fix: support read only root filesystem (#700)

Author: kalinkrustev

terraform/gitops/generate-files/templates/mcm/configmaps/vault-config-configmap.hcl.tpl

@@ -127,6 +127,8 @@ spec:
               - key: cli-add-dfsp-environment.json
                 path: cli-add-dfsp-environment.json
             defaultMode: 420
+        - name: tmp
+          emptyDir: {}
 
       containers:
         - name: ml-ttk-add-dfsp
@@ -143,9 +145,9 @@ spec:
               https://github.com/mojaloop/testing-toolkit-test-cases/archive/v${onboarding_collection_tag}.zip
               -O downloaded-test-collections.zip;
 
-              mkdir tmp_test_cases;
+              mkdir /tmp/test_cases;
 
-              unzip -d tmp_test_cases -o downloaded-test-collections.zip;
+              unzip -d /tmp/test_cases -o downloaded-test-collections.zip;
 
               fxp_currencies="{{ .Data.fxpCurrencies }}"
 
@@ -154,7 +156,7 @@ spec:
                 npm run cli -- \
                   -c cli-add-dfsp-config.json \
                   -e cli-add-dfsp-environment.json \
-                  -i tmp_test_cases/testing-toolkit-test-cases-${onboarding_collection_tag}/collections/hub/provisioning/new_participants/new_dfsp.json \
+                  -i /tmp/test_cases/testing-toolkit-test-cases-${onboarding_collection_tag}/collections/hub/provisioning/new_participants/new_dfsp.json \
                   -u http://moja-ml-testing-toolkit-backend:5050 \
                   --report-format html \
                   --report-auto-filename-enable true \
@@ -172,7 +174,7 @@ spec:
                   npm run cli -- \
                     -c cli-add-dfsp-config.json \
                     -e fxp.json \
-                    -i tmp_test_cases/testing-toolkit-test-cases-${onboarding_collection_tag}/collections/hub/provisioning/new_participants/new_fxp.json \
+                    -i /tmp/test_cases/testing-toolkit-test-cases-${onboarding_collection_tag}/collections/hub/provisioning/new_participants/new_fxp.json \
                     -u http://moja-ml-testing-toolkit-backend:5050 \
                     --report-format html \
                     --report-auto-filename-enable true \
@@ -193,6 +195,9 @@ spec:
           envFrom:
             - secretRef:
                 name: moja-ml-ttk-test-setup-aws-creds
+          env:
+            - name: NPM_CONFIG_UPDATE_NOTIFIER
+              value: "false"
           resources: {}
           volumeMounts:
             - name: {{ .Data.host }}-ml-ttk-add-dfsp-conf
@@ -201,13 +206,16 @@ spec:
             - name: {{ .Data.host }}-ml-ttk-add-dfsp-conf
               mountPath: /opt/app/cli-add-dfsp-config.json
               subPath: cli-add-dfsp-config.json
+            - name: tmp
+              mountPath: /tmp
           terminationMessagePath: /dev/termination-log
           terminationMessagePolicy: File
           imagePullPolicy: IfNotPresent
       restartPolicy: Never
       terminationGracePeriodSeconds: 30
       dnsPolicy: ClusterFirst
-      securityContext: {}
+      securityContext:
+        readOnlyRootFilesystem: true
       schedulerName: default-scheduler
   completionMode: NonIndexed
   suspend: false

terraform/gitops/generate-files/templates/mojaloop/values-finance-portal.yaml.tpl

@@ -71,16 +71,12 @@ role-assignment-service:
       }
 
 reporting-hub-bop-api-svc:
-  containerSecurityContext:
-    enabled: false
   enabled: true
   ingress:
     enabled: false
 
 
 reporting-legacy-api:
-  containerSecurityContext:
-    enabled: false
   enabled: true
   ingress:
     enabled: false
@@ -157,6 +153,7 @@ reporting-hub-bop-shell:
     enabled: false
 
   config:
+    # images before v2.3.2 use env variables
     env:
       AUTH_MOCK_API: false
       REMOTE_API_BASE_URL: ''
@@ -172,25 +169,74 @@ reporting-hub-bop-shell:
       REMOTE_2_URL: https://${portal_fqdn}/uis/transfers
       REMOTE_3_URL: https://${portal_fqdn}/uis/settlements
       REMOTE_4_URL: https://${portal_fqdn}/uis/positions
+  configFiles:
+    # images after v2.3.2 use config.json and remotes.json
+    config.json:
+      AUTH_API_BASE_URL: ''
+      AUTH_MOCK_API: 'false'
+      REMOTE_API_BASE_URL: ''
+      REMOTE_MOCK_API: 'false'
+      AUTH_ENABLED: 'true'
+      LOGIN_URL: https://${auth_fqdn}/kratos/self-service/login/browser
+      LOGIN_PROVIDER: keycloak
+      LOGOUT_URL: /kratos/self-service/logout/browser?return_to=https%3A%2F%2F${keycloak_fqdn}%2Frealms%2F${keycloak_realm_name}%2Fprotocol%2Fopenid-connect%2Flogout
+      AUTH_TOKEN_URL: /kratos/sessions/whoami
+    remotes.json:
+      roles:
+        path: /iam
+        label: Roles
+        menuComponent: Menu
+        appComponent: App
+        baseUrl: https://${portal_fqdn}/uis/iam
+        url: https://${portal_fqdn}/uis/iam/app.js
+        appName: reporting_hub_bop_role_ui
+      transfers:
+        path: /transfers
+        label: Transfers
+        menuComponent: Menu
+        appComponent: App
+        baseUrl: https://${portal_fqdn}/uis/transfers
+        url: https://${portal_fqdn}/uis/transfers/app.js
+        appName: reporting_hub_bop_trx_ui
+      settlements:
+        path: /settlements
+        label: Settlements
+        menuComponent: Menu
+        appComponent: App
+        baseUrl: https://${portal_fqdn}/uis/settlements
+        url: https://${portal_fqdn}/uis/settlements/app.js
+        appName: reporting_hub_bop_settlements_ui
+      positions:
+        path: /positions
+        label: Financial Positions
+        menuComponent: Menu
+        appComponent: App
+        baseUrl: https://${portal_fqdn}/uis/positions
+        url: https://${portal_fqdn}/uis/positions/app.js
+        appName: reporting_hub_bop_positions_ui
 
 ### Micro-frontends
 reporting-hub-bop-role-ui:
   enabled: true
   ingress:
     enabled: false
-  config:
-    env:
-      REACT_APP_API_BASE_URL: https://${portal_fqdn}/api/iam
-      REACT_APP_MOCK_API: false
+  configFiles:
+    runtime-env.js: |
+      window.roleEnv = {
+        REACT_APP_API_BASE_URL: 'https://${portal_fqdn}/api/iam',
+        REACT_APP_MOCK_API: 'false'
+      };
 
 reporting-hub-bop-trx-ui:
   enabled: true
   ingress:
     enabled: false
-  config:
-    env:
-      REACT_APP_API_BASE_URL: https://${portal_fqdn}/api/transfers
-      REACT_APP_MOCK_API: false
+  configFiles:
+    runtime-env.js: |
+      window.transferEnv = {
+        REACT_APP_API_BASE_URL: 'https://${portal_fqdn}/api/transfers',
+        REACT_APP_MOCK_API: 'false'
+      };
 
 reporting-hub-bop-settlements-ui:
   ## Overriding the image version for bugfix related to https://modusbox.atlassian.net/browse/MBP-639
@@ -199,20 +245,24 @@ reporting-hub-bop-settlements-ui:
     repository: mojaloop/reporting-hub-bop-settlements-ui
     tag: v0.0.19-snapshot.2
   enabled: true
-  config:
-    env:
-      CENTRAL_LEDGER_ENDPOINT: https://${portal_fqdn}/api/central-admin
-      CENTRAL_SETTLEMENTS_ENDPOINT: https://${portal_fqdn}/api/central-settlements
-      REPORTING_API_ENDPOINT: https://${portal_fqdn}/api/transfers
-      REPORTING_TEMPLATE_API_ENDPOINT: https://${portal_fqdn}/api/reports/report-bilateral-settlement
+  configFiles:
+    runtime-env.js: |
+      window.settlementEnv = {
+        CENTRAL_LEDGER_ENDPOINT: 'https://${portal_fqdn}/api/central-admin',
+        CENTRAL_SETTLEMENTS_ENDPOINT: 'https://${portal_fqdn}/api/central-settlements',
+        REPORTING_API_ENDPOINT: 'https://${portal_fqdn}/api/transfers',
+        REPORTING_TEMPLATE_API_ENDPOINT: 'https://${portal_fqdn}/api/reports/report-bilateral-settlement'
+      };
   ingress:
     enabled: false
 
 
 reporting-hub-bop-positions-ui:
   enabled: true
-  config:
-    env:
-      CENTRAL_LEDGER_ENDPOINT: https://${portal_fqdn}/api/central-admin
+  configFiles:
+    runtime-env.js: |
+      window.positionsEnv = {
+        CENTRAL_LEDGER_ENDPOINT: 'https://${portal_fqdn}/api/central-admin'
+      };
   ingress:
     enabled: false

terraform/gitops/generate-files/templates/ory/kustomization.yaml.tpl

@@ -7,8 +7,8 @@ resources:
   - https://raw.githubusercontent.com/ory/k8s/v${oathkeeper_chart_version}/helm/charts/oathkeeper-maester/crds/crd-rules.yaml
   - blank-rule.yaml
   - rbac-role-permissions.yaml
-  - https://raw.githubusercontent.com/mojaloop/charts/v${bof_chart_version}/mojaloop/security-role-perm-operator-svc/crds/mojalooprole-crd.yaml
-  - https://raw.githubusercontent.com/mojaloop/charts/v${bof_chart_version}/mojaloop/security-role-perm-operator-svc/crds/mojaloop-permission-exclusions-crd.yaml
+  - https://raw.githubusercontent.com/mojaloop/charts/v${security_role_chart_version}/mojaloop/security-role-perm-operator-svc/crds/mojalooprole-crd.yaml
+  - https://raw.githubusercontent.com/mojaloop/charts/v${security_role_chart_version}/mojaloop/security-role-perm-operator-svc/crds/mojaloop-permission-exclusions-crd.yaml
 helmCharts:
 - name: oathkeeper
   releaseName: oathkeeper

terraform/gitops/k8s-cluster-config/ory.tf

@@ -42,6 +42,7 @@ module "generate_ory_files" {
     istio_external_wildcard_gateway_name = local.istio_external_wildcard_gateway_name
     istio_internal_wildcard_gateway_name = local.istio_internal_wildcard_gateway_name
     bof_chart_version                    = try(var.app_var_map.bof_chart_version, var.bof_chart_version)
+    security_role_chart_version          = try(var.app_var_map.security_role_chart_version, var.security_role_chart_version)
     bof_release_name                     = local.bof_release_name
     vault_secret_key                     = var.vault_secret_key
     role_assign_svc_secret_name          = join("$", ["", "{${replace(var.role_assign_svc_secret, "-", "_")}}"])
@@ -111,7 +112,12 @@ variable "keycloak_hubop_realm_name" {
 }
 variable "bof_chart_version" {
   type    = string
-  default = "5.1.0"
+  default = "5.1.1"
+}
+
+variable "security_role_chart_version" {
+  type    = string
+  default = "2.1.10"
 }
 
 variable "rbac_permissions_file" {