From 6ce8d4683ec452d20870fe4e3ab13b0ac69b41ea Mon Sep 17 00:00:00 2001 From: Pubudu Gunatilaka Date: Sat, 30 Mar 2024 20:07:14 +0530 Subject: [PATCH] Add in-place upgrade for APK upgrading --- helm-charts/README.md | 1 + helm-charts/Version-Upgrade.md | 28 +- ...e-values.yaml => crds-upgrade-values.yaml} | 1 + helm-charts/in-place-upgrade-values.yaml | 408 ++++++++++++++++++ .../adapter-server-certificate.yaml | 2 +- .../common-controller-server-certificate.yaml | 2 +- .../config-deployer-server-certificate.yaml | 2 +- .../enforcer-server-certificate.yaml | 2 +- .../gateway-server-certificate.yaml | 2 +- .../certificates/gw-listener-certificate.yaml | 2 +- .../idp-listener-certificate.yaml | 2 +- .../certificates/idp-server-certificate.yaml | 2 +- .../idp-ui-server-certificate.yaml | 2 +- .../localhost-listener-certificate.yaml | 2 +- .../ratelimiter-server-certificate.yaml | 2 +- .../runtime-domain-server-certificate.yaml | 2 +- .../system-api-listener-certificate.yaml | 2 +- .../webhook-server-certificate.yaml | 2 +- .../issuers/self-signed-issuer.yaml | 2 +- .../config-deployer/config-ds-configmap.yaml | 11 +- .../config-deployer/config-ds-deployment.yaml | 9 + .../data-plane/gateway-api/gateway-api.yaml | 4 + .../gateway-components/adapter/gateway.yaml | 2 +- .../idp/idp-ds/idp-ds-deployment.yaml | 9 + .../templates/postgres/initdb-conf.yaml | 2 +- helm-charts/values.yaml | 3 +- helm-charts/values.yaml.template | 2 +- idp/idp-domain-service/docker/Dockerfile | 1 + idp/idp-domain-service/docker/idp/idp.sh | 8 +- .../config-deployer-service/docker/Dockerfile | 1 + .../docker/config-deployer/config.sh | 8 +- 31 files changed, 501 insertions(+), 27 deletions(-) rename helm-charts/{version-upgrade-values.yaml => crds-upgrade-values.yaml} (97%) create mode 100644 helm-charts/in-place-upgrade-values.yaml diff --git a/helm-charts/README.md b/helm-charts/README.md index bd5e3c3836..0c00883428 100644 --- a/helm-charts/README.md +++ b/helm-charts/README.md @@ -317,6 +317,7 @@ A Helm chart for APK components | gatewaySystem.enableServiceAccountCreation | bool | `true` | | | gatewaySystem.enableClusterRoleCreation | bool | `true` | | | gatewaySystem.serviceAccountName | string | `"gateway-api-admission"` | | +| gatewaySystem.applyGatewayWehbhookJobs | bool | `true` | | | certmanager.enabled | bool | `true` | Enable certificate manager to generate certificates | | certmanager.enableClusterIssuer | bool | `true` | Enable cluster issuer to generate certificates | | certmanager.enableRootCa | bool | `true` | Enable root CA to generate certificates | diff --git a/helm-charts/Version-Upgrade.md b/helm-charts/Version-Upgrade.md index fd96a0725f..a320bd1ed0 100644 --- a/helm-charts/Version-Upgrade.md +++ b/helm-charts/Version-Upgrade.md @@ -1,3 +1,27 @@ -# Version Upgrade APK +# Updating APK Version -helm template test . -f version-upgrade-values.yaml && helm show crds . > t.yaml \ No newline at end of file +This guide outlines the process of upgrading from APK v1.0.0 installation to APK v1.1.0 installation. + +## In-Place Upgrade + +The in-place upgrade process transitions your existing APK v1.0.0 installation to APK v1.1.0. Prior to implementing these steps in a production environment, it is advised to apply and validate them in lower environments. + +- Ensure APK v1.0.0 is currently installed in the cluster. + + **Note:** The steps provided below assume that APK v1.0.0 is installed in the `default` namespace under the release name `apk`. Replace the dot (.) with the appropriate APK v1.1.0 Helm chart name and version, which is `wso2apk/apk-helm --version 1.1.0`. + +- Install/Update CRDs for APK v1.1.0. + + ```bash + (helm template apk . -f crds-upgrade-values.yaml -n default && helm show crds .) > apk-v1.1.0-crds.yaml + + kubectl apply -f apk-v1.1.0-crds.yaml + ``` + +- Upgrade the existing APK v1.0.0 installation to APK v1.1.0. + + ```bash + helm upgrade --reuse-values apk . -f ./in-place-upgrade-values.yaml --set skipCrds=true + ``` + +These steps will seamlessly transition your APK installation to the latest version, ensuring continued functionality and compatibility. \ No newline at end of file diff --git a/helm-charts/version-upgrade-values.yaml b/helm-charts/crds-upgrade-values.yaml similarity index 97% rename from helm-charts/version-upgrade-values.yaml rename to helm-charts/crds-upgrade-values.yaml index a405606fc0..b91ebdbf8e 100644 --- a/helm-charts/version-upgrade-values.yaml +++ b/helm-charts/crds-upgrade-values.yaml @@ -35,6 +35,7 @@ gatewaySystem: enabled: false enableServiceAccountCreation: false enableClusterRoleCreation: false + applyGatewayWehbhookJobs: false certmanager: enabled: false diff --git a/helm-charts/in-place-upgrade-values.yaml b/helm-charts/in-place-upgrade-values.yaml new file mode 100644 index 0000000000..62afed3137 --- /dev/null +++ b/helm-charts/in-place-upgrade-values.yaml @@ -0,0 +1,408 @@ +# Copyright (c) 2022, WSO2 LLC. (https://www.wso2.com) All Rights Reserved. +# +# WSO2 LLC. licenses this file to you under the Apache License, +# Version 2.0 (the "License"); you may not use this file except +# in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +wso2: + subscription: + imagePullSecrets: "" + + apk: + webhooks: + validatingwebhookconfigurations: true + mutatingwebhookconfigurations: true + auth: + enabled: true + enableServiceAccountCreation: true + enableClusterRoleCreation: true + serviceAccountName: wso2apk-platform + roleName: wso2apk-role + listener: + hostname: "api.am.wso2.com" + port: 9095 + # secretName: "idp-tls" + idp: + issuer: "https://idp.am.wso2.com/token" + usernameClaim: "sub" + organizationClaim: "organization" + groupsClaim: "groups" + consumerKeyClaim: "clientId" + # organizationResolver: "controlPlane" # controlplane,none + # tls: + # secretName: "wso2apk-idp-certificates" + # fileName: "idp.crt" + # signing: + # jwksEndpoint: "https://idp.am.wso2.com:9095/oauth2/jwks" + # secretName: "wso2apk-idp-signing" + # fileName: "idp.crt" + dp: + enabled: true + gateway: + name: default + listener: + hostname: "gw.wso2.com" + # secretName: "idp-tls" + # partitionServer: + # enabled: false + # host: "https://control-plane-wso2-apk-partition-server.control-plane.svc.cluster.local" + # serviceBasePath: "/api/publisher/v1" + # partitionName: "default" + # hostnameVerificationEnable: true + # tls: + # secretName: "partition-server-cert" + # fileName: "certificate.crt" + # headers: + # - name: "apiKey" + # value: "123-456-789" + configdeployer: + enabled: true + deployment: + + resources: + requests: + memory: "512Mi" + cpu: "200m" + limits: + memory: "1024Mi" + cpu: "500m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + replicas: 1 + imagePullPolicy: Always + image: wso2/apk-config-deployer-service:latest + # configs: + # tls: + # secretName: "my-secret" + # certKeyFilename: "tls.key" + # certFilename: "certchain.crt" + adapter: + deployment: + resources: + requests: + memory: "64Mi" + cpu: "50m" + limits: + memory: "128Mi" + cpu: "200m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + replicas: 1 + imagePullPolicy: Always + image: wso2/apk-adapter:latest + security: + sslHostname: "adapter" + # logging: + # level: "INFO" # LogLevels can be "DEBG", "FATL", "ERRO", "WARN", "INFO", "PANC" + # # logFormat: "TEXT" # Values can be "JSON", "TEXT" + # configs: + # apiNamespaces: + # - "apk-v12" + # tls: + # secretName: "adapter-cert" + # certKeyFilename: "" + # certFilename: "" + commonController: + deployment: + resources: + requests: + memory: "64Mi" + cpu: "50m" + limits: + memory: "128Mi" + cpu: "200m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + replicas: 1 + imagePullPolicy: Always + image: wso2/apk-common-controller:latest + security: + sslHostname: "commoncontroller" +# controlplane: +# enabled: true +# host: "apim-apk-agent-service.apk.svc.cluster.local" +# skipSSLVerification: true + # configs: + # apiNamespaces: + # - "apk-v12" + ratelimiter: + enabled: true + deployment: + resources: + requests: + memory: "64Mi" + cpu: "50m" + limits: + memory: "128Mi" + cpu: "100m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + replicas: 1 + imagePullPolicy: Always + image: wso2/apk-ratelimiter:latest + security: + sslHostname: "ratelimiter" + # configs: + # tls: + # secretName: "ratelimiter-cert" + # certKeyFilename: "" + # certFilename: "" + # certCAFilename: "" + gatewayRuntime: + deployment: + replicas: 1 + router: + resources: + requests: + memory: "128Mi" + cpu: "200m" + limits: + memory: "1028Mi" + cpu: "1000m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + imagePullPolicy: Always + image: wso2/apk-router:latest + # configs: + # tls: + # secretName: "router-cert" + # certKeyFilename: "" + # certFilename: "" + # logging: + # wireLogs: + # enable: true + # accessLogs: + # enable: true + # env: + # TRAILING_ARGS: "--log-level trace" + enforcer: + resources: + requests: + memory: "512Mi" + cpu: "500m" + limits: + memory: "1028Mi" + cpu: "1000m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + imagePullPolicy: Always + image: wso2/apk-enforcer:latest + security: + sslHostname: "enforcer" +# logging: +# level: DEBUG +# configs: +# tls: +# secretName: "router-cert" +# certKeyFilename: "" +# certFilename: "" +# JWKSClient: +# skipSSLVerification: false +# hostnameVerifier: "AllowAll" + + metrics: + enabled: false + # configDSBalHost: 0.0.0.0 + # idpDSBalHost: 0.0.0.0 + # statsd: + # image: + # repository: prom/statsd-exporter + # tag: v0.26.0 + # imagePullPolicy: IfNotPresent + # resources: + # limits: + # memory: 128Mi + # requests: + # cpu: 0.1 + # memory: 64Mi +idp: + enabled: true + listener: + hostname: "idp.am.wso2.com" + # secretName: "idp-tls" + database: + driver: "org.postgresql.Driver" + url: "jdbc:postgresql://wso2apk-db-service:5432/WSO2AM_DB" + host: "wso2apk-db-service" + port: 5432 + databaseName: "WSO2AM_DB" + username: "wso2carbon" + secretName: "apk-db-secret" + secretKey: "DB_PASSWORD" + validationQuery: "SELECT 1" + validationTimeout: 250 + idpds: + configs: + issuer: "https://idp.am.wso2.com/token" + keyId: "gateway_certificate_alias" + hostname: "idp.am.wso2.com" + loginPageURl: "https://idp.am.wso2.com:9095/authenticationEndpoint/login" + loginErrorPageUrl: "https://idp.am.wso2.com:9095/authenticationEndpoint/error" + loginCallBackURl: "https://idp.am.wso2.com:9095/authenticationEndpoint/login-callback" + deployment: + resources: + requests: + memory: "512Mi" + cpu: "200m" + limits: + memory: "1024Mi" + cpu: "500m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + replicas: 1 + imagePullPolicy: Always + image: wso2/apk-idp-domain-service:latest + idpui: + deployment: + resources: + requests: + memory: "64Mi" + cpu: "50m" + limits: + memory: "256Mi" + cpu: "100m" + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 20 + failureThreshold: 5 + strategy: RollingUpdate + replicas: 1 + imagePullPolicy: Always + image: wso2/apk-idp-ui:latest + configs: + idpLoginUrl: "https://idp.am.wso2.com:9095/commonauth/login" + idpAuthCallBackUrl: "https://idp.am.wso2.com:9095/oauth2/auth-callback" + +gatewaySystem: + enabled: true + enableServiceAccountCreation: true + enableClusterRoleCreation: true + serviceAccountName: gateway-api-admission + applyGatewayWehbhookJobs: false + +certmanager: + enabled: true + enableClusterIssuer: true + enableRootCa: true + rootCaSecretName: "apk-root-certificate" + +postgresql: + enabled: true + fullnameOverride: "wso2apk-db-service" + auth: + database: WSO2AM_DB + postgresPassword: wso2carbon + username: wso2carbon + password: wso2carbon + primary: + extendedConfiguration: | + max_connections = 400 + initdb: + scriptsConfigMap: postgres-initdb-scripts-configmap + user: wso2carbon + password: wso2carbon + service: + ports: + postgresql: 5432 + podSecurityContext: + enabled: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containerSecurityContext: + enabled: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + runAsUser: null + + image: + debug: true + +redis: + enabled: true + architecture: standalone + fullnameOverride: redis + primary: + service: + ports: + redis: 6379 + master: + podSecurityContext: + enabled: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + containerSecurityContext: + enabled: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + runAsUser: null + auth: + enabled: false + image: + debug: true diff --git a/helm-charts/templates/cert-manager/certificates/adapter-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/adapter-server-certificate.yaml index d0d5ef6c93..264fbf7bd5 100644 --- a/helm-charts/templates/cert-manager/certificates/adapter-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/adapter-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-adapter-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/common-controller-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/common-controller-server-certificate.yaml index 37c7e76ba3..3fe1cc3888 100644 --- a/helm-charts/templates/cert-manager/certificates/common-controller-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/common-controller-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-common-controller-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/config-deployer-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/config-deployer-server-certificate.yaml index 9f3411769a..4a33b3675b 100644 --- a/helm-charts/templates/cert-manager/certificates/config-deployer-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/config-deployer-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-config-ds-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/enforcer-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/enforcer-server-certificate.yaml index b52002d2c2..92887d6591 100644 --- a/helm-charts/templates/cert-manager/certificates/enforcer-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/enforcer-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-enforcer-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/gateway-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/gateway-server-certificate.yaml index a187729cab..3171c1ce80 100644 --- a/helm-charts/templates/cert-manager/certificates/gateway-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/gateway-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-gateway-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/gw-listener-certificate.yaml b/helm-charts/templates/cert-manager/certificates/gw-listener-certificate.yaml index 751e94101c..509a2b3c73 100644 --- a/helm-charts/templates/cert-manager/certificates/gw-listener-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/gw-listener-certificate.yaml @@ -31,7 +31,7 @@ spec: {{ if .Values.certmanager.listeners -}} name: {{ .Values.certmanager.listeners.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-gw-listener-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/idp-listener-certificate.yaml b/helm-charts/templates/cert-manager/certificates/idp-listener-certificate.yaml index f84e3a86a0..f797b7776d 100644 --- a/helm-charts/templates/cert-manager/certificates/idp-listener-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/idp-listener-certificate.yaml @@ -32,7 +32,7 @@ spec: {{ if .Values.certmanager.listeners -}} name: {{ .Values.certmanager.listeners.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-idp-listener-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/idp-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/idp-server-certificate.yaml index cb49548fc3..1017d6731a 100644 --- a/helm-charts/templates/cert-manager/certificates/idp-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/idp-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-idp-ds-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/idp-ui-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/idp-ui-server-certificate.yaml index 615eea64dc..be6bc5accf 100644 --- a/helm-charts/templates/cert-manager/certificates/idp-ui-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/idp-ui-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-idp-ui-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/localhost-listener-certificate.yaml b/helm-charts/templates/cert-manager/certificates/localhost-listener-certificate.yaml index 59119c08f9..5063ec4cf7 100644 --- a/helm-charts/templates/cert-manager/certificates/localhost-listener-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/localhost-listener-certificate.yaml @@ -31,7 +31,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-localhost-listener-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/ratelimiter-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/ratelimiter-server-certificate.yaml index 158e4db28d..3c3b0475d7 100644 --- a/helm-charts/templates/cert-manager/certificates/ratelimiter-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/ratelimiter-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-ratelimiter-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/runtime-domain-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/runtime-domain-server-certificate.yaml index 9c92767ba5..83b442579f 100644 --- a/helm-charts/templates/cert-manager/certificates/runtime-domain-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/runtime-domain-server-certificate.yaml @@ -37,7 +37,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-runtime-ds-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/system-api-listener-certificate.yaml b/helm-charts/templates/cert-manager/certificates/system-api-listener-certificate.yaml index 9277e1846b..be83de81c7 100644 --- a/helm-charts/templates/cert-manager/certificates/system-api-listener-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/system-api-listener-certificate.yaml @@ -32,7 +32,7 @@ spec: {{ if .Values.certmanager.listeners -}} name: {{ .Values.certmanager.listeners.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-system-api-listener-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/certificates/webhook-server-certificate.yaml b/helm-charts/templates/cert-manager/certificates/webhook-server-certificate.yaml index 9dff750b5a..63da23056e 100644 --- a/helm-charts/templates/cert-manager/certificates/webhook-server-certificate.yaml +++ b/helm-charts/templates/cert-manager/certificates/webhook-server-certificate.yaml @@ -32,7 +32,7 @@ spec: {{ if .Values.certmanager.servers -}} name: {{ .Values.certmanager.servers.issuerName | default "selfsigned-issuer" }} {{- else -}} - name: "selfsigned-issuer" + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer {{- end }} secretName: {{ template "apk-helm.resource.prefix" . }}-webhook-server-cert {{- end -}} diff --git a/helm-charts/templates/cert-manager/issuers/self-signed-issuer.yaml b/helm-charts/templates/cert-manager/issuers/self-signed-issuer.yaml index 746617d26d..85adf96364 100644 --- a/helm-charts/templates/cert-manager/issuers/self-signed-issuer.yaml +++ b/helm-charts/templates/cert-manager/issuers/self-signed-issuer.yaml @@ -17,7 +17,7 @@ apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: - name: selfsigned-issuer + name: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer spec: ca: secretName: {{.Values.certmanager.rootCaSecretName}} diff --git a/helm-charts/templates/data-plane/config-deployer/config-ds-configmap.yaml b/helm-charts/templates/data-plane/config-deployer/config-ds-configmap.yaml index bf2f22fb39..30d074d214 100644 --- a/helm-charts/templates/data-plane/config-deployer/config-ds-configmap.yaml +++ b/helm-charts/templates/data-plane/config-deployer/config-ds-configmap.yaml @@ -28,15 +28,18 @@ data: traceLogConsole = false {{if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled}} [ballerina.observe] - metricsEnabled=true - metricsReporter="prometheus" + metricsEnabled = true + metricsReporter = "prometheus" [ballerinax.prometheus] port=18006 {{if .Values.wso2.apk.metrics.configDSBalHost}} - host="{{ .Values.wso2.apk.metrics.configDSBalHost}}" + host = "{{ .Values.wso2.apk.metrics.configDSBalHost}}" {{else}} - host="0.0.0.0" + host = "0.0.0.0" {{end}} + {{else}} + [ballerina.observe] + metricsEnabled = false {{end}} [wso2.config_deployer_service.keyStores.tls] keyFilePath = "/home/wso2apk/config-deployer/security/config.key" diff --git a/helm-charts/templates/data-plane/config-deployer/config-ds-deployment.yaml b/helm-charts/templates/data-plane/config-deployer/config-ds-deployment.yaml index 09db2721f7..8108175a34 100644 --- a/helm-charts/templates/data-plane/config-deployer/config-ds-deployment.yaml +++ b/helm-charts/templates/data-plane/config-deployer/config-ds-deployment.yaml @@ -48,6 +48,11 @@ spec: - containerPort: 18007 protocol: "TCP" {{ end }} +{{ include "apk-helm.deployment.env" .Values.wso2.apk.dp.configdeployer.deployment.env | indent 10 }} + {{ if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} + - name: METRICS_ENABLED + value: "true" + {{ end }} readinessProbe: httpGet: path: /health @@ -67,9 +72,11 @@ spec: - mountPath: /home/wso2apk/config-deployer/conf/Config.toml name: config-toml-volume subPath: Config.toml + {{- if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} - name: prometheus-jmx-config-volume mountPath: /tmp/metrics/prometheus-jmx-config-configds.yml subPath: prometheus-jmx-config-configds.yml + {{- end }} - name: config-ds-tls-volume mountPath: /home/wso2apk/config-deployer/security/config.key {{- if and .Values.wso2.apk.dp.configdeployer.deployment.configs .Values.wso2.apk.dp.configdeployer.deployment.configs.tls }} @@ -114,9 +121,11 @@ spec: - name: config-toml-volume configMap: name: {{ template "apk-helm.resource.prefix" . }}-config-ds-configmap + {{- if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} - name: prometheus-jmx-config-volume configMap: name: prometheus-jmx-config-configds + {{- end }} - name: config-ds-tls-volume secret: {{ if and .Values.wso2.apk.dp.configdeployer.deployment.configs .Values.wso2.apk.dp.configdeployer.deployment.configs.tls }} diff --git a/helm-charts/templates/data-plane/gateway-api/gateway-api.yaml b/helm-charts/templates/data-plane/gateway-api/gateway-api.yaml index afc1ba11bc..66b2f0dba5 100644 --- a/helm-charts/templates/data-plane/gateway-api/gateway-api.yaml +++ b/helm-charts/templates/data-plane/gateway-api/gateway-api.yaml @@ -192,6 +192,7 @@ subjects: name: gateway-api-admission namespace: {{ .Release.Namespace }} --- +{{ if and .Values.gatewaySystem .Values.gatewaySystem.applyGatewayWehbhookJobs}} apiVersion: batch/v1 kind: Job metadata: @@ -242,7 +243,9 @@ spec: runAsNonRoot: true seccompProfile: type: "RuntimeDefault" +{{ end }} --- +{{ if and .Values.gatewaySystem .Values.gatewaySystem.applyGatewayWehbhookJobs}} apiVersion: batch/v1 kind: Job metadata: @@ -295,4 +298,5 @@ spec: runAsNonRoot: true runAsUser: 2000 runAsGroup: 2000 +{{ end }} {{- end -}} \ No newline at end of file diff --git a/helm-charts/templates/data-plane/gateway-components/adapter/gateway.yaml b/helm-charts/templates/data-plane/gateway-components/adapter/gateway.yaml index 9d496f349b..f90068d11f 100644 --- a/helm-charts/templates/data-plane/gateway-components/adapter/gateway.yaml +++ b/helm-charts/templates/data-plane/gateway-components/adapter/gateway.yaml @@ -5,7 +5,7 @@ metadata: name: {{ .Values.wso2.apk.dp.gateway.name | default "wso2-apk-default" }} namespace: {{ .Release.Namespace }} annotations: - cert-manager.io/issuer: selfsigned-issuer + cert-manager.io/issuer: {{ template "apk-helm.resource.prefix" . }}-selfsigned-issuer spec: {{- if .Values.wso2.apk.dp.gatewayClass }} gatewayClassName: {{ .Values.wso2.apk.dp.gatewayClass.name | default "wso2-apk-default" }} diff --git a/helm-charts/templates/idp/idp-ds/idp-ds-deployment.yaml b/helm-charts/templates/idp/idp-ds/idp-ds-deployment.yaml index 466b4da4a1..7ea0722d01 100644 --- a/helm-charts/templates/idp/idp-ds/idp-ds-deployment.yaml +++ b/helm-charts/templates/idp/idp-ds/idp-ds-deployment.yaml @@ -56,6 +56,11 @@ spec: protocol: "TCP" - containerPort: 18007 protocol: "TCP" + {{ end }} +{{ include "apk-helm.deployment.env" .Values.idp.idpds.deployment.env | indent 10 }} + {{ if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} + - name: METRICS_ENABLED + value: "true" {{ end }} readinessProbe: httpGet: @@ -82,9 +87,11 @@ spec: - mountPath: /home/wso2apk/idp/security/wso2carbon.pem name: idp-signing-keystore-volume subPath: wso2carbon.pem + {{- if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} - name: prometheus-jmx-config-volume mountPath: /tmp/metrics/prometheus-jmx-config-idpds.yml subPath: prometheus-jmx-config-idpds.yml + {{- end }} - name: idp-ds-tls-volume mountPath: /home/wso2apk/idp/security/idp.key {{- if and .Values.idp.idpds.configs .Values.idp.idpds.configs.tls }} @@ -120,9 +127,11 @@ spec: - name: config-toml-volume configMap: name: {{ template "apk-helm.resource.prefix" . }}-idp-ds-configmap + {{- if and .Values.wso2.apk.metrics .Values.wso2.apk.metrics.enabled }} - name: prometheus-jmx-config-volume configMap: name: prometheus-jmx-config-idpds + {{- end }} - name: idp-signing-keystore-volume secret: secretName: {{ template "apk-helm.resource.prefix" . }}-idp-signing-keystore-secret diff --git a/helm-charts/templates/postgres/initdb-conf.yaml b/helm-charts/templates/postgres/initdb-conf.yaml index e94313fc7e..27fefd708b 100644 --- a/helm-charts/templates/postgres/initdb-conf.yaml +++ b/helm-charts/templates/postgres/initdb-conf.yaml @@ -18,7 +18,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: postgres-initdb-scripts-configmap + name: {{ .Values.postgresql.primary.initdb.scriptsConfigMap }} namespace: {{ .Release.Namespace }} data: setup1.sql: | diff --git a/helm-charts/values.yaml b/helm-charts/values.yaml index 7791378189..6e287fc05c 100644 --- a/helm-charts/values.yaml +++ b/helm-charts/values.yaml @@ -339,7 +339,8 @@ gatewaySystem: enableServiceAccountCreation: true enableClusterRoleCreation: true serviceAccountName: gateway-api-admission - + applyGatewayWehbhookJobs: true + certmanager: enabled: true enableClusterIssuer: true diff --git a/helm-charts/values.yaml.template b/helm-charts/values.yaml.template index 977c2ae8d4..ae100a3c6a 100644 --- a/helm-charts/values.yaml.template +++ b/helm-charts/values.yaml.template @@ -764,7 +764,7 @@ gatewaySystem: enableServiceAccountCreation: true enableClusterRoleCreation: true serviceAccountName: gateway-api-admission - + applyGatewayWehbhookJobs: true certmanager: # -- Enable certificate manager to generate certificates diff --git a/idp/idp-domain-service/docker/Dockerfile b/idp/idp-domain-service/docker/Dockerfile index f07cf74987..2ae43f2e33 100644 --- a/idp/idp-domain-service/docker/Dockerfile +++ b/idp/idp-domain-service/docker/Dockerfile @@ -60,6 +60,7 @@ RUN set -eux; \ ENV JAVA_HOME=/opt/java/openjdk \ PATH="/opt/java/openjdk/bin:$PATH" +ENV METRICS_ENABLED=false ARG USER=wso2apk ARG USER_ID=10001 diff --git a/idp/idp-domain-service/docker/idp/idp.sh b/idp/idp-domain-service/docker/idp/idp.sh index dc8c6e8bc1..33c97227a2 100755 --- a/idp/idp-domain-service/docker/idp/idp.sh +++ b/idp/idp-domain-service/docker/idp/idp.sh @@ -97,11 +97,17 @@ if [ -z "$JVM_MEM_OPTS" ]; then fi echo "Using Java memory options: $JVM_MEM_OPTS" +JAVA_AGENT="" +if [ "$METRICS_ENABLED" = "true" ]; then + echo "METRICS_ENABLED is set to true." + JAVA_AGENT="-javaagent:/home/wso2apk/lib/jmx_prometheus_javaagent-0.20.0.jar=18007:/tmp/metrics/prometheus-jmx-config-idpds.yml" +fi + $JAVACMD \ $JVM_MEM_OPTS \ $JAVA_OPTS \ -classpath "$CLASSPATH" \ -Djava.io.tmpdir="$IDP_HOME/tmp" \ - -javaagent:/home/wso2apk/lib/jmx_prometheus_javaagent-0.20.0.jar=18007:/tmp/metrics/prometheus-jmx-config-idpds.yml \ + $JAVA_AGENT \ -jar idp_domain_service.jar $* status=$? diff --git a/runtime/config-deployer-service/docker/Dockerfile b/runtime/config-deployer-service/docker/Dockerfile index a7df677089..25c55b529a 100644 --- a/runtime/config-deployer-service/docker/Dockerfile +++ b/runtime/config-deployer-service/docker/Dockerfile @@ -41,6 +41,7 @@ RUN set -eux; \ ENV JAVA_HOME=/opt/java/openjdk \ PATH="/opt/java/openjdk/bin:$PATH" +ENV METRICS_ENABLED=false ARG USER=wso2apk ARG USER_ID=10001 diff --git a/runtime/config-deployer-service/docker/config-deployer/config.sh b/runtime/config-deployer-service/docker/config-deployer/config.sh index 3d9253f7e7..e80aecf5b4 100644 --- a/runtime/config-deployer-service/docker/config-deployer/config.sh +++ b/runtime/config-deployer-service/docker/config-deployer/config.sh @@ -98,11 +98,17 @@ if [ -z "$JVM_MEM_OPTS" ]; then fi echo "Using Java memory options: $JVM_MEM_OPTS" +JAVA_AGENT="" +if [ "$METRICS_ENABLED" = "true" ]; then + echo "METRICS_ENABLED is set to true." + JAVA_AGENT="-javaagent:/home/wso2apk/lib/jmx_prometheus_javaagent-0.20.0.jar=18007:/tmp/metrics/prometheus-jmx-config-configds.yml" +fi + $JAVACMD \ $JVM_MEM_OPTS \ $JAVA_OPTS \ -classpath "$CLASSPATH" \ -Djava.io.tmpdir="$RUNTIME_HOME/tmp" \ - -javaagent:/home/wso2apk/lib/jmx_prometheus_javaagent-0.20.0.jar=18007:/tmp/metrics/prometheus-jmx-config-configds.yml \ + $JAVA_AGENT \ -jar config_deployer_service.jar $* status=$?