1 vc-holder-didv1 +#checkProfileIsCreated $vc_holder_didsov vc-holder-didsov +checkProfileIsCreated $vc_holder_didelem vc-holder-didelem diff --git a/k8s/jobs/kustomize/jobs/overlays/common/vcs/issuer/add-profiles.yml b/k8s/jobs/kustomize/jobs/overlays/common/vcs/issuer/add-profiles.yml new file mode 100644 index 000000000..a2a5979d4 --- /dev/null +++ b/k8s/jobs/kustomize/jobs/overlays/common/vcs/issuer/add-profiles.yml @@ -0,0 +1,48 @@ +# +# Copyright SecureKey Technologies Inc. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +--- +kind: Job +apiVersion: batch/v1 +metadata: + name: issuer-vcs-add-profiles + labels: + component: issuer-vcs + group: services +spec: + template: + spec: + volumes: + - name: script + configMap: + name: issuer-vcs-add-profiles-script + restartPolicy: Never + initContainers: +# - name: wait +# image: busybox +# imagePullPolicy: IfNotPresent +# command: ["sh"] +# args: ["-c", "sleep 5"] + - name: healthcheck-ready + image: busybox + imagePullPolicy: IfNotPresent + command: ["/bin/sh"] + args: + - "-c" + - | + while [[ "$(wget -T 5 -S --spider http://issuer-vcs/healthcheck 2>&1 | grep '200 OK')" == "" ]]; + do echo "waiting for endpoint"; + sleep 5; + done; + containers: + - name: issuer-vcs-add-profiles + image: "alpine:latest" + imagePullPolicy: IfNotPresent + command: ["/bin/sh"] + args: ["/opt/vcs_issuer_configure.sh"] + volumeMounts: + - name: script + mountPath: /opt 
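Review bot: The `vc-holder-didkey` and `vc-holder-didelem` profile bodies embed Ed25519 private keys in clear text (`"didPrivateKey":"28xXA4…"` and `"didPrivateKey":"5AcDTQ…"`), and this script reaches the job through a ConfigMap, so the keys are readable both in git history and by anyone with ConfigMap read in the namespace. Even if these are fixed demo keys, a comment saying so belongs at the top of the file, e.g. `# NOTE: fixed demo DID keys, not for production — rotate before any real deployment`, and keeping the key material in a Secret referenced from the environment would keep it out of the ConfigMap. The bearer token `vcs_holder_rw_token` is likewise a literal in every curl call, and each request uses `--insecure`, disabling TLS verification to the public `holder-vcs.||DOMAIN||` hostname. The status variables are passed to `checkProfileIsCreated` unquoted, so an empty curl result shifts the profile label into `$1` and garbles the error message; quote them.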
diff --git a/k8s/jobs/kustomize/jobs/overlays/common/vcs/issuer/vcs_issuer_configure.sh b/k8s/jobs/kustomize/jobs/overlays/common/vcs/issuer/vcs_issuer_configure.sh new file mode 100644 index 000000000..421c93e74 --- /dev/null +++ b/k8s/jobs/kustomize/jobs/overlays/common/vcs/issuer/vcs_issuer_configure.sh 
@@ -0,0 +1,106 @@ +# +# Copyright SecureKey Technologies Inc. All Rights Reserved. +# +# SPDX-License-Identifier: Apache-2.0 +# + +echo "Adding curl" +apk --no-cache add curl + +checkProfileIsCreated() +{ + if [ "$1" == "201" ] || [ "$1" == "400" ] + then + echo "issuer profile $2 is created" + else + echo "failed create issuer profile $2 response code $1" + exit 1 + fi +} + +trustbloc_ed25519signature2018_ed25519=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ + --request POST \ + --data '{"name":"trustbloc-ed25519signature2018-ed25519", "uri":"http://example.com", "signatureType":"Ed25519Signature2018", "signatureRepresentation":1,"didKeyType":"Ed25519"}' \ + --insecure https://issuer-vcs.||DOMAIN||/profile) + +trustbloc_jsonwebsignature2020_ed25519=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ + --request POST \ + --data '{"name":"trustbloc-jsonwebsignature2020-ed25519", "uri":"http://example.com", "signatureType":"JsonWebSignature2020", "signatureRepresentation":1,"didKeyType":"Ed25519"}' \ + --insecure https://issuer-vcs.||DOMAIN||/profile) + +trustbloc_jsonwebsignature2020_p256=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ + --request POST \ + --data '{"name":"trustbloc-jsonwebsignature2020-p256", "uri":"http://vc-issuer-p256.com", "signatureType":"JsonWebSignature2020", "signatureRepresentation":1,"didKeyType":"P256"}' \ + --insecure https://issuer-vcs.||DOMAIN||/profile) + + +interop_ed25519signature2018_ed25519=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ + --request POST \ + --data '{"name":"interop-ed25519signature2018-ed25519", "uri":"http://example.com", 
"signatureType":"Ed25519Signature2018", "signatureRepresentation":1,"disableVCStatus":true,"didKeyType":"Ed25519"}' \ + --insecure https://issuer-vcs.||DOMAIN||/profile) + + +interop_jsonwebsignature2020_ed25519=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ + --request POST \ + --data '{"name":"interop-jsonwebsignature2020-ed25519", "uri":"http://example.com", "signatureType":"JsonWebSignature2020", "signatureRepresentation":1,"disableVCStatus":true,"didKeyType":"Ed25519"}' \ + --insecure https://issuer-vcs.||DOMAIN||/profile) + + +interop_jsonwebsignature2020_p256=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ + --request POST \ + --data '{"name":"interop-jsonwebsignature2020-p256", "uri":"http://example.com", "signatureType":"JsonWebSignature2020", "signatureRepresentation":1,"disableVCStatus":true,"didKeyType":"P256"}' \ + --insecure https://issuer-vcs.||DOMAIN||/profile) + +vc_issuer_interop_key=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ + --request POST \ + --data '{"name":"vc-issuer-interop-key", "uri":"http://example.com", "signatureType":"Ed25519Signature2018", "did":"did:key:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd","didPrivateKey":"28xXA4NyCQinSJpaZdSuNBM4kR2GqYb8NPqAtZoGCpcRYWBcDXtzVAzpZ9BAfgV334R2FC383fiHaWWWAacRaYGs","didKeyID":"did:key:z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd#z6MkjRagNiMu91DduvCvgEsqLZDVzrJzFrwahc4tXLt9DoHd","signatureRepresentation":1,"disableVCStatus":true,"didKeyType":"Ed25519"}' \ + --insecure https://issuer-vcs.||DOMAIN||/profile) + + +vc_issuer_interop=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ + --request POST \ + --data 
'{"name":"vc-issuer-interop", "uri":"http://example.com", "signatureType":"Ed25519Signature2018", "signatureRepresentation":1,"disableVCStatus":false,"didKeyType":"Ed25519"}' \ + --insecure https://issuer-vcs.||DOMAIN||/profile) + + +# TODO driver-did-v1 latest not working +#verseone_ed25519signature2018_ed25519=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ +# --request POST \ +# --data '{"name":"verseone-ed25519signature2018-ed25519", "uri":"http://example.com", "signatureType":"Ed25519Signature2018","signatureRepresentation":1,"uniRegistrar":{"driverURL":"https://uni-registrar-web.||DOMAIN||/1.0/register?driverId=driver-universalregistrar/driver-did-v1","options": {"ledger": "test", "keytype": "ed25519"}},"disableVCStatus":true,"didKeyType":"Ed25519"}' \ +# --insecure https://issuer-vcs.||DOMAIN||/profile) + + +elem_ed25519signature2018_ed25519=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ + --request POST \ + --data '{"name":"elem-ed25519signature2018-ed25519", "uri":"http://example.com", "signatureType":"Ed25519Signature2018", "did":"did:elem:EiAWdU2yih6NA2IGnLsDhkErZ8aQX6b8yKt7jHMi-ttFdQ","didPrivateKey":"5AcDTQT7Cdg1gBvz8PQpnH3xEbLCE1VQxAJV5NjVHvNjsZSfn4NaLZ77mapoi4QwZeBhcAA7MQzaFYkzJLfGjNnR","didKeyID":"did:elem:ropsten:EiAWdU2yih6NA2IGnLsDhkErZ8aQX6b8yKt7jHMi-ttFdQ#SQ2PY2xs7NOr6B26xq_pJMNpuYk6dOeROlkzKF7909I","signatureRepresentation":1,"disableVCStatus":true,"didKeyType":"Ed25519"}' \ + --insecure https://issuer-vcs.||DOMAIN||/profile) + +# TODO enable it +#sov_ed25519signature2018_ed25519=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ +# --request POST \ +# --data '{"name":"sov-ed25519signature2018-ed25519", "uri":"http://example.com", 
"signatureType":"Ed25519Signature2018","signatureRepresentation":1,"uniRegistrar":{"driverURL":"https://uniregistrar.io/1.0/register?driverId=driver-universalregistrar/driver-did-sov","options": {"network":"danube"}},"disableVCStatus":true,"didKeyType":"Ed25519"}' \ +# --insecure https://issuer-vcs.||DOMAIN||/profile) + +didkey_ed25519signature2018_ed25519=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ + --request POST \ + --data '{"name":"didkey-ed25519signature2018-ed25519", "uri":"http://example.com", "signatureType":"Ed25519Signature2018", "did":"did:key:z6MkjtF2htvLuxPu3wAuVgu1zZ5Jgwvu7QkJkyvyGX478RrM","didPrivateKey":"5k9LgFFpxYCrHKyKxZWj6CWZNs6rFkPfQiggMUCwRBifjP4wLXZaFuFr1vhwK7Kj9YLowXZr3tQvwpLDonXBJUpm","didKeyID":"did:key:z6MkjtF2htvLuxPu3wAuVgu1zZ5Jgwvu7QkJkyvyGX478RrM#z6MkjtF2htvLuxPu3wAuVgu1zZ5Jgwvu7QkJkyvyGX478RrM","signatureRepresentation":1,"disableVCStatus":true,"didKeyType":"Ed25519"}' \ + --insecure https://issuer-vcs.||DOMAIN||/profile) + +didkey_BbsBlsSignature2020_bls12381G2=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_issuer_rw_token" \ + --request POST \ + --data '{"name":"didkey-bbsblssignature2020-bls12381g2", "uri":"http://example.com", "signatureType":"BbsBlsSignature2020", "did":"did:key:zUC72c7u4BYVmfYinDceXkNAwzPEyuEE23kUmJDjLy8495KH3pjLwFhae1Fww9qxxRdLnS2VNNwni6W3KbYZKsicDtiNNEp76fYWR6HCD8jAz6ihwmLRjcHH6kB294Xfg1SL1qQ","didPrivateKey":"6gsgGpdx7p1nYoKJ4b5fKt1xEomWdnemg9nJFX6mqNCh","didKeyID":"did:key:zUC72c7u4BYVmfYinDceXkNAwzPEyuEE23kUmJDjLy8495KH3pjLwFhae1Fww9qxxRdLnS2VNNwni6W3KbYZKsicDtiNNEp76fYWR6HCD8jAz6ihwmLRjcHH6kB294Xfg1SL1qQ#zUC72c7u4BYVmfYinDceXkNAwzPEyuEE23kUmJDjLy8495KH3pjLwFhae1Fww9qxxRdLnS2VNNwni6W3KbYZKsicDtiNNEp76fYWR6HCD8jAz6ihwmLRjcHH6kB294Xfg1SL1qQ","signatureRepresentation":0,"disableVCStatus":false,"didKeyType":"BLS12381G2"}' \ + --insecure 
https://issuer-vcs.||DOMAIN||/profile) + +checkProfileIsCreated $trustbloc_ed25519signature2018_ed25519 trustbloc-ed5519signature2018-ed25519 +checkProfileIsCreated $trustbloc_jsonwebsignature2020_ed25519 trustbloc-jsonwebsignature2020-ed25519 +checkProfileIsCreated $trustbloc_jsonwebsignature2020_p256 trustbloc-jsonwebsignature2020-p256 +checkProfileIsCreated $interop_ed25519signature2018_ed25519 interop-ed25519signature2018-ed25519 +checkProfileIsCreated $interop_jsonwebsignature2020_ed25519 interop-jsonwebsignature2020-ed25519 +checkProfileIsCreated $interop_jsonwebsignature2020_p256 interop-jsonwebsignature2020-p256 +checkProfileIsCreated $vc_issuer_interop_key vc-issuer-interop-key +checkProfileIsCreated $vc_issuer_interop vc-issuer-interop +#checkProfileIsCreated $verseone_ed25519signature2018_ed25519 verseone-ed25519signature2018-ed25519 +checkProfileIsCreated $elem_ed25519signature2018_ed25519 elem-ed25519signature2018-ed25519 +#checkProfileIsCreated $sov_ed25519signature2018_ed25519 sov-ed25519signature2018-ed25519 +checkProfileIsCreated $didkey_ed25519signature2018_ed25519 didkey-ed25519signature2018-ed25519 +checkProfileIsCreated $didkey_BbsBlsSignature2020_bls12381G2 didkey-bbsblssignature2020-bls12381g2 diff --git a/k8s/jobs/kustomize/jobs/overlays/common/vcs/verifier/add-profiles.yml b/k8s/jobs/kustomize/jobs/overlays/common/vcs/verifier/add-profiles.yml new file mode 100644 index 000000000..64e58a3ba --- /dev/null +++ b/k8s/jobs/kustomize/jobs/overlays/common/vcs/verifier/add-profiles.yml 
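Review bot: Every curl here posts to the public hostname `https://issuer-vcs.||DOMAIN||/profile` with `--insecure`, so certificate validation is off for requests that hand the service DID private keys (`didPrivateKey` on the did:key, did:elem and BBS+ profiles), while the job's init container already reaches the same service in-cluster as `http://issuer-vcs/healthcheck`; either target the cluster service like the health check or mount the CA and drop `--insecure`. The label passed to `checkProfileIsCreated` for the first profile is misspelled (`trustbloc-ed5519signature2018-ed25519` versus the created `trustbloc-ed25519signature2018-ed25519`), so a failure message would name a profile that does not exist. The status variables are passed unquoted, so if a curl call produces no output (for instance because `apk add curl` failed) the label shifts into `$1` and the error is garbled; quote them, e.g. `checkProfileIsCreated "$trustbloc_ed25519signature2018_ed25519" trustbloc-ed25519signature2018-ed25519`. The private keys and the `vcs_issuer_rw_token` bearer token are committed in clear text and delivered via a ConfigMap; at minimum a header comment should mark them as demo-only material.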
@@ -0,0 +1,48 @@
+#
+# Copyright SecureKey Technologies Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+---
+kind: Job
+apiVersion: batch/v1
+metadata:
+ name: verifier-vcs-add-profiles
+ labels:
+ component: verifier-vcs
+ group: services
+spec:
+ template:
+ spec:
+ volumes:
+ - name: script
+ configMap:
+ name: verifier-vcs-add-profiles-script
+ restartPolicy: Never
+ initContainers:
+# - name: wait
+# image: busybox
+# imagePullPolicy: IfNotPresent
+# command: ["sh"]
+# args: ["-c", "sleep 5"]
+ - name: healthcheck-ready
+ image: busybox
+ imagePullPolicy: IfNotPresent
+ command: ["/bin/sh"]
+ args:
+ - "-c"
+ - |
+ while [[ "$(wget -T 5 -S --spider http://verifier-vcs/healthcheck 2>&1 | grep '200 OK')" == "" ]];
+ do echo "waiting for endpoint";
+ sleep 5;
+ done;
+ containers:
+ - name: verifier-vcs-add-profiles
+ image: "alpine:latest"
+ imagePullPolicy: IfNotPresent
+ command: ["/bin/sh"]
+ args: ["/opt/vcs_verifier_configure.sh"]
+ volumeMounts:
+ - name: script
+ mountPath: /opt
diff --git a/k8s/jobs/kustomize/jobs/overlays/common/vcs/verifier/vcs_verifier_configure.sh b/k8s/jobs/kustomize/jobs/overlays/common/vcs/verifier/vcs_verifier_configure.sh
new file mode 100644
index 000000000..53707d7d2
--- /dev/null
+++ b/k8s/jobs/kustomize/jobs/overlays/common/vcs/verifier/vcs_verifier_configure.sh
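Review bot: The job's main container runs `image: "alpine:latest"` and the init container `busybox` with neither a version tag nor a digest, and the script then installs curl from the package mirrors at run time, so the job that carries the verifier's read-write bearer token executes whatever those floating images resolve to on each deploy. Pin both images to a fixed version or an `@sha256:` digest, and prefer an image that already ships curl so the `apk add` step and the outbound mirror dependency disappear. The Job also sets no `backoffLimit`; with `restartPolicy: Never` a script that exits 1 is retried six times by default, which is worth stating with an explicit `backoffLimit:` so the retry behaviour of a configuration job is visible in the manifest.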
@@ -0,0 +1,33 @@
+#
+# Copyright SecureKey Technologies Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+echo "Adding curl"
+apk --no-cache add curl
+
+
+trustbloc_ed25519signature2018_ed25519=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_verifier_rw_token" \
+ --request POST \
+ --data '{"id":"trustbloc-verifier","name":"Verifier", "credentialChecks":["proof","credentialStatus"], "presentationChecks":["proof","credentialStatus"]}' \
+ --insecure https://verifier-vcs.||DOMAIN||/verifier/profile)
+
+interop_ed25519signature2018_ed25519=$(curl -o /dev/null -s -w "%{http_code}" --header "Content-Type: application/json" --header "Authorization: Bearer vcs_verifier_rw_token" \
+ --request POST \
+ --data '{"id":"vc-verifier-interop","name":"Verifier", "credentialChecks":["proof","credentialStatus"], "presentationChecks":["proof","credentialStatus"]}' \
+ --insecure https://verifier-vcs.||DOMAIN||/verifier/profile)
+
+checkProfileIsCreated()
+{
+ if [ "$1" == "201" ] || [ "$1" == "400" ]
+ then
+ echo "verifier profile $2 is created"
+ else
+ echo "failed create verifier profile $2 response code $1"
+ exit 1
+ fi
+}
+
+checkProfileIsCreated $trustbloc_ed25519signature2018_ed25519 trustbloc-ed5519signature2018-ed25519
+checkProfileIsCreated $interop_ed25519signature2018_ed25519 interop_ed25519signature2018_ed25519
diff --git a/k8s/jobs/kustomize/jobs/overlays/local/.gitignore b/k8s/jobs/kustomize/jobs/overlays/local/.gitignore
new file mode 100644
index 000000000..4ec9cd00d
--- /dev/null
+++ b/k8s/jobs/kustomize/jobs/overlays/local/.gitignore
@@ -0,0 +1,7 @@
+#
+# Copyright SecureKey Technologies Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+certs/**
diff --git a/k8s/jobs/kustomize/jobs/overlays/local/kustomization.yaml b/k8s/jobs/kustomize/jobs/overlays/local/kustomization.yaml
new file mode 100644
index 000000000..240ef3564
--- /dev/null
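Review bot: `checkProfileIsCreated` reports a profile as created on HTTP 400 as well as 201, so a malformed or rejected request body is logged as success and the job exits 0, and because each curl uses `-o /dev/null` the response body that would explain a 400 is thrown away. If 400 is meant to cover a profile that already exists, keep that case distinguishable in the log, e.g. `elif [ "$1" == "400" ]; then echo "verifier profile $2 returned 400 (assumed already exists)"`, or capture the body instead of discarding it and match on it before treating 400 as success. Separately, both requests send the write token `vcs_verifier_rw_token` with `--insecure`, which disables certificate verification on a request carrying a bearer credential; since the job runs in-cluster, mounting the deployment's CA (the local overlay's ignored `certs/` directory suggests one is generated) and passing `--cacert` would keep self-signed local deployments working without it. The label on the last line, `interop_ed25519signature2018_ed25519`, does not match the profile id `vc-verifier-interop` that request creates, so a failure message would name the wrong profile.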
+++ b/k8s/jobs/kustomize/jobs/overlays/local/kustomization.yaml
@@ -0,0 +1,24 @@
+#
+# Copyright SecureKey Technologies Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Adds namespace to all resources.
+#namespace: edge-sandbox-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+commonLabels:
+ instance: local
+ project: trustbloc
+
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../common
diff --git a/k8s/jobs/kustomize/plugin/svceng/sedtransformer/SedTransformer b/k8s/jobs/kustomize/plugin/svceng/sedtransformer/SedTransformer
new file mode 100755
index 000000000..598173b5e
--- /dev/null
+++ b/k8s/jobs/kustomize/plugin/svceng/sedtransformer/SedTransformer
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+# Copyright SecureKey Technologies Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# https://github.com/kubernetes-sigs/kustomize/blob/master/plugin/someteam.example.com/v1/sedtransformer/SedTransformer
+# Skip the config file name argument.
+shift
+args=()
+for arg in "$@"; do
+ env_expanded=${arg@P}
+ args+=(-e "$env_expanded")
+done
+
+sed "${args[@]}"
diff --git a/k8s/login-consent/Makefile b/k8s/login-consent/Makefile
index 5bccefafe..9d26b21a0 100644
--- a/k8s/login-consent/Makefile
+++ b/k8s/login-consent/Makefile
@@ -125,9 +125,6 @@ clean: clean-all
.PHONY: clean-all
clean-all: clean-certs

-.PHONY: clean-no-registry
-clean-no-registry: clean-certs
-
.PHONY: clean-certs
clean-certs:
@rm -Rf ${CERTS_OUTPUT_DIR}
diff --git a/k8s/login-consent/kustomize/login-consent/overlays/common/kustomization.yaml b/k8s/login-consent/kustomize/login-consent/overlays/common/kustomization.yaml
index 404026882..2d54865b8 100644
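Review bot: The comment block beginning `# Value of this field is prepended to the` describes a `namePrefix` entry that this overlay never sets, and the "namespace field above" it refers to is itself commented out, so the paragraph documents nothing present in the file. Either drop the block or keep it next to the option it explains, e.g. a commented `#namePrefix: local-` directly beneath it, so a reader is not left searching for a field that does not exist.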
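Review bot: `${arg@P}` expands each transformer argument as a bash prompt string, and with bash's default `promptvars` setting that includes `$VAR` parameter expansion and `$(...)` command substitution, so every `-e` expression taken from a sedtransform.yml is evaluated by the shell before sed sees it; that is presumably how `DOMAIN`-style values are meant to get in, but nothing in the script says so. A comment above the loop such as `# @P expands $VAR and $(...) inside each sed expression (needs bash >= 4.4); the expressions come from this repo's own kustomization files and are trusted` would record both the trust assumption and the bash version the `#!/usr/bin/env bash` shebang silently requires. The upstream example is linked but not explained locally, so a reader has no indication of why plain `"$arg"` was not used.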
--- a/k8s/login-consent/kustomize/login-consent/overlays/common/kustomization.yaml
+++ b/k8s/login-consent/kustomize/login-consent/overlays/common/kustomization.yaml
@@ -40,7 +40,6 @@ configMapGenerator:

resources:
- ../../base
-- hydra/hydra-create-client.yml

transformers:
- sedtransform.yml
diff --git a/k8s/rp/Makefile b/k8s/rp/Makefile
index 05db5612b..561ce17b0 100644
--- a/k8s/rp/Makefile
+++ b/k8s/rp/Makefile
@@ -119,15 +119,8 @@ endif
clean: clean-all

.PHONY: clean-all
-clean-all: clean-certs clean-registry
-
-.PHONY: clean-no-registry
-clean-no-registry: clean-certs
+clean-all: clean-certs

.PHONY: clean-certs
clean-certs:
@rm -Rf ${CERTS_OUTPUT_DIR}
-
-.PHONY: clean-registry
-clean-registry:
- @rm -Rf ${REGISTRY_DIRECTORY}
diff --git a/k8s/rp/kustomize/rp/overlays/common/kustomization.yaml b/k8s/rp/kustomize/rp/overlays/common/kustomization.yaml
index 49f0596db..a263bb096 100644
--- a/k8s/rp/kustomize/rp/overlays/common/kustomization.yaml
+++ b/k8s/rp/kustomize/rp/overlays/common/kustomization.yaml
@@ -25,9 +25,6 @@ configMapGenerator:
envs:
- config.env
name: rp-env
-- files:
- - register-tenant.sh
- name: rp-register-tenant-script

secretGenerator:
- behavior: merge
@@ -37,9 +34,6 @@ secretGenerator:

resources:
- ../../base
-- role.yml
-- rolebinding.yml
-- register-tenant.yml

transformers:
- sedtransform.yml
diff --git a/k8s/scripts/deploy_all.sh b/k8s/scripts/deploy_all.sh
index 56634397d..97d839a09 100755
--- a/k8s/scripts/deploy_all.sh
+++ b/k8s/scripts/deploy_all.sh
@@ -14,7 +14,7 @@ set -e
: ${DOMAIN:=trustbloc.dev}
: ${DEPLOYMENT_ENV:=local}
## Should be deployed in the listed order
-: ${COMPONENTS=cms comparator login-consent issuer rp ace-rp}
+: ${COMPONENTS=cms comparator login-consent issuer rp ace-rp jobs}
DEPLOY_LIST=( $COMPONENTS )

## Map: component --> healthcheck(s)
@@ -25,6 +25,7 @@ declare -A HEALTCHECK_URL=(
[rp]="https://demo-rp.$DOMAIN/healthcheck"
[ace-rp]="https://ucis-rp.$DOMAIN/healthcheck https://cbp-rp.$DOMAIN/healthcheck https://benefits-dept-rp.$DOMAIN/healthcheck"
[login-consent]=""
+ [jobs]=""
[LATE]="https://cms.$DOMAIN/"
)
## Map: healthckeck --> http-code
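Review bot: `[jobs]=""` gives the new component no health check, and Jobs expose no endpoint to poll, so as far as this table is concerned the deploy is finished as soon as the job manifests are applied, whether or not the profile-creation jobs ever complete or fail. If the loop that consumes `HEALTCHECK_URL` skips empty entries (its body is outside this hunk), a completion wait after the jobs component, such as `kubectl wait --for=condition=complete job -l group=services --timeout=300s` in the namespace the jobs are applied to, would turn a failed configuration job into a failed deploy instead of a silent one. The `group: services` label is the one the Job manifests added in this patch carry, so that selector should match them without further changes.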