Merge pull request #249 from CAAPIM/develop/otk

charts/gateway OTK Release 4.6.2

charts/gateway/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 appVersion: "11.0.00"
 description: This Helm Chart deploys the Layer7 Gateway in Kubernetes.
 name: gateway
-version: 3.0.16
+version: 3.0.17
 type: application
 home: https://github.com/CAAPIM/apim-charts
 maintainers:

charts/gateway/bundles/otk-healthcheck.bundle

@@ -43,8 +43,8 @@
     <wsp:All wsp:Usage="Required">
         <L7p:SslAssertion/>
         <L7p:RemoteIpAddressRange>
-            <L7p:NetworkMask stringValue="16"/>
-            <L7p:StartIp stringValue="240.224.2.1"/>
+            <L7p:NetworkMask stringValue="{{ default "16" .Values.otk.networkMask}}"/>
+            <L7p:StartIp stringValue="{{ default "240.224.2.1" .Values.otk.startIP }}"/>
         </L7p:RemoteIpAddressRange>
         <L7p:SetVariable>
             <L7p:Base64Expression stringValue="YWR2YW5jZWQ="/>

charts/gateway/production-values.yaml

@@ -485,36 +485,107 @@ service:
 # This enables/disables otk install or upgrade.
 # Prerequisites.
 #  1. OTK DB is installed.
-#  2. restman is enabled. Can be disabled once the install/upgrage is complete (management.restman.enabled: true)
-# Note: In dual gateway installation, restart the pods after OTK install or upgrade.
+#  2. Restman is enabled for DB backed Gateway. Can be disabled once the install/upgrade is complete (management.restman.enabled: true)
+#  Note: In dual gateway installation, restart the pods after OTK install or upgrade.
 otk:
   enabled: false
   # OTK installation type - SINGLE, DMZ or INTERNAL
   type: SINGLE
 
-  # Force install or upgrade by uninstalling existing otk soluction kit and install.
-  # forceInstallOrUpgrade: false
+  # Force install or upgrade by uninstalling existing otk solution kit and install.
+  forceInstallOrUpgrade: false
 
   # Not applicable for DMZ and INTERNAL OTK types
-  # enablePortalIngeration: false
-  # skipPostInstallationTasks: false
+  enablePortalIntegration: false
+  skipPostInstallationTasks: false
+  skipInternalServerTools: false
+
+  # Restman host and port (optional). Valid only for db backed gateways
+  # Default - gateway service
+  # restmanHost:
+  # Default -  installSolutionKits.restmanPort
+  # restmanPort:
 
   # Specify internal gateway host and port for DMZ OTK type
   # internalGatewayHost:
   # internalGatewayPort:
 
-  # Specify DMZ gateway host and port for interal OTK type
+  # Specify DMZ gateway host and port for internal OTK type
   # dmzGatewayHost:
   # dmzGatewayPort:
 
-  # List of comma seperated sub soluction Kits to install or upgrade.
+  # Network mask and startIP used in the 'Restrict Access to IP Address Range Assertion' to protect the schedule jobs and health checks.
+  # The db maintenance and health check services can accessible based on the IP address.
+  # https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-1/policy-assertions/assertion-palette/service-availability-assertions/restrict-access-to-ip-address-range-assertion.html
+  # networkMask: 16
+  # startIP: 240.224.2.1
+
+  cert:
+    # Specify DMZ gateway certificates that needs to be imported to Internal GW (for ephemeral gateway)
+    # dmzGatewayCert:
+    # dmzGatewayIssuer:
+    # dmzGatewaySerial:
+    # dmzGatewaySubject:
+
+    # Specify Internal gateway certificates that needs to be imported for DMZ GW (for ephemeral gateway)
+    # internalGatewayCert:
+    # internalGatewayIssuer:
+    # internalGatewaySerial:
+    # internalGatewaySubject:
+
+  # List of comma separated sub solution Kits to install or upgrade.
   # subSolutionKitNames:
 
+  customizations:
+
+    # This mounts one or more bundles that exist as secrets or configmaps in your Kubernetes Cluster.
+    # When creating these secrets/configmaps the format should be
+    # key: bundle1.bundle value: <xml value>
+    # Each bundle that you create as a ConfigMap can not exceed 1MB in size.
+    # Ephemeral Gateway: Copies the bundles into Gateways bundle folder (/opt/SecureSpan/Gateway/node/default/etc/bootstrap/bundle/000OTK)
+    # DB backed Gateway: Applies bundles to the Gateway using Restman calls (PUT /restman/1.0/bundle)
+    existingBundle:
+      enabled: false
+      configMaps: []
+      # - name: otkbundle1
+      #   configMap:
+      #     defaultMode: 420
+      #     optional: false
+      #     name: otkbundle1
+      # - name: otkbundle1
+
+      secrets: []
+      # - name: secretotkbundle1
+      #   csi:
+      #     driver: secrets-store.csi.k8s.io
+      #     readOnly: true
+      #     volumeAttributes:
+      #       secretProviderClass: "secret-provider-class-name"
+      # - name: secretotkbundle2
+
   job:
     image:
       repository: caapim/otk-install
-      tag: 4.6.1
+      tag: 4.6.2
       pullPolicy: IfNotPresent
+    imagePullSecret:
+      enabled: false
+
+    # Valid only for ephemeral gateway. Creates cronJobs for each OTK DB maintenance schedule tasks.
+    scheduledTasks:
+      - name: client
+        schedule: "*/31 * * * *"
+      - name: idtoken
+        schedule: "*/29 * * * *"
+      - name: sessions
+        schedule: "*/7 * * * *"
+      - name: token
+        schedule: "*/5 * * * *"
+      - name: trl
+        schedule: "0 */1 * * *"
+      - name: miscellaneous
+        schedule: "*/5 * * * *"
+
     labels: {}
     # nodeSelector: {}
     # tolerations: []
@@ -528,47 +599,93 @@ otk:
 
     resources:
       requests:
-        memory: 32Mi
+        memory: 64Mi
         cpu: 200m
       limits:
-        memory: 64Mi
+        memory: 128Mi
         cpu: 250m
 
   database:
     # OTK database type - mysql/oracle/cassandra
     type: mysql
     connectionName: OAuth
-    # existingSecretName: otkdb-secret
-    username: root
-    password: 7layer
+    dbUpgrade: true
+    useDemoDb: true
+
+    # OTK database user name and password used to create Gateway Database/cassandra connection.
+    username: otk_user
+    password: mypassword
+
+    # existingSecretName: otkDbSecret
+
+    # Database connection properties
     properties: {"maximumPoolSize":15, "minimumPoolSize":3}
+
+    # For Cassandra driverConfig is supported from GW 11.0. Either otk.database.cassandra.driverConfig or otk.database.properties should be provided
     # properties: {"localDataCenterName" : "DC1"}
+
+    # Update database connection properties during helm upgrade.
+    updateConnection: true
+
+    # If using existing non liquibase OTK DB then perform manual OTK DB upgrade and set 'changeLogSync' to true.
+    # This is a onetime activity to initialize liquibase related tables on OTK DB. Set to false for successive helm upgrade.
+    changeLogSync: false
+
     sql:
+
+      # If provided, used to create OTK schema and tables.
+      # ddlUsername:
+      # ddlPassword:
+
       # jdbcURL: jdbc:mysql://<host>:<port>/<database>
       jdbcURL:
-      jdbcDriverClass: com.l7tech.jdbc.mysql.MySQLDriver
+      jdbcDriverClass: com.mysql.jdbc.Driver
+      # Oracle database name or MySQL demo db name
+      databaseName: otk_db
+
+      # c3p0 connection properties.
+      # connectionProperties: {"c3p0.maxConnectionAge":"100","c3p0.maxIdleTime":"1000"}
+
+      # For mysql & oracle setup test clients
+      createTestClients: false
+      # Test clients redirect Url prefix. Required if createTestClients is true.
+      testClientsRedirectUrlPrefix:
+
+    cassandra:
+      # connectionPoints:
+      # port:
+      # keyspace:
+      # For Cassandra driverConfig is supported from GW 11.0. Either otk.database.cassandra.driverConfig or otk.database.properties should be provided
+      # driverConfig: {"localDataCenterName" : "DC1"}
+
+    # Optionally configure read only database connection for MySQL/Oracle.
+    readOnlyConnection:
+      enabled: false
+      # connectionName: OAuth_ReadOnly
+      # existingSecretName: otkReadOnlyDbSecret
+      # username: root
+      # password: 7layer
+      # properties: {"maximumPoolSize":15, "minimumPoolSize":3}
+      # connectionProperties: {"c3p0.maxConnectionAge":"100","c3p0.maxIdleTime":"1000"}
+
+      jdbcURL: jdbc:mysql://<host>:<port>/<database>
+      jdbcDriverClass: com.mysql.jdbc.Driver
       # Oracle database name
-      # databaseName:
-    # cassandra:
-    #   connectionPoints: localhost
-    #   port:
-    #   keyspace:
-    # For Cassandra driverConfig is supported from GW 11.0. Either otk.database.cassandra.driverConfig or otk.database.properties should be provided
-    #   driverConfig: {"localDataCenterName" : "DC1"}
+      databaseName:
 
   # Install OTK Health check bundle on gateway. Uses config map.
   # Alternatively the bundle can be loaded using config map external to helm (useExisting: true)
   # The bundle content can be found at https://github.com/CAAPIM/apim-charts/blob/stable/charts/gateway/bundles/otk-healthcheck.bundle
   healthCheckBundle:
-    enabled: true
+    enabled: false
     useExisting: false
     name: otk-health-check-bundle-config
 
   # OTK Specific configuration:
   # - The liveliness probe is not supported for OTK 4.6 & below versions.
   # - Only valid for SINGLE and INTERNAL OTK types. Not be enabled for a DMZ OTK type.
-  # - In a dual gateway OTK setup, it is recomended enable liveness probe after the pods restart.
-  # - Should be enabled after otk installation.
+  # - In a dual gateway OTK setup, it is recommended enable liveness probe after the pods restart.
+  # - Should be enabled after OTK installation.
   # - otk.livenessProbe.type as httpGet
   # - otk.livenessProbe.path /auth/oauth/health
   # - otk.livenessProbe.port 8443
@@ -577,13 +694,14 @@ otk:
     enabled: false
     type: httpGet
     httpGet:
-      path:
-      port:
+      path: /auth/oauth/health
+      port: 8443
+
   # OTK Specific configuration:
   # - The readinessProbe probe is not supported for OTK 4.6 & below versions.
   # - Only valid for SINGLE and INTERNAL OTK types. Not be enabled for a DMZ OTK type.
-  # - In a dual gateway OTK setup, it is recomended enable readiness probe after the pods restart.
-  # - Should be enabled after otk installation.
+  # - In a dual gateway OTK setup, it is recommended enable readiness probe after the pods restart.
+  # - Should be enabled after OTK installation.
   # - otk.readinessProbe.type as httpGet
   # - otk.readinessProbe.path /auth/oauth/health
   # - otk.readinessProbe.port 8443
@@ -592,8 +710,8 @@ otk:
     enabled: false
     type: httpGet
     httpGet:
-      path:
-      port:
+      path: /auth/oauth/health
+      port: 8443
 
 
 # This project does not currently support Google's GCE controller.
@@ -884,6 +1002,13 @@ mysql:
       port=3306
       socket=/opt/bitnami/mysql/tmp/mysql.sock
       pid-file=/opt/bitnami/mysql/tmp/mysqld.pid
+    persistence:
+      annotations:
+        helm.sh/hook: pre-install
+        helm.sh/hook-weight: "-10"
+  commonAnnotations:
+    helm.sh/hook: pre-install
+    helm.sh/hook-weight: "-10"
 
 # Settings for Hazelcast - https://github.com/hazelcast/charts/blob/master/stable/hazelcast/values.yaml
 # The Gateway currently supports Hazelcast 4.x & 5.x servers

charts/gateway/templates/_helpers.tpl

@@ -93,6 +93,15 @@ Create Image Pull Secret
 {{- end }}
 {{- end }}
 
+{{/*
+Create OTK Image Pull Secret
+*/}}
+{{- define "otkImagePullSecret" }}
+{{- if not .Values.otk.job.imagePullSecret.existingSecretName }}
+{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"auth\":\"%s\"}}}" .Values.otk.job.image.registry .Values.otk.job.imagePullSecret.username .Values.otk.job.imagePullSecret.password (printf "%s:%s" .Values.otk.job.imagePullSecret.username .Values.otk.job.imagePullSecret.password | b64enc) | b64enc }}
+{{- end }}
+{{- end }}
+
 {{/*
 Define Image Pull Secret Name
 */}}
@@ -104,6 +113,19 @@ Define Image Pull Secret Name
 {{- end -}}
 {{- end -}}
 
+{{/*
+Define OTK Image Pull Secret Name
+*/}}
+{{- define "otkImagePullSecretName" -}}
+{{- if .Values.otk.job.imagePullSecret.existingSecretName -}}
+    {{ .Values.otk.job.imagePullSecret.existingSecretName }}
+{{- else -}}
+    {{- printf "%s-%s" (include "gateway.fullname" .) "otk-image-pull-secret" -}}
+{{- end -}}
+{{- end -}}
+
+
+
 {{/*
  Define Gateway TLS Secret Name
  */}}
@@ -175,4 +197,47 @@ Define Image Pull Secret Name
 {{- else -}}
     {{- printf "%s-%s" (include "gateway.fullname" .) "otkdb-secret" -}}
 {{- end -}}
-{{- end -}}
+{{- end -}}
+
+{{/*
+ Define OTK database ReadOnly Connection Secret Name
+ */}}
+{{- define "otk.dbSecretName.readOnly" -}}
+{{- if .Values.otk.database.readOnlyConnection.existingSecretName -}}
+    {{ .Values.otk.database.readOnlyConnection.existingSecretName }}
+{{- else -}}
+    {{- printf "%s-%s" (include "gateway.fullname" .) "rconn-otkdb-secret" -}}
+{{- end -}}
+{{- end -}}
+{{/*
+ Define OTK install image pullSecret
+ */}}
+{{- define "otk.imagePullSecret" -}}
+{{- if .Values.otk.job.imagePullSecret.enabled -}}
+    {{- printf "%s" (include "otkImagePullSecretName" .) -}}
+{{- else -}}
+    {{- printf "%s" (include "gateway.imagePullSecret" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+ Define OTK install image
+ */}}
+{{- define "otk.image" -}}
+{{- if empty .Values.otk.job.image.registry -}}
+    {{- printf "%s/%s:%s" .Values.image.registry .Values.otk.job.image.repository .Values.otk.job.image.tag -}}
+{{- else -}}
+    {{- printf "%s/%s:%s" .Values.otk.job.image.registry .Values.otk.job.image.repository .Values.otk.job.image.tag -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+ Define OTK Restman host
+ */}}
+{{- define "otk.restmanhost" -}}
+{{- if empty .Values.otk.restmanHost -}}
+    {{- printf "%s" (include "gateway.fullname" .) -}}
+{{- else -}}
+    {{- printf "%s" .Values.otk.restmanHost -}}
+{{- end -}}
+{{- end -}}