Add charts for CENM 1.5

README.md

@@ -9,3 +9,4 @@ Documentation on Corda Enterprise Network Manager (CENM) can be found at [CENM D
 | 1.2           | git checkout v1.2 |
 | 1.3           | git checkout v1.3 |
 | 1.4           | git checkout v1.4 |
+| 1.5           | git checkout v1.5 |

k8s/helm/auth/files/authservice.conf

@@ -47,14 +47,4 @@ server {
             password = "trust-store-password"
         }
     }
-}
-baseline {
-    permission = {
-        baselineClass = "com.r3.appeng.accounts.cenm.PermissionBaselineImpl"
-        baselinePackage = "bin/accounts-baseline-cenm.jar"
-    }
-    role = {
-        baselineClass = "com.r3.appeng.accounts.cenm.RoleBaselineImpl"
-        baselinePackage = "bin/accounts-baseline-cenm.jar"
-    }
 }

k8s/helm/auth/files/run.sh

@@ -11,7 +11,7 @@ then
     echo
     echo "CENM: starting CENM Auth service ..."
     echo
-    java -jar bin/accounts-application.jar --config-file authservice.conf --initial-user-name admin --initial-user-password password --keep-running --verbose
+    java -jar bin/accounts-application.jar --config-file authservice.conf --initial-user-name admin --initial-user-password p4ssWord --keep-running --verbose
     EXIT_CODE=${?}
 else
     echo "Missing Auth service jar file."

k8s/helm/auth/values.yaml

@@ -8,7 +8,7 @@ bashDebug: false
 # Docker images to use by the Auth Service Helm chart
 authImage:
   repository: corda/enterprise-auth
-  tag: 1.0.1-zulu-openjdk8u242
+  tag: 1.5.0-zulu-openjdk8u242
   pullPolicy: Always
 
 # Configuration for database

k8s/helm/bootstrap.cenm

@@ -180,6 +180,9 @@ announce "Bootstrapping CENM Gateway service"
 printf "COMMAND: helm install %s-gateway gateway --set prefix=%s --set acceptLicense=%s\n\n" "${releasePrefix}" "${releasePrefix}" "${acceptLicense}"
 helm install "${releasePrefix}"-gateway gateway --set prefix="${releasePrefix}" --set acceptLicense="${acceptLicense}"
 
+echo "Waiting 300s before starting more services..."
+sleep 300s;
+
 announce "Bootstrapping CENM Zone service"
 printf "COMMAND: helm install %s-zone zone --set prefix=%s --set acceptLicense=%s\n\n" "${releasePrefix}" "${releasePrefix}" "${acceptLicense}"
 helm install "${releasePrefix}"-zone zone --set prefix="${releasePrefix}" --set acceptLicense="${acceptLicense}"

k8s/helm/gateway/files/groups/ca-signers.json

@@ -0,0 +1,7 @@
+{
+  "admin": "false",
+  "autoEnroll": "false",
+  "description": "Can perform CA related operations",
+  "name": "ca-signers",
+  "users": [ "ca-signer" ]
+}

k8s/helm/gateway/files/groups/configuration-maintainers.json

@@ -0,0 +1,7 @@
+{
+  "admin": "false",
+  "autoEnroll": "false",
+  "description": "Can read and update service configurations",
+  "name": "configuration-maintainers",
+  "users": [ "config-maintainer" ]
+}

k8s/helm/gateway/files/groups/configuration-readers.json

@@ -0,0 +1,7 @@
+{
+  "admin": "false",
+  "autoEnroll": "false",
+  "description": "Can read configurations",
+  "name": "configuration-readers",
+  "users": [ "config-reader" ]
+}

k8s/helm/gateway/files/groups/network-maintainers.json

@@ -0,0 +1,7 @@
+{
+  "admin": "false",
+  "autoEnroll": "false",
+  "description": "Can do Network Related operations (Read and Write) including Flag Day",
+  "name": "network-maintainers",
+  "users": [ "network-maintainer" ]
+}

k8s/helm/gateway/files/groups/network-operation-readers.json

@@ -0,0 +1,7 @@
+{
+  "admin": "false",
+  "autoEnroll": "false",
+  "description": "Can read Network Related data",
+  "name": "network-operation-readers",
+  "users": [ "business-reader" ]
+}

k8s/helm/gateway/files/groups/network-operators.json

@@ -0,0 +1,7 @@
+{
+  "admin": "false",
+  "autoEnroll": "false",
+  "description": "Can do Network Related operations (Read and Write) excluding Flag Day",
+  "name": "network-operators",
+  "users": [ "network-operator" ]
+}

k8s/helm/gateway/files/groups/nonca-signers.json

@@ -0,0 +1,7 @@
+{
+  "admin": "false",
+  "autoEnroll": "false",
+  "description": "Can do non-CA signing related operations",
+  "name": "nonca-signers",
+  "users": [ "nonca-signer" ]
+}

k8s/helm/gateway/files/roles/CASigner.json

@@ -0,0 +1,5 @@
+{
+  "groups": [
+    { "entityName": "ca-signers", "objectName": "global" }
+  ]
+}

k8s/helm/gateway/files/roles/ConfigurationMaintainer.json

@@ -0,0 +1,5 @@
+{
+  "groups": [
+    { "entityName": "configuration-maintainers", "objectName": "global" }
+  ]
+}

k8s/helm/gateway/files/roles/ConfigurationReader.json

@@ -0,0 +1,5 @@
+{
+  "groups": [
+    { "entityName": "configuration-readers", "objectName": "global" }
+  ]
+}

k8s/helm/gateway/files/roles/NetworkMaintainer.json

@@ -0,0 +1,5 @@
+{
+  "groups": [
+    { "entityName": "network-maintainers", "objectName": "global" }
+  ]
+}

k8s/helm/gateway/files/roles/NetworkOperationsReader.json

@@ -0,0 +1,5 @@
+{
+  "groups": [
+    { "entityName": "network-operation-readers", "objectName": "global" }
+  ]
+}

k8s/helm/gateway/files/roles/NetworkOperator.json

@@ -0,0 +1,5 @@
+{
+  "groups": [
+    { "entityName": "network-operators", "objectName": "global" }
+  ]
+}

k8s/helm/gateway/files/roles/NonCASigner.json

@@ -0,0 +1,5 @@
+{
+  "groups": [
+    { "entityName": "nonca-signers", "objectName": "global" }
+  ]
+}

k8s/helm/gateway/files/run.sh

@@ -9,8 +9,14 @@ set -x
 if [ -f bin/gateway.jar ]
 then
 {{ if eq .Values.bashDebug true }}
-    sha256sum bin/gateway.jar 
-    cat gateway.conf
+    sha256sum bin/gateway.jar
+    while [ ! -f etc/gateway.conf ];
+      do
+        echo "Waiting for file etc/gateway.conf";
+        ls ets;
+        sleep 5;
+      done
+    cat etc/gateway.conf
 {{ end }}
     echo
     echo "CENM: starting CENM Gateway service ..."

k8s/helm/gateway/files/setupAuth.sh

@@ -1,10 +1,9 @@
 #!/bin/sh
 # log in and cache access token
-set -x
 ACCESS_TOKEN=""
 while [ -z "${ACCESS_TOKEN}" ]
 do
-    TOKEN_RESPONSE="$(curl -X POST --data "grant_type=password" --data "username=admin" --data "password=password" http://${1}:${2}/api/v1/authentication/authenticate)"
+    TOKEN_RESPONSE="$(curl -X POST --data "grant_type=password" --data "username=admin" --data "password=p4ssWord" http://${1}:${2}/api/v1/authentication/authenticate)"
     ACCESS_TOKEN="$(echo ${TOKEN_RESPONSE} | jq -r '.access_token')"
     sleep 5
 done
@@ -16,25 +15,31 @@ echo
 echo "========================= Creating users ========================="
 for i in u/*.json
 do
+    echo
     echo ">>>>>>>> User: ${i}"
     cat ${i}; echo
     curl -X POST -H "Authorization: Bearer $ACCESS_TOKEN" -H "Content-Type: application/json" --data-binary "@${i}" http://${1}:${2}/api/v1/admin/users
+    echo
 done
 
 echo
 echo "========================= Creating groups ========================="
 for i in g/*.json
 do
+    echo
     echo ">>>>>>>> Group: ${i}"
     cat ${i}; echo
     curl -X POST -H "Authorization: Bearer $ACCESS_TOKEN" -H "Content-Type: application/json" --data-binary "@${i}" http://${1}:${2}/api/v1/admin/groups
+    echo
 done
 
 echo
-echo "========================= Creating roles ========================="
-for i in r/*.json
-do
-    echo ">>>>>>>> Role: ${i}"
-    cat ${i}; echo
-    curl -X POST -H "Authorization: Bearer $ACCESS_TOKEN" -H "Content-Type: application/json" --data-binary "@${i}" http://${1}:${2}/api/v1/admin/roles
+echo "========================= Assigning roles to groups ========================="
+for role in "CASigner" "ConfigurationMaintainer" "ConfigurationReader" "NetworkMaintainer" "NetworkOperator" "NetworkOperationsReader" "NonCASigner"; do
+ file='./r/'$role'.json'
+ echo
+ echo ">>>>>>>> Role: ${file}"
+ cat ${file}; echo
+ curl -X PATCH -H "Authorization: Bearer $ACCESS_TOKEN" -H "Content-Type: application/merge-patch+json" --data-binary "@${file}" http://${1}:${2}/api/v1/admin/roles/${role}
+ echo
 done

k8s/helm/gateway/files/users/business-reader.json

@@ -0,0 +1,8 @@
+{
+  "name": "business-reader",
+  "email": "[email protected]",
+  "password": "p4ssWord",
+  "enabled": "true",
+  "groups": [ ],
+  "admin": "false"
+}

k8s/helm/gateway/files/users/ca-signer.json

@@ -0,0 +1,8 @@
+{
+  "name": "ca-signer",
+  "email": "[email protected]",
+  "password": "p4ssWord",
+  "enabled": "true",
+  "groups": [ ],
+  "admin": "false"
+}

k8s/helm/gateway/files/users/config-maintainer.json

@@ -0,0 +1,8 @@
+{
+  "name": "config-maintainer",
+  "email": "[email protected]",
+  "password": "p4ssWord",
+  "enabled": "true",
+  "groups": [ ],
+  "admin": "false"
+}

k8s/helm/gateway/files/users/config-reader.json

@@ -0,0 +1,8 @@
+{
+  "name": "config-reader",
+  "email": "[email protected]",
+  "password": "p4ssWord",
+  "enabled": "true",
+  "groups": [ ],
+  "admin": "false"
+}

k8s/helm/gateway/files/users/network-maintainer.json

@@ -0,0 +1,8 @@
+{
+  "name": "network-maintainer",
+  "email": "[email protected]",
+  "password": "p4ssWord",
+  "enabled": "true",
+  "groups": [ ],
+  "admin": "false"
+}

k8s/helm/gateway/files/users/network-operator.json

@@ -0,0 +1,8 @@
+{
+  "name": "network-operator",
+  "email": "[email protected]",
+  "password": "p4ssWord",
+  "enabled": "true",
+  "groups": [ ],
+  "admin": "false"
+}

k8s/helm/gateway/files/users/nonca-signer.json

@@ -0,0 +1,8 @@
+{
+  "name": "nonca-signer",
+  "email": "[email protected]",
+  "password": "p4ssWord",
+  "enabled": "true",
+  "groups": [ ],
+  "admin": "false"
+}

k8s/helm/gateway/templates/job.yaml

@@ -69,47 +69,68 @@ spec:
             mountPath: /opt/cenm/CM-FILES/setupAuth.sh
             subPath: setupAuth.sh
           - name: gateway-conf
-            mountPath: /opt/cenm/CM-FILES/g/editors.json
-            subPath: editors.json
+            mountPath: /opt/cenm/CM-FILES/g/ca-signers.json
+            subPath: ca-signers.json
           - name: gateway-conf
-            mountPath: /opt/cenm/CM-FILES/g/flagDayExecutors.json
-            subPath: flagDayExecutors.json
+            mountPath: /opt/cenm/CM-FILES/g/configuration-maintainers.json
+            subPath: configuration-maintainers.json
           - name: gateway-conf
-            mountPath: /opt/cenm/CM-FILES/g/readers-soft.json
-            subPath: readers-soft.json
+            mountPath: /opt/cenm/CM-FILES/g/configuration-readers.json
+            subPath: configuration-readers.json
           - name: gateway-conf
-            mountPath: /opt/cenm/CM-FILES/g/readers.json
-            subPath: readers.json
+            mountPath: /opt/cenm/CM-FILES/g/network-maintainers.json
+            subPath: network-maintainers.json
           - name: gateway-conf
-            mountPath: /opt/cenm/CM-FILES/g/signers.json
-            subPath: signers.json
+            mountPath: /opt/cenm/CM-FILES/g/network-operation-readers.json
+            subPath: network-operation-readers.json
           - name: gateway-conf
-            mountPath: /opt/cenm/CM-FILES/r/EditAndModify.json
-            subPath: EditAndModify.json
+            mountPath: /opt/cenm/CM-FILES/g/network-operators.json
+            subPath: network-operators.json
           - name: gateway-conf
-            mountPath: /opt/cenm/CM-FILES/r/FlagDayExecute.json
-            subPath: FlagDayExecute.json
+            mountPath: /opt/cenm/CM-FILES/g/nonca-signers.json
+            subPath: nonca-signers.json
           - name: gateway-conf
-            mountPath: /opt/cenm/CM-FILES/r/RadOnlyLockdown.json
-            subPath: RadOnlyLockdown.json
+            mountPath: /opt/cenm/CM-FILES/r/CASigner.json
+            subPath: CASigner.json
           - name: gateway-conf
-            mountPath: /opt/cenm/CM-FILES/r/ReadOnly.json
-            subPath: ReadOnly.json
+            mountPath: /opt/cenm/CM-FILES/r/ConfigurationMaintainer.json
+            subPath: ConfigurationMaintainer.json
           - name: gateway-conf
-            mountPath: /opt/cenm/CM-FILES/r/Signer.json
-            subPath: Signer.json
+            mountPath: /opt/cenm/CM-FILES/r/ConfigurationReader.json
+            subPath: ConfigurationReader.json
           - name: gateway-conf
-            mountPath: /opt/cenm/CM-FILES/u/james-flagday.json
-            subPath: james-flagday.json
+            mountPath: /opt/cenm/CM-FILES/r/NetworkMaintainer.json
+            subPath: NetworkMaintainer.json
           - name: gateway-conf
-            mountPath: /opt/cenm/CM-FILES/u/jenny-editor.json
-            subPath: jenny-editor.json
+            mountPath: /opt/cenm/CM-FILES/r/NetworkOperationsReader.json
+            subPath: NetworkOperationsReader.json
           - name: gateway-conf
-            mountPath: /opt/cenm/CM-FILES/u/johnny-reader.json
-            subPath: johnny-reader.json
+            mountPath: /opt/cenm/CM-FILES/r/NetworkOperator.json
+            subPath: NetworkOperator.json
           - name: gateway-conf
-            mountPath: /opt/cenm/CM-FILES/u/malcolm-signer.json
-            subPath: malcolm-signer.json
+            mountPath: /opt/cenm/CM-FILES/r/NonCASigner.json
+            subPath: NonCASigner.json
+          - name: gateway-conf
+            mountPath: /opt/cenm/CM-FILES/u/business-reader.json
+            subPath: business-reader.json
+          - name: gateway-conf
+            mountPath: /opt/cenm/CM-FILES/u/ca-signer.json
+            subPath: ca-signer.json
+          - name: gateway-conf
+            mountPath: /opt/cenm/CM-FILES/u/config-maintainer.json
+            subPath: config-maintainer.json
+          - name: gateway-conf
+            mountPath: /opt/cenm/CM-FILES/u/config-reader.json
+            subPath: config-reader.json
+          - name: gateway-conf
+            mountPath: /opt/cenm/CM-FILES/u/network-maintainer.json
+            subPath: network-maintainer.json
+          - name: gateway-conf
+            mountPath: /opt/cenm/CM-FILES/u/network-operator.json
+            subPath: network-operator.json
+          - name: gateway-conf
+            mountPath: /opt/cenm/CM-FILES/u/nonca-signer.json
+            subPath: nonca-signer.json
       restartPolicy: OnFailure
       volumes:
         - name: pki-certs-keys