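#!/usr/bin/env bash
# Deploy a Zenko instance for end-to-end tests: renders the ZenkoVersion and
# Zenko CRs with envsubst, applies them and waits for the instance to become
# Available.
#
# Usage: deploy-zenko.sh [ZENKO_NAME] [NAMESPACE] [ZENKO_CR_PATH] [ZENKOVERSION_PATH] [DEPS_PATH]
# Required env: AZURE_SECRET_KEY (encrypted into the Zenko CR)
# Optional env: TIME_PROGRESSION_FACTOR (default 1), ENABLE_KEYCLOAK_HTTPS (default false),
#   ZENKO_MONGODB_SECRET_NAME, ZENKO_MONGODB_DATABASE, ZENKO_*_INGRESS, BACKBEAT_LCC_CRON_RULE
#
# -x traces every expanded command, argument values included, to stderr (the
# CI log); -u aborts on any unset variable.
set -exu

DIR="$(dirname "$0")"
REPOSITORY_DIR="${DIR}/../../.."

export ZENKO_NAME="${1:-end2end}"
export NAMESPACE="${2:-default}"
# Relative to the caller's working directory, not to DIR (the script never cd's).
export ZENKO_CR_PATH="${3:-./configs/zenko.yaml}"
export ZENKOVERSION_PATH="${4:-${REPOSITORY_DIR}/solution/zenkoversion.yaml}"
export DEPS_PATH="${5:-${REPOSITORY_DIR}/solution/deps.yaml}"
export ZENKO_VERSION_NAME="${ZENKO_NAME}-version"
export ZENKO_ANNOTATIONS=""
export ZENKO_MONGODB_SECRET_NAME="${ZENKO_MONGODB_SECRET_NAME:-mongodb-db-creds}"
export ZENKO_IAM_INGRESS="${ZENKO_IAM_INGRESS:-iam.zenko.local}"
export ZENKO_STS_INGRESS="${ZENKO_STS_INGRESS:-sts.zenko.local}"
export ZENKO_MANAGEMENT_INGRESS="${ZENKO_MANAGEMENT_INGRESS:-management.zenko.local}"
export ZENKO_S3_INGRESS="${ZENKO_S3_INGRESS:-s3.zenko.local}"
export ZENKO_SUR_INGRESS="${ZENKO_SUR_INGRESS:-utilization.zenko.local}"
export BACKBEAT_LCC_CRON_RULE="${BACKBEAT_LCC_CRON_RULE:-*/5 * * * * *}"

# Ingress annotations / certificate list substituted into the CR template;
# the multi-line values are kept verbatim because envsubst pastes them as-is.
ENABLE_KEYCLOAK_HTTPS="${ENABLE_KEYCLOAK_HTTPS:-false}"
if [[ "${ENABLE_KEYCLOAK_HTTPS}" == 'true' ]]; then
  export ZENKO_INGRESS_ANNOTATIONS="annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 0m
nginx.ingress.kubernetes.io/ssl-redirect: 'false'"
  export ZENKO_INGRESS_CERTIFICATES="certificates:
- hosts:
- ${ZENKO_MANAGEMENT_INGRESS}
- ${ZENKO_IAM_INGRESS}
- ${ZENKO_STS_INGRESS}
- ${ZENKO_SUR_INGRESS}"
else
  export ZENKO_INGRESS_ANNOTATIONS="annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 0m"
  export ZENKO_INGRESS_CERTIFICATES='certificates: []'
fi

# TODO: use kustomize
export ZENKO_ANNOTATIONS="annotations:"
export ZENKO_MONGODB_ENDPOINT="data-db-mongodb-sharded.default.svc.cluster.local:27017"
export ZENKO_MONGODB_CONFIG="writeConcern: 'majority'
enableSharding: true"
export ZENKO_MONGODB_DATABASE="${ZENKO_MONGODB_DATABASE:-datadb}"

# Default of 1 (real time) so an unset TIME_PROGRESSION_FACTOR no longer
# trips `set -u`; the annotation is only emitted when time is accelerated.
if [[ "${TIME_PROGRESSION_FACTOR:-1}" -gt 1 ]]; then
  export ZENKO_ANNOTATIONS="$ZENKO_ANNOTATIONS
zenko.io/time-progression-factor: \"${TIME_PROGRESSION_FACTOR}\""
fi
export ZENKO_ANNOTATIONS="${ZENKO_ANNOTATIONS:-annotations:}
zenko.io/dns-service-address: \"kube-dns.kube-system.svc\""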
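#######################################
# Emit one NAME=REGISTRY/IMAGE line per entry of the deps file for envsubst.
# Globals:   DEPS_PATH (read) - YAML list with envsubst / sourceRegistry / image keys
# Outputs:   lines of <envsubst>=<sourceRegistry or docker.io>/<image>, with a
#            trailing "_TAG=" in the variable name rewritten to "_IMAGE="
# Returns:   sed's status; the script does not set pipefail, so a yq failure
#            is masked here
#######################################
dependencies_image_env() {
  yq eval '.[] | .envsubst + "=" + (.sourceRegistry // "docker.io") + "/" + .image' "${DEPS_PATH}" \
    | sed 's/_TAG=/_IMAGE=/g'
}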
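#######################################
# Emit one NAME=REGISTRY/DASHBOARD line per entry of the deps file for envsubst.
# Globals:   DEPS_PATH (read) - YAML list with envsubst / sourceRegistry / dashboard keys
# Outputs:   lines of <envsubst>=<sourceRegistry or docker.io>/<dashboard>, with a
#            trailing "_TAG=" in the variable name rewritten to "_DASHBOARD="
# Returns:   sed's status; the script does not set pipefail, so a yq failure
#            is masked here
#######################################
dependencies_dashboard_env() {
  yq eval '.[] | .envsubst + "=" + (.sourceRegistry // "docker.io") + "/" + .dashboard' "${DEPS_PATH}" \
    | sed 's/_TAG=/_DASHBOARD=/g'
}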
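#######################################
# Emit one NAME=REGISTRY/POLICY line per entry of the deps file for envsubst.
# Globals:   DEPS_PATH (read) - YAML list with envsubst / sourceRegistry / policy keys
# Outputs:   lines of <envsubst>=<sourceRegistry or docker.io>/<policy>, with a
#            trailing "_TAG=" in the variable name rewritten to "_POLICY="
# Returns:   sed's status; the script does not set pipefail, so a yq failure
#            is masked here
#######################################
dependencies_policy_env() {
  yq eval '.[] | .envsubst + "=" + (.sourceRegistry // "docker.io") + "/" + .policy' "${DEPS_PATH}" \
    | sed 's/_TAG=/_POLICY=/g'
}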
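#######################################
# Emit one NAME=REGISTRY/CONFIG line per entry of the deps file for envsubst.
# Globals:   DEPS_PATH (read) - YAML list with envsubst / sourceRegistry / config keys
# Outputs:   lines of <envsubst>=<sourceRegistry or docker.io>/<config>, with a
#            trailing "_TAG=" in the variable name rewritten to "_CONFIG="
# Returns:   sed's status; the script does not set pipefail, so a yq failure
#            is masked here
#######################################
dependencies_config_env() {
  yq eval '.[] | .envsubst + "=" + (.sourceRegistry // "docker.io") + "/" + .config' "${DEPS_PATH}" \
    | sed 's/_TAG=/_CONFIG=/g'
}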
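#######################################
# Emit the NAME=TAG line of every deps entry plus the Kafka build tree hash.
# Globals:   DEPS_PATH, REPOSITORY_DIR (read); BUILD_TREE_HASH (set by the
#            sourced output of kafka_build_vars.sh)
# Outputs:   lines of <envsubst>=<tag>, then KAFKA_BUILD_TREE_HASH=<hash>
# Returns:   non-zero if yq or the sourced script fails (script runs under set -e)
#######################################
dependencies_versions_env() {
  yq eval '.[] | .envsubst + "=" + .tag' "${DEPS_PATH}"
  # kafka_build_vars.sh is executed and its stdout sourced, so the variables it
  # prints (presumably BUILD_TREE_HASH=...) land in this shell; under `set -u`
  # an unset BUILD_TREE_HASH aborts on the echo below.
  source <( "${REPOSITORY_DIR}/solution/kafka_build_vars.sh" )
  echo "KAFKA_BUILD_TREE_HASH=${BUILD_TREE_HASH}"
}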
#######################################
# Collect every NAME=VALUE pair that the CR templates need, for `env ... envsubst`.
# Globals:   ZENKO_VERSION_NAME (read)
# Outputs:   one line per producer function (its lines joined by spaces),
#            followed by ZENKO_VERSION_NAME=<value>
#######################################
dependencies_env() {
  local producer
  # shellcheck disable=SC2046 -- the unquoted substitution intentionally joins
  # each producer's lines into one space-separated line; the caller passes the
  # result unquoted to `env`, which splits it back into NAME=VALUE words.
  for producer in dependencies_versions_env dependencies_image_env \
      dependencies_dashboard_env dependencies_policy_env dependencies_config_env; do
    echo $("${producer}")
  done
  echo "ZENKO_VERSION_NAME=${ZENKO_VERSION_NAME}"
}
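#######################################
# Make sure the <ZENKO_NAME>-keypair.v0 secret exists (reusing it if present,
# generating an RSA key pair otherwise) and RSA-OAEP-encrypt AZURE_SECRET_KEY
# with its public key.
# Globals:   ZENKO_NAME, NAMESPACE, AZURE_SECRET_KEY (read);
#            PUBLIC, PRIVATE (written; deliberately NOT local because the EXIT
#            trap expands them after this function has returned);
#            AZURE_SECRET_KEY_ENCRYPTED (exported, base64 of the ciphertext)
# Outputs:   nothing on stdout; openssl/kubectl diagnostics on stderr
# Returns:   non-zero if any step fails (script runs under set -e)
#######################################
create_encryption_secret() {
  local secret_name="${ZENKO_NAME}-keypair.v0"
  local openssl_version
  local xtrace_was_on=0

  # mktemp creates both files mode 0600 in the current directory.
  PUBLIC=$(mktemp zenko-key.pub.XXXXXX)
  PRIVATE=$(mktemp zenko-key.XXXXXX)
  trap 'rm -f "$PUBLIC" "$PRIVATE"' EXIT INT HUP TERM

  if kubectl get secret "${secret_name}" --namespace "${NAMESPACE}" >/dev/null 2>&1; then
    # Existing key pair: only the public half is needed to encrypt.
    kubectl get secret "${secret_name}" --namespace "${NAMESPACE}" \
      -o jsonpath='{.data.publicKey}' | base64 -d > "$PUBLIC"
  else
    openssl_version=$(openssl version | awk '{print $2}')
    if [[ $openssl_version =~ ^3\..* ]]; then
      # OpenSSL 3.x needs "-traditional" to emit the PKCS#1 ("RSA PRIVATE KEY") form.
      openssl genrsa -out "$PRIVATE" -traditional
    else
      openssl genrsa -out "$PRIVATE"
    fi
    openssl rsa -in "$PRIVATE" -pubout -out "$PUBLIC"
    # Zkop expects PKCS#1 format, but with a type of 'PRIVATE KEY' as generated with older openssl
    sed -i 's/RSA PRIVATE KEY/PRIVATE KEY/' "$PRIVATE"
    kubectl create secret generic "${secret_name}" \
      --namespace "${NAMESPACE}" \
      --from-file=publicKey="$PUBLIC" \
      --from-file=privateKey="$PRIVATE"
  fi

  # The script runs under `set -x`, which would print the expanded printf
  # below - i.e. the plaintext AZURE_SECRET_KEY - into the CI log. Pause
  # tracing for the encryption step and restore it afterwards.
  if [[ $- == *x* ]]; then
    xtrace_was_on=1
    set +x
  fi
  AZURE_SECRET_KEY_ENCRYPTED="$(
    printf '%s' "${AZURE_SECRET_KEY}" \
      | openssl pkeyutl -encrypt -pubin -inkey "$PUBLIC" \
          -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 \
      | base64 -w 0
  )"
  if [[ ${xtrace_was_on} -eq 1 ]]; then
    set -x
  fi
  export AZURE_SECRET_KEY_ENCRYPTED
}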
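create_encryption_secret

# Render and apply the ZenkoVersion CR (dropping the dashboard entry tagged with
# this version name) and then the Zenko CR itself.
# shellcheck disable=SC2046 -- dependencies_env prints NAME=VALUE words that
# env must receive as separate arguments.
env $(dependencies_env) envsubst < "${ZENKOVERSION_PATH}" \
  | yq "del(.spec.dashboards[] | select(.tag == \"${ZENKO_VERSION_NAME}\"))" \
  | kubectl -n "${NAMESPACE}" apply -f -
env $(dependencies_env) envsubst < "${ZENKO_CR_PATH}" | kubectl -n "${NAMESPACE}" apply -f -

# Up to 120 attempts of `kubectl wait --timeout 5s` for the Zenko CR to report
# Available; each failed attempt dumps pod and condition state to ease
# understanding of failures in the CI.
retries=120
while ! kubectl wait --for condition=Available --timeout 5s --namespace "${NAMESPACE}" "zenko/${ZENKO_NAME}" \
    && [[ ${retries} -gt 0 ]]; do
  retries=$((retries - 1))
  kubectl get pods -A
  kubectl -n "${NAMESPACE}" get "zenko/${ZENKO_NAME}" -o "jsonpath={.status.conditions}" || true
done
if [[ ${retries} -le 0 ]]; then
  printf 'zenko/%s in namespace %s did not become Available\n' "${ZENKO_NAME}" "${NAMESPACE}" >&2
  exit 1
fi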