Release 0.4.1 - PingAccess Cluster Support, Sprint 2101 (#76)

* Adding testing framework

* Adding internal certificates for private hostnames

* Changed enabled to generate

* Latest private-cert changes

* Adding pingaccess clustering

* Adding 0.4.1 release notes

* Issue #72 - Changing tag to 2101. Adding comments for pingaccess waitfor

* adding additional docs and examples

* adding example to release notes

charts/ping-devops/Chart.yaml

@@ -31,8 +31,9 @@ name: ping-devops
 # 0.3.8 - Refer to http://helm.pingidentity.com/release-notes/#release-038
 # 0.3.9 - Refer to http://helm.pingidentity.com/release-notes/#release-039
 # 0.4.0 - Refer to http://helm.pingidentity.com/release-notes/#release-040
+# 0.4.1 - Refer to http://helm.pingidentity.com/release-notes/#release-041
 ########################################################################
-version: 0.4.0
+version: 0.4.1
 description: All Ping Identity product images with integration
 type: application
 home: https://devops.pingidentity.com/

charts/ping-devops/templates/NOTES.txt

@@ -3,7 +3,7 @@
 #
 #  {{ printf $format " " "       Product       " " Workload  " " Ing "}}
 #  {{ printf $format " " "---------------------" "-----------" "-----"}}
-{{- $products := list "pingaccess" "pingdataconsole" "pingdatagovernance" "pingdatasync" "pingdelegator" "pingdirectory" "pingfederate-admin" "pingfederate-engine" "---" "ldap-sdk-tools" "pd-replication-timing" }}
+{{- $products := list "pingaccess-admin" "pingaccess-engine" "pingdataconsole" "pingdatagovernance" "pingdatasync" "pingdelegator" "pingdirectory" "pingfederate-admin" "pingfederate-engine" "---" "ldap-sdk-tools" "pd-replication-timing" }}
 {{- range $prodName := $products }}
 {{- if eq $prodName "---" }}
 #

charts/ping-devops/templates/global/configmap.yaml

@@ -6,10 +6,8 @@
 {{- $top := index . 0 -}}
 {{- $v := index . 1 -}}
 data:
-  {{/* Remove the pingaccess when we move to an engine/admin */}}
-  {{ include "global.private.host.port" (list $top $v "PA_ENGINE" "pingaccess") }}
-  {{ include "global.private.host.port" (list $top $v "PA_ENGINE" "pingaccess-engine") }}
   {{ include "global.private.host.port" (list $top $v "PA_ADMIN" "pingaccess-admin") }}
+  {{ include "global.private.host.port" (list $top $v "PA_ENGINE" "pingaccess-engine") }}
   {{ include "global.private.host.port" (list $top $v "PD_CONSOLE" "pingdataconsole") }}
   {{ include "global.private.host.port" (list $top $v "PDS_ENGINE" "pingdatasync") }}
   {{ include "global.private.host.port" (list $top $v "PDG_ENGINE" "pingdatagovernance") }}
@@ -20,10 +18,8 @@ data:
   {{ include "global.private.host.port" (list $top $v "PF_ENGINE" "pingfederate-engine") }}
   {{ include "global.private.host.port" (list $top $v "PF_ADMIN" "pingfederate-admin") }}
 
-  {{/* Remove the pingaccess when we move to an engine/admin */}}
-  {{ include "global.public.host.port" (list $top $v "PA_ENGINE" "pingaccess") }}
-  {{ include "global.public.host.port" (list $top $v "PA_ENGINE" "pingaccess-engine") }}
   {{ include "global.public.host.port" (list $top $v "PA_ADMIN" "pingaccess-admin") }}
+  {{ include "global.public.host.port" (list $top $v "PA_ENGINE" "pingaccess-engine") }}
   {{ include "global.public.host.port" (list $top $v "PD_CONSOLE" "pingdataconsole") }}
   {{ include "global.public.host.port" (list $top $v "PDS_ENGINE" "pingdatasync") }}
   {{ include "global.public.host.port" (list $top $v "PDG_ENGINE" "pingdatagovernance") }}

charts/ping-devops/templates/global/secret-cert.yaml

@@ -0,0 +1,15 @@
+{{- range (list "pingaccess-admin" "pingaccess-engine" "pingdatagovernance" "pingdatasync" "pingdirectory" "pingfederate-admin" "pingfederate-engine" ) }}
+    {{- if (merge (index $.Values . ) $.Values.global).privateCert.generate }}
+        {{- include "pinglib.private-cert" (list $ .) }}
+---
+    {{- end }}
+{{- end }}
+
+
+{{- define "pingaccess-admin.private-cert" -}}{{- end -}}
+{{- define "pingaccess-engine.private-cert" -}}{{- end -}}
+{{- define "pingdatagovernance.private-cert" -}}{{- end -}}
+{{- define "pingdatasync.private-cert" -}}{{- end -}}
+{{- define "pingdirectory.private-cert" -}}{{- end -}}
+{{- define "pingfederate-admin.private-cert" -}}{{- end -}}
+{{- define "pingfederate-engine.private-cert" -}}{{- end -}}

charts/ping-devops/templates/pingaccess-admin/configmap.yaml

@@ -0,0 +1,8 @@
+{{- include "pinglib.configmap" (list . "pingaccess-admin") -}}
+
+
+
+{{- define "pingaccess-admin.configmap" -}}
+data:
+  OPERATIONAL_MODE: CLUSTERED_CONSOLE
+{{- end -}}

charts/ping-devops/templates/pingaccess-admin/ingress.yaml

@@ -0,0 +1,8 @@
+{{- if (merge (index .Values "pingaccess-admin") .Values.global).ingress.enabled }}
+{{- include "pinglib.ingress" (list . "pingaccess-admin") -}}
+{{- end -}}
+
+
+
+{{- define "pingaccess-admin.ingress" -}}
+{{- end -}}

charts/ping-devops/templates/pingaccess-admin/service.yaml

@@ -0,0 +1,6 @@
+{{- include "pinglib.service" (list . "pingaccess-admin") -}}
+
+
+
+{{- define "pingaccess-admin.service" -}}
+{{- end -}}

charts/ping-devops/templates/pingaccess-admin/workload.yaml

@@ -0,0 +1,5 @@
+{{- include "pinglib.workload" (list . "pingaccess-admin") -}}
+
+
+{{- define "pingaccess-admin.workload" -}}
+{{- end -}}

charts/ping-devops/templates/pingaccess-engine/configmap.yaml

@@ -0,0 +1,8 @@
+{{- include "pinglib.configmap" (list . "pingaccess-engine") -}}
+
+
+
+{{- define "pingaccess-engine.configmap" -}}
+data:
+  OPERATIONAL_MODE: CLUSTERED_ENGINE
+{{- end -}}

charts/ping-devops/templates/pingaccess-engine/ingress.yaml

@@ -0,0 +1,8 @@
+{{- if (merge (index .Values "pingaccess-engine") .Values.global).ingress.enabled }}
+{{- include "pinglib.ingress" (list . "pingaccess-engine") -}}
+{{- end -}}
+
+
+
+{{- define "pingaccess-engine.ingress" -}}
+{{- end -}}

charts/ping-devops/templates/pingaccess-engine/service.yaml

@@ -0,0 +1,6 @@
+{{- include "pinglib.service" (list . "pingaccess-engine") -}}
+
+
+
+{{- define "pingaccess-engine.service" -}}
+{{- end -}}

charts/ping-devops/templates/pingaccess-engine/workload.yaml

@@ -0,0 +1,5 @@
+{{- include "pinglib.workload" (list . "pingaccess-engine") -}}
+
+
+{{- define "pingaccess-engine.workload" -}}
+{{- end -}}

charts/ping-devops/templates/pinglib/_private_cert.tpl

@@ -0,0 +1,23 @@
+{{- define "pinglib.private-cert.tpl" -}}
+{{- $top := index . 0 -}}
+{{- $v := index . 1 -}}
+apiVersion: v1
+kind: Secret
+metadata: {{ include "pinglib.metadata.labels" .  | nindent 2  }}
+  labels:
+    alt-names: {{ include "pinglib.addreleasename" (append . $v.name) }}
+  name: {{ include "pinglib.fullname" . }}-private-cert
+  annotations:
+    "helm.sh/hook": "pre-install"
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+type: kubernetes.io/tls
+data:
+{{ ( include "pinglib.gen-cert" . ) | indent 2 }}
+{{- end -}}
+
+
+{{- define "pinglib.private-cert" -}}
+  {{- include "pinglib.merge.templates" (append . "private-cert") -}}
+{{- end -}}
+
+

charts/ping-devops/templates/pinglib/_test_postman.tpl

@@ -0,0 +1,59 @@
+{{- define "pinglib.test.postman" -}}
+{{- $top := index . 0 -}}
+{{- $v := index . 1 -}}
+{{- $testName := index . 2 -}}
+{{- $test := index $top.Values.testFramework $testName -}}
+{{- $containerName := print "test-" $testName -}}
+{{- $waitFor := $test.waitFor -}}
+apiVersion: v1
+kind: Pod
+metadata: {{ include "pinglib.metadata.labels" .  | nindent 2 }}
+  annotations:
+    "helm.sh/hook": test
+  name: {{ include "pinglib.addreleasename" (list $top $v $containerName) }}
+spec:
+  restartPolicy: Never
+  initContainers: {{ include "pinglib.workload.init.waitfor" (list $top $v $waitFor) | nindent 4 }}
+  containers:
+  - name: {{ $containerName }}
+    env: []
+
+    {{/*--------------------- Image -------------------------*/}}
+    image: "postman/newman:5-alpine"
+    imagePullPolicy: IfNotPresent
+
+
+    {{/*--------------------- Command -----------------------*/}}
+    command:
+      - newman
+      - run
+      - {{ $test.collection }}
+      - --insecure
+      - --ignore-redirects
+
+    {{/*--------------------- Environment -----------------*/}}
+    envFrom:
+    - configMapRef:
+        name: {{ $top.Release.Name }}-global-env-vars
+        optional: true
+    - configMapRef:
+        name: {{ $top.Release.Name }}-{{ $testName }}-env-vars
+        optional: true
+
+    resources:
+      limits:
+        cpu: 500m
+        memory: 128Mi
+      requests:
+        cpu: 250m
+        memory: 64Mi
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+        - ALL
+      readOnlyRootFilesystem: true
+      runAsGroup: 1000
+      runAsNonRoot: true
+      runAsUser: 100
+{{- end }}

charts/ping-devops/templates/pinglib/_workload.tpl

@@ -48,7 +48,9 @@ spec:
       {{- end }}
       nodeSelector: {{ toYaml $v.container.nodeSelector | nindent 8 }}
       tolerations: {{ toYaml $v.container.tolerations | nindent 8 }}
-      initContainers: {{ include "pinglib.workload.init.waitfor" (append . $v.container.waitFor) | nindent 6 }}
+      initContainers:
+        {{ include "pinglib.workload.init.waitfor" (append . $v.container.waitFor) | nindent 6 }}
+        {{ include "pinglib.workload.init.genPrivateCert" . | nindent 6 }}
       containers:
       - name: {{ $v.name }}
         env: []
@@ -124,13 +126,20 @@ spec:
 
         {{/*--------------------- Resources ------------------*/}}
         resources: {{ toYaml $v.container.resources | nindent 10 }}
-        {{- if and (eq $v.workload.type "StatefulSet") $v.workload.statefulSet.persistentvolume.enabled }}
+        {{- if or (and (eq $v.workload.type "StatefulSet") $v.workload.statefulSet.persistentvolume.enabled) $v.privateCert.generate }}
         volumeMounts:
+        {{- if eq $v.workload.type "StatefulSet" }}
         {{- range $volName, $val := $v.workload.statefulSet.persistentvolume.volumes }}
         - name: {{ $volName }}{{ if eq "none" $v.addReleaseNameToResource }}-{{ $top.Release.Name }}{{ end }}
           mountPath: {{ .mountPath }}
         {{- end }}
         {{- end }}
+        {{- if $v.privateCert.generate }}
+        - name: private-keystore
+          mountPath: /run/secrets/private-keystore
+          readOnly: true
+        {{- end }}
+        {{- end }}
 
         {{/*---------------- Security Context -------------*/}}
         {{/* Futures: Support for container securityContexts */}}
@@ -141,14 +150,24 @@ spec:
       securityContext: {{ toYaml $v.workload.securityContext | nindent 8 }}
 
       {{/*--------------------- Volumes ------------------*/}}
-      {{- if and (eq $v.workload.type "StatefulSet") $v.workload.statefulSet.persistentvolume.enabled }}
+      {{- if or (and (eq $v.workload.type "StatefulSet") $v.workload.statefulSet.persistentvolume.enabled) $v.privateCert.generate }}
       volumes:
+      {{- if eq $v.workload.type "StatefulSet" }}
       {{- range $volName, $val := $v.workload.statefulSet.persistentvolume.volumes }}
       - name: {{ $volName }}{{ if eq "none" $v.addReleaseNameToResource }}-{{ $top.Release.Name }}{{ end }}
         persistentVolumeClaim:
           claimName: {{ $volName }}{{ if eq "none" $v.addReleaseNameToResource }}-{{ $top.Release.Name }}{{ end }}
       {{- end }}
       {{- end }}
+      {{- if $v.privateCert.generate }}
+      volumes:
+      - name: private-keystore
+        emptyDir: {}
+      - name: private-cert
+        secret:
+          secretName: {{ include "pinglib.fullname" . }}-private-cert
+      {{- end }}
+      {{- end }}
 
   {{/*----------------- VolumeClameTemplates ------------------*/}}
   {{- if and (eq $v.workload.type "StatefulSet") $v.workload.statefulSet.persistentvolume.enabled }}
@@ -172,7 +191,7 @@ spec:
 {{- $v := index . 1 -}}
 {{- $waitFor := index . 2 -}}
 {{- range $prod, $val := $waitFor }}
-  {{- if (index $top.Values $prod).enabled }}
+  {{- if or $top.Values.enabled (index $top.Values $prod).enabled }}
     {{- $host := include "pinglib.addreleasename" (list $top $v $prod) }}
     {{- $waitForServices := (index $top.Values $prod).services }}
     {{- $port := (index $waitForServices $val.service).servicePort | quote }}
@@ -181,22 +200,63 @@ spec:
   imagePullPolicy: {{ $v.image.pullPolicy }}
   image: {{ $v.externalImage.pingtoolkit }}
   command: ['sh', '-c', 'echo "Waiting for {{ $server }}..." && wait-for {{ $server }} -- echo "{{ $server }} running"']
-  resources:
-    limits:
-      cpu: 500m
-      memory: 128Mi
-    requests:
-      cpu: 250m
-      memory: 64Mi
-  securityContext:
-    allowPrivilegeEscalation: false
-    capabilities:
-      drop:
-      - ALL
-    readOnlyRootFilesystem: true
-    runAsGroup: 1000
-    runAsNonRoot: true
-    runAsUser: 100
+  {{ include "pinglib.workload.init.default.resources" . | nindent 2 }}
+  {{ include "pinglib.workload.init.default.securityContext" . | nindent 2 }}
     {{- end }}
   {{- end }}
+{{- end -}}
+
+
+{{- define "pinglib.workload.init.genPrivateCert" -}}
+{{- $top := index . 0 -}}
+{{- $v := index . 1 -}}
+{{- if $v.privateCert.generate }}
+- name: generate-private-cert-init
+  imagePullPolicy: {{ $v.image.pullPolicy }}
+  image: {{ $v.externalImage.pingtoolkit }}
+  command: ["/bin/sh"]
+  args:
+    - -c
+    - >-
+        _certPath=/run/secrets/private-cert &&
+        _certEnv=/run/secrets/private-keystore/keystore.env &&
+        echo "Generating ${_certEnv}" &&
+        PRIVATE_KEYSTORE_PIN=$(openssl rand -base64 32) &&
+        PRIVATE_KEYSTORE_TYPE=pkcs12 &&
+        PRIVATE_KEYSTORE=$(openssl ${PRIVATE_KEYSTORE_TYPE} -export -inkey ${_certPath}/tls.key -in ${_certPath}/tls.crt -password pass:${PRIVATE_KEYSTORE_PIN} | base64 | tr -d \\n) &&
+        echo "PRIVATE_KEYSTORE_TYPE=${PRIVATE_KEYSTORE_TYPE}">>${_certEnv} &&
+        echo "PRIVATE_KEYSTORE_PIN=${PRIVATE_KEYSTORE_PIN}">>${_certEnv} &&
+        echo "PRIVATE_KEYSTORE=${PRIVATE_KEYSTORE}">>${_certEnv}
+  {{ include "pinglib.workload.init.default.resources" . | nindent 2 }}
+  {{ include "pinglib.workload.init.default.securityContext" . | nindent 2 }}
+  {{/*--------------------- Resources ------------------*/}}
+  volumeMounts:
+  - name: private-cert
+    mountPath: /run/secrets/private-cert
+  - name: private-keystore
+    mountPath: /run/secrets/private-keystore
+{{- end }}
+{{- end -}}
+
+
+{{- define "pinglib.workload.init.default.resources" -}}
+resources:
+  limits:
+    cpu: 500m
+    memory: 128Mi
+  requests:
+    cpu: 250m
+    memory: 64Mi
+{{- end -}}
+
+{{- define "pinglib.workload.init.default.securityContext" -}}
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsGroup: 1000
+  runAsNonRoot: true
+  runAsUser: 100
 {{- end -}}