[DSD-5936] (#297)

* [DSD-5936] added deployment script for keymanager and keygen

Signed-off-by: ckm007 <chandrakeshavmishra@gmail.com>

* [DSD-5936] added helm chart for keymanager and keygen

Signed-off-by: ckm007 <chandrakeshavmishra@gmail.com>

---------

Signed-off-by: ckm007 <chandrakeshavmishra@gmail.com>

Author: ckm007

.github/workflows/chart-lint-publish.yml

@@ -0,0 +1,62 @@
+name: Validate / Publish helm charts
+
+on:
+  release:
+    types: [published]
+  pull_request:
+    types: [opened, reopened, synchronize]
+    paths:
+      - 'helm/**'
+  workflow_dispatch:
+    inputs:
+      IGNORE_CHARTS:
+        description: 'Provide list of charts to be ignored separated by pipe(|)'
+        required: false
+        default: '""'
+        type: string
+      CHART_PUBLISH:
+        description: 'Chart publishing to gh-pages branch'
+        required: false
+        default: 'NO'
+        type: string
+        options:
+          - YES
+          - NO
+      INCLUDE_ALL_CHARTS:
+        description: 'Include all charts for Linting/Publishing (YES/NO)'
+        required: false
+        default: 'NO'
+        type: string
+        options:
+          - YES
+          - NO
+  push:
+    branches:
+      - '!release-branch'
+      - '!master'
+      - 1.*
+      - 0.*
+      - develop
+      - release*
+    paths:
+      - 'helm/**'
+
+jobs:
+  chart-lint-publish:
+    uses: mosip/kattu/.github/workflows/chart-lint-publish.yml@master
+    with:
+      CHARTS_DIR: ./helm
+      CHARTS_URL: https://mosip.github.io/mosip-helm
+      REPOSITORY: mosip-helm
+      BRANCH: gh-pages
+      INCLUDE_ALL_CHARTS: "${{ inputs.INCLUDE_ALL_CHARTS || 'NO' }}"
+      IGNORE_CHARTS: "${{ inputs.IGNORE_CHARTS || '\"\"' }}"
+      CHART_PUBLISH: "${{ inputs.CHART_PUBLISH || 'YES' }}"
+      LINTING_CHART_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-schema.yaml"
+      LINTING_LINTCONF_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/lintconf.yaml"
+      LINTING_CHART_TESTING_CONFIG_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-testing-config.yaml"
+      LINTING_HEALTH_CHECK_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/health-check-schema.yaml"
+      DEPENDENCIES: "mosip,https://mosip.github.io/mosip-helm;"
+    secrets:
+      TOKEN: ${{ secrets.ACTION_PAT }}
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

deploy/README.md

@@ -0,0 +1,12 @@
+# Key Manager
+
+## Overview
+[Key Manager](https://docs.mosip.io/1.2.0/modules/keymanager) runs in a separate namespace from other [Kernel modules](https://docs.mosip.io/1.2.0/modules/commons) (for security, access restrictions). Before running Key Manager, [Base keys](https://docs.mosip.io/1.2.0/modules/keymanager#key-hierarchy) need to be generated.  This is done by [key generation job](https://docs.mosip.io/1.2.0/modules/keymanager#key-generation-process). The job creates Base keys in HSM/Softhsm. These keys must be kept intact throughout the project. It is assumed that HSM/Softhsm is already installed and properties in [`application-default.properties`](https://docs.mosip.io/1.2.0/modules/module-configuration#config-server) and `kernel-default.properties` are appropriately set to generate your organization's certificates.
+
+## Install
+The key generator job and Key Manager installation is done by running the below script:
+```
+./install.sh
+```
+
+

deploy/copy_cm.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# Copy configmaps from other namespaces
+# DST_NS: Destination (current) namespace
+
+function copying_cm() {
+  UTIL_URL=https://github.com/mosip/mosip-infra/blob/master/deployment/v3/utils/copy_cm_func.sh
+  COPY_UTIL=./copy_cm_func.sh
+  DST_NS=keymanager
+
+  wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh
+
+  $COPY_UTIL configmap global default $DST_NS
+  $COPY_UTIL configmap artifactory-share artifactory $DST_NS
+  $COPY_UTIL configmap config-server-share config-server $DST_NS
+  $COPY_UTIL configmap softhsm-kernel-share softhsm $DST_NS
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+copying_cm   # calling function
+
+
+

deploy/delete.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# Uninstalls keymanager
+## Usage: ./delete.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+  export KUBECONFIG=$1
+fi
+
+function deleting_keymanager() {
+  NS=keymanager
+  while true; do
+      read -p "Are you sure you want to delete keymanager helm chart?(Y/n) " yn
+      if [ $yn = "Y" ]
+        then
+          helm -n $NS delete kernel-keygen
+          helm -n $NS delete keymanager
+          break
+        else
+          break
+      fi
+  done
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+deleting_keymanager   # calling function

deploy/idle_timeout_envoyfilter.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: idle-timeout-inbound-filter
+spec:
+  configPatches:
+  - applyTo: NETWORK_FILTER
+    match:
+      context: SIDECAR_INBOUND
+      listener:
+        filterChain:
+          filter:
+            name: envoy.filters.network.tcp_proxy
+    patch:
+      operation: MERGE
+      value:
+        name: envoy.filters.network.tcp_proxy
+        typed_config:
+          '@type': type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy
+          idle_timeout: 0s

deploy/install.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+# Installs keymanager
+## Usage: ./install.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+  export KUBECONFIG=$1
+fi
+
+NS=keymanager
+CHART_VERSION=12.1.0-develop
+
+echo Creating $NS namespace
+kubectl create ns $NS
+
+function installing_keymanager() {
+  echo Istio label
+  kubectl label ns $NS istio-injection=enabled --overwrite
+  kubectl apply -n $NS -f idle_timeout_envoyfilter.yaml
+  helm repo update
+
+  echo Copy configmaps
+  sed -i 's/\r$//' copy_cm.sh
+  ./copy_cm.sh
+
+  echo Running keygenerator. This may take a few minutes..
+  helm -n $NS install kernel-keygen mosip/keygen --wait --wait-for-jobs --version $CHART_VERSION -f keygen_values.yaml
+
+  echo Installing keymanager
+  helm -n $NS install keymanager mosip/keymanager --version $CHART_VERSION
+
+  kubectl -n $NS  get deploy -o name |  xargs -n1 -t  kubectl -n $NS rollout status
+  echo Installed keymanager services
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+installing_keymanager   # calling function

deploy/keygen_values.yaml

@@ -0,0 +1,2 @@
+springConfigNameEnv: kernel
+softHsmCM: softhsm-kernel-share

deploy/restart.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# Restart the keymanager
+## Usage: ./restart.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+  export KUBECONFIG=$1
+fi
+
+function Restarting_keymanager() {
+  NS=keymanager
+  kubectl -n $NS rollout restart deploy keymanager
+
+  kubectl -n $NS  get deploy -o name |  xargs -n1 -t  kubectl -n $NS rollout status
+
+  echo Restarted keymanager service
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+Restarting_keymanager   # calling function

helm/keygen/.gitignore

@@ -0,0 +1,2 @@
+charts/
+Charts.lock

helm/keygen/.helmignore

@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj