Initial commit for AMT

Author: DevipriyaS17

infra-config/values.yaml

@@ -28,6 +28,11 @@ config:
   orchKeycloak: keycloak.kind.internal:443
   orchTelemetry: telemetry-node.kind.internal:443
   # TODO: remove below two lines
+  orchMPSHost: mps-node.kind.internal:4433
+  orchMPSWHost: mps-webport-node.kind.internal:443
+  orchRPSHost: rps-node.kind.internal:443
+  orchRPSWHost: rps-webport-node.kind.internal:443
+  orchMPSRHost: mpsrouter-node.kind.internal:443
   orchTelemetryHost: telemetry-node.kind.internal
   orchTelemetryPort: 443
   orchRegistry: registry-rs.edgeorchestration.intel.com:9443

infra-onboarding/Chart.yaml

@@ -28,3 +28,7 @@ dependencies:
     condition: import.infra-config.enabled
     version: "0.5.1"
     repository: "file://../infra-config"
+  - name: amt
+    condition: import.amt.enabled
+    version: "0.0.1"
+    repository: "file://../amt"

infra-onboarding/values.yaml

@@ -17,6 +17,8 @@ import:
     enabled: true
   infra-config:
     enabled: true
+  amt:
+    enabled: true
 
 # Global values overrides
 # global:

mi-amt/Chart.yaml

@@ -0,0 +1,26 @@
+---
+# SPDX-FileCopyrightText: (C) 2024 Intel Corporation
+# SPDX-License-Identifier: LicenseRef-Intel
+
+apiVersion: v2
+name: amt
+description: Edge Infrastructure Manager AMT
+type: application
+version: 0.0.1
+appVersion: "0.0.1"
+home: edge-orchestrator.intel.com
+maintainers:
+  - name: Edge Infrastructure Manager Team
+dependencies:
+  - name: mps
+    version: "0.0.1"
+    condition: amt-mps.enabled
+    repository: "file://charts/mps"
+  - name: mpsrouter
+    version: "0.0.1"
+    condition: amt-mpsrouter.enabled
+    repository: "file://charts/mpsrouter"
+  - name: rps
+    version: "0.0.1"
+    condition: amt-rps.enabled
+    repository: "file://charts/rps"

mi-amt/charts/mps/Chart.yaml

@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: (C) 2023 Intel Corporation
+# SPDX-License-Identifier: LicenseRef-Intel
+
+apiVersion: v2
+name: mps
+description: Edge Infrastructure Manager AMT MPS
+type: application
+version: 0.0.1
+appVersion: "0.0.1"
+annotations: {}
+home: edge-orchestrator.intel.com
+maintainers:
+  - name: Edge Infrastructure Manager Team

mi-amt/charts/mps/init.sql

@@ -0,0 +1,101 @@
+/*********************************************************************
+* Copyright (c) Intel Corporation 2020
+* SPDX-License-Identifier: Apache-2.0
+**********************************************************************/
+CREATE EXTENSION IF NOT EXISTS citext;
+CREATE USER mpsdb;
+CREATE TABLE IF NOT EXISTS ciraconfigs(
+  cira_config_name citext NOT NULL,
+  mps_server_address varchar(256),
+  mps_port integer,
+  user_name varchar(40),
+  password varchar(63),
+  common_name varchar(256),
+  server_address_format integer,
+  auth_method integer,
+  mps_root_certificate text,
+  proxydetails text,
+  tenant_id varchar(36) NOT NULL,
+  PRIMARY KEY (cira_config_name, tenant_id)
+);
+CREATE TABLE IF NOT EXISTS ieee8021xconfigs(
+    profile_name citext,
+    auth_protocol integer,
+    servername VARCHAR(255),
+    domain VARCHAR(255),
+    username VARCHAR(255),
+    password VARCHAR(255),
+    roaming_identity VARCHAR(255),
+    active_in_s0 BOOLEAN,
+    pxe_timeout integer,
+    wired_interface BOOLEAN NOT NULL,
+    tenant_id varchar(36) NOT NULL,
+    PRIMARY KEY (profile_name, tenant_id)
+);
+CREATE TABLE IF NOT EXISTS wirelessconfigs(
+  wireless_profile_name citext NOT NULL,
+  authentication_method integer,
+  encryption_method integer,
+  ssid varchar(32),
+  psk_value integer,
+  psk_passphrase varchar(63),
+  link_policy int[],
+  creation_date timestamp,
+  created_by varchar(40),
+  tenant_id varchar(36) NOT NULL,
+  ieee8021x_profile_name citext,
+  FOREIGN KEY (ieee8021x_profile_name,tenant_id)  REFERENCES ieee8021xconfigs(profile_name,tenant_id),
+  PRIMARY KEY (wireless_profile_name, tenant_id)
+);
+CREATE TABLE IF NOT EXISTS profiles(
+  profile_name citext NOT NULL,
+  activation varchar(20) NOT NULL,
+  amt_password varchar(40),
+  generate_random_password BOOLEAN NOT NULL,
+  cira_config_name citext,
+  FOREIGN KEY (cira_config_name,tenant_id)  REFERENCES ciraconfigs(cira_config_name,tenant_id),
+  creation_date timestamp,
+  created_by varchar(40),
+  mebx_password varchar(40),
+  generate_random_mebx_password BOOLEAN NOT NULL,
+  tags text[],
+  dhcp_enabled BOOLEAN,
+  ip_sync_enabled BOOLEAN NULL,
+  local_wifi_sync_enabled BOOLEAN NULL,
+  tenant_id varchar(36) NOT NULL,
+  tls_mode integer NULL,
+  user_consent varchar(7) NULL,
+  ider_enabled BOOLEAN NULL,
+  kvm_enabled BOOLEAN NULL,
+  sol_enabled BOOLEAN NULL,
+  tls_signing_authority varchar(40) NULL,
+  ieee8021x_profile_name citext,
+  FOREIGN KEY (ieee8021x_profile_name,tenant_id)  REFERENCES ieee8021xconfigs(profile_name,tenant_id),
+  PRIMARY KEY (profile_name, tenant_id)
+);
+CREATE TABLE IF NOT EXISTS profiles_wirelessconfigs(
+  wireless_profile_name citext,
+  profile_name citext,
+  FOREIGN KEY (wireless_profile_name,tenant_id)  REFERENCES wirelessconfigs(wireless_profile_name,tenant_id),
+  FOREIGN KEY (profile_name,tenant_id)  REFERENCES profiles(profile_name,tenant_id),
+  priority integer,
+  creation_date timestamp,
+  created_by varchar(40),
+  tenant_id varchar(36) NOT NULL,
+  PRIMARY KEY (wireless_profile_name, profile_name, priority, tenant_id)
+);
+CREATE TABLE IF NOT EXISTS domains(
+  name citext NOT NULL,
+  domain_suffix citext NOT NULL,
+  provisioning_cert text,
+  provisioning_cert_storage_format varchar(40),
+  provisioning_cert_key text,
+  creation_date timestamp,
+  expiration_date timestamp,
+  created_by varchar(40),
+  tenant_id varchar(36) NOT NULL,
+  CONSTRAINT domainname UNIQUE (name, tenant_id),
+  CONSTRAINT domainsuffix UNIQUE (domain_suffix, tenant_id),
+  PRIMARY KEY (name, domain_suffix, tenant_id)
+);
+

mi-amt/charts/mps/initMPS.sql

@@ -0,0 +1,25 @@
+/*********************************************************************
+* Copyright (c) Intel Corporation 2021
+* SPDX-License-Identifier: Apache-2.0
+**********************************************************************/
+CREATE DATABASE mpsdb;
+
+\connect mpsdb
+
+CREATE TABLE IF NOT EXISTS devices(
+      guid uuid NOT NULL,
+      tags text[],
+      hostname varchar(256),
+      mpsinstance text, 
+      connectionstatus boolean,
+      mpsusername text,
+      tenantid varchar(36) NOT NULL,
+      friendlyname varchar(256),
+      dnssuffix varchar(256),
+      lastconnected timestamp with time zone,
+      lastseen timestamp with time zone,
+      lastdisconnected timestamp with time zone,
+      deviceinfo JSON,
+      CONSTRAINT device_guid UNIQUE(guid),
+      PRIMARY KEY (guid, tenantid)
+    ); 

mi-amt/charts/mps/templates/_helpers.tpl

@@ -0,0 +1,55 @@
+# SPDX-FileCopyrightText: (C) 2023 Intel Corporation
+# SPDX-License-Identifier: LicenseRef-Intel
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "mps.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "mps.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "mps.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "mps.labels" -}}
+helm.sh/chart: {{ include "mps.chart" . }}
+{{ include "mps.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app: mps
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "mps.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "mps.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app: mps
+{{- end }}

mi-amt/charts/mps/templates/cm.yaml

@@ -0,0 +1,116 @@
+---
+# SPDX-FileCopyrightText: (C) 2024 Intel Corporation
+# SPDX-License-Identifier: LicenseRef-Intel
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: amt-configmap
+data:
+  amt.sh: |
+    #!/bin/bash
+
+    # DO NOT MODIFY - SEE DESCRIPTION
+
+    # Script Name: amt-vault.sh
+    # Description: This script will accquire the service token to login to vault,
+    #              fetch the vault token to create secret.
+    # Usage: ./onboard_fm_credentials.sh <KEYCLOAK_URL> <VAULT_URL>
+    #    -h:             help (optional)
+
+    set -xe
+    set -o pipefail
+
+    HELP=""
+
+    while getopts 'h' flag; do
+      case "${flag}" in
+        h) HELP='true' ;;
+        *) HELP='true' ;;
+      esac
+    done
+    shift $((OPTIND -1))
+
+    function usage {
+        cat >&2 <<EOF
+    Purpose:
+    Creation of secret for MPS and RPS services.
+
+    Usage:
+      $(basename "$0") <KEYCLOAK_URL> <VAULT_URL>
+
+    ex:
+    ./onboard_fm_credentials.sh http://localhost:8090 http://localhost:8200
+
+    Options:
+        -h:             help (optional)
+    EOF
+    }
+
+    KEYCLOAK_URL=$1
+    VAULT_URL=$2
+
+    if [[ "$HELP" || -z "$KEYCLOAK_URL" || -z "$VAULT_URL" || -z "$ADMIN_USER" || -z "$ADMIN_PASS" || -z "$ADMIN_CLIENT" ]]; then
+        usage
+        exit 1
+    fi
+
+    # Operation in vault are retried up to $max_retries times
+    max_retries=5
+    retry_count=0
+    # Login to Vault
+    TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+    while [ "$retry_count" -lt $max_retries ]; do
+      if vault_login_output=$(curl -k -X PUT \
+             "$VAULT_URL/v1/auth/kubernetes/login" \
+             -H "Authorization: Bearer $TOKEN" \
+             -d '{"jwt": "'"${TOKEN}"'", "role": "orch-svc"}') && \
+          [[ ! "$vault_login_output" =~ "errors" ]]; then
+        echo "Vault login successful!"
+        VAULT_TOKEN=$(echo "$vault_login_output" | jq -r  '.auth.client_token')
+        break
+      fi
+      echo "ERROR: $vault_login_output"
+      sleep 10
+      retry_count=$((retry_count + 1))
+    done
+
+    if [ $retry_count -eq $max_retries ]; then
+      echo "ERROR: Too many errors in logging into Vault!"
+      exit 1
+    fi
+
+      retry_count=0
+      while [ "$retry_count" -lt $max_retries ]; do
+        if curl -k -X POST \
+          "https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/orch-infra/secrets" \
+          -H "Authorization: Bearer $TOKEN" \
+          -H "Content-Type: application/json" \
+          -d '{
+              "apiVersion": "v1",
+              "kind": "Secret",
+              "metadata": {
+                "name": "vault-token"
+              },
+              "data": {
+                "vault-token": "'$(echo -n "$VAULT_TOKEN" | base64 -w0)'"
+              }
+            }'; then
+          echo "Vault token secret created successfully!"
+          break
+        else
+          echo "Error creating vault token secret, retrying..."
+          sleep 10
+          retry_count=$((retry_count + 1))
+        fi
+      done
+
+    
+    # If Istio proxy is available, quit sidecar
+    if curl -s -f http://127.0.0.1:15020/healthz/ready; then
+       response=$(curl -o /dev/null -w "%{http_code}" --location  -v --request POST http://127.0.0.1:15000/quitquitquit --header 'Content-Type: text/plain')
+       if [[ ! "${response}" =~ "200" ]]; then
+          echo "ERROR: Error while quiting Istio proxy"
+          exit 1
+       fi
+    fi