From 9fabade72bc371b64efa5efe7cb6e2cff5aad4cf Mon Sep 17 00:00:00 2001 From: bhumi46 Date: Thu, 12 Mar 2026 00:52:05 +0530 Subject: [PATCH 01/28] [MOSIP-44613] updated profiles for helmsman and terrafrom 
Signed-off-by: bhumi46 --- .github/scripts/configure-backend.sh | 39 +- .github/workflows/helmsman_esignet.yml | 33 +- .github/workflows/helmsman_external.yml | 50 +- .github/workflows/helmsman_mosip.yml | 28 +- .github/workflows/helmsman_testrigs.yml | 28 +- .github/workflows/terraform-destroy.yml | 35 +- .github/workflows/terraform.yml | 33 +- Helmsman/dsf/esignet/esignet-dsf.yaml | 268 ++++ Helmsman/dsf/esignet/external-dsf.yaml | 290 +++++ Helmsman/dsf/{ => esignet}/prereq-dsf.yaml | 0 .../esignet-dsf.yaml | 0 .../external-dsf.yaml | 0 .../mosip-dsf.yaml | 0 .../dsf/mosip-platform-java11/prereq-dsf.yaml | 111 ++ .../testrigs-dsf.yaml | 0 .../mosip-platform-java21/esignet-dsf.yaml | 393 ++++++ .../mosip-platform-java21/external-dsf.yaml | 418 +++++++ .../dsf/mosip-platform-java21/mosip-dsf.yaml | 1110 +++++++++++++++++ .../dsf/mosip-platform-java21/prereq-dsf.yaml | 111 ++ .../mosip-platform-java21/testrigs-dsf.yaml | 182 +++ docs/profile-based-deployment.md | 266 ++++ .../aws/infra/profiles/esignet/aws.tfvars | 96 ++ .../aws/infra/profiles/mosip/aws.tfvars | 99 ++ 23 files changed, 3546 insertions(+), 44 deletions(-) create mode 100644 Helmsman/dsf/esignet/esignet-dsf.yaml create mode 100644 Helmsman/dsf/esignet/external-dsf.yaml rename Helmsman/dsf/{ => esignet}/prereq-dsf.yaml (100%) rename Helmsman/dsf/{ => mosip-platform-java11}/esignet-dsf.yaml (100%) rename Helmsman/dsf/{ => mosip-platform-java11}/external-dsf.yaml (100%) rename Helmsman/dsf/{ => mosip-platform-java11}/mosip-dsf.yaml (100%) create mode 100644 Helmsman/dsf/mosip-platform-java11/prereq-dsf.yaml rename Helmsman/dsf/{ => mosip-platform-java11}/testrigs-dsf.yaml (100%) create mode 100644 Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml create mode 100644 Helmsman/dsf/mosip-platform-java21/external-dsf.yaml create mode 100644 Helmsman/dsf/mosip-platform-java21/mosip-dsf.yaml create mode 100644 Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml create mode 100644 
Helmsman/dsf/mosip-platform-java21/testrigs-dsf.yaml create mode 100644 docs/profile-based-deployment.md create mode 100644 terraform/implementations/aws/infra/profiles/esignet/aws.tfvars create mode 100644 terraform/implementations/aws/infra/profiles/mosip/aws.tfvars diff --git a/.github/scripts/configure-backend.sh b/.github/scripts/configure-backend.sh index 0ddd61e3..44599e62 100755 --- a/.github/scripts/configure-backend.sh +++ b/.github/scripts/configure-backend.sh @@ -15,6 +15,7 @@ usage() { echo " -c, --component Component: base-infra, infra, observ-infra (required)" echo " -b, --branch Branch name for state key (required for remote)" echo " -r, --remote-config Remote backend config string (required for remote)" + echo " --profile Infrastructure profile (e.g., mosip, esignet) - included in state key" echo " --enable-locking Enable state locking (optional, for production)" echo " -h, --help Show this help message" echo "" @@ -44,6 +45,7 @@ CLOUD_PROVIDER="" COMPONENT="" BRANCH_NAME="" REMOTE_CONFIG="" +PROFILE="" ENABLE_LOCKING=false # Parse command line arguments @@ -73,6 +75,10 @@ while [[ $# -gt 0 ]]; do ENABLE_LOCKING=true shift ;; + --profile) + PROFILE="$2" + shift 2 + ;; -h|--help) usage exit 0 @@ -129,6 +135,7 @@ echo "=== MOSIP Terraform Backend Configuration ===" echo "Backend type: $BACKEND_TYPE" echo "Cloud provider: $CLOUD_PROVIDER" echo "Component: $COMPONENT" +echo "Profile: ${PROFILE:-none}" echo "Branch: $BRANCH_NAME" echo "=============================================" 
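Review bot: The new `--profile)` arm stores `$2` without any validation, yet the value is later spliced into the local state file name and into the S3/Azure/GCS state key; the workflows limit it to a `choice` list, but the script itself accepts any string, including one containing `/` or `..` that would turn the key into a different path. A character whitelist right after the assignment keeps the profile a single path component: `case "$PROFILE" in ''|*[!A-Za-z0-9_-]*) echo "Invalid --profile value: '$PROFILE'" >&2; exit 1 ;; esac`. That check also gives a clear error when the flag is passed without a value, where `shift 2` on a single remaining argument otherwise leaves `PROFILE` empty or, depending on shell options set elsewhere in the file, aborts with an unrelated message.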
@@ -137,11 +144,18 @@ create_local_backend() { local provider="$1" local component="$2" local branch="$3" + local profile="$4" # Include branch name for consistency and to avoid conflicts # Use 'local' as default branch name if not provided local branch_suffix="${branch:-local}" - local state_file="${provider}-${component}-${branch_suffix}-terraform.tfstate" + local profile="$3" + local state_file + if [ -n "$profile" ]; then + state_file="${provider}-${component}-${profile}-${branch_suffix}-terraform.tfstate" + else + state_file="${provider}-${component}-${branch_suffix}-terraform.tfstate" + fi echo "Configuring local backend..." echo "State file will be: $state_file" @@ -184,7 +198,12 @@ create_aws_backend() { region="$DYNAMIC_REGION" fi - local state_key="${CLOUD_PROVIDER}-${component}-${branch}-terraform.tfstate" + local state_key + if [ -n "$PROFILE" ]; then + state_key="${CLOUD_PROVIDER}-${component}-${PROFILE}-${branch}-terraform.tfstate" + else + state_key="${CLOUD_PROVIDER}-${component}-${branch}-terraform.tfstate" + fi echo "Configuring AWS S3 backend..." echo "Base bucket name: $bucket_base_name" @@ -251,7 +270,12 @@ create_azure_backend() { fi # Include branch name in state key to avoid conflicts - local state_key="${CLOUD_PROVIDER}-${component}-${branch}-terraform.tfstate" + local state_key + if [ -n "$PROFILE" ]; then + state_key="${CLOUD_PROVIDER}-${component}-${PROFILE}-${branch}-terraform.tfstate" + else + state_key="${CLOUD_PROVIDER}-${component}-${branch}-terraform.tfstate" + fi echo "Configuring Azure Storage backend..." echo "Resource Group: $resource_group" 
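Review bot: In `create_local_backend`, the added `local profile="$3"` that follows the `branch_suffix` line re-declares the parameter already captured by `local profile="$4"` at the top of the function, so `profile` ends up holding the branch name and any run with a branch produces a state file such as `aws-infra-main-main-terraform.tfstate` while the selected profile is silently dropped (the empty-branch case hides the bug because `$3` is then empty). Delete the `local profile="$3"` line; the `$4` declaration is the one that matches the four-argument call added to `main()` later in this diff. The function body continues outside the hunk.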
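Review bot: The `if [ -n "$PROFILE" ]` / `else` block that builds `state_key` in `create_aws_backend` is repeated verbatim in `create_azure_backend` (the next hunk on this line), again with a `terraform/` prefix in `create_gcp_backend` (`@@ -294`), and a fourth variant lives in `create_local_backend`; four copies of one naming rule will drift. A single optional segment removes the branching everywhere: `profile_segment="${PROFILE:+${PROFILE}-}"` followed by `state_key="${CLOUD_PROVIDER}-${component}-${profile_segment}${branch}-terraform.tfstate"`. It would also be worth making the remote variants take the profile as a parameter like `create_local_backend` does, rather than reading the global `PROFILE`, so all four have the same signature.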
@@ -294,7 +318,12 @@ create_gcp_backend() { fi # Include branch name in prefix to avoid conflicts - local state_prefix="terraform/${CLOUD_PROVIDER}-${component}-${branch}" + local state_prefix + if [ -n "$PROFILE" ]; then + state_prefix="terraform/${CLOUD_PROVIDER}-${component}-${PROFILE}-${branch}" + else + state_prefix="terraform/${CLOUD_PROVIDER}-${component}-${branch}" + fi echo "Configuring GCS backend..." echo "Bucket: $bucket_name" @@ -323,7 +352,7 @@ EOF # Main execution main() { if [ "$BACKEND_TYPE" = "local" ]; then - create_local_backend "$CLOUD_PROVIDER" "$COMPONENT" "$BRANCH_NAME" + create_local_backend "$CLOUD_PROVIDER" "$COMPONENT" "$BRANCH_NAME" "$PROFILE" elif [ "$BACKEND_TYPE" = "remote" ]; then # Parse remote configuration diff --git a/.github/workflows/helmsman_esignet.yml b/.github/workflows/helmsman_esignet.yml index 81c4b878..11f8d1ce 100644 --- a/.github/workflows/helmsman_esignet.yml +++ b/.github/workflows/helmsman_esignet.yml @@ -3,6 +3,15 @@ name: Deploy eSignet using Helmsman on: workflow_dispatch: inputs: + profile: + description: "Deployment profile to use" + required: true + default: "mosip-platform-java11" + type: choice + options: + - mosip-platform-java11 + - mosip-platform-java21 + - esignet mode: description: "Choose Helmsman mode: dry-run or apply" required: true @@ -23,7 +32,7 @@ on: type: boolean push: paths: - - Helmsman/dsf/esignet-dsf.yaml + - Helmsman/dsf/**/esignet-dsf.yaml jobs: deploy: 
@@ -92,7 +101,21 @@ jobs: echo "HELMSMAN_MODE=apply" >> $GITHUB_ENV else echo "HELMSMAN_MODE=${{ github.event.inputs.mode }}" >> $GITHUB_ENV - fi + fi + + - name: Set Profile + run: | + # Determine profile: from workflow input or detect from changed files on push + if [ -n "${{ github.event.inputs.profile }}" ]; then + PROFILE="${{ github.event.inputs.profile }}" + else + # Auto-detect profile from push trigger — extract profile dir name from changed files + CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} -- 'Helmsman/dsf/' 2>/dev/null || echo "") + PROFILE=$(echo "$CHANGED_FILES" | grep 'esignet-dsf.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') + PROFILE=${PROFILE:-mosip-platform-java11} + fi + echo "PROFILE=$PROFILE" >> $GITHUB_ENV + echo "📁 Using profile: $PROFILE" - name: Setup ufw firewall run: | @@ -151,7 +174,7 @@ jobs: kubectl cluster-info - name: Check if mosip-dsf label is completed - if: ${{ github.event.inputs.skip_mosip_dsf_check != 'true' && vars.ESIGNET_STANDALONE_MODE != 'true' }} + if: ${{ github.event.inputs.skip_mosip_dsf_check != 'true' && vars.ESIGNET_STANDALONE_MODE != 'true' && github.event.inputs.profile != 'esignet' }} run: | STATUS=$(kubectl get namespace default -o jsonpath='{.metadata.labels.mosip-dsf}' 2>/dev/null || echo "") if [[ "$STATUS" != "completed" ]]; then @@ -329,7 +352,8 @@ jobs: # Run helmsman with the determined mode # --keep-untracked-releases prevents deletion of releases managed by other DSF files (e.g., postgres-init from external-dsf) - helmsman --${HELMSMAN_MODE} --keep-untracked-releases -f $WORKDIR/dsf/esignet-dsf.yaml + echo "Using DSF: $WORKDIR/dsf/$PROFILE/esignet-dsf.yaml" + helmsman --${HELMSMAN_MODE} --keep-untracked-releases -f $WORKDIR/dsf/$PROFILE/esignet-dsf.yaml - name: Label namespace on successful deployment if: success() && env.HELMSMAN_MODE == 'apply' 
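Review bot: The auto-detect branch of the new `Set Profile` step keeps only the first changed `esignet-dsf.yaml` (`head -1`), so a push that edits that file in two profile directories deploys one profile and silently skips the other; at minimum log the discarded matches, or fail when `sort -u` of the extracted directory names yields more than one entry. The step also interpolates `${{ github.event.inputs.profile }}` directly into the shell script; the input is a `choice`, so the value set is fixed today, but the conventional form is to expose it via `env:` (`INPUT_PROFILE: ${{ github.event.inputs.profile }}`) and read `"$INPUT_PROFILE"` in the script, which stays safe if the input type is ever relaxed. The same two points apply to the `Set Profile` steps added to helmsman_mosip.yml and helmsman_testrigs.yml.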
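Review bot: The added condition `github.event.inputs.profile != 'esignet'` only sees the workflow_dispatch input, which is empty on a `push` run, so a push to `Helmsman/dsf/esignet/esignet-dsf.yaml` still waits for the `mosip-dsf` namespace label that a standalone eSignet cluster never receives. The `Set Profile` step already exports the resolved value, so compare against that instead: `env.PROFILE != 'esignet'`.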
@@ -343,6 +367,7 @@ jobs: echo "==================================" echo "eSignet Deployment Summary" echo "==================================" + echo "Profile: $PROFILE" echo "Mode: $HELMSMAN_MODE" echo "Branch: ${{ github.ref_name }}" echo "Commit: ${{ github.sha }}" diff --git a/.github/workflows/helmsman_external.yml b/.github/workflows/helmsman_external.yml index 7f2f0a8f..44fe3dd6 100644 --- a/.github/workflows/helmsman_external.yml +++ b/.github/workflows/helmsman_external.yml @@ -3,6 +3,15 @@ name: Deploy External services of mosip using Helmsman on: workflow_dispatch: inputs: + profile: + description: "Deployment profile to use" + required: true + default: "mosip-platform-java11" + type: choice + options: + - mosip-platform-java11 + - mosip-platform-java21 + - esignet mode: description: "Choose Helmsman mode: dry-run or apply" required: true @@ -10,11 +19,11 @@ on: type: choice options: - dry-run - - apply + - apply push: paths: - - Helmsman/dsf/prereq-dsf.yaml - - Helmsman/dsf/external-dsf.yaml + - Helmsman/dsf/**/prereq-dsf.yaml + - Helmsman/dsf/**/external-dsf.yaml permissions: actions: write @@ -33,9 +42,17 @@ jobs: - name: Generate workflow matrix id: set-matrix run: | + # Determine profile + if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then + PROFILE="${{ github.event.inputs.profile }}" + else + PROFILE="mosip-platform-java11" + fi + echo "Using profile: $PROFILE" + matrix_json='{"include":[]}' if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then - matrix_json='{"include":[{"dsf_files":"prereq-dsf.yaml","wg_conf":"wg0"},{"dsf_files":"external-dsf.yaml","wg_conf":"wg1"}]}' + matrix_json="{\"include\":[{\"dsf_files\":\"${PROFILE}/prereq-dsf.yaml\",\"wg_conf\":\"wg0\"},{\"dsf_files\":\"${PROFILE}/external-dsf.yaml\",\"wg_conf\":\"wg1\"}]}" else # Handle different event types properly if [[ "$GITHUB_EVENT_NAME" == "push" ]]; then 
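Review bot: In the push branch of `Generate workflow matrix`, `PROFILE` is hard-coded to `mosip-platform-java11`, while the matrix entries built later in the same step (the `@@ -52` hunk) are derived from whichever profile directories actually changed; the `PROFILE` output exported at the end of the step can therefore name a profile that is not the one being deployed. Either derive `PROFILE` from the same detection (and decide what it means when several profiles changed), or drop the output if nothing downstream consumes it — its consumer is not visible in this diff. The comment `# Determine profile` restates the code; a note on why the push case defaults to java11 would be more useful.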
@@ -52,15 +69,18 @@ jobs: changed_files=$(git diff --name-only "$base_sha" "$head_sha" -- 'Helmsman/dsf/' || echo "") entries=() - - # Check for exact file paths - if echo "$changed_files" | grep -qx 'Helmsman/dsf/prereq-dsf.yaml'; then - entries+=('{"dsf_files":"prereq-dsf.yaml","wg_conf":"wg0"}') - fi - - if echo "$changed_files" | grep -qx 'Helmsman/dsf/external-dsf.yaml'; then - entries+=('{"dsf_files":"external-dsf.yaml","wg_conf":"wg1"}') - fi + + # Dynamically detect changed profiles from file paths + changed_profiles=$(echo "$changed_files" | grep 'Helmsman/dsf/' | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|' | sort -u) + for profile_dir in $changed_profiles; do + if echo "$changed_files" | grep -q "Helmsman/dsf/${profile_dir}/prereq-dsf.yaml"; then + entries+=("{\"dsf_files\":\"${profile_dir}/prereq-dsf.yaml\",\"wg_conf\":\"wg0\"}") + fi + + if echo "$changed_files" | grep -q "Helmsman/dsf/${profile_dir}/external-dsf.yaml"; then + entries+=("{\"dsf_files\":\"${profile_dir}/external-dsf.yaml\",\"wg_conf\":\"wg1\"}") + fi + done if [ ${#entries[@]} -gt 0 ]; then matrix_json="{\"include\":[$(IFS=,; echo "${entries[*]}")]}" @@ -68,6 +88,7 @@ jobs: fi echo "matrix=$matrix_json" >> $GITHUB_OUTPUT + echo "PROFILE=$PROFILE" >> $GITHUB_OUTPUT deploy: runs-on: ubuntu-latest needs: set-matrix @@ -241,7 +262,8 @@ jobs: workflow-caller: runs-on: ubuntu-latest needs: deploy - if: ${{ github.event_name == 'workflow_dispatch' }} + # Only trigger MOSIP workflow for mosip-platform profiles, not for standalone esignet + if: ${{ github.event_name == 'workflow_dispatch' && startsWith(github.event.inputs.profile, 'mosip-platform-') }} steps: - name: Trigger helmsman mosip workflow via API env: diff --git a/.github/workflows/helmsman_mosip.yml b/.github/workflows/helmsman_mosip.yml index 242f0aef..d0aa9f9a 100644 --- a/.github/workflows/helmsman_mosip.yml +++ b/.github/workflows/helmsman_mosip.yml 
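Review bot: The rewritten detection loop dropped the `-x` that the removed lines used, so `grep -q "Helmsman/dsf/${profile_dir}/prereq-dsf.yaml"` now also matches any changed path that merely contains that string (a deeper directory or a suffixed copy); keep the exact-match semantics with `grep -qx -- "Helmsman/dsf/${profile_dir}/prereq-dsf.yaml"` and likewise for `external-dsf.yaml`. `for profile_dir in $changed_profiles` depends on word splitting of the `sort -u` output, which works for the directory names in this repository but deserves a `mapfile -t` or a `while read -r` loop if that assumption is to hold up.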
@@ -3,6 +3,14 @@ name: Deploy Mosip services of mosip using Helmsman on: workflow_dispatch: inputs: + profile: + description: "Choose MOSIP platform profile" + required: true + default: "mosip-platform-java11" + type: choice + options: + - mosip-platform-java11 + - mosip-platform-java21 mode: description: "Choose Helmsman mode: dry-run or apply" required: true @@ -13,7 +21,7 @@ on: - apply push: paths: - - Helmsman/dsf/mosip-dsf.yaml + - Helmsman/dsf/**/mosip-dsf.yaml jobs: deploy: @@ -63,6 +71,19 @@ jobs: echo "HELMSMAN_MODE=${{ github.event.inputs.mode }}" >> $GITHUB_ENV fi + - name: Set Profile + run: | + if [ -n "${{ github.event.inputs.profile }}" ]; then + echo "PROFILE=${{ github.event.inputs.profile }}" >> $GITHUB_ENV + else + # Auto-detect profile from push trigger — extract profile dir name from changed files + CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} -- 'Helmsman/dsf/' 2>/dev/null || echo "") + PROFILE=$(echo "$CHANGED_FILES" | grep 'mosip-dsf.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') + PROFILE=${PROFILE:-mosip-platform-java11} + echo "PROFILE=$PROFILE" >> $GITHUB_ENV + fi + echo "Using profile: $PROFILE" + - name: Setup ufw firewall run: | sudo ufw enable @@ -134,8 +155,9 @@ jobs: echo "Using kubectl: $(which kubectl)" echo "Using kubeconfig: $KUBECONFIG" - # Run helmsman with the determined mode - helmsman --${HELMSMAN_MODE} -f $WORKDIR/dsf/mosip-dsf.yaml + # Run helmsman with the determined mode and profile + echo "Using profile: $PROFILE" + helmsman --${HELMSMAN_MODE} -f $WORKDIR/dsf/${PROFILE}/mosip-dsf.yaml - name: Health Check MOSIP Pods run: | diff --git a/.github/workflows/helmsman_testrigs.yml b/.github/workflows/helmsman_testrigs.yml index 0dac8595..95f2be01 100644 --- a/.github/workflows/helmsman_testrigs.yml +++ b/.github/workflows/helmsman_testrigs.yml 
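Review bot: In the workflow_dispatch branch of the new `Set Profile` step, the profile is written to `$GITHUB_ENV` but never assigned to the shell variable `PROFILE`, so the trailing `echo "Using profile: $PROFILE"` prints an empty value on every manual run — the exported variable only becomes visible in later steps. Assign first and export once: `PROFILE="${{ github.event.inputs.profile }}"` in the `if` branch, and move `echo "PROFILE=$PROFILE" >> $GITHUB_ENV` after the `fi`, as the equivalent step in helmsman_esignet.yml already does. The identical step added to helmsman_testrigs.yml has the same defect.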
@@ -3,6 +3,14 @@ name: Deploy Testrigs of mosip using Helmsman on: workflow_dispatch: inputs: + profile: + description: "Choose MOSIP platform profile" + required: true + default: "mosip-platform-java11" + type: choice + options: + - mosip-platform-java11 + - mosip-platform-java21 mode: description: "Choose Helmsman mode: dry-run or apply" required: true @@ -13,7 +21,7 @@ on: - apply push: paths: - - Helmsman/dsf/testrigs-dsf.yaml + - Helmsman/dsf/**/testrigs-dsf.yaml jobs: deploy: @@ -63,6 +71,19 @@ jobs: echo "HELMSMAN_MODE=${{ github.event.inputs.mode }}" >> $GITHUB_ENV fi + - name: Set Profile + run: | + if [ -n "${{ github.event.inputs.profile }}" ]; then + echo "PROFILE=${{ github.event.inputs.profile }}" >> $GITHUB_ENV + else + # Auto-detect profile from push trigger — extract profile dir name from changed files + CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} -- 'Helmsman/dsf/' 2>/dev/null || echo "") + PROFILE=$(echo "$CHANGED_FILES" | grep 'testrigs-dsf.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') + PROFILE=${PROFILE:-mosip-platform-java11} + echo "PROFILE=$PROFILE" >> $GITHUB_ENV + fi + echo "Using profile: $PROFILE" + - name: Setup ufw firewall run: | sudo ufw enable @@ -134,5 +155,6 @@ jobs: echo "Using kubectl: $(which kubectl)" echo "Using kubeconfig: $KUBECONFIG" - # Run helmsman with the determined mode - helmsman --${HELMSMAN_MODE} -f $WORKDIR/dsf/testrigs-dsf.yaml \ No newline at end of file + # Run helmsman with the determined mode and profile + echo "Using profile: $PROFILE" + helmsman --${HELMSMAN_MODE} -f $WORKDIR/dsf/${PROFILE}/testrigs-dsf.yaml \ No newline at end of file diff --git a/.github/workflows/terraform-destroy.yml b/.github/workflows/terraform-destroy.yml index a4278f3b..3bc43842 100644 --- a/.github/workflows/terraform-destroy.yml +++ b/.github/workflows/terraform-destroy.yml 
@@ -18,7 +18,7 @@ name: terraform destroy # Prevent concurrent destroy runs for same component concurrency: - group: terraform-destroy-${{ github.event.inputs.CLOUD_PROVIDER }}-${{ github.event.inputs.TERRAFORM_COMPONENT }}-${{ github.ref_name }} + group: terraform-destroy-${{ github.event.inputs.CLOUD_PROVIDER }}-${{ github.event.inputs.TERRAFORM_COMPONENT }}-${{ github.event.inputs.INFRA_PROFILE }}-${{ github.ref_name }} cancel-in-progress: false on: @@ -41,6 +41,14 @@ on: - base-infra - observ-infra default: infra + INFRA_PROFILE: + description: 'Infrastructure profile (only for infra component — ignored for base-infra/observ-infra)' + required: false + type: choice + options: + - mosip + - esignet + default: mosip BACKEND_TYPE: description: 'Choose Terraform backend type (must match the one used during creation)' required: true @@ -105,11 +113,17 @@ jobs: exit 1 fi - # Check if tfvars file exists - if [ ! -f "${{ inputs.CLOUD_PROVIDER }}.tfvars" ]; then - echo "Configuration file '${{ inputs.CLOUD_PROVIDER }}.tfvars' not found in current directory." + # Check if tfvars file exists (profile-aware for infra component) + TFVARS_FILE="${{ inputs.CLOUD_PROVIDER }}.tfvars" + if [ "${{ inputs.TERRAFORM_COMPONENT }}" = "infra" ] && [ -n "${{ inputs.INFRA_PROFILE }}" ]; then + TFVARS_FILE="profiles/${{ inputs.INFRA_PROFILE }}/${{ inputs.CLOUD_PROVIDER }}.tfvars" + fi + if [ ! -f "$TFVARS_FILE" ]; then + echo "Configuration file '$TFVARS_FILE' not found in current directory." exit 1 fi + echo "TFVARS_FILE=$TFVARS_FILE" >> $GITHUB_ENV + echo "Using tfvars: $TFVARS_FILE" - name: Check Cloud Storage for Remote State (All Providers) run: | 
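Review bot: The concurrency group now includes `github.event.inputs.INFRA_PROFILE` for every component, but the profile only affects `infra` (both the tfvars path and the `--profile` argument later in this file are gated on `TERRAFORM_COMPONENT == 'infra'`), so two `base-infra` or `observ-infra` destroys that differ only in the profile selector fall into different groups and can run against the same state file at the same time. Fold the profile in only where it changes the state key, e.g. `group: terraform-destroy-${{ github.event.inputs.CLOUD_PROVIDER }}-${{ github.event.inputs.TERRAFORM_COMPONENT }}-${{ github.event.inputs.TERRAFORM_COMPONENT == 'infra' && github.event.inputs.INFRA_PROFILE || 'none' }}-${{ github.ref_name }}`. The `concurrency` change in terraform.yml needs the same treatment.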
@@ -169,13 +183,18 @@ jobs: - name: Configure Terraform Backend for State Management run: | # Use backend configuration script for cleaner code + PROFILE_ARG="" + if [ "${{ inputs.TERRAFORM_COMPONENT }}" = "infra" ] && [ -n "${{ inputs.INFRA_PROFILE }}" ]; then + PROFILE_ARG="--profile ${{ inputs.INFRA_PROFILE }}" + fi ../../../../.github/scripts/configure-backend.sh \ --type "${{ inputs.BACKEND_TYPE }}" \ --provider "${{ inputs.CLOUD_PROVIDER }}" \ --component "${{ inputs.TERRAFORM_COMPONENT }}" \ --branch "${{ github.ref_name }}" \ --remote-config "${{ inputs.REMOTE_BACKEND_CONFIG }}" \ - ${{ inputs.ENABLE_STATE_LOCKING == true && '--enable-locking' || '' }} + ${{ inputs.ENABLE_STATE_LOCKING == true && '--enable-locking' || '' }} \ + $PROFILE_ARG - name: Skip SSH Host key verification run: | @@ -348,20 +367,20 @@ jobs: fi - name: Terraform refresh - run: terraform refresh -input=false -var-file="${{ inputs.CLOUD_PROVIDER }}.tfvars" -no-color + run: terraform refresh -input=false -var-file="$TFVARS_FILE" -no-color if: "${{ inputs.TERRAFORM_DESTROY == true }}" - name: Terraform Destroy Plan id: destroy-plan run: | echo "Showing what will be destroyed..." - terraform plan -destroy -input=false -var-file="${{ inputs.CLOUD_PROVIDER }}.tfvars" -no-color + terraform plan -destroy -input=false -var-file="$TFVARS_FILE" -no-color if: "${{ inputs.TERRAFORM_DESTROY == true }}" continue-on-error: true - name: Terraform Destroy id: destroy - run: terraform destroy -input=false -var-file="${{ inputs.CLOUD_PROVIDER }}.tfvars" -no-color -auto-approve + run: terraform destroy -input=false -var-file="$TFVARS_FILE" -no-color -auto-approve if: "${{ inputs.TERRAFORM_DESTROY == true }}" continue-on-error: true diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index 9813bb54..d1f7d980 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml 
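Review bot: `$PROFILE_ARG` on the last line of the script invocation must stay unquoted so that `--profile <name>` splits into two arguments, which ShellCheck reports (SC2086) and which would break silently for a value containing whitespace; an array removes the trade-off: `PROFILE_ARGS=()` before the `if`, `PROFILE_ARGS=(--profile "${{ inputs.INFRA_PROFILE }}")` inside it, and `"${PROFILE_ARGS[@]}"` in the call. The identical block added to the `Configure Terraform Backend for State Management` step of terraform.yml should change with it.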
@@ -18,7 +18,7 @@ name: terraform plan / apply # Prevent concurrent runs for same component to avoid state conflicts concurrency: - group: terraform-${{ github.event.inputs.CLOUD_PROVIDER }}-${{ github.event.inputs.TERRAFORM_COMPONENT }}-${{ github.ref_name }} + group: terraform-${{ github.event.inputs.CLOUD_PROVIDER }}-${{ github.event.inputs.TERRAFORM_COMPONENT }}-${{ github.event.inputs.INFRA_PROFILE }}-${{ github.ref_name }} cancel-in-progress: false on: @@ -41,6 +41,14 @@ on: - infra - observ-infra default: infra + INFRA_PROFILE: + description: 'Infrastructure profile (only for infra component — ignored for base-infra/observ-infra)' + required: false + type: choice + options: + - mosip + - esignet + default: mosip BACKEND_TYPE: description: 'Choose Terraform backend type' required: true @@ -106,11 +114,17 @@ jobs: exit 1 fi - # Check if tfvars file exists - if [ ! -f "${{ inputs.CLOUD_PROVIDER }}.tfvars" ]; then - echo "Configuration file '${{ inputs.CLOUD_PROVIDER }}.tfvars' not found in current directory." + # Check if tfvars file exists (profile-aware for infra component) + TFVARS_FILE="${{ inputs.CLOUD_PROVIDER }}.tfvars" + if [ "${{ inputs.TERRAFORM_COMPONENT }}" = "infra" ] && [ -n "${{ inputs.INFRA_PROFILE }}" ]; then + TFVARS_FILE="profiles/${{ inputs.INFRA_PROFILE }}/${{ inputs.CLOUD_PROVIDER }}.tfvars" + fi + if [ ! -f "$TFVARS_FILE" ]; then + echo "Configuration file '$TFVARS_FILE' not found in current directory." exit 1 fi + echo "TFVARS_FILE=$TFVARS_FILE" >> $GITHUB_ENV + echo "Using tfvars: $TFVARS_FILE" - name: Setup Cloud Storage for Remote State (All Providers) run: | 
@@ -131,13 +145,18 @@ jobs: - name: Configure Terraform Backend for State Management run: | # Use backend configuration script for cleaner code + PROFILE_ARG="" + if [ "${{ inputs.TERRAFORM_COMPONENT }}" = "infra" ] && [ -n "${{ inputs.INFRA_PROFILE }}" ]; then + PROFILE_ARG="--profile ${{ inputs.INFRA_PROFILE }}" + fi ../../../../.github/scripts/configure-backend.sh \ --type "${{ inputs.BACKEND_TYPE }}" \ --provider "${{ inputs.CLOUD_PROVIDER }}" \ --component "${{ inputs.TERRAFORM_COMPONENT }}" \ --branch "${{ github.ref_name }}" \ --remote-config "${{ inputs.REMOTE_BACKEND_CONFIG }}" \ - ${{ inputs.ENABLE_STATE_LOCKING == true && '--enable-locking' || '' }} + ${{ inputs.ENABLE_STATE_LOCKING == true && '--enable-locking' || '' }} \ + $PROFILE_ARG - name: Skip SSH Host key verification run: | @@ -330,12 +349,12 @@ jobs: - name: Terraform Plan id: plan run: | - terraform plan -input=false -var-file="${{ inputs.CLOUD_PROVIDER }}.tfvars" -out ./tf-plan -no-color + terraform plan -input=false -var-file="$TFVARS_FILE" -out ./tf-plan -no-color continue-on-error: true - name: Terraform Apply id: apply - run: terraform apply -input=false -var-file="${{ inputs.CLOUD_PROVIDER }}.tfvars" -no-color -auto-approve + run: terraform apply -input=false -var-file="$TFVARS_FILE" -no-color -auto-approve if: "${{ inputs.TERRAFORM_APPLY == true }}" continue-on-error: true diff --git a/Helmsman/dsf/esignet/esignet-dsf.yaml b/Helmsman/dsf/esignet/esignet-dsf.yaml new file mode 100644 index 00000000..4ee9b61b --- /dev/null +++ b/Helmsman/dsf/esignet/esignet-dsf.yaml 
@@ -0,0 +1,268 @@ +# ============================================================================= +# eSignet Profile - eSignet Services DSF (Desired State File) +# ============================================================================= +# This DSF deploys eSignet v1.7.1 services for the standalone eSignet profile. +# +# Components (in priority order): +# 1. Keycloak Init (eSignet-specific clients and roles) +# 2. eSignet service v1.7.1 +# 3. OIDC UI v1.7.1 +# 4. Mock Identity System (optional, disabled by default) +# 5. Mock Relying Party Service (optional) +# 6. Mock Relying Party UI (optional) +# 7. Partner Onboarder (eSignet + Resident OIDC) +# 8. Demo OIDC Partner Onboarder +# +# Based on eSignet v1.7.1 deploy scripts: +# - install-esignet.sh +# - initialise-prereq.sh (keycloak-init) +# ============================================================================= + +helmDefaults: + tillerNamespace: kube-system + tillerless: true + install: true + +helmRepos: + bitnami: https://charts.bitnami.com/bitnami + mosip: https://mosip.github.io/mosip-helm + +namespaces: + esignet: + protected: false + keycloak: + protected: true + softhsm: + protected: false + redis: + protected: false + +apps: + # --------------------------------------------------------------------------- + # Keycloak Init for eSignet + # --------------------------------------------------------------------------- + # Creates eSignet-specific Keycloak clients and roles. + # Fetches existing client secrets from keycloak namespace if available. 
+ esignet-keycloak-init: + namespace: esignet + enabled: true + version: 12.0.2 + chart: mosip/keycloak-init + valuesFile: "$WORKDIR/utils/keycloak-init-values.yaml" + set: + keycloakExternalHost: "iam.sandbox.xyz.net" + keycloakInternalHost: "keycloak.keycloak" + clientSecrets[0].name: "$PMS_CLIENT_SECRET_KEY" + clientSecrets[0].secret: "$PMS_CLIENT_SECRET_VALUE" + clientSecrets[1].name: "$MPARTNER_DEFAULT_AUTH_SECRET_KEY" + clientSecrets[1].secret: "$MPARTNER_DEFAULT_AUTH_SECRET_VALUE" + timeout: 480 + priority: -14 + hooks: + preInstall: "$WORKDIR/hooks/esignet-preinstall-keycloak-init.sh" + postInstall: "$WORKDIR/hooks/esignet-postinstall-keycloak-init.sh" + + # --------------------------------------------------------------------------- + # Istio Addons for Keycloak (IAM) + # --------------------------------------------------------------------------- + istio-addons-iam: + namespace: keycloak + enabled: true + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/iam-istio-addons-0.1.0.tgz + set: + keycloakExternalHost: "iam.sandbox.xyz.net" + keycloakInternalHost: "keycloak.keycloak" + service: "keycloak" + wait: true + timeout: 1200 + priority: -13 + + # --------------------------------------------------------------------------- + # eSignet v1.7.1 + # --------------------------------------------------------------------------- + esignet: + namespace: esignet + enabled: true + version: 1.7.1 + chart: mosip/esignet + set: + image.repository: "mosipid/esignet" + image.tag: "1.7.1" + enable_insecure: "false" + extraEnvVarsCM[0]: "esignet-global" + extraEnvVarsCM[1]: "esignet-softhsm-share" + wait: true + timeout: 600 + priority: -12 + hooks: + preInstall: "$WORKDIR/hooks/esignet-preinstall.sh" + + # --------------------------------------------------------------------------- + # OIDC UI v1.7.1 + # --------------------------------------------------------------------------- + oidc-ui: + namespace: esignet + enabled: true + version: 1.7.1 + chart: mosip/oidc-ui + set: + 
istio.hosts[0]: "esignet.sandbox.xyz.net" + oidc_ui.oidc_service_host: "esignet.esignet" + oidc_ui.configmaps.oidc-ui.REACT_APP_API_BASE_URL: "http://esignet.esignet/v1/esignet" + oidc_ui.configmaps.oidc-ui.REACT_APP_SBI_DOMAIN_URI: "http://esignet.esignet" + timeout: 1200 + priority: -11 + hooks: + preInstall: "$WORKDIR/hooks/oidc-ui-preinstall.sh" + + # --------------------------------------------------------------------------- + # Mock Identity System (Optional) + # --------------------------------------------------------------------------- + # Enable for testing with mock identity data. + softhsm-mock-identity-system: + namespace: softhsm + enabled: false + version: 12.0.1 + chart: mosip/softhsm + valuesFile: "$WORKDIR/utils/softhsm-mock-identity-system-values.yaml" + wait: true + timeout: 480 + priority: -10 + hooks: + preInstall: "$WORKDIR/hooks/softhsm-mock-identity-system-preinstall.sh" + postInstall: "$WORKDIR/hooks/softhsm-mock-identity-system-postinstall.sh" + + mock-identity-system: + namespace: esignet + enabled: false + version: 0.9.3 + chart: mosip/mock-identity-system + set: + enable_insecure: "false" + extraEnvVarsCM[0]: "esignet-global" + extraEnvVarsCM[1]: "esignet-softhsm-share" + extraEnvVarsCM[2]: "softhsm-mock-identity-system-share" + timeout: 480 + priority: -9 + hooks: + preInstall: "$WORKDIR/hooks/mock-identity-system-preinstall.sh" + + # --------------------------------------------------------------------------- + # Mock Relying Party (Optional) + # --------------------------------------------------------------------------- + mock-relying-party-service: + namespace: esignet + enabled: false + version: 0.9.3 + chart: mosip/mock-relying-party-service + set: + mock_relying_party_service.ESIGNET_SERVICE_URL: "http://esignet.esignet/v1/esignet" + mock_relying_party_service.ESIGNET_AUD_URL: "https://esignet.sandbox.xyz.net/v1/esignet/oauth/v2/token" + enable_insecure: "false" + timeout: 480 + priority: -8 + hooks: + preInstall: 
"$WORKDIR/hooks/mock-relying-party-service-preinstall.sh" + + mock-relying-party-ui: + namespace: esignet + enabled: false + version: 0.9.3 + chart: mosip/mock-relying-party-ui + set: + mock_relying_party_ui.mock_relying_party_ui_service_host: "healthservices.sandbox.xyz.net" + mock_relying_party_ui.ESIGNET_UI_BASE_URL: "https://esignet.sandbox.xyz.net" + mock_relying_party_ui.MOCK_RELYING_PARTY_SERVER_URL: "https://healthservices.sandbox.xyz.net/mock-relying-party-service" + mock_relying_party_ui.REDIRECT_URI: "https://healthservices.sandbox.xyz.net/userprofile" + mock_relying_party_ui.REDIRECT_URI_REGISTRATION: "https://healthservices.sandbox.xyz.net/registration" + mock_relying_party_ui.SIGN_IN_BUTTON_PLUGIN_URL: "https://esignet.sandbox.xyz.net/plugins/sign-in-button-plugin.js" + istio.hosts[0]: "healthservices.sandbox.xyz.net" + wait: true + timeout: 480 + priority: -7 + hooks: + preInstall: "$WORKDIR/hooks/mock-relying-party-ui-preinstall.sh" + + # --------------------------------------------------------------------------- + # Partner Onboarders + # --------------------------------------------------------------------------- + esignet-resident-oidc-partner-onboarder: + namespace: esignet + enabled: false + version: 12.0.1 + chart: mosip/partner-onboarder + set: + onboarding.configmaps.s3.s3-host: "http://minio.minio:9000" + onboarding.configmaps.s3.s3-user-key: "admin" + onboarding.configmaps.s3.s3-region: "" + onboarding.configmaps.s3.s3-bucket-name: "onboarder" + onboarding.modules[0].name: "ida" + onboarding.modules[0].enabled: "false" + onboarding.modules[1].name: "print" + onboarding.modules[1].enabled: "false" + onboarding.modules[2].name: "abis" + onboarding.modules[2].enabled: "false" + onboarding.modules[3].name: "resident" + onboarding.modules[3].enabled: "false" + onboarding.modules[4].name: "mobileid" + onboarding.modules[4].enabled: "false" + onboarding.modules[5].name: "digitalcard" + onboarding.modules[5].enabled: "false" + 
onboarding.modules[6].name: "esignet" + onboarding.modules[6].enabled: "true" + onboarding.modules[7].name: "resident-oidc" + onboarding.modules[7].enabled: "true" + onboarding.modules[8].name: "demo-oidc" + onboarding.modules[8].enabled: "false" + onboarding.modules[9].name: "mimoto-keybinding" + onboarding.modules[9].enabled: "false" + wait: true + waitForJobs: true + timeout: 240 + priority: -6 + hooks: + preInstall: "$WORKDIR/hooks/esignet-partner-onboarder-preinstall.sh" + preUpgrade: "$WORKDIR/hooks/esignet-partner-onboarder-preinstall.sh" + postInstall: "$WORKDIR/hooks/esignet-partner-onboarder-postinstall.sh" + postUpgrade: "$WORKDIR/hooks/esignet-partner-onboarder-postinstall.sh" + + esignet-demo-oidc-partner-onboarder: + namespace: esignet + enabled: false + version: 12.0.1 + chart: mosip/partner-onboarder + set: + onboarding.modules[0].name: "ida" + onboarding.modules[0].enabled: "false" + onboarding.modules[1].name: "print" + onboarding.modules[1].enabled: "false" + onboarding.modules[2].name: "abis" + onboarding.modules[2].enabled: "false" + onboarding.modules[3].name: "resident" + onboarding.modules[3].enabled: "false" + onboarding.modules[4].name: "mobileid" + onboarding.modules[4].enabled: "false" + onboarding.modules[5].name: "digitalcard" + onboarding.modules[5].enabled: "false" + onboarding.modules[6].name: "esignet" + onboarding.modules[6].enabled: "false" + onboarding.modules[7].name: "resident-oidc" + onboarding.modules[7].enabled: "false" + onboarding.modules[8].name: "demo-oidc" + onboarding.modules[8].enabled: "true" + onboarding.modules[9].name: "mimoto-keybinding" + onboarding.modules[9].enabled: "false" + onboarding.configmaps.s3.s3-host: "http://minio.minio:9000" + onboarding.configmaps.s3.s3-user-key: "admin" + onboarding.configmaps.s3.s3-region: "" + onboarding.configmaps.s3.s3-bucket-name: "onboarder" + wait: true + waitForJobs: true + timeout: 240 + priority: -5 + hooks: + preInstall: 
"$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-preinstall.sh" + preUpgrade: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-preinstall.sh" + postInstall: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-postinstall.sh" + postUpgrade: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-postinstall.sh" diff --git a/Helmsman/dsf/esignet/external-dsf.yaml b/Helmsman/dsf/esignet/external-dsf.yaml new file mode 100644 index 00000000..8db7b775 --- /dev/null +++ b/Helmsman/dsf/esignet/external-dsf.yaml 
@@ -0,0 +1,290 @@ +# ============================================================================= +# eSignet Profile - External Services DSF (Desired State File) +# ============================================================================= +# This DSF deploys only the external/infrastructure services required for +# standalone eSignet v1.7.1 deployment (without full MOSIP platform). +# +# Components: +# - PostgreSQL (optional, disabled by default if using external DB) +# - PostgreSQL Init (eSignet DB only - v1.7.1 branch) +# - Redis +# - Kafka + Kafka UI +# - SoftHSM for eSignet +# - Keycloak (for IAM / API access control) +# - Captcha validation service +# - Istio addons for service exposure +# +# Based on eSignet v1.7.1 deploy scripts: +# - install-prereq.sh +# - initialise-prereq.sh +# ============================================================================= + +helmDefaults: + tillerNamespace: kube-system + tillerless: true + install: true + +helmRepos: + bitnami: https://charts.bitnami.com/bitnami + mosip: https://mosip.github.io/mosip-helm + kafka-ui: https://provectus.github.io/kafka-ui-charts + +namespaces: + postgres: + protected: true + keycloak: + protected: true + softhsm: + protected: false + redis: + protected: false + kafka: + protected: false + captcha: + protected: false + esignet: + protected: false + +apps: + # --------------------------------------------------------------------------- + # PostgreSQL Server + # --------------------------------------------------------------------------- + # Disabled by default - enable if deploying a new PostgreSQL instance. + # If using an external PostgreSQL, keep disabled and configure via + # generate-secret-cm.py or manual secret/configmap creation. 
+ postgres: + namespace: postgres + enabled: false + version: 13.1.5 + chart: bitnami/postgresql + wait: true + priority: -18 + valuesFile: "$WORKDIR/utils/postgres-values.yaml" + timeout: 1200 + + istio-addons-psql: + namespace: postgres + enabled: true + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/postgres-istio-addons-0.1.0.tgz + set: + postgresHost: "postgres.sandbox.xyz.net" + wait: true + priority: -17 + timeout: 1200 + + # --------------------------------------------------------------------------- + # PostgreSQL Init - eSignet Database Only + # --------------------------------------------------------------------------- + # Only initializes the mosip_esignet database (v1.7.1 branch). + # All other MOSIP databases are disabled since this is a standalone eSignet. + postgres-init-esignet: + namespace: esignet + enabled: true + version: 12.0.1 + chart: mosip/postgres-init + set: + dbUserPasswords.dbuserPassword: "$DB_USER_PASSWORD" + # Disable all MOSIP platform databases + databases.mosip_toolkit.enabled: "false" + databases.mosip_master.enabled: "false" + databases.mosip_audit.enabled: "false" + databases.mosip_keymgr.enabled: "false" + databases.mosip_kernel.enabled: "false" + databases.mosip_idmap.enabled: "false" + databases.mosip_prereg.enabled: "false" + databases.mosip_idrepo.enabled: "false" + databases.mosip_ida.enabled: "false" + databases.mosip_credential.enabled: "false" + databases.mosip_regprc.enabled: "false" + databases.mosip_regdevice.enabled: "false" + databases.mosip_authdevice.enabled: "false" + databases.mosip_pms.enabled: "false" + databases.mosip_hotlist.enabled: "false" + databases.mosip_resident.enabled: "false" + databases.mosip_digitalcard.enabled: "false" + # Enable eSignet database with v1.7.1 branch + databases.mosip_esignet.enabled: "true" + databases.mosip_esignet.branch: "v1.7.1" + databases.mosip_esignet.host: "postgres.sandbox.xyz.net" + databases.mosip_esignet.port: 5433 + databases.mosip_esignet.dml: 1 + # Mock 
identity system DB - disabled by default + databases.mosip_mockidentitysystem.enabled: "false" + databases.mosip_mockidentitysystem.branch: "v0.9.3" + databases.mosip_mockidentitysystem.host: "postgres.sandbox.xyz.net" + databases.mosip_mockidentitysystem.repoUrl: "https://github.com/mosip/esignet-mock-services.git" + databases.mosip_mockidentitysystem.port: 5433 + databases.mosip_mockidentitysystem.dml: 1 + wait: true + timeout: 180 + priority: -16 + hooks: + preInstall: "$WORKDIR/hooks/esignet-init-db.sh" + + # --------------------------------------------------------------------------- + # Redis + # --------------------------------------------------------------------------- + redis: + namespace: redis + enabled: true + version: 17.3.14 + chart: bitnami/redis + set: + image.repository: "mosipid/redis" + image.tag: "7.0.5-debian-11-r25" + image.pullPolicy: "Always" + wait: true + timeout: 480 + priority: -16 + hooks: + postInstall: "$WORKDIR/hooks/redis-setup.sh" + + # --------------------------------------------------------------------------- + # Kafka + # --------------------------------------------------------------------------- + kafka: + namespace: kafka + enabled: true + version: 18.3.1 + chart: bitnami/kafka + set: + image.repository: "mosipid/kafka" + image.tag: "3.2.1-debian-11-r9" + zookeeper.image.repository: "mosipid/zookeeper" + zookeeper.image.tag: "3.8.0-debian-11-r30" + clusterDomain: "cluster.local" + logRetentionBytes: "_1073741824" + defaultReplicationFactor: "3" + offsetsTopicReplicationFactor: "3" + transactionStateLogReplicationFactor: "3" + numPartitions: "20" + replicaCount: "5" + autoCreateTopicsEnable: "true" + deleteTopicEnable: "true" + persistence.enabled: "true" + persistence.accessModes[0]: "ReadWriteOnce" + persistence.size: "8Gi" + zookeeper.enabled: "true" + zookeeper.replicaCount: "5" + zookeeper.persistence.enabled: "true" + zookeeper.persistence.size: "2Gi" + resources.requests.cpu: "200m" + resources.requests.memory: "2000Mi" + 
startupProbe.enabled: "true" + startupProbe.initialDelaySeconds: "30" + startupProbe.periodSeconds: "10" + startupProbe.timeoutSeconds: "1" + startupProbe.failureThreshold: "30" + startupProbe.successThreshold: "1" + wait: true + timeout: 1200 + priority: -15 + + kafka-ui: + namespace: kafka + enabled: true + version: 0.4.2 + chart: kafka-ui/kafka-ui + set: + envs.config.KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: "kafka.kafka:9092" + envs.config.KAFKA_CLUSTERS_0_NAME: "main_kafka" + envs.config.KAFKA_CLUSTERS_0_ZOOKEEPER: "kafka-zookeeper.kafka:2181" + image.pullPolicy: "Always" + wait: true + timeout: 1200 + priority: -14 + + istio-addons-kafka: + namespace: kafka + enabled: true + version: 1.2.0 + chart: $WORKDIR/utils/istio-addons/kafka-istio-addons-1.2.0.tgz + set: + kafkaUiHost: "kafka.sandbox.xyz.net" + installName: "kafka-ui" + wait: true + timeout: 1200 + priority: -13 + + # --------------------------------------------------------------------------- + # SoftHSM for eSignet + # --------------------------------------------------------------------------- + # Note: v1.7.1 deploy scripts install softhsm in esignet namespace, + # but for consistency with existing hooks, we keep it in softhsm namespace. + softhsm-esignet: + namespace: softhsm + enabled: true + version: 12.0.1 + chart: mosip/softhsm + valuesFile: "$WORKDIR/utils/softhsm-esignet-values.yaml" + timeout: 480 + priority: -12 + hooks: + preInstall: "$WORKDIR/hooks/softhsm-esignet-setup.sh" + postInstall: "$WORKDIR/hooks/softhsm-esignet-postinstall.sh" + + # --------------------------------------------------------------------------- + # Keycloak (IAM for API Access Control) + # --------------------------------------------------------------------------- + # Keycloak is optional for eSignet standalone. Enable if you need + # API access control for eSignet client management APIs. 
+ keycloak: + namespace: keycloak + enabled: true + version: 7.1.18 + chart: mosip/keycloak + set: + image.repository: "mosipid/mosip-artemis-keycloak" + image.tag: "1.2.0.2" + image.pullPolicy: "Always" + postgresql.image.registry: "docker.io" + postgresql.image.repository: "mosipid/postgresql" + postgresql.image.tag: "14.2.0-debian-10-r70" + service.type: "ClusterIP" + auth.adminUser: "admin" + extraEnvVars[0].name: "KEYCLOAK_EXTRA_ARGS" + extraEnvVars[0].value: "-Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled" + ingress.enabled: "false" + ingress.hostname: "" + ingress.annotations.ingress\.kubernetes\.io/class: "nginx" + proxyAddressForwarding: "true" + replicaCount: "1" + serviceDiscovery.enabled: "true" + resources.requests.cpu: "200m" + resources.requests.memory: "1000Mi" + rbac.create: "true" + rbac.rules[0].apiGroups[0]: "" + rbac.rules[0].resources[0]: "pods" + rbac.rules[0].verbs[0]: "get" + rbac.rules[0].verbs[1]: "list" + wait: true + timeout: 1200 + priority: -11 + + istio-addons-iam: + namespace: keycloak + enabled: true + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/iam-istio-addons-0.1.0.tgz + set: + keycloakExternalHost: "iam.sandbox.xyz.net" + keycloakInternalHost: "keycloak.keycloak" + service: "keycloak" + wait: true + timeout: 1200 + priority: -10 + + # --------------------------------------------------------------------------- + # Captcha Validation Service + # --------------------------------------------------------------------------- + captcha: + namespace: captcha + enabled: true + version: 0.1.0-beta.1 + chart: mosip/captcha + set: + metrics.serviceMonitor.enabled: "false" + wait: true + timeout: 480 + priority: -9 diff --git a/Helmsman/dsf/prereq-dsf.yaml b/Helmsman/dsf/esignet/prereq-dsf.yaml similarity index 100% rename from Helmsman/dsf/prereq-dsf.yaml rename to Helmsman/dsf/esignet/prereq-dsf.yaml 
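Review bot: The `keycloak` release sets `-Dkeycloak.profile.feature.upload_scripts=enabled` in `KEYCLOAK_EXTRA_ARGS` with no comment saying which MOSIP component depends on it; upstream Keycloak ships that feature disabled and has deprecated it because it lets any caller holding the admin role push JavaScript providers into the server process through the admin API, so it widens what a leaked admin credential can do. If the keycloak-init hooks rely on uploaded scripts, document that on the line, e.g. `# upload_scripts needed by <component> — TODO confirm; remove once script providers ship in the image`, otherwise drop the flag and keep only the token_exchange/admin_fine_grained_authz features. The identical argument list appears in the `keycloak` block of the Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml hunk below, so the same note applies there. Separately, the header comment for this block says Keycloak is optional and should be enabled only when API access control is needed, yet the release is `enabled: true`; one of the two should change so the profile's intent is unambiguous.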
diff --git a/Helmsman/dsf/esignet-dsf.yaml b/Helmsman/dsf/mosip-platform-java11/esignet-dsf.yaml
similarity index 100%
rename from Helmsman/dsf/esignet-dsf.yaml
rename to Helmsman/dsf/mosip-platform-java11/esignet-dsf.yaml
diff --git a/Helmsman/dsf/external-dsf.yaml b/Helmsman/dsf/mosip-platform-java11/external-dsf.yaml
similarity index 100%
rename from Helmsman/dsf/external-dsf.yaml
rename to Helmsman/dsf/mosip-platform-java11/external-dsf.yaml
diff --git a/Helmsman/dsf/mosip-dsf.yaml b/Helmsman/dsf/mosip-platform-java11/mosip-dsf.yaml
similarity index 100%
rename from Helmsman/dsf/mosip-dsf.yaml
rename to Helmsman/dsf/mosip-platform-java11/mosip-dsf.yaml
diff --git a/Helmsman/dsf/mosip-platform-java11/prereq-dsf.yaml b/Helmsman/dsf/mosip-platform-java11/prereq-dsf.yaml
new file mode 100644
index 00000000..4dcb4620
--- /dev/null
+++ b/Helmsman/dsf/mosip-platform-java11/prereq-dsf.yaml
@@ -0,0 +1,111 @@ +helmDefaults: + tillerNamespace: kube-system + tillerless: true + install: true + +helmRepos: + bitnami: https://charts.bitnami.com/bitnami + mosip: https://mosip.github.io/mosip-helm + banzaicloud-stable: https://charts.helm.sh/stable + +# Note: Based on your requirement disable the namespaces which you want to use, by default all the namespaces are protected. +namespaces: + kube-system: + protected: true + cattle-monitoring-system: + protected: true + cattle-logging-system: + protected: true + istio-system: + protected: true + istio-operator: + protected: true + httpbin: + protected: true + +apps: + rancher-monitoring-crd: + namespace: cattle-monitoring-system + enabled: true + version: 103.1.1+up45.31.1 + chart: mosip/rancher-monitoring-crd + wait: true + timeout: 900 + priority: -6 + hooks: + postInstall: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net " + postUpgrade: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net " + + rancher-monitoring: + namespace: cattle-monitoring-system + enabled: false + version: 103.1.0+up45.31.1 + chart: mosip/rancher-monitoring + set: + grafana.global.cattle.clusterId: "" + global.cattle.clusterId: "" + wait: true + valuesFile: "$WORKDIR/utils/monitoring_values.yaml" + priority: -5 + timeout: 600 + hooks: + postInstall: "$WORKDIR/hooks/alerting-setup.sh " + + elasticsearch: + namespace: cattle-logging-system + enabled: true + version: 17.9.25 + chart: mosip/elasticsearch + set: + image.repository: "mosipint/elasticsearch" + image.tag: "7.17.2-debian-10-r4" + # Kibana configuration and image + global.kibanaEnabled: "true" + kibana.image.repository: "mosipid/kibana" + kibana.image.tag: "7.17.2-debian-10-r0" + kibana.image.pullPolicy: IfNotPresent + data.heapSize: "728m" + data.persistence.enabled: "true" + data.persistence.size: "64Gi" + data.resources.requests.memory: "512Mi" + master.heapSize: "1024m" + master.persistence.enabled: "true" + master.persistence.size: "4Gi" + 
master.resources.requests.memory: "728Mi" + kibana.persistence.enabled: "false" + sysctlImage.repository: "mosipid/os-shell" + sysctlImage.tag: "12-debian-12-r46" + wait: true + timeout: 900 + priority: -4 + + istio-addons-logging: + namespace: cattle-logging-system + enabled: true + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/logging-istio-addons-0.1.0.tgz + set: + kibanaHost: "kibana.sandbox.xyz.net" + installName: "elasticsearch-kibana" + wait: true + priority: -3 + + rancher-logging-crd: + namespace: cattle-logging-system + enabled: true + version: 103.1.1+up4.4.0 + chart: mosip/rancher-logging-crd + wait: true + priority: -2 + + rancher-logging: + namespace: cattle-logging-system + enabled: true + version: 103.1.1+up4.4.0 + chart: mosip/rancher-logging + valuesFile: "$WORKDIR/utils/rancher-loggig-values.yaml" + wait: true + priority: -1 + timeout: 1200 + hooks: + postInstall: "$WORKDIR/hooks/post_logging-setup.sh" diff --git a/Helmsman/dsf/testrigs-dsf.yaml b/Helmsman/dsf/mosip-platform-java11/testrigs-dsf.yaml similarity index 100% rename from Helmsman/dsf/testrigs-dsf.yaml rename to Helmsman/dsf/mosip-platform-java11/testrigs-dsf.yaml diff --git a/Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml new file mode 100644 index 00000000..a08deb26 --- /dev/null +++ b/Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml 
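Review bot: The `elasticsearch` release pulls `image.repository: "mosipint/elasticsearch"` while every other image in this file (Kibana, os-shell) and in the sibling DSFs comes from the `mosipid` org, so the logging layer of this profile would run an image from a different publisher than the rest of the platform. If `mosipint` is deliberately the source of the `7.17.2-debian-10-r4` build, say so on the line (`# mosipint: <reason> — TODO confirm`); otherwise switch it to `mosipid/elasticsearch` so the supply-chain trust boundary stays one org. Where the charts accept it, pinning these images by digest rather than mutable tag would also make the prereq layer reproducible across runs. Minor: `valuesFile: "$WORKDIR/utils/rancher-loggig-values.yaml"` looks misspelled — fine if that is the real filename under utils/, otherwise the `rancher-logging` release will fail when Helmsman loads its values.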
@@ -0,0 +1,393 @@ +helmDefaults: + tillerNamespace: kube-system + tillerless: true + install: true + +helmRepos: + bitnami: https://charts.bitnami.com/bitnami + mosip: https://mosip.github.io/mosip-helm + +namespaces: + postgres: + protected: true + esignet: + protected: false + keycloak: + protected: true + softhsm: + protected: false + redis: + protected: false + artifactory-1202: + protected: false +apps: + postgres: + namespace: postgres + enabled: false + version: 13.1.5 + chart: bitnami/postgresql + wait: true + priority: -18 + valuesFile: "$WORKDIR/utils/postgres-values.yaml" + timeout: 480 + + istio-addons-psql: + namespace: postgres + enabled: false + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/postgres-istio-addons-0.1.0.tgz + set: + postgresHost: "postgres.sandbox.xyz.net" + wait: true + priority: -17 + timeout: 1200 + + postgres-init-esignet: + namespace: esignet + enabled: true + version: 12.0.1 + chart: mosip/postgres-init + set: + # DB_USER_PASSWORD env var is fetched from postgres namespace in GH Actions + # and masked automatically by GitHub Actions runner + dbUserPasswords.dbuserPassword: "$DB_USER_PASSWORD" + databases.mosip_toolkit.enabled: "false" + databases.mosip_master.enabled: "false" + databases.mosip_audit.enabled: "false" + databases.mosip_keymgr.enabled: "false" + databases.mosip_kernel.enabled: "false" + databases.mosip_idmap.enabled: "false" + databases.mosip_prereg.enabled: "false" + databases.mosip_idrepo.enabled: "false" + databases.mosip_ida.enabled: "false" + databases.mosip_credential.enabled: "false" + databases.mosip_regprc.enabled: "false" + databases.mosip_regdevice.enabled: "false" + databases.mosip_authdevice.enabled: "false" + databases.mosip_pms.enabled: "false" + databases.mosip_hotlist.enabled: "false" + databases.mosip_resident.enabled: "false" + databases.mosip_digitalcard.enabled: "false" + # Enable BOTH esignet and mockidentitysystem databases + databases.mosip_esignet.enabled: "true" + 
databases.mosip_esignet.branch: "v1.4.1" + databases.mosip_esignet.host: "postgres.sandbox.xyz.net" + databases.mosip_esignet.port: 5433 + databases.mosip_esignet.dml: 1 + databases.mosip_mockidentitysystem.enabled: "false" + databases.mosip_mockidentitysystem.branch: "v0.9.3" + databases.mosip_mockidentitysystem.host: "postgres.sandbox.xyz.net" + databases.mosip_mockidentitysystem.repoUrl: "https://github.com/mosip/esignet-mock-services.git" + databases.mosip_mockidentitysystem.port: 5433 + databases.mosip_mockidentitysystem.dml: 1 + wait: true + timeout: 180 + priority: -16 + hooks: + preInstall: "$WORKDIR/hooks/esignet-init-db.sh" + + redis: + namespace: redis + enabled: true + version: 17.3.14 + chart: bitnami/redis + wait: true + timeout: 480 + priority: -16 + set: + image.repository: "mosipid/redis" + image.tag: "7.0.5-debian-11-r25" + hooks: + postInstall: "$WORKDIR/hooks/redis-setup.sh" + + softhsm-esignet: + namespace: softhsm + enabled: true + version: 12.0.1 + chart: mosip/softhsm + valuesFile: "$WORKDIR/utils/softhsm-esignet-values.yaml" + timeout: 480 + priority: -15 + hooks: + preInstall: "$WORKDIR/hooks/softhsm-esignet-setup.sh" + postInstall: "$WORKDIR/hooks/softhsm-esignet-postinstall.sh" + + keycloak: + namespace: keycloak + enabled: false + protected: true # Prevent Helmsman from deleting this release + version: 7.1.18 + chart: mosip/keycloak + set: + image.repository: "mosipid/mosip-artemis-keycloak" + image.tag: "1.2.0.2" + image.pullPolicy: "Always" + # Override Postgres image + postgresql.image.registry: "docker.io" + postgresql.image.repository: "mosipid/postgresql" + postgresql.image.tag: "14.2.0-debian-10-r70" + service.type: "ClusterIP" + auth.adminUser: "admin" + extraEnvVars[0].name: "KEYCLOAK_EXTRA_ARGS" + extraEnvVars[0].value: "-Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled" + ingress.enabled: "false" + ingress.hostname: 
"" + ingress.annotations.ingress\.kubernetes\.io/class: "nginx" + proxyAddressForwarding: "true" + replicaCount: "1" + serviceDiscovery.enabled: "true" + # resources.limits.cpu: "250m" + # resources.limits.memory: "1Gi" + resources.requests.cpu: "200m" + resources.requests.memory: "1000Mi" + rbac.create: "true" + rbac.rules[0].apiGroups[0]: "" + rbac.rules[0].resources[0]: "pods" + rbac.rules[0].verbs[0]: "get" + rbac.rules[0].verbs[1]: "list" + wait: true + timeout: 600 + priority: -14 + + istio-addons-iam: + namespace: keycloak + enabled: true + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/iam-istio-addons-0.1.0.tgz + set: + keycloakExternalHost: "iam.sandbox.xyz.net" + keycloakInternalHost: "keycloak.keycloak" + service: "keycloak" + wait: true + timeout: 1200 + priority: -13 + + esignet-keycloak-init: + namespace: esignet + enabled: true + version: 12.0.2 + chart: mosip/keycloak-init + valuesFile: "$WORKDIR/utils/keycloak-init-values.yaml" + set: + # image.repository: "mosipid/keycloak-init" + # image.tag: "1.2.0.1" + keycloakExternalHost: "iam.sandbox.xyz.net" + keycloakInternalHost: "keycloak.keycloak" + clientSecrets[0].name: "$PMS_CLIENT_SECRET_KEY" + clientSecrets[0].secret: "$PMS_CLIENT_SECRET_VALUE" + clientSecrets[1].name: "$MPARTNER_DEFAULT_AUTH_SECRET_KEY" + clientSecrets[1].secret: "$MPARTNER_DEFAULT_AUTH_SECRET_VALUE" + timeout: 480 + priority: -12 + hooks: + preInstall: "$WORKDIR/hooks/esignet-preinstall-keycloak-init.sh" + postInstall: "$WORKDIR/hooks/esignet-postinstall-keycloak-init.sh" + + artifactory-1202: + namespace: artifactory-1202 + enabled: true + version: 12.0.2 + chart: mosip/artifactory + # set: + # image.repository: "mosipid/artifactory-server" + # image.tag: "1.4.1-ES" + wait: true + timeout: 1200 + priority: -12 + hooks: + # For fresh installations + preInstall: "kubectl label ns artifactory-1202 istio-injection=enabled --overwrite" + + esignet: + namespace: esignet + enabled: true + version: 1.4.1 + chart: mosip/esignet + 
set: + # image.repository: "mosipid/esignet" + # image.tag: "1.4.1" + # Set to true if you don't have public domain & valid SSL (development only) + enable_insecure: "false" + extraEnvVarsCM[0]: "global" + extraEnvVarsCM[1]: "config-server-share" + extraEnvVarsCM[2]: "artifactory-1202-share" + extraEnvVarsCM[3]: "softhsm-esignet-share" + wait: true + timeout: 600 + priority: -11 + hooks: + preInstall: "$WORKDIR/hooks/esignet-preinstall.sh" + + oidc-ui: + namespace: esignet + enabled: true + version: 1.4.1 + chart: mosip/oidc-ui + set: + istio.hosts[0]: "esignet.sandbox.xyz.net" + extraEnvVarsCM[0]: "global" + extraEnvVarsCM[1]: "config-server-share" + extraEnvVarsCM[2]: "artifactory-share" + extraEnvVarsCM[3]: "softhsm-esignet-share" + extraEnvVarsCM[4]: "oidc-ui" + # image.repository: "mosipid/esignet" + # image.tag: "1.4.1" + timeout: 1200 + priority: -10 + hooks: + preInstall: "$WORKDIR/hooks/oidc-ui-preinstall.sh" + + softhsm-mock-identity-system: + namespace: softhsm + enabled: false + version: 12.0.1 + chart: mosip/softhsm + valuesFile: "$WORKDIR/utils/softhsm-mock-identity-system-values.yaml" + wait: true + timeout: 480 + priority: -9 + hooks: + preInstall: "$WORKDIR/hooks/softhsm-mock-identity-system-preinstall.sh" + postInstall: "$WORKDIR/hooks/softhsm-mock-identity-system-postinstall.sh" + + mock-identity-system: + namespace: esignet + enabled: false + version: 0.9.3 + chart: mosip/mock-identity-system + set: + # Set to true if you don't have public domain & valid SSL (development only) + enable_insecure: "false" + extraEnvVarsCM[0]: "global" + extraEnvVarsCM[1]: "config-server-share" + extraEnvVarsCM[2]: "artifactory-1202-share" + extraEnvVarsCM[3]: "softhsm-mock-identity-system-share" + timeout: 480 + priority: -8 + hooks: + preInstall: "$WORKDIR/hooks/mock-identity-system-preinstall.sh" + + mock-relying-party-service: + namespace: esignet + enabled: true + version: 0.9.3 + chart: mosip/mock-relying-party-service + set: + # eSignet service URL 
(internal) + mock_relying_party_service.ESIGNET_SERVICE_URL: "http://esignet.esignet/v1/esignet" + # eSignet AUD URL (external) - UPDATE with your esignet domain + mock_relying_party_service.ESIGNET_AUD_URL: "https://esignet.sandbox.xyz.net/v1/esignet/oauth/v2/token" + # Set to true if you don't have public domain & valid SSL (development only) + enable_insecure: "false" + timeout: 480 + priority: -7 + hooks: + preInstall: "$WORKDIR/hooks/mock-relying-party-service-preinstall.sh" + + mock-relying-party-ui: + namespace: esignet + enabled: true + version: 0.9.3 + chart: mosip/mock-relying-party-ui + set: + # UPDATE THIS: Mock Relying Party UI domain (e.g., healthservices.sandbox.xyz.net) + mock_relying_party_ui.mock_relying_party_ui_service_host: "healthservices.sandbox.xyz.net" + mock_relying_party_ui.ESIGNET_UI_BASE_URL: "https://esignet.sandbox.xyz.net" + mock_relying_party_ui.MOCK_RELYING_PARTY_SERVER_URL: "https://healthservices.sandbox.xyz.net/mock-relying-party-service" + mock_relying_party_ui.REDIRECT_URI: "https://healthservices.sandbox.xyz.net/userprofile" + mock_relying_party_ui.REDIRECT_URI_REGISTRATION: "https://healthservices.sandbox.xyz.net/registration" + mock_relying_party_ui.SIGN_IN_BUTTON_PLUGIN_URL: "https://esignet.sandbox.xyz.net/plugins/sign-in-button-plugin.js" + istio.hosts[0]: "healthservices.sandbox.xyz.net" + wait: true + timeout: 480 + priority: -6 + hooks: + preInstall: "$WORKDIR/hooks/mock-relying-party-ui-preinstall.sh" + + esignet-resident-oidc-partner-onboarder: + namespace: esignet + enabled: true + version: 12.0.1 + chart: mosip/partner-onboarder + set: + # Module Configuration + # S3 Configuration - UPDATE THESE VALUES FOR YOUR ENVIRONMENT + onboarding.configmaps.s3.s3-host: "http://minio.minio:9000" + onboarding.configmaps.s3.s3-user-key: "admin" + onboarding.configmaps.s3.s3-region: "" + onboarding.configmaps.s3.s3-bucket-name: "onboarder" + onboarding.modules[0].name: "ida" + onboarding.modules[0].enabled: "false" + 
onboarding.modules[1].name: "print" + onboarding.modules[1].enabled: "false" + onboarding.modules[2].name: "abis" + onboarding.modules[2].enabled: "false" + onboarding.modules[3].name: "resident" + onboarding.modules[3].enabled: "false" + onboarding.modules[4].name: "mobileid" + onboarding.modules[4].enabled: "false" + onboarding.modules[5].name: "digitalcard" + onboarding.modules[5].enabled: "false" + onboarding.modules[6].name: "esignet" + onboarding.modules[6].enabled: "true" + onboarding.modules[7].name: "resident-oidc" + onboarding.modules[7].enabled: "true" + onboarding.modules[8].name: "demo-oidc" + onboarding.modules[8].enabled: "false" + onboarding.modules[9].name: "mimoto-keybinding" + onboarding.modules[9].enabled: "false" + # Set to true if you don't have public domain & valid SSL (development only) + #onboarding.configmaps.onboarding.ENABLE_INSECURE: "false" + wait: true + waitForJobs: true + timeout: 240 + priority: -5 + hooks: + preInstall: "$WORKDIR/hooks/esignet-partner-onboarder-preinstall.sh" + preUpgrade: "$WORKDIR/hooks/esignet-partner-onboarder-preinstall.sh" + postInstall: "$WORKDIR/hooks/esignet-partner-onboarder-postinstall.sh" + postUpgrade: "$WORKDIR/hooks/esignet-partner-onboarder-postinstall.sh" + + esignet-demo-oidc-partner-onboarder: + namespace: esignet + enabled: true + version: 12.0.1 + chart: mosip/partner-onboarder + set: + # Module Configuration - Only demo-oidc enabled + onboarding.modules[0].name: "ida" + onboarding.modules[0].enabled: "false" + onboarding.modules[1].name: "print" + onboarding.modules[1].enabled: "false" + onboarding.modules[2].name: "abis" + onboarding.modules[2].enabled: "false" + onboarding.modules[3].name: "resident" + onboarding.modules[3].enabled: "false" + onboarding.modules[4].name: "mobileid" + onboarding.modules[4].enabled: "false" + onboarding.modules[5].name: "digitalcard" + onboarding.modules[5].enabled: "false" + onboarding.modules[6].name: "esignet" + onboarding.modules[6].enabled: "false" + 
onboarding.modules[7].name: "resident-oidc" + onboarding.modules[7].enabled: "false" + onboarding.modules[8].name: "demo-oidc" + onboarding.modules[8].enabled: "true" + onboarding.modules[9].name: "mimoto-keybinding" + onboarding.modules[9].enabled: "false" + # S3 Configuration - UPDATE THESE VALUES FOR YOUR ENVIRONMENT + onboarding.configmaps.s3.s3-host: "http://minio.minio:9000" + onboarding.configmaps.s3.s3-user-key: "admin" + onboarding.configmaps.s3.s3-region: "" + onboarding.configmaps.s3.s3-bucket-name: "onboarder" + # Set to true if you don't have public domain & valid SSL (development only) + #onboarding.configmaps.onboarding.ENABLE_INSECURE: "false" + wait: true + waitForJobs: true + timeout: 240 + priority: -4 + hooks: + preInstall: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-preinstall.sh" + preUpgrade: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-preinstall.sh" + postInstall: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-postinstall.sh" + postUpgrade: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-postinstall.sh" diff --git a/Helmsman/dsf/mosip-platform-java21/external-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/external-dsf.yaml new file mode 100644 index 00000000..0c9967cf --- /dev/null +++ b/Helmsman/dsf/mosip-platform-java21/external-dsf.yaml 
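Review bot: `oidc-ui` injects `extraEnvVarsCM[2]: "artifactory-share"`, while `esignet` and `mock-identity-system` in the same file use `artifactory-1202-share` and the only artifactory release defined here is `artifactory-1202`; if the share ConfigMap is named after the release, oidc-ui will reference a ConfigMap that does not exist in this profile and either fail to start or silently run without its artifactory settings, depending on how the chart marks the reference. Change it to `extraEnvVarsCM[2]: "artifactory-1202-share"` or add a comment explaining why a differently named ConfigMap is expected to exist. Also worth documenting in this file: `esignet-demo-oidc-partner-onboarder`, `mock-relying-party-service` and `mock-relying-party-ui` are `enabled: true` in what is named a platform profile, so a one-line header such as `# demo/mock components — disable for non-sandbox environments` would tell an operator which releases are not meant to reach a real deployment. The `keycloak` block here carries the same `upload_scripts` argument noted on the esignet/external-dsf.yaml hunk above.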
@@ -0,0 +1,418 @@ +helmDefaults: + tillerNamespace: kube-system + tillerless: true + install: true + +helmRepos: + bitnami: https://charts.bitnami.com/bitnami + mosip: https://mosip.github.io/mosip-helm + wiremind: https://wiremind.github.io/wiremind-helm-charts + kafka-ui: https://provectus.github.io/kafka-ui-charts + +# Note: Based on your requirement disable the namespaces which you want to use, by default all the namespaces are protected. +namespaces: + postgres: + protected: true + keycloak: + protected: true + softhsm: + protected: true + minio: + protected: true + clamav: + protected: true + activemq: + protected: true + kafka: + protected: true + s3: + protected: true + msg-gateways: + protected: true + captcha: + protected: true + landing-page: + protected: true + +apps: + postgres: + namespace: postgres + enabled: false + version: 13.1.5 + chart: bitnami/postgresql + wait: true + priority: -16 + valuesFile: "$WORKDIR/utils/postgres-values.yaml" + timeout: 1200 + + istio-addons-psql: + namespace: postgres + enabled: true + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/postgres-istio-addons-0.1.0.tgz + set: + postgresHost: "postgres.sandbox.xyz.net" + wait: true + priority: -4 + timeout: 1200 + + postgres-init: + namespace: postgres + enabled: true + version: 12.0.2 + chart: mosip/postgres-init + set: + dbUserPasswords.dbuserPassword: "" + databases.mosip_master.enabled: "true" + databases.mosip_master.branch: "v1.2.1.4" + databases.mosip_master.host: "postgres.sandbox.xyz.net" + databases.mosip_master.port: 5433 + + databases.mosip_audit.enabled: "true" + databases.mosip_audit.branch: "v1.2.0.1" + databases.mosip_audit.host: "postgres.sandbox.xyz.net" + databases.mosip_audit.port: 5433 + + databases.mosip_keymgr.enabled: "true" + databases.mosip_keymgr.branch: "v1.2.1.0" + databases.mosip_keymgr.host: "postgres.sandbox.xyz.net" + databases.mosip_keymgr.port: 5433 + + databases.mosip_kernel.enabled: "true" + databases.mosip_kernel.branch: " v1.2.0.2" 
+ databases.mosip_kernel.host: "postgres.sandbox.xyz.net" + databases.mosip_kernel.port: 5433 + + databases.mosip_idmap.enabled: "true" + databases.mosip_idmap.branch: "v1.2.2.4" + databases.mosip_idmap.host: "postgres.sandbox.xyz.net" + databases.mosip_idmap.port: 5433 + + databases.mosip_prereg.enabled: "true" + databases.mosip_prereg.branch: "v1.2.0.3" + databases.mosip_prereg.host: "postgres.sandbox.xyz.net" + databases.mosip_prereg.port: 5433 + + databases.mosip_idrepo.enabled: "true" + databases.mosip_idrepo.branch: "v1.2.2.4" + databases.mosip_idrepo.host: "postgres.sandbox.xyz.net" + databases.mosip_idrepo.port: 5433 + + databases.mosip_ida.enabled: "true" + databases.mosip_ida.branch: "v1.2.1.3" + databases.mosip_ida.host: "postgres.sandbox.xyz.net" + databases.mosip_ida.port: 5433 + + databases.mosip_credential.enabled: "true" + databases.mosip_credential.branch: "v1.2.2.4" + databases.mosip_credential.host: "postgres.sandbox.xyz.net" + databases.mosip_credential.port: 5433 + + databases.mosip_regprc.enabled: "true" + databases.mosip_regprc.branch: "v1.2.1.2" + databases.mosip_regprc.host: "postgres.sandbox.xyz.net" + databases.mosip_regprc.port: 5433 + + databases.mosip_pms.enabled: "true" + databases.mosip_pms.branch: "v1.2.2.3" + databases.mosip_pms.host: "postgres.sandbox.xyz.net" + databases.mosip_pms.port: 5433 + + databases.mosip_hotlist.enabled: "true" + databases.mosip_hotlist.branch: "v1.2.1.4" + databases.mosip_hotlist.host: "postgres.sandbox.xyz.net" + databases.mosip_hotlist.port: 5433 + + databases.mosip_resident.enabled: "true" + databases.mosip_resident.branch: "v1.2.1.3" + databases.mosip_resident.host: "postgres.sandbox.xyz.net" + databases.mosip_resident.port: 5433 + + databases.mosip_otp.enabled: "true" + databases.mosip_otp.branch: "v1.3.0-beta.1" + databases.mosip_otp.host: "postgres.sandbox.xyz.net" + databases.mosip_otp.port: 5433 + + databases.mosip_digitalcard.enabled: "true" + databases.mosip_digitalcard.branch: "v1.2.0.1" + 
databases.mosip_digitalcard.host: "postgres.sandbox.xyz.net" + databases.mosip_digitalcard.port: 5433 + wait: true + timeout: 1200 + priority: -15 + + keycloak: + namespace: keycloak + enabled: true + version: 7.1.18 + chart: mosip/keycloak + set: + image.repository: "mosipid/mosip-artemis-keycloak" + image.tag: "1.2.0.2" + image.pullPolicy: "Always" + # Override Postgres image + postgresql.image.registry: "docker.io" + postgresql.image.repository: "mosipid/postgresql" + postgresql.image.tag: "14.2.0-debian-10-r70" + service.type: "ClusterIP" + auth.adminUser: "admin" + extraEnvVars[0].name: "KEYCLOAK_EXTRA_ARGS" + extraEnvVars[0].value: "-Dkeycloak.profile.feature.upload_scripts=enabled -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled" + ingress.enabled: "false" + ingress.hostname: "" + ingress.annotations.ingress\.kubernetes\.io/class: "nginx" + proxyAddressForwarding: "true" + replicaCount: "1" + serviceDiscovery.enabled: "true" + # resources.limits.cpu: "250m" + # resources.limits.memory: "1Gi" + resources.requests.cpu: "200m" + resources.requests.memory: "1000Mi" + rbac.create: "true" + rbac.rules[0].apiGroups[0]: "" + rbac.rules[0].resources[0]: "pods" + rbac.rules[0].verbs[0]: "get" + rbac.rules[0].verbs[1]: "list" + wait: true + timeout: 1200 + priority: -14 + + istio-addons-iam: + namespace: keycloak + enabled: true + version: 0.1.0 + chart: $WORKDIR/utils/istio-addons/iam-istio-addons-0.1.0.tgz + set: + keycloakExternalHost: "iam.sandbox.xyz.net" + keycloakInternalHost: "keycloak.keycloak" + service: "keycloak" + wait: true + timeout: 1200 + priority: -3 + + keycloak-init: + namespace: keycloak + enabled: true + version: 12.0.2 + chart: mosip/keycloak-init + set: + # image.repository: "mosipid/keycloak-init" + # image.tag: "1.2.0.1" + keycloakExternalHost: "iam.sandbox.xyz.net" + keycloakInternalHost: "keycloak.keycloak" + keycloak.realms.mosip.realm_config.attributes.frontendUrl: 
"https://iam.sandbox.xyz.net/auth" + keycloak.realms.mosip.realm_config.smtpServer.auth: "false" + keycloak.realms.mosip.realm_config.smtpServer.host: "smtp.gmail.com" + keycloak.realms.mosip.realm_config.smtpServer.port: "465" + keycloak.realms.mosip.realm_config.smtpServer.from: "mosipqa@gmail.com" + keycloak.realms.mosip.realm_config.smtpServer.starttls: "false" + keycloak.realms.mosip.realm_config.smtpServer.ssl: "true" + wait: true + timeout: 1200 + priority: -13 + + softhsm-kernel: + namespace: softhsm + enabled: true + version: 12.0.1 + chart: mosip/softhsm + set: + # resources.limits.cpu: "250m" + # resources.limits.memory: "1Gi" + resources.requests.cpu: "100m" + resources.requests.memory: "100Mi" + wait: true + timeout: 1200 + priority: -12 + + softhsm-ida: + namespace: softhsm + enabled: true + version: 12.0.1 + chart: mosip/softhsm + set: + # resources.limits.cpu: "250m" + # resources.limits.memory: "1Gi" + resources.requests.cpu: "100m" + resources.requests.memory: "200Mi" + wait: true + timeout: 1200 + priority: -11 + + minio: + namespace: minio + enabled: true + version: 10.1.6 + chart: mosip/minio + set: + image.repository: "mosipid/minio" + image.tag: "2022.2.7-debian-10-r0" + metrics.serviceMonitor.enabled: "true" + extraEnvVars[0].name: "MINIO_PROMETHEUS_URL" + extraEnvVars[0].value: "http://rancher-monitoring-prometheus.cattle-monitoring-system:9090" + extraEnvVars[1].name: "MINIO_PROMETHEUS_JOB_ID" + extraEnvVars[1].value: "minio" + resourcesPreset: "none" + wait: true + timeout: 1200 + priority: -10 + + istio-addons-minio: + namespace: minio + enabled: true + version: 1.2.0 + chart: $WORKDIR/utils/istio-addons/minio-istio-addons-1.2.0.tgz + set: + externalHost: "minio.sandbox.xyz.net" + wait: true + timeout: 1200 + hooks: + postInstall: "$WORKDIR/hooks/s3-setup.sh " + priority: -2 + + clamav: + namespace: clamav + enabled: true + version: 3.1.0 + chart: wiremind/clamav + set: + replicaCount: "1" + # image.repository, image.tag, and 
image.pullPolicy are commented out in the original YAML + # Uncomment and update as needed: + image.repository: "mosipid/clamav" + image.tag: "1.3.0_base" + # image.pullPolicy: "Always" + wait: true + timeout: 1200 + priority: -9 + + activemq: + namespace: activemq + enabled: true + version: 0.0.2 + chart: mosip/activemq-artemis + set: + istio.enabled: "true" + istio.hosts[0]: "activemq.sandbox.xyz.net" + istio.ingressController.name: "ingressgateway-internal" + istio.prefix: "" + wait: true + timeout: 1200 + priority: -8 + hooks: + postInstall: "$WORKDIR/hooks/captcha-setup.sh " + # Note: Create a google recaptcha v2 ("I am not a Robot") from Google Recaptcha Admin. + # Pass the captcha site and secret key in the above post install script as an argument.To create site and secret key below is the link: + # https://cloud.google.com/security/products/recaptcha + # https://www.google.com/recaptcha/admin/create + + kafka: + namespace: kafka + enabled: true + version: 18.3.1 + chart: bitnami/kafka + set: + # Add these for image overrides + image.repository: "mosipid/kafka" + image.tag: "3.2.1-debian-11-r9" + zookeeper.image.repository: "mosipid/zookeeper" + zookeeper.image.tag: "3.8.0-debian-11-r30" + clusterDomain: "cluster.local" + logRetentionBytes: "_1073741824" + defaultReplicationFactor: "3" + offsetsTopicReplicationFactor: "3" + transactionStateLogReplicationFactor: "3" + numPartitions: "20" + replicaCount: "5" + autoCreateTopicsEnable: "true" + deleteTopicEnable: "true" + persistence.enabled: "true" + persistence.accessModes[0]: "ReadWriteOnce" + persistence.size: "8Gi" + zookeeper.enabled: "true" + zookeeper.replicaCount: "5" + zookeeper.persistence.enabled: "true" + zookeeper.persistence.size: "2Gi" + # resources.limits.cpu: "250m" + # resources.limits.memory: "1Gi" + resources.requests.cpu: "200m" + resources.requests.memory: "2000Mi" + startupProbe.enabled: "true" + startupProbe.initialDelaySeconds: "30" + startupProbe.periodSeconds: "10" + 
startupProbe.timeoutSeconds: "1" + startupProbe.failureThreshold: "30" + startupProbe.successThreshold: "1" + wait: true + timeout: 1200 + priority: -7 + + kafka-ui: + namespace: kafka + enabled: true + version: 0.4.2 + chart: kafka-ui/kafka-ui + set: + # Add these for image overrides + # image.repository: "docker.io/provectuslabs/kafka-ui" + # image.tag: "v0.4.0" + envs.config.KAFKA_CLUSTERS_0_BOOTSTRAPSERVERS: "kafka.kafka:9092" + envs.config.KAFKA_CLUSTERS_0_NAME: "main_kafka" + envs.config.KAFKA_CLUSTERS_0_ZOOKEEPER: "kafka-zookeeper.kafka:2181" + envs.config.KAFKA_CLUSTERS_0_KAFKACONNECT_0_ADDRESS: "http://debezium-service.reporting:8083" + envs.config.KAFKA_CLUSTERS_0_KAFKACONNECT_0_NAME: "debezium" + envs.config.KAFKA_CLUSTERS_0_KAFKACONNECT_1_ADDRESS: "http://es-connect.reporting:8083" + envs.config.KAFKA_CLUSTERS_0_KAFKACONNECT_1_NAME: "es-connect" + image.pullPolicy: "Always" + wait: true + timeout: 1200 + priority: -6 + + istio-addons-kafka: + namespace: kafka + enabled: true + version: 1.2.0 + chart: $WORKDIR/utils/istio-addons/kafka-istio-addons-1.2.0.tgz + set: + kafkaUiHost: "kafka.sandbox.xyz.net" + installName: "kafka-ui" + wait: true + timeout: 1200 + hooks: + postInstall: "$WORKDIR/hooks/msg-gateways-setup.sh" + priority: -1 + + landing-page: + namespace: landing-page + enabled: true + version: 12.0.2 + chart: mosip/landing-page + set: + landing.version: "develop" + landing.name: "" + landing.api: "api.sandbox.xyz.net" + landing.apiInternal: "api-internal.sandbox.xyz.net" + landing.admin: "admin.sandbox.xyz.net" + landing.prereg: "prereg.sandbox.xyz.net" + landing.kafka: "kafka.sandbox.xyz.net" + landing.kibana: "kibana.sandbox.xyz.net" + landing.activemq: "activemq.sandbox.xyz.net" + landing.minio: "minio.sandbox.xyz.net" + landing.keycloak: "iam.sandbox.xyz.net" + landing.regclient: "regclient.sandbox.xyz.net" + landing.postgres.host: "postgres.sandbox.xyz.net" + landing.postgres.port: "5433" + landing.compliance: "compliance.sandbox.xyz.net" + 
landing.pmp: "pmp.sandbox.xyz.net" + landing.resident: "resident.sandbox.xyz.net" + landing.esignet: "esignet.sandbox.xyz.net" + landing.smtp: "smtp.sandbox.xyz.net" + landing.healthservices: "healthservices.sandbox.xyz.net" + landing.injiweb: "injiweb.sandbox.xyz.net" + landing.injiverify: "injiverify.sandbox.xyz.net" + istio.host: "sandbox.xyz.net" + wait: true + timeout: 1200 + hooks: + preInstall: "$WORKDIR/hooks/landing-page.sh" + priority: -5 diff --git a/Helmsman/dsf/mosip-platform-java21/mosip-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/mosip-dsf.yaml new file mode 100644 index 00000000..fcdfefcb --- /dev/null +++ b/Helmsman/dsf/mosip-platform-java21/mosip-dsf.yaml 
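Review bot: `databases.mosip_kernel.branch: " v1.2.0.2"` in the postgres-init block carries a leading space inside the quotes, unlike every other `branch` value in this hunk; unless the chart trims it, the mosip_kernel init will try to check out a branch literally named ` v1.2.0.2` and fail, so it should read `databases.mosip_kernel.branch: "v1.2.0.2"`. The same block commits `dbUserPasswords.dbuserPassword: ""` and the keycloak block sets `auth.adminUser: "admin"` with no password key; presumably the workflow or a hook injects these at deploy time, but a comment such as `# dbuserPassword is supplied by the deployment pipeline; never commit a real value here` would make that contract explicit for anyone copying this profile. Keycloak's `KEYCLOAK_EXTRA_ARGS` enables `upload_scripts`, which lets realm administrators deploy server-side scripts through the admin console; a one-line comment recording which component still depends on it would help the next reviewer decide when it can be dropped (the java11 copy presumably carries the same flag). The clamav `set:` comment states that `image.repository`/`image.tag` are commented out, yet both are set on the lines directly below it, so the comment is stale and should be removed.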
@@ -0,0 +1,1110 @@ +helmDefaults: + tillerNamespace: kube-system + tillerless: true + install: true + +helmRepos: + bitnami: https://charts.bitnami.com/bitnami + mosip: https://mosip.github.io/mosip-helm + +namespaces: + conf-secrets: + protected: false + config-server: + protected: false + artifactory: + protected: false + captcha: + protected: false + keymanager: + protected: false + websub: + protected: false + mock-smtp: + protected: false + kernel: + protected: false + masterdata-loader: + protected: false + biosdk: + protected: false + packetmanager: + protected: false + datashare: + protected: false + prereg: + protected: false + idrepo: + protected: false + pms: + protected: false + abis: + protected: false + regproc: + protected: false + admin: + protected: false + ida: + protected: false + print: + protected: false + digitalcard: + protected: false + resident: + protected: false + onboarder: + protected: false + mosip-file-server: + protected: false + regclient: + protected: false +apps: + conf-secrets: + namespace: conf-secrets + enabled: true + version: 12.0.3 + chart: mosip/conf-secrets + priority: -20 + + config-server: + namespace: config-server + enabled: true + version: 12.0.4-develop + chart: mosip/config-server + valuesFile: "$WORKDIR/utils/config-server-values.yaml" + wait: true + timeout: 1200 + priority: -19 + hooks: + preInstall: "$WORKDIR/hooks/config-server-setup.sh" + + artifactory: + namespace: artifactory + enabled: true + version: 12.0.4 + chart: mosip/artifactory + # set: + # image.repository: "mosipid/artifactory-server" + # image.tag: "1.4.1-ES" + wait: true + timeout: 1200 + priority: -18 + hooks: + # For fresh installations + preInstall: "kubectl label ns artifactory istio-injection=enabled --overwrite" + postInstall: "$WORKDIR/hooks/common-labeling-istio-and-sharing-cm-secrets-among-ns.sh" + + # For upgrades/retries + preUpgrade: "kubectl label ns artifactory istio-injection=enabled --overwrite" + postUpgrade: 
"$WORKDIR/hooks/common-labeling-istio-and-sharing-cm-secrets-among-ns.sh" + + captcha: + namespace: captcha + enabled: true + version: 0.1.0 + chart: mosip/captcha + set: + # image.repository: "mosipdev/captcha-validation-service" + # image.tag: "develop" + extraEnvVars[0].name: MOSIP_CAPTCHA_SECRET_PREREGISTRATION + extraEnvVars[0].valueFrom.secretKeyRef.name: mosip-captcha + extraEnvVars[0].valueFrom.secretKeyRef.key: prereg-captcha-secret-key + priority: -17 + timeout: 1200 + hooks: + preInstall: "kubectl label ns captcha istio-injection=enabled --overwrite" + + + mock-abis: + namespace: abis + enabled: true + version: 12.0.2 + chart: mosip/mock-abis + set: + startupProbe.failureThreshold: 60 + # image.repository: "" + # image.tag: "" + timeout: 1200 + priority: -16 + + + mock-mv: + namespace: abis + enabled: true + version: 12.0.2 + chart: mosip/mock-mv + set: + resources.requests.cpu: 200m + resources.requests.memory: 1500Mi + # image.repository: "" + # image.tag: "" + timeout: 1200 + priority: -16 + + + kernel-keygen: + namespace: keymanager + enabled: true + version: 12.0.1 + chart: mosip/keygen + set: + # image.repository: "mosipdev/keys-generator" + # image.tag: "MOSIP-41674" + springConfigNameEnv: "kernel" + softHsmCM: "softhsm-kernel-share" + # persistence.enabled: "false" + # volumePermissions.enabled: "false" + # persistence.size: "" + # persistence.mountDir: "" + # persistence.pvc_claim_name: "" + wait: true + timeout: 1200 + priority: -15 + + keymanager: + namespace: keymanager + enabled: true + version: 12.1.0 + chart: mosip/keymanager + # set: + # image.repository: "mosipid/kernel-keymanager-service" + # image.tag: "1.2.1.0" + # persistence.enabled: "false" + # volumePermissions.enabled: "false" + # persistence.size: "" + # persistence.mountDir: "" + # persistence.pvc_claim_name: "" + wait: true + timeout: 1200 + priority: -14 + hooks: + preInstall: "$WORKDIR/hooks/wait-for-keygen.sh" + + websub-consolidator: + namespace: websub + enabled: true + 
version: 12.0.1 + chart: mosip/websub-consolidator + # set: + # image.repository: "mosipqa/consolidator-websub-service" + # image.tag: "1.3.x" + wait: true + timeout: 1200 + priority: -13 + + + websub: + namespace: websub + enabled: true + version: 12.0.1 + chart: mosip/websub + # set: + # image.repository: "mosipqa/websub-service" + # image.tag: "1.3.x" + timeout: 1200 + priority: -12 + + mock-smtp: + namespace: mock-smtp + enabled: true + version: 1.0.0 + chart: mosip/mock-smtp + set: + # image.repository: "mosipdev/mock-smtp" + # image.tag: "1.0.0" + istio.hosts[0]: "smtp.sandbox.xyz.net" + priority: -12 + timeout: 1200 + + + masterdata-loader: + namespace: masterdata-loader + enabled: true + version: 12.0.1 + chart: mosip/masterdata-loader + set: + # image.repository: "mosipqa/masterdata-loader" + # image.tag: "develop" + mosipDataGithubBranch: "v1.2.2.0" + mosipDataGithubRepo: "https://github.com/mosip/mosip-data" + mosipDataXlsfolderPath: "/home/mosip/mosip-data/mosip_master/xlsx" + db.host: "postgres.sandbox.xyz.net" + db.port: 5433 + wait: true + priority: -11 + timeout: 1200 + + + authmanager: + namespace: kernel + enabled: true + version: 12.0.2 + chart: mosip/authmanager + # set: + # image.repository: "mosipdev/kernel-auth-service" + # image.tag: "develop" + priority: -10 + timeout: 1200 + + + auditmanager: + namespace: kernel + enabled: true + version: 12.0.1 + chart: mosip/auditmanager + # set: + # image.repository: "mosipdev/kernel-auditmanager-service" + # image.tag: "release-1.3.x" + priority: -10 + timeout: 1200 + + + idgenerator: + namespace: kernel + enabled: true + version: 12.0.2 + chart: mosip/idgenerator + set: + # image.repository: "bn1997/kernel-idgenerator-service" + # image.tag: "develop" + resources.limits.cpu: "1" + resources.limits.memory: "3000Mi" + resources.requests.cpu: "700m" + resources.requests.memory: "2500Mi" + startupProbe.failureThreshold: "30" + startupProbe.periodSeconds: "10" + priority: -10 + timeout: 1200 + + + 
masterdata: + namespace: kernel + enabled: true + version: 12.1.4 + chart: mosip/masterdata + set: + # image.repository: "mosipid/kernel-masterdata-service" + # image.tag: "1.2.1.2" + resources.limits.cpu: "600m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "200m" + resources.requests.memory: "2000Mi" + istio.corsPolicy.allowOrigins[0].exact: "https://admin.sandbox.xyz.net" + wait: true + priority: -10 + timeout: 1200 + + + otpmanager: + namespace: kernel + enabled: true + version: 12.0.1 + chart: mosip/otpmanager + # set: + # image.repository: "" + # image.tag: "" + priority: -10 + timeout: 1200 + + + pridgenerator: + namespace: kernel + enabled: true + version: 12.0.2 + chart: mosip/pridgenerator + # set: + # image.repository: "" + # image.tag: "" + priority: -10 + timeout: 1200 + + + ridgenerator: + namespace: kernel + enabled: true + version: 12.0.2 + chart: mosip/ridgenerator + # set: + # image.repository: "" + # image.tag: "" + priority: -10 + timeout: 1200 + + + syncdata: + namespace: kernel + enabled: true + version: 12.1.4 + chart: mosip/syncdata + set: + # image.repository: "mosipid/kernel-syncdata-service" + # image.tag: "1.2.1.2" + resources.limits.cpu: "500m" + resources.limits.memory: "5000Mi" + resources.requests.cpu: "300m" + resources.requests.memory: "2500Mi" + startupProbe.failureThreshold: "60" + priority: -10 + timeout: 1200 + + + notifier: + namespace: kernel + enabled: true + version: 12.0.2 + chart: mosip/notifier + # set: + # image.repository: "" + # image.tag: "" + priority: -10 + timeout: 1200 + + + biosdk-service: + namespace: biosdk + enabled: true + version: 12.0.1 + chart: mosip/biosdk-service + set: + # image.repository: "mosipid/biosdk-server" + # image.tag: "12.0.1" + biosdk.zippedLibUrl: "http://artifactory.artifactory/artifactory/libs-release-local/biosdk/biosdk-lib.zip" + biosdk.bioapiImpl: "io.mosip.mock.sdk.impl.SampleSDKV2" + priority: -10 + timeout: 1200 + + + packetmanager: + namespace: packetmanager + 
enabled: true + version: 12.0.4 + chart: mosip/packetmanager + # set: + # image.repository: "mosipid/commons-packet-service" + # image.tag: "1.2.0.3" + priority: -10 + timeout: 1200 + + + datashare: + namespace: datashare + enabled: true + version: 12.0.2 + chart: mosip/datashare + # set: + # image.repository: "mosipid/data-share-service" + # image.tag: "1.2.0.1" + priority: -10 + timeout: 1200 + + prereg-gateway: + namespace: prereg + enabled: true + version: 12.0.3 + chart: mosip/prereg-gateway + set: + istio.hosts[0]: "prereg.sandbox.xyz.net" + priority: -9 + timeout: 1200 + + prereg-captcha: + namespace: prereg + enabled: true + version: 12.0.1 + chart: mosip/prereg-captcha + set: + image.repository: "mosipid/pre-registration-captcha-service" + image.tag: "1.2.0.2" + priority: -9 + timeout: 1200 + + prereg-application: + namespace: prereg + enabled: true + version: 12.0.3 + chart: mosip/prereg-application + # set: + # image.repository: "mosipid/pre-registration-application-service" + # image.tag: "1.2.0.2" + priority: -9 + timeout: 1200 + + + prereg-booking: + namespace: prereg + enabled: true + version: 12.0.2 + chart: mosip/prereg-booking + set: + image.repository: "mosipid/pre-registration-booking-service" + image.tag: "1.2.0.2" + priority: -9 + timeout: 1200 + + prereg-datasync: + namespace: prereg + enabled: true + version: 12.0.3 + chart: mosip/prereg-datasync + # set: + # image.repository: "mosipid/pre-registration-datasync-service" + # image.tag: "1.2.0.2" + priority: -9 + timeout: 1200 + + + prereg-batchjob: + namespace: prereg + enabled: true + version: 12.0.3 + chart: mosip/prereg-batchjob + # set: + # image.repository: "mosipid/pre-registration-batchjob" + # image.tag: "1.2.0.2" + priority: -9 + timeout: 1200 + + + + prereg-ui: + namespace: prereg + enabled: true + version: 12.0.1 + chart: mosip/prereg-ui + set: + # image.repository: "" + # image.tag: "" + prereg.apiHost: "prereg.sandbox.xyz.net" + priority: -9 + timeout: 1200 + + + idrepo-saltgen: 
+ namespace: idrepo + enabled: true + version: 12.2.4 + chart: mosip/idrepo-saltgen + # set: + # image.repository: "" + # image.tag: "" + #timeout: 240 + priority: -9 + timeout: 1200 + + + credential: + namespace: idrepo + enabled: true + version: 12.2.4 + chart: mosip/credential + set: + # image.repository: "mosipid/credential-service" + # image.tag: "1.2.2.2" + replicaCount: 2 + resources.limits.cpu: "500m" + resources.limits.memory: "3000Mi" + resources.requests.cpu: "200m" + resources.requests.memory: "2000Mi" + priority: -8 + timeout: 1200 + + credentialrequest: + namespace: idrepo + enabled: true + version: 12.2.4 + chart: mosip/credentialrequest + set: + # image.repository: "mosipid/credential-request-generator" + # image.tag: "1.2.2.2" + replicaCount: 2 + resources.limits.cpu: "1" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "1" + resources.requests.memory: "3000Mi" + priority: -7 + timeout: 1200 + + + identity: + namespace: idrepo + enabled: true + version: 12.2.4 + chart: mosip/identity + set: + replicaCount: 2 + # image.repository: "mosipid/id-repository-identity-service" + # image.tag: "1.2.2.2" + priority: -7 + timeout: 1200 + + vid: + namespace: idrepo + enabled: true + version: 12.2.4 + chart: mosip/vid + set: + replicaCount: 2 + # image.repository: "mosipid/id-repository-vid-service" + # image.tag: "1.2.2.2" + priority: -6 + timeout: 1200 + + # pms-keycloak-init: + # namespace: pms + # enabled: false + # version: 0.0.1-develop + # chart: mosip/keycloak-init + # set: + # # image.repository: "" + # # image.tag: "" + # priority: -8 + # timeout: 1200 + # hooks: + # preInstall: "$WORKDIR/hooks/pms-keycloak-init.sh" + + + pms-partner: + namespace: pms + enabled: true + version: 12.2.3 + chart: mosip/pms-partner + set: + # image.repository: "mosipid/partner-management-service" + # image.tag: "1.2.2.1" + istio.corsPolicy.allowOrigins[0].prefix: "https://pmp.sandbox.xyz.net" + priority: -9 + timeout: 1200 + + + pms-policy: + namespace: pms + 
enabled: true + version: 12.2.3 + chart: mosip/pms-policy + set: + # image.repository: "mosipid/partner-management-service" + # image.tag: "1.2.2.1" + istio.corsPolicy.allowOrigins[0].prefix: "https://pmp.sandbox.xyz.net" + priority: -9 + timeout: 1200 + + + # pmp-ui: + # namespace: pms + # enabled: true + # version: 12.0.2 + # chart: mosip/pmp-ui + # set: + # image.repository: "mosipid/pmp-ui" + # image.tag: "1.2.2.1" + # pmp.apiUrl: "https://api-internal.sandbox.xyz.net/" + # istio.hosts[0]: "pmp.sandbox.xyz.net" + # priority: -9 + # timeout: 1200 + + + pmp-revamp-ui: + namespace: pms + enabled: true + version: 12.2.2 + chart: mosip/pmp-revamp-ui + set: + # image.repository: "mosipqa/pmp-revamp-ui" + # image.tag: "develop" + pmp_revamp.react_app_partner_manager_api_base_url: "https://api-internal.sandbox.xyz.net/v1/partnermanager" + pmp_revamp.react_app_policy_manager_api_base_url: "https://api-internal.sandbox.xyz.net/v1/policymanager" + pmp_revamp.pms_partner_manager_internal_service_url: "http://pms-partner.pms/v1/partnermanager" + pmp_revamp.pms_policy_manager_internal_service_url: "http://pms-policy.pms/v1/policymanager" + istio.hosts[0]: "pmp.sandbox.xyz.net" + priority: -9 + timeout: 1200 + + regproc-salt: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-salt + set: + image.repository: "mosipid/kernel-salt-generator" + image.tag: "1.2.0.2" + priority: -9 + timeout: 1200 + + + regproc-workflow: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-workflow + set: + resources.limits.cpu: "500m" + resources.limits.memory: "3000Mi" + resources.requests.cpu: "200m" + resources.requests.memory: "1000Mi" + livenessProbe.periodSeconds: "30" + # image.repository: "" + # image.tag: "" + priority: -8 + timeout: 1200 + hooks: + preInstall: "$WORKDIR/hooks/wait-for-regprocjob.sh" + + regproc-status: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-status + set: + resources.limits.cpu: 
"500m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "100m" + resources.requests.memory: "1000Mi" + livenessProbe.periodSeconds: "30" + # image.repository: "" + # image.tag: "" + timeout: 1200 + priority: -7 + + regproc-camel: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-camel + set: + resources.limits.cpu: "1" + resources.limits.memory: "2000Mi" + resources.requests.cpu: "100m" + resources.requests.memory: "1500Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -7 + + regproc-pktserver: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-pktserver + set: + resources.limits.cpu: "500m" + resources.limits.memory: "1250Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "1000Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -7 + + regproc-group1: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-group1 + set: + resources.limits.cpu: "1" + resources.limits.memory: "5000Mi" + resources.requests.cpu: "100m" + resources.requests.memory: "1000Mi" + persistence.storageClass: nfs-csi + persistence.size: 5Gi + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -7 + + regproc-group2: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-group2 + set: + # image.repository: "" + # image.tag: "" + resources.limits.cpu: "500m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "4000Mi" + startupProbe.failureThreshold: 60 + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -6 + + regproc-group3: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-group3 + set: + resources.limits.cpu: "500m" + resources.limits.memory: "3000Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "3000Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -6 + + regproc-group4: + namespace: regproc + enabled: 
true + version: 12.1.2 + chart: mosip/regproc-group4 + set: + resources.limits.cpu: "500m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "3000Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -6 + + regproc-group5: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-group5 + set: + resources.limits.cpu: "500m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "3000Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -6 + + regproc-group6: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-group6 + set: + resources.limits.cpu: "500m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "3000Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -6 + + regproc-group7: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-group7 + set: + resources.limits.cpu: "500m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "3000Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -6 + + regproc-trans: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-trans + set: + resources.limits.cpu: "500m" + resources.limits.memory: "2500Mi" + resources.requests.cpu: "100m" + resources.requests.memory: "1000Mi" + livenessProbe.periodSeconds: "30" + timeout: 1200 + priority: -6 + + regproc-notifier: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-notifier + set: + resources.limits.cpu: "500m" + resources.limits.memory: "1500Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "1500Mi" + livenessProbe.periodSeconds: "30" + # image.repository: "" + # image.tag: "" + timeout: 1200 + priority: -6 + + regproc-reprocess: + namespace: regproc + enabled: true + version: 12.1.2 + chart: 
mosip/regproc-reprocess + set: + resources.limits.cpu: "500m" + resources.limits.memory: "2500Mi" + resources.requests.cpu: "100m" + resources.requests.memory: "1000Mi" + livenessProbe.periodSeconds: "30" + # image.repository: "" + # image.tag: "" + timeout: 1200 + priority: -6 + + regproc-landingzone: + namespace: regproc + enabled: true + version: 12.1.2 + chart: mosip/regproc-landingzone + set: + resources.limits.cpu: "500m" + resources.limits.memory: "4000Mi" + resources.requests.cpu: "100m" + resources.requests.memory: "1000Mi" + livenessProbe.periodSeconds: "30" + # image.repository: "mosipid/registration-processor-landing-zone" + # image.tag: "1.2.0.2" + timeout: 1200 + priority: -6 + + admin-hotlist: + namespace: admin + enabled: true + version: 12.1.4 + chart: mosip/admin-hotlist + set: + # image.repository: "mosipid/hotlist-service" + # image.tag: "1.2.1.2" + resources.limits.cpu: "500m" + resources.limits.memory: "1500Mi" + resources.requests.cpu: "300m" + resources.requests.memory: "1500Mi" + startupProbe.failureThreshold: 60 + timeout: 1200 + priority: -9 + + admin-service: + namespace: admin + enabled: true + version: 12.1.4 + chart: mosip/admin-service + set: + # image.repository: "mosipid/admin-service" + # image.tag: "1.2.1.2" + resources.limits.cpu: "500m" + resources.limits.memory: "2000Mi" + resources.requests.cpu: "500m" + resources.requests.memory: "2000Mi" + istio.corsPolicy.allowOrigins[0].prefix: "https://admin.sandbox.xyz.net" + startupProbe.failureThreshold: 60 + timeout: 1200 + priority: -9 + + + admin-ui: + namespace: admin + enabled: true + version: 12.0.1 + chart: mosip/admin-ui + set: + # image.repository: "mosipqa/admin-ui" + # image.tag: "1.3.x" + admin.apiUrl: "https://api-internal.sandbox.xyz.net/v1/" + istio.hosts[0]: "admin.sandbox.xyz.net" + timeout: 1200 + priority: -9 + + + ida-keygen: + namespace: ida + enabled: true + version: 12.0.1 + chart: mosip/keygen + set: + springConfigNameEnv: "id-authentication" + softHsmCM: 
"softhsm-ida-share" + # persistence.enabled: false + # volumePermissions.enabled: false + # persistence.size: + # persistence.mountDir: "" + # persistence.pvc_claim_name: "" + timeout: 1200 + priority: -9 + + + ida-auth: + namespace: ida + enabled: true + version: 12.1.3 + chart: mosip/ida-auth + # set: + # image.repository: "mosipid/authentication-service" + # image.tag: "1.2.1.0" + # enable_insecure: "false" + # persistence.enabled: "false" + # volumePermissions.enabled: "false" + # persistence.mountDir: "" + # persistence.existingClaim: "" + timeout: 1200 + priority: -8 + hooks: + preInstall: "$WORKDIR/hooks/wait-for-idajob.sh" + + ida-internal: + namespace: ida + enabled: true + version: 12.1.3 + chart: mosip/ida-internal + # set: + # image.repository: "mosipid/authentication-internal-service" + # image.tag: "1.2.1.0" + # enable_insecure: "false" + # persistence.enabled: "false" + # volumePermissions.enabled: "false" + # persistence.mountDir: "" + # persistence.existingClaim: "" + timeout: 1200 + priority: -7 + + ida-otp: + namespace: ida + enabled: true + version: 12.1.3 + chart: mosip/ida-otp + # set: + # image.repository: "mosipid/authentication-otp-service" + # image.tag: "1.2.1.0" + # enable_insecure: false + # persistence.enabled: false + # volumePermissions.enabled: false + # persistence.mountDir: "" + # persistence.existingClaim: "" + timeout: 1200 + priority: -6 + + print-service: + namespace: print + enabled: true + version: 12.0.1 + chart: mosip/print-service + # set: + # image.repository: "mosipdev/print" + # image.tag: "release-1.3.x" + timeout: 1200 + priority: -5 + + + digitalcard: + namespace: digitalcard + enabled: true + version: 12.0.1 + chart: mosip/digitalcard + # set: + # image.repository: "mosipid/digital-card-service" + # image.tag: "1.2.0.1" + timeout: 1200 + priority: -5 + + + resident: + namespace: resident + enabled: true + version: 12.3.1 + chart: mosip/resident + set: + image.repository: "mosipid/resident-service" + image.tag: 
"1.2.1.3" + resources.requests.cpu: "300m" + resources.requests.memory: "2000Mi" + startupProbe.failureThreshold: "60" + istio.corsPolicy.allowOrigins[0].prefix: "https://resident.sandbox.xyz.net" + timeout: 1200 + wait: true + priority: -4 + hooks: + preInstall: "$WORKDIR/hooks/resident-setup.sh" + + resident-ui: + namespace: resident + enabled: true + version: 0.9.1 + chart: mosip/resident-ui + set: + # image.repository: "mosipdev2/resident-ui" + # image.tag: "release-0.9.x" + resident.apiHost: "api-internal.sandbox.xyz.net" + istio.hosts[0]: "resident.sandbox.xyz.net" + wait: true + timeout: 1200 + priority: -3 + + partner-onboarder: + namespace: onboarder + enabled: true + version: 12.0.1 + chart: mosip/partner-onboarder + set: + # image.repository: "mosipqa/partner-onboarder" + # image.tag: "develop" + # onboarding.configmaps.onboarding.enable_insecure: "false" + # onboarding.variables.push_reports_to_s3: "true" + onboarding.configmaps.s3.s3-host: "http://minio.minio:9000" + onboarding.configmaps.s3.s3-user-key: "admin" + onboarding.configmaps.s3.s3-region: "" + onboarding.configmaps.s3.s3-bucket-name: "onboarder" + #onboarding.secrets.s3.s3-user-secret: "password" + # onboarding.volumes.reports.nfs.server: "" + # # provide NFS directory to store reports from NFS server (e.g. 
/srv/nfs//onboarder/), make sure permission is 777 for the folder: " nfs_path + # onboarding.volumes.reports.nfs.path: "" + extraEnvVarsCM[0]: "global" + extraEnvVarsCM[1]: "keycloak-env-vars" + extraEnvVarsCM[2]: "keycloak-host" + onboarding.modules[0].name: "ida" + onboarding.modules[0].enabled: true + onboarding.modules[1].name: "print" + onboarding.modules[1].enabled: true + onboarding.modules[2].name: "abis" + onboarding.modules[2].enabled: true + onboarding.modules[3].name: "resident" + onboarding.modules[3].enabled: true + onboarding.modules[4].name: "mobileid" + onboarding.modules[4].enabled: true + onboarding.modules[5].name: "digitalcard" + onboarding.modules[5].enabled: true + onboarding.modules[6].name: "esignet" + onboarding.modules[6].enabled: false + onboarding.modules[7].name: "demo-oidc" + onboarding.modules[7].enabled: false + onboarding.modules[8].name: "resident-oidc" + onboarding.modules[8].enabled: false + onboarding.modules[9].name: "mimoto-keybinding" + onboarding.modules[9].enabled: true + wait: true + timeout: 1200 + priority: -2 + hooks: + preInstall: "$WORKDIR/hooks/partner-onboarder-setup.sh" + + mosip-file-server: + namespace: mosip-file-server + enabled: true + version: 12.0.2 + chart: mosip/mosip-file-server + set: + image.repository: "mosipid/mosip-file-server" + image.tag: "1.2.0.1" + mosipfileserver.host: "api.sandbox.xyz.net" + # mosipfileserver.secrets.KEYCLOAK_CLIENT_SECRET: "" + istio.corsPolicy.allowOrigins[0].prefix: "https://api.sandbox.xyz.net" + istio.corsPolicy.allowOrigins[1].prefix: "https://api-internal.sandbox.xyz.net" + istio.corsPolicy.allowOrigins[2].prefix: "https://verifiablecredential.io" + priority: -1 + timeout: 1200 + + regclient: + namespace: regclient + enabled: true + version: 1.3.0-beta.1 + chart: mosip/regclient + set: + startupProbe.failureThreshold: "60" + image.repository: "mosipid/registration-client" + image.tag: "1.2.0.2" + regclient.version: "1.2.0.2" + regclient.upgradeServerUrl: 
"https://regclient.sandbox.xyz.net" + regclient.healthCheckUrl: "https://api-internal.sandbox.xyz.net/v1/syncdata/actuator/health" + regclient.hostName: "api-internal.sandbox.xyz.net" + istio.host: "regclient.sandbox.xyz.net" + priority: -1 + timeout: 1200 diff --git a/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml new file mode 100644 index 00000000..4dcb4620 --- /dev/null +++ b/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml 
@@ -0,0 +1,111 @@
+helmDefaults:
+ tillerNamespace: kube-system
+ tillerless: true
+ install: true
+
+helmRepos:
+ bitnami: https://charts.bitnami.com/bitnami
+ mosip: https://mosip.github.io/mosip-helm
+ banzaicloud-stable: https://charts.helm.sh/stable
+
+# Note: Based on your requirement disable the namespaces which you want to use, by default all the namespaces are protected.
+namespaces:
+ kube-system:
+ protected: true
+ cattle-monitoring-system:
+ protected: true
+ cattle-logging-system:
+ protected: true
+ istio-system:
+ protected: true
+ istio-operator:
+ protected: true
+ httpbin:
+ protected: true
+
+apps:
+ rancher-monitoring-crd:
+ namespace: cattle-monitoring-system
+ enabled: true
+ version: 103.1.1+up45.31.1
+ chart: mosip/rancher-monitoring-crd
+ wait: true
+ timeout: 900
+ priority: -6
+ hooks:
+ postInstall: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net "
+ postUpgrade: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net "
+
+ rancher-monitoring:
+ namespace: cattle-monitoring-system
+ enabled: false
+ version: 103.1.0+up45.31.1
+ chart: mosip/rancher-monitoring
+ set:
+ grafana.global.cattle.clusterId: ""
+ global.cattle.clusterId: ""
+ wait: true
+ valuesFile: "$WORKDIR/utils/monitoring_values.yaml"
+ priority: -5
+ timeout: 600
+ hooks:
+ postInstall: "$WORKDIR/hooks/alerting-setup.sh "
+
+ elasticsearch:
+ namespace: cattle-logging-system
+ enabled: true
+ version: 17.9.25
+ chart: mosip/elasticsearch
+ set:
+ image.repository: "mosipint/elasticsearch"
+ image.tag: "7.17.2-debian-10-r4"
+ # Kibana configuration and image
+ global.kibanaEnabled: "true"
+ kibana.image.repository: "mosipid/kibana"
+ kibana.image.tag: "7.17.2-debian-10-r0"
+ kibana.image.pullPolicy: IfNotPresent
+ data.heapSize: "728m"
+ data.persistence.enabled: "true"
+ data.persistence.size: "64Gi"
+ data.resources.requests.memory: "512Mi"
+ master.heapSize: "1024m"
+ master.persistence.enabled: "true"
+ master.persistence.size: "4Gi"
+ master.resources.requests.memory: "728Mi"
+ kibana.persistence.enabled: "false"
+ sysctlImage.repository: "mosipid/os-shell"
+ sysctlImage.tag: "12-debian-12-r46"
+ wait: true
+ timeout: 900
+ priority: -4
+
+ istio-addons-logging:
+ namespace: cattle-logging-system
+ enabled: true
+ version: 0.1.0
+ chart: $WORKDIR/utils/istio-addons/logging-istio-addons-0.1.0.tgz
+ set:
+ kibanaHost: "kibana.sandbox.xyz.net"
+ installName: "elasticsearch-kibana"
+ wait: true
+ priority: -3
+
+ rancher-logging-crd:
+ namespace: cattle-logging-system
+ enabled: true
+ version: 103.1.1+up4.4.0
+ chart: mosip/rancher-logging-crd
+ wait: true
+ priority: -2
+
+ rancher-logging:
+ namespace: cattle-logging-system
+ enabled: true
+ version: 103.1.1+up4.4.0
+ chart: mosip/rancher-logging
+ valuesFile: "$WORKDIR/utils/rancher-loggig-values.yaml"
+ wait: true
+ priority: -1
+ timeout: 1200
+ hooks:
+ postInstall: "$WORKDIR/hooks/post_logging-setup.sh"
diff --git a/Helmsman/dsf/mosip-platform-java21/testrigs-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/testrigs-dsf.yaml
new file mode 100644
index 00000000..17ee1b75
--- /dev/null
+++ b/Helmsman/dsf/mosip-platform-java21/testrigs-dsf.yaml
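Review bot: The `helmRepos` block declares `banzaicloud-stable: https://charts.helm.sh/stable` and `bitnami`, yet none of the six apps in this hunk pulls from either — every `chart:` is `mosip/...` or the local `$WORKDIR/utils/istio-addons/logging-istio-addons-0.1.0.tgz` (the hook scripts are outside this diff, so I cannot rule out a use there). `charts.helm.sh/stable` is the archived legacy Helm stable repository, so keeping it is only an extra unmaintained source that a `helm repo update` will still contact; unless a hook needs it, trim the block to `mosip: https://mosip.github.io/mosip-helm`. Also, both `install-istio-and-httpbin.sh sandbox.xyz.net ` hook strings and `alerting-setup.sh ` end in a trailing space inside the quotes; it is harmless to the shell, but since the domain is presumably templated per environment it reads like a leftover of a removed placeholder and is worth confirming.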
@@ -0,0 +1,182 @@
+helmDefaults:
+ tillerNamespace: kube-system
+ tillerless: true
+ install: true
+
+helmRepos:
+ bitnami: https://charts.bitnami.com/bitnami
+ mosip: https://mosip.github.io/mosip-helm
+
+# Note: Based on your requirement disable the namespaces which you want to use, by default all the namespaces are protected.
+namespaces:
+ apitestrig:
+ protected: false
+ packetcreator:
+ protected: false
+ dslrig:
+ protected: false
+ uitestrig:
+ protected: false
+
+apps:
+ packetcreator:
+ namespace: packetcreator
+ enabled: true
+ version: 1.3.0
+ chart: mosip/packetcreator
+ set:
+ # image.repository: "mosipqa/dsl-packetcreator"
+ # image.tag: "1.2.1.x"
+ resources.limits.cpu: "1"
+ resources.limits.memory: "6000Mi"
+ resources.requests.cpu: "800m"
+ resources.requests.memory: "6000Mi"
+ enable_insecure: false
+ ingress.enabled: false
+ ## If ingress enabled, provide ingress host value i.e., PACKETCREATOR_HOST
+ ingress.host: ""
+ istio.enabled: true
+ wait: true
+ timeout: 2800
+ priority: -4
+ hooks:
+ preInstall: "$WORKDIR/hooks/packetcreator-setup.sh"
+
+ apitestrig:
+ namespace: apitestrig
+ enabled: true
+ version: 1.3.4
+ chart: mosip/apitestrig
+ set:
+ crontime: "0 2 * * *"
+ apitestrig.configmaps.s3.s3-host: 'http://minio.minio:9000'
+ apitestrig.configmaps.s3.s3-user-key: 'admin'
+ apitestrig.configmaps.s3.s3-region: ''
+ apitestrig.configmaps.db.db-server: "api-internal.sandbox.xyz.net"
+ apitestrig.configmaps.db.db-su-user: "postgres"
+ apitestrig.configmaps.db.db-port: "5433"
+ apitestrig.configmaps.apitestrig.ENV_USER: "api-internal."
+ apitestrig.configmaps.apitestrig.ENV_ENDPOINT: "https://api-internal.sandbox.xyz.net"
+ apitestrig.configmaps.apitestrig.ENV_TESTLEVEL: "smokeAndRegression"
+ apitestrig.configmaps.apitestrig.reportExpirationInDays: "3"
+ apitestrig.configmaps.apitestrig.slack-webhook-url: "https://hooks.slack.com/services/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"
+ apitestrig.configmaps.apitestrig.eSignetDeployed: "yes"
+ apitestrig.configmaps.apitestrig.NS: apitestrig
+ apitestrig.configmaps.apitestrig.servicesNotDeployed: ''
+ apitestrig.configmaps.apitestrig.uinGenerationProcessingDelayTimeInMilliSeconds: "600000"
+ apitestrig.configmaps.apitestrig.vidGenerationProcessingDelayTimeInMilliSeconds: "600000"
+
+ modules.prereg.enabled: true
+ modules.prereg.image.repository: mosipid/apitest-prereg
+ modules.prereg.image.tag: 1.2.0.3
+ modules.prereg.image.pullPolicy: Always
+
+ modules.masterdata.enabled: true
+ modules.masterdata.image.repository: mosipid/apitest-masterdata
+ modules.masterdata.image.tag: 1.2.1.3
+ modules.masterdata.image.pullPolicy: Always
+
+ modules.idrepo.enabled: true
+ modules.idrepo.image.repository: mosipid/apitest-idrepo
+ modules.idrepo.image.tag: 1.2.2.4
+ modules.idrepo.image.pullPolicy: Always
+
+ modules.partner.enabled: true
+ modules.partner.image.repository: mosipid/apitest-pms
+ modules.partner.image.tag: 1.2.2.2
+ modules.partner.image.pullPolicy: Always
+
+ modules.pms.enabled: false
+ modules.pms.image.repository: mosipid/apitest-pms
+ modules.pms.image.tag: 1.3.0-beta.4
+ modules.pms.image.pullPolicy: Always
+
+ modules.resident.enabled: true
+ modules.resident.image.repository: mosipid/apitest-resident
+ modules.resident.image.tag: 1.2.1.3
+ modules.resident.image.pullPolicy: Always
+
+ modules.auth.enabled: true
+ modules.auth.image.repository: mosipid/apitest-auth
+ modules.auth.image.tag: 1.2.1.3
+ modules.auth.image.pullPolicy: Always
+
+ modules.esignet.enabled: false
+ modules.esignet.image.repository: mosipid/apitest-esignet
+ modules.esignet.image.tag: 1.5.1
+ modules.esignet.image.pullPolicy: Always
+
+ modules.mimoto.enabled: false
+ modules.mimoto.image.repository: mosipid/apitest-mimoto
+ modules.mimoto.image.tag: 0.20.0
+ modules.mimoto.image.pullPolicy: Always
+
+ modules.injicertify.enabled: false
+ modules.injicertify.image.repository: mosipid/apitest-injicertify
+ modules.injicertify.image.tag: 0.13.0
+ modules.injicertify.image.pullPolicy: Always
+
+ modules.esignet-signup.enabled: false
+ modules.esignet-signup.image.repository: mosipid/apitest-esignet-signup
+ modules.esignet-signup.image.tag: 1.3.1
+ modules.esignet-signup.image.pullPolicy: Always
+
+ modules.variables.push_reports_to_s3: "yes"
+ priority: -3
+ hooks:
+ preInstall: "$WORKDIR/hooks/apitestrig-setup.sh"
+ dslorchestrator:
+ namespace: dslrig
+ enabled: true
+ version: 1.3.0
+ chart: mosip/dslorchestrator
+ set:
+ # image.repository: "mosipqa/dsl-orchestrator"
+ # image.tag: "1.2.1.x"
+ crontime: "0 4 * * *"
+ dslorchestrator.configmaps.s3.s3-host: 'http://minio.minio:9000'
+ dslorchestrator.configmaps.s3.s3-user-key: 'admin'
+ dslorchestrator.configmaps.s3.s3-region: ''
+ dslorchestrator.configmaps.db.db-server: "api-internal.sandbox.xyz.net"
+ dslorchestrator.configmaps.db.db-su-user: "postgres"
+ dslorchestrator.configmaps.db.db-port: "5433"
+ dslorchestrator.configmaps.dslorchestrator.USER: "api-internal."
+ dslorchestrator.configmaps.dslorchestrator.ENDPOINT: "https://api-internal.sandbox.xyz.net"
+ dslorchestrator.configmaps.dslorchestrator.packetUtilityBaseUrl: "http://packetcreator.packetcreator:80/v1/packetcreator"
+ dslorchestrator.configmaps.dslorchestrator.reportExpirationInDays: "3"
+ dslorchestrator.configmaps.dslorchestrator.NS: "dslrig"
+ dslorchestrator.configmaps.dslorchestrator.servicesNotDeployed: ""
+ dslorchestrator.configmaps.dslorchestrator.eSignetDeployed: "yes"
+ dslorchestrator.configmaps.dslorchestrator.threadCount: "8"
+ dslorchestrator.configmaps.dslorchestrator.scenariosToSkip: ""
+ enable_insecure: false
+ priority: -2
+ hooks:
+ preInstall: "$WORKDIR/hooks/dslrig-setup.sh"
+ uitestrig:
+ namespace: uitestrig
+ enabled: true
+ version: 12.0.2
+ chart: mosip/uitestrig
+ set:
+ # image.repository: ""
+ # image.tag: "develop"
+ enable_insecure: false
+ crontime: "0 3 * * *"
+ uitestrig.configmaps.s3.s3-host: "http://minio.minio:9000"
+ uitestrig.configmaps.s3.s3-user-key: "admin"
+ uitestrig.configmaps.s3.s3-region: ""
+ uitestrig.configmaps.db.db-server: "api-internal.sandbox.xyz.net"
+ uitestrig.configmaps.db.db-su-user: "postgres"
+ uitestrig.configmaps.db.db-port: "5433"
+ uitestrig.configmaps.uitestrig.apiInternalEndPoint: "https://api-internal.sandbox.xyz.net"
+ uitestrig.configmaps.uitestrig.apiEnvUser: "api-internal.sandbox.xyz.net"
+ uitestrig.configmaps.uitestrig.PmpPortalPath: "https://pmp.sandbox.xyz.net"
+ uitestrig.configmaps.uitestrig.adminPortalPath: "https://admin.sandbox.xyz.net"
+ uitestrig.configmaps.uitestrig.residentPortalPath: "https://resident.sandbox.xyz.net"
+ uitestrig.configmaps.uitestrig.NS: "uitestrig"
+
+ priority: -1
+ hooks:
+ preInstall: "$WORKDIR/hooks/uitestrig-setup.sh"
+ postInstall: "$WORKDIR/hooks/trigger-test-jobs.sh"
diff --git a/docs/profile-based-deployment.md b/docs/profile-based-deployment.md
new file mode 100644
index 00000000..aa6007a1
--- /dev/null
+++ b/docs/profile-based-deployment.md
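Review bot: `apitestrig.configmaps.apitestrig.slack-webhook-url` commits a complete Slack incoming-webhook URL (`https://hooks.slack.com/services/T.../B.../...`) as a plain ConfigMap value in a versioned DSF; a webhook URL is a bearer credential — anyone who can read the repo or the ConfigMap can post into that channel — so it should be treated as leaked: revoke and regenerate it in Slack, supply the new value through a Kubernetes Secret or the pipeline's secret store, and leave `apitestrig.configmaps.apitestrig.slack-webhook-url: ""` here like the other blank placeholders in this file. The three rigs also connect to the database as `db-su-user: "postgres"` (the superuser) and to object storage as `s3-user-key: 'admin'`; whether the rig charts require those privileges is not visible here, but if they only read or reset their own test data, a scoped role would bound what a compromised test-rig pod can reach. Because this profile is described in the commit as a copy of the java11 DSFs, the same webhook value is presumably present in the sibling file as well.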
@@ -0,0 +1,266 @@ +# Profile-Based Deployment Architecture + +> **Author:** Bhuminathan +> **Date:** 12 March 2026 +> **Purpose:** Engineering Review — Summary of all infra changes for profile-based multi-version deployment + +--- + +## 1. Problem Statement + +Our existing infra repo had a **single flat set of DSF files and tfvars** that only supported deploying the full MOSIP platform (Java 11 / v1.2.1.0). We needed to: + +1. Support **multiple MOSIP platform versions** side-by-side (Java 11 and Java 21) +2. Support **standalone eSignet deployment** (v1.7.1) without the full MOSIP platform +3. Make the deployment pipeline **generic** — adding a new profile in the future should require minimal workflow changes +4. Ensure **Terraform state isolation** — each profile gets its own state file so they don't collide + +--- + +## 2. What Changed (Overview) + +| Area | Files Changed | What | +|------|--------------|------| +| **Helmsman DSFs** | 15 files (moved + created) | Profile-based directory structure | +| **GitHub Actions (Helmsman)** | 4 workflows | Profile input + generic push detection | +| **GitHub Actions (Terraform)** | 2 workflows | Profile input + profile-aware tfvars path | +| **Terraform Backend** | 1 script | Profile-aware state file naming | +| **Terraform tfvars** | 2 new files | Per-profile infrastructure sizing | + +--- + +## 3. 
Helmsman DSF — Profile Directory Structure + +### Before (flat): +``` +Helmsman/dsf/ +├── prereq-dsf.yaml +├── external-dsf.yaml +├── mosip-dsf.yaml +├── esignet-dsf.yaml +└── testrigs-dsf.yaml +``` + +### After (profile-based): +``` +Helmsman/dsf/ +├── mosip-platform-java11/ ← MOSIP 1.2.1.0 (Java 11) +│ ├── prereq-dsf.yaml +│ ├── external-dsf.yaml +│ ├── mosip-dsf.yaml +│ ├── esignet-dsf.yaml (eSignet v1.4.1) +│ └── testrigs-dsf.yaml +├── mosip-platform-java21/ ← MOSIP 1.3.0 (Java 21) — ready for version updates +│ ├── prereq-dsf.yaml +│ ├── external-dsf.yaml +│ ├── mosip-dsf.yaml +│ ├── esignet-dsf.yaml +│ └── testrigs-dsf.yaml +└── esignet/ ← Standalone eSignet v1.7.1 + ├── prereq-dsf.yaml + ├── external-dsf.yaml (simplified: postgres, redis, kafka, softhsm, keycloak, captcha only) + └── esignet-dsf.yaml (eSignet v1.7.1 + OIDC UI v1.7.1) +``` + +### Key Differences Between Profiles + +| Aspect | mosip-platform-java11 | mosip-platform-java21 | esignet | +|--------|----------------------|----------------------|---------| +| eSignet version | v1.4.1 | v1.4.1 (update pending) | **v1.7.1** | +| OIDC UI version | 1.4.1 | 1.4.1 (update pending) | **1.7.1** | +| DB branch | v1.4.1 | v1.4.1 (update pending) | **v1.7.1** | +| External services | Full (minio, clamav, activemq, etc.) | Full | **Minimal** (postgres, redis, kafka, softhsm, keycloak, captcha) | +| MOSIP platform | ✅ Full (IDA, IDRepo, PMS, etc.) | ✅ Full | ❌ None | +| Test rigs | ✅ | ✅ | ❌ | +| Mock services | Enabled | Enabled | Disabled by default | + +--- + +## 4. 
Helmsman Workflows — Profile Input + Generic Push + +### 4.1 Changes Applied to All 4 Workflows + +| Workflow | Profile Dropdown Options | DSF File Used | +|----------|------------------------|---------------| +| `helmsman_external.yml` | mosip-platform-java11, mosip-platform-java21, esignet | `dsf/{profile}/prereq-dsf.yaml` + `dsf/{profile}/external-dsf.yaml` | +| `helmsman_esignet.yml` | mosip-platform-java11, mosip-platform-java21, esignet | `dsf/{profile}/esignet-dsf.yaml` | +| `helmsman_mosip.yml` | mosip-platform-java11, mosip-platform-java21 | `dsf/{profile}/mosip-dsf.yaml` | +| `helmsman_testrigs.yml` | mosip-platform-java11, mosip-platform-java21 | `dsf/{profile}/testrigs-dsf.yaml` | + +### 4.2 Generic Push Triggers (Glob Patterns) + +Push paths now use `**` globs so new profiles are auto-detected: + +```yaml +# Before (had to list every profile): +paths: + - Helmsman/dsf/mosip-platform-java11/mosip-dsf.yaml + - Helmsman/dsf/mosip-platform-java21/mosip-dsf.yaml + +# After (generic): +paths: + - Helmsman/dsf/**/mosip-dsf.yaml +``` + +### 4.3 Generic Push Profile Detection + +On push, the profile is **dynamically extracted** from the changed file path: + +```bash +# Extracts "mosip-platform-java21" from "Helmsman/dsf/mosip-platform-java21/mosip-dsf.yaml" +PROFILE=$(echo "$CHANGED_FILES" | grep 'mosip-dsf.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') +``` + +No hardcoded profile names in detection logic — adding a new profile directory just works. + +### 4.4 Workflow Chaining Logic + +``` +helmsman_external (esignet profile) + └── STOPS here (no MOSIP platform needed) + +helmsman_external (mosip-platform-* profile) + └── chains to → helmsman_mosip (auto-detected via startsWith('mosip-platform-')) + └── chains to → helmsman_testrigs (commented out, pending stabilization) +``` + +The chaining condition uses `startsWith(github.event.inputs.profile, 'mosip-platform-')` — any future `mosip-platform-*` profile auto-chains. + +--- + +## 5. 
Deployment Flows + +### Flow A: Full MOSIP Platform (mosip-platform-java11 or mosip-platform-java21) + +``` +1. helmsman_external.yml → prereq-dsf.yaml + external-dsf.yaml + (istio, monitoring, postgres, kafka, minio, clamav, etc.) +2. helmsman_mosip.yml → mosip-dsf.yaml + (IDA, IDRepo, PMS, PreReg, Kernel, Resident) +3. helmsman_esignet.yml → esignet-dsf.yaml + (eSignet v1.4.1, OIDC UI, partner onboarding) +4. helmsman_testrigs.yml → testrigs-dsf.yaml + (API test rigs) +``` + +### Flow B: Standalone eSignet (esignet profile) + +``` +1. helmsman_external.yml → prereq-dsf.yaml + external-dsf.yaml + (istio, monitoring, postgres, redis, kafka, softhsm, keycloak, captcha) +2. helmsman_esignet.yml → esignet-dsf.yaml + (eSignet v1.7.1, OIDC UI v1.7.1) + (MOSIP DSF check SKIPPED automatically) +``` + +No `helmsman_mosip` or `helmsman_testrigs` — the `esignet` profile has no `mosip-dsf.yaml` or `testrigs-dsf.yaml`. + +--- + +## 6. Terraform — Profile-Based Infrastructure + +### 6.1 Directory Structure + +``` +terraform/implementations/aws/infra/ +├── aws.tfvars ← original (used by base-infra / observ-infra) +├── main.tf +├── variables.tf +├── outputs.tf +└── profiles/ + ├── mosip/ + │ └── aws.tfvars ← full MOSIP platform sizing + └── esignet/ + └── aws.tfvars ← lightweight standalone eSignet sizing +``` + +### 6.2 Infrastructure Sizing Differences + +| Resource | mosip profile | esignet profile | +|----------|:------------:|:--------------:| +| Instance type (K8s nodes) | t3a.2xlarge | t3a.xlarge | +| Instance type (Nginx) | t3a.2xlarge | t3a.xlarge | +| Control plane nodes | 3 | 2 | +| ETCD nodes | 3 | 2 | +| Worker nodes | 2 | 1 | +| EBS volume 1 | 300 GB | 200 GB | +| EBS volume 2 | 200 GB | 0 (disabled) | +| Public subdomains | 5 (resident, prereg, esignet, healthservices, signup) | 2 (esignet, signup) | +| Internal subdomains | 11 | 4 (iam, kafka, postgres, keycloak) | + +### 6.3 Workflow Changes (terraform.yml + terraform-destroy.yml) + +Both workflows now have an 
**INFRA_PROFILE** input: + +```yaml +INFRA_PROFILE: + description: 'Infrastructure profile (only for infra component)' + type: choice + options: + - mosip + - esignet + default: mosip +``` + +- Profile is **only used for `infra` component** — `base-infra` and `observ-infra` are shared (no profiles) +- Tfvars path: `profiles/{profile}/aws.tfvars` +- Concurrency groups include profile — `mosip` and `esignet` runs don't block each other + +### 6.4 State File Isolation + +The `configure-backend.sh` script now accepts `--profile` and includes it in state file naming: + +| Backend | mosip | esignet | +|---------|-------|---------| +| **Local** | `aws-infra-mosip-main-terraform.tfstate` | `aws-infra-esignet-main-terraform.tfstate` | +| **S3** | key: `aws-infra-mosip-main-terraform.tfstate` | key: `aws-infra-esignet-main-terraform.tfstate` | +| **Azure** | key: `azure-infra-mosip-main-terraform.tfstate` | key: `azure-infra-esignet-main-terraform.tfstate` | +| **GCS** | prefix: `terraform/gcp-infra-mosip-main` | prefix: `terraform/gcp-infra-esignet-main` | + +**Without this fix**, running terraform apply with `mosip` then `esignet` would have used the **same state file** — destroying mosip infra and recreating esignet infra. + +--- + +## 7. Adding a New Profile in the Future + +### Helmsman (e.g., adding `mosip-platform-java25`): + +1. Create `Helmsman/dsf/mosip-platform-java25/` with the DSF files +2. Add `mosip-platform-java25` to the `workflow_dispatch` choice options in the relevant workflows +3. **That's it** — push triggers (glob) and profile detection (sed extraction) are generic + +### Terraform (e.g., adding `inji`): + +1. Create `terraform/implementations/aws/infra/profiles/inji/aws.tfvars` +2. Add `inji` to the `INFRA_PROFILE` choice options in `terraform.yml` and `terraform-destroy.yml` +3. **That's it** — state file naming and backend config auto-include the profile + +--- + +## 8. 
Files Changed Summary + +| # | File | Change Type | Description | +|---|------|-------------|-------------| +| 1 | `Helmsman/dsf/mosip-platform-java11/*` | Renamed (git mv) | Moved from flat `dsf/` to profile dir | +| 2 | `Helmsman/dsf/mosip-platform-java21/*` | Added (copy) | Copy of java11, ready for java21 version updates | +| 3 | `Helmsman/dsf/esignet/prereq-dsf.yaml` | Renamed (git mv) | Same as mosip-platform prereq | +| 4 | `Helmsman/dsf/esignet/external-dsf.yaml` | New | Simplified external services for standalone eSignet | +| 5 | `Helmsman/dsf/esignet/esignet-dsf.yaml` | New | eSignet v1.7.1 standalone DSF | +| 6 | `.github/workflows/helmsman_external.yml` | Modified | Profile input, glob push, generic matrix detection | +| 7 | `.github/workflows/helmsman_esignet.yml` | Modified | Profile input, glob push, generic detection | +| 8 | `.github/workflows/helmsman_mosip.yml` | Modified | Profile input, glob push, generic detection | +| 9 | `.github/workflows/helmsman_testrigs.yml` | Modified | Profile input added, glob push, generic detection | +| 10 | `.github/workflows/terraform.yml` | Modified | INFRA_PROFILE input, profile-aware tfvars path | +| 11 | `.github/workflows/terraform-destroy.yml` | Modified | INFRA_PROFILE input, profile-aware tfvars path | +| 12 | `.github/scripts/configure-backend.sh` | Modified | `--profile` flag, profile in state file names | +| 13 | `terraform/.../profiles/mosip/aws.tfvars` | New | Full MOSIP platform infra sizing | +| 14 | `terraform/.../profiles/esignet/aws.tfvars` | New | Lightweight standalone eSignet sizing | + +--- + +## 9. 
Pending / Next Steps + +- [ ] **Update `mosip-platform-java21` DSFs** — currently identical copies of java11; need to update chart versions, image tags, and DB branches for Java 21 / MOSIP 1.3.0 +- [ ] **Hook scripts** — not touched yet (`Helmsman/hooks/*`); will review one by one +- [ ] **Partner onboarding stabilization** — workflow-caller in `helmsman_mosip.yml` is commented out +- [ ] **eSignet profile tfvars** — placeholder values need real values before first deployment diff --git a/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars b/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars new file mode 100644 index 00000000..2a12e0d3 --- /dev/null +++ b/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars 
@@ -0,0 +1,96 @@
+# ============================================================
+# eSignet Standalone Infrastructure Profile
+# ============================================================
+# Lightweight deployment for standalone eSignet
+# Includes: eSignet, OIDC UI, Postgres, Redis, Kafka, Keycloak
+# Does NOT include full MOSIP platform services
+# ============================================================
+
+# Environment name (infra component)
+cluster_name = ""
+
+# eSignet's domain (ex: esignet.xyz.net)
+cluster_env_domain = ""
+
+# Email-ID will be used by certbot to notify SSL certificate expiry via email
+mosip_email_id = ""
+
+# SSH login key name for AWS node instances (ex: my-ssh-key)
+ssh_key_name = ""
+
+# The AWS region for resource creation
+aws_provider_region = "ap-south-1"
+
+# Specific availability zones for VM deployment (optional)
+specific_availability_zones = []
+
+# The instance type for Kubernetes nodes (control plane, worker, etcd)
+# Smaller instance type since eSignet standalone needs fewer resources
+k8s_instance_type = "t3a.xlarge"
+
+# The instance type for Nginx server (load balancer)
+nginx_instance_type = "t3a.xlarge"
+
+# The Route 53 hosted zone ID
+zone_id = ""
+
+## UBUNTU 24.04
+# The Amazon Machine Image ID for the instances
+ami = "ami-0ad21ae1d0696ad58"
+
+# Repo K8S-INFRA URL
+k8s_infra_repo_url = "https://github.com/mosip/k8s-infra.git"
+
+# Repo K8S-INFRA branch
+k8s_infra_branch = "release-1.2.1.x"
+
+# NGINX Node's Root volume size
+nginx_node_root_volume_size = 24
+
+# NGINX node's EBS volume size
+nginx_node_ebs_volume_size = 200
+
+# NGINX node's second EBS volume size (set to 0 - not needed for standalone eSignet)
+nginx_node_ebs_volume_size_2 = 0
+
+# Kubernetes nodes Root volume size
+k8s_instance_root_volume_size = 64
+
+# Control-plane, ETCD, Worker — smaller cluster for standalone eSignet
+k8s_control_plane_node_count = 2
+
+# ETCD, Worker
+k8s_etcd_node_count = 2
+
+# Worker
+k8s_worker_node_count = 1
+
+# RKE2 Version Configuration
+rke2_version = "v1.28.9+rke2r1"
+
+# Security group CIDRs
+network_cidr = "172.0.0.0/8" # Use your actual VPC CIDR
+WIREGUARD_CIDR = "172.0.0.0/8" # Use your actual WireGuard VPN CIDR
+
+# Rancher Import Configuration
+enable_rancher_import = true
+rancher_import_url = "\"\""
+
+# DNS Records to map — only eSignet-relevant subdomains
+subdomain_public = ["esignet", "signup"]
+subdomain_internal = ["iam", "kafka", "postgres", "keycloak"]
+
+# PostgreSQL Configuration
+enable_postgresql_setup = true
+postgresql_version = "15"
+storage_device = "/dev/nvme2n1"
+mount_point = "/srv/postgres"
+postgresql_port = "5433"
+
+# MOSIP Infrastructure Repository Configuration
+mosip_infra_repo_url = "https://github.com/mosip/infra.git"
+
+mosip_infra_branch = "release-0.2.0"
+
+# VPC Configuration - Existing VPC to use (discovered by Name tag)
+vpc_name = ""
diff --git a/terraform/implementations/aws/infra/profiles/mosip/aws.tfvars b/terraform/implementations/aws/infra/profiles/mosip/aws.tfvars
new file mode 100644
index 00000000..0e94de71
--- /dev/null
+++ b/terraform/implementations/aws/infra/profiles/mosip/aws.tfvars
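Review bot: Under `# Security group CIDRs`, `network_cidr` and `WIREGUARD_CIDR` are both seeded with `172.0.0.0/8` and only an inline comment asks the operator to replace them; if these feed security-group ingress rules as the heading implies, a forgotten placeholder admits the whole 172.0.0.0/8 range instead of one VPC and one VPN, so ship them blank (`network_cidr = ""` / `WIREGUARD_CIDR = ""`) so an unset value fails at plan time, the same way `cluster_name`, `zone_id` and `vpc_name` are left empty in this file. Separately, `rancher_import_url = "\"\""` is an HCL string holding two literal double-quote characters rather than an empty string, and it sits next to `enable_rancher_import = true`; presumably the intent is `rancher_import_url = ""` with `enable_rancher_import = false` until a real import URL is supplied. The commit's own notes call these tfvars placeholders, which is all the more reason for the defaults to be fail-closed rather than permissive.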
@@ -0,0 +1,99 @@
+# ============================================================
+# MOSIP Platform Infrastructure Profile
+# ============================================================
+# Full MOSIP platform deployment with all services
+# Includes: IDA, IDRepo, PMS, PreReg, Kernel, Resident, eSignet
+# ============================================================
+
+# Environment name (infra component)
+cluster_name = ""
+
+# MOSIP's domain (ex: sandbox.xyz.net)
+cluster_env_domain = ""
+
+# Email-ID will be used by certbot to notify SSL certificate expiry via email
+mosip_email_id = ""
+
+# SSH login key name for AWS node instances (ex: my-ssh-key)
+ssh_key_name = ""
+
+# The AWS region for resource creation
+aws_provider_region = "ap-south-1"
+
+# Specific availability zones for VM deployment (optional)
+# If empty, uses all available AZs in the region
+# Example: ["ap-south-1a", "ap-south-1b"] for specific AZs
+# Example: [] for all available AZs in the region
+specific_availability_zones = []
+
+# The instance type for Kubernetes nodes (control plane, worker, etcd)
+k8s_instance_type = "t3a.2xlarge"
+
+# The instance type for Nginx server (load balancer)
+nginx_instance_type = "t3a.2xlarge"
+
+# The Route 53 hosted zone ID
+zone_id = ""
+
+## UBUNTU 24.04
+# The Amazon Machine Image ID for the instances
+ami = "ami-0ad21ae1d0696ad58"
+
+# Repo K8S-INFRA URL
+k8s_infra_repo_url = "https://github.com/mosip/k8s-infra.git"
+
+# Repo K8S-INFRA branch
+k8s_infra_branch = "release-1.2.1.x"
+
+# NGINX Node's Root volume size
+nginx_node_root_volume_size = 24
+
+# NGINX node's EBS volume size
+nginx_node_ebs_volume_size = 300
+
+# NGINX node's second EBS volume size (optional - set to 0 to disable)
+nginx_node_ebs_volume_size_2 = 200 # Enable second EBS volume for PostgreSQL testing
+
+# Kubernetes nodes Root volume size
+k8s_instance_root_volume_size = 64
+
+# Control-plane, ETCD, Worker
+k8s_control_plane_node_count = 3
+
+# ETCD, Worker
+k8s_etcd_node_count = 3
+
+# 
Worker
+k8s_worker_node_count = 2
+
+# RKE2 Version Configuration
+rke2_version = "v1.28.9+rke2r1"
+
+# Security group CIDRs
+network_cidr = "172.0.0.0/8" # Use your actual VPC CIDR
+WIREGUARD_CIDR = "172.0.0.0/8" # Use your actual WireGuard VPN CIDR
+
+
+# Rancher Import URL
+# Rancher Import Configuration
+enable_rancher_import = true
+rancher_import_url = "\"\""
+
+# DNS Records to map
+subdomain_public = ["resident", "prereg", "esignet", "healthservices", "signup"]
+subdomain_internal = ["admin", "iam", "activemq", "kafka", "kibana", "postgres", "smtp", "pmp", "minio", "regclient", "compliance"]
+
+# PostgreSQL Configuration (used when second EBS volume is enabled)
+enable_postgresql_setup = true # Enable PostgreSQL setup for main infra
+postgresql_version = "15"
+storage_device = "/dev/nvme2n1"
+mount_point = "/srv/postgres"
+postgresql_port = "5433"
+
+# MOSIP Infrastructure Repository Configuration
+mosip_infra_repo_url = "https://github.com/mosip/infra.git"
+
+mosip_infra_branch = "release-0.2.0"
+
+# VPC Configuration - Existing VPC to use (discovered by Name tag)
+vpc_name = ""
From edbfd23fb773abf60672a1b965a2b4e358ac667f Mon Sep 17 00:00:00 2001 From: bhumi46 Date: Thu, 12 Mar 2026 14:30:38 +0530 Subject: [PATCH 02/28] [MOSIP-44613]added draw.io Signed-off-by: bhumi46 --- docs/engineer-review-script.txt | 98 +++++++++++++++++ docs/profile-based-deployment.drawio | 152 +++++++++++++++++++++++++++ 2 files changed, 250 insertions(+) create mode 100644 docs/engineer-review-script.txt create mode 100644 docs/profile-based-deployment.drawio
diff --git a/docs/engineer-review-script.txt b/docs/engineer-review-script.txt
new file mode 100644
index 00000000..66ccf748
--- /dev/null
+++ b/docs/engineer-review-script.txt
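Review bot: The two stacked comment lines `# Rancher Import URL` and `# Rancher Import Configuration` introduce the same three-line block; one of them can go. The trailing comment on `nginx_node_ebs_volume_size_2 = 200` says the volume is enabled "for PostgreSQL testing", which reads like a leftover from an experiment now that this file is the reference platform profile; since the PostgreSQL block's own comment says it is used when the second volume is enabled, stating the dependency is clearer, e.g. `nginx_node_ebs_volume_size_2 = 200 # Required when enable_postgresql_setup = true`.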
@@ -0,0 +1,98 @@ +ENGINEER REVIEW CALL — 5 MIN SPEAKING SCRIPT +============================================== +Topic: Profile-Based Deployment Architecture for Infra Repo + + +[OPENING — 30 sec] + +I've been working on making our infra repo profile-based — so we can deploy +the full MOSIP platform and standalone eSignet from the same repo, without +them stepping on each other. + + +[HELMSMAN DSF RESTRUCTURING — 1.5 min] + +Previously, we had a flat structure — one set of DSF files in Helmsman/dsf/. +The problem was, if you wanted standalone eSignet v1.7.1 versus full MOSIP +with eSignet v1.4.1, you'd have to manually edit files every time. + +Now we have three profile directories: + + - mosip-platform-java11 — current MOSIP 1.2.1.0 setup, Java 11 + - mosip-platform-java21 — placeholder for MOSIP 1.3.0, Java 21 migration + - esignet — standalone eSignet v1.7.1 with only the services + it actually needs: postgres, redis, kafka, + softhsm, keycloak, captcha. + No minio, no clamav, no activemq. + +Each profile is a self-contained directory. You pick a profile, you get the +right versions and the right services. + + +[WORKFLOW CHANGES — 1.5 min] + +All four Helmsman workflows and two Terraform workflows now have a profile +dropdown. You select your profile when triggering a run. + +For push triggers, we use glob patterns — Helmsman/dsf/**/mosip-dsf.yaml — +so when someone pushes a change inside any profile directory, the workflow +auto-detects which profile changed using a simple sed extraction. No +hardcoded profile names in the detection logic. + +The chaining also got smarter — if you run helmsman_external with the esignet +profile, it does NOT chain to helmsman_mosip because there's no MOSIP platform +to deploy. It uses startsWith('mosip-platform-') to decide — so any future +mosip-platform-* profile will auto-chain correctly. + + +[TERRAFORM PROFILES — 1 min] + +Same concept for Terraform. 
We have a profiles/ directory under +terraform/implementations/aws/infra/ with mosip and esignet tfvars. + +The esignet profile uses t3a.xlarge instead of t3a.2xlarge, a 2+2+1 node +cluster instead of 3+3+2, and only 2 public subdomains instead of 5. +Significant cost savings for standalone eSignet. + +Critical fix: the configure-backend.sh now takes a --profile flag and +includes the profile name in the state file path. Without this, running +terraform for mosip then esignet would have used the same state file — +effectively destroying one to create the other. + + +[CLOSING — EXTENSIBILITY — 30 sec] + +The key design goal was extensibility. Adding a new profile in the future is +a two-step process: create the directory with your DSF or tfvars files, add +the name to the workflow dropdown. Push detection, state isolation, and +chaining all work automatically. + +Next steps: update java21 DSFs with actual 1.3.0 versions, and review hook +scripts one by one. + + +============================================== +FILES CHANGED (14 total) +============================================== + +Helmsman DSFs: + [MOVED] Helmsman/dsf/*.yaml --> Helmsman/dsf/mosip-platform-java11/ + [ADDED] Helmsman/dsf/mosip-platform-java21/* (copy of java11) + [ADDED] Helmsman/dsf/esignet/esignet-dsf.yaml (eSignet v1.7.1) + [ADDED] Helmsman/dsf/esignet/external-dsf.yaml (simplified services) + [MOVED] Helmsman/dsf/esignet/prereq-dsf.yaml + +Workflows: + [MODIFIED] .github/workflows/helmsman_external.yml + [MODIFIED] .github/workflows/helmsman_esignet.yml + [MODIFIED] .github/workflows/helmsman_mosip.yml + [MODIFIED] .github/workflows/helmsman_testrigs.yml + [MODIFIED] .github/workflows/terraform.yml + [MODIFIED] .github/workflows/terraform-destroy.yml + +Scripts: + [MODIFIED] .github/scripts/configure-backend.sh + +Terraform: + [ADDED] terraform/.../profiles/mosip/aws.tfvars + [ADDED] terraform/.../profiles/esignet/aws.tfvars 
diff --git a/docs/profile-based-deployment.drawio b/docs/profile-based-deployment.drawio new file mode 100644 index 00000000..ce7698e9 --- /dev/null +++ b/docs/profile-based-deployment.drawio @@ -0,0 +1,152 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + From fc9830aa030b78ee15dbca78257acf1822c95c68 Mon Sep 17 00:00:00 2001 From: bhumi46 Date: Thu, 12 Mar 2026 17:50:39 +0530 Subject: [PATCH 03/28] [MOSIP-44613]added separate hooks for profile esignet 
Signed-off-by: bhumi46 --- Helmsman/dsf/esignet/esignet-dsf.yaml | 76 ++--------- Helmsman/dsf/esignet/external-dsf.yaml | 22 +-- .../esignet-1.7.1/captcha-postinstall.sh | 53 ++++++++ ...demo-oidc-partner-onboarder-postinstall.sh | 23 ++++ ...-demo-oidc-partner-onboarder-preinstall.sh | 20 +++ .../hooks/esignet-1.7.1/esignet-init-db.sh | 45 ++++++ .../esignet-partner-onboarder-postinstall.sh | 23 ++++ .../esignet-partner-onboarder-preinstall.sh | 27 ++++ .../hooks/esignet-1.7.1/esignet-preinstall.sh | 94 +++++++++++++ .../hooks/esignet-1.7.1/kafka-postinstall.sh | 28 ++++ .../esignet-1.7.1/keycloak-postinstall.sh | 128 ++++++++++++++++++ .../mock-identity-system-preinstall.sh | 24 ++++ .../mock-relying-party-service-preinstall.sh | 23 ++++ .../mock-relying-party-ui-preinstall.sh | 23 ++++ .../hooks/esignet-1.7.1/oidc-ui-preinstall.sh | 34 +++++ .../esignet-1.7.1/postgres-postinstall.sh | 47 +++++++ .../esignet-1.7.1/postgres-preinstall.sh | 54 ++++++++ Helmsman/hooks/esignet-1.7.1/redis-setup.sh | 55 ++++++++ .../softhsm-esignet-postinstall.sh | 52 +++++++ .../esignet-1.7.1/softhsm-esignet-setup.sh | 31 +++++ ...ofthsm-mock-identity-system-postinstall.sh | 29 ++++ ...softhsm-mock-identity-system-preinstall.sh | 17 +++ 22 files changed, 859 insertions(+), 69 deletions(-) create mode 100755 Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-postinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-preinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-postinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-preinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/esignet-preinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/kafka-postinstall.sh create mode 100755 
Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/mock-relying-party-service-preinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/mock-relying-party-ui-preinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/oidc-ui-preinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/postgres-postinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/redis-setup.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/softhsm-esignet-postinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/softhsm-esignet-setup.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-postinstall.sh create mode 100755 Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-preinstall.sh diff --git a/Helmsman/dsf/esignet/esignet-dsf.yaml b/Helmsman/dsf/esignet/esignet-dsf.yaml index 4ee9b61b..8e26fc8c 100644 --- a/Helmsman/dsf/esignet/esignet-dsf.yaml +++ b/Helmsman/dsf/esignet/esignet-dsf.yaml 
@@ -30,54 +30,8 @@ helmRepos: namespaces: esignet: protected: false - keycloak: - protected: true - softhsm: - protected: false - redis: - protected: false apps: - # --------------------------------------------------------------------------- - # Keycloak Init for eSignet - # --------------------------------------------------------------------------- - # Creates eSignet-specific Keycloak clients and roles. - # Fetches existing client secrets from keycloak namespace if available. - esignet-keycloak-init: - namespace: esignet - enabled: true - version: 12.0.2 - chart: mosip/keycloak-init - valuesFile: "$WORKDIR/utils/keycloak-init-values.yaml" - set: - keycloakExternalHost: "iam.sandbox.xyz.net" - keycloakInternalHost: "keycloak.keycloak" - clientSecrets[0].name: "$PMS_CLIENT_SECRET_KEY" - clientSecrets[0].secret: "$PMS_CLIENT_SECRET_VALUE" - clientSecrets[1].name: "$MPARTNER_DEFAULT_AUTH_SECRET_KEY" - clientSecrets[1].secret: "$MPARTNER_DEFAULT_AUTH_SECRET_VALUE" - timeout: 480 - priority: -14 - hooks: - preInstall: "$WORKDIR/hooks/esignet-preinstall-keycloak-init.sh" - postInstall: "$WORKDIR/hooks/esignet-postinstall-keycloak-init.sh" - - # --------------------------------------------------------------------------- - # Istio Addons for Keycloak (IAM) - # --------------------------------------------------------------------------- - istio-addons-iam: - namespace: keycloak - enabled: true - version: 0.1.0 - chart: $WORKDIR/utils/istio-addons/iam-istio-addons-0.1.0.tgz - set: - keycloakExternalHost: "iam.sandbox.xyz.net" - keycloakInternalHost: "keycloak.keycloak" - service: "keycloak" - wait: true - timeout: 1200 - priority: -13 - # --------------------------------------------------------------------------- # eSignet v1.7.1 # --------------------------------------------------------------------------- 
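Review bot: esignet-dsf.yaml no longer says where eSignet's Keycloak clients and the `PMS_CLIENT_SECRET_*` / `MPARTNER_DEFAULT_AUTH_SECRET_*` wiring come from once `esignet-keycloak-init` and `istio-addons-iam` are dropped here; the diffstat adds `Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh`, which presumably takes that over, but nothing in this file points to it. A one-line comment under `apps:` naming the new owner would save the next reader a search, e.g. `# Keycloak clients/roles for eSignet are created by hooks/esignet-1.7.1/keycloak-postinstall.sh (see external-dsf.yaml, keycloak app).` The removed `keycloak: protected: true` entry was the only protected namespace in this DSF; if external-dsf.yaml is now the sole owner of that namespace, it is worth confirming the flag is set there, since that is what Helmsman consults before destructive operations on releases in a namespace.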
@@ -96,7 +50,7 @@ apps: timeout: 600 priority: -12 hooks: - preInstall: "$WORKDIR/hooks/esignet-preinstall.sh" + preInstall: "$WORKDIR/hooks/esignet-1.7.1/esignet-preinstall.sh" # --------------------------------------------------------------------------- # OIDC UI v1.7.1 @@ -114,7 +68,7 @@ apps: timeout: 1200 priority: -11 hooks: - preInstall: "$WORKDIR/hooks/oidc-ui-preinstall.sh" + preInstall: "$WORKDIR/hooks/esignet-1.7.1/oidc-ui-preinstall.sh" # --------------------------------------------------------------------------- # Mock Identity System (Optional) @@ -130,8 +84,8 @@ apps: timeout: 480 priority: -10 hooks: - preInstall: "$WORKDIR/hooks/softhsm-mock-identity-system-preinstall.sh" - postInstall: "$WORKDIR/hooks/softhsm-mock-identity-system-postinstall.sh" + preInstall: "$WORKDIR/hooks/esignet-1.7.1/softhsm-mock-identity-system-preinstall.sh" + postInstall: "$WORKDIR/hooks/esignet-1.7.1/softhsm-mock-identity-system-postinstall.sh" mock-identity-system: namespace: esignet @@ -146,7 +100,7 @@ apps: timeout: 480 priority: -9 hooks: - preInstall: "$WORKDIR/hooks/mock-identity-system-preinstall.sh" + preInstall: "$WORKDIR/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh" # --------------------------------------------------------------------------- # Mock Relying Party (Optional) @@ -163,7 +117,7 @@ apps: timeout: 480 priority: -8 hooks: - preInstall: "$WORKDIR/hooks/mock-relying-party-service-preinstall.sh" + preInstall: "$WORKDIR/hooks/esignet-1.7.1/mock-relying-party-service-preinstall.sh" mock-relying-party-ui: namespace: esignet @@ -182,7 +136,7 @@ apps: timeout: 480 priority: -7 hooks: - preInstall: "$WORKDIR/hooks/mock-relying-party-ui-preinstall.sh" + preInstall: "$WORKDIR/hooks/esignet-1.7.1/mock-relying-party-ui-preinstall.sh" # --------------------------------------------------------------------------- # Partner Onboarders 
@@ -222,10 +176,10 @@ apps: timeout: 240 priority: -6 hooks: - preInstall: "$WORKDIR/hooks/esignet-partner-onboarder-preinstall.sh" - preUpgrade: "$WORKDIR/hooks/esignet-partner-onboarder-preinstall.sh" - postInstall: "$WORKDIR/hooks/esignet-partner-onboarder-postinstall.sh" - postUpgrade: "$WORKDIR/hooks/esignet-partner-onboarder-postinstall.sh" + preInstall: "$WORKDIR/hooks/esignet-1.7.1/esignet-partner-onboarder-preinstall.sh" + preUpgrade: "$WORKDIR/hooks/esignet-1.7.1/esignet-partner-onboarder-preinstall.sh" + postInstall: "$WORKDIR/hooks/esignet-1.7.1/esignet-partner-onboarder-postinstall.sh" + postUpgrade: "$WORKDIR/hooks/esignet-1.7.1/esignet-partner-onboarder-postinstall.sh" esignet-demo-oidc-partner-onboarder: namespace: esignet @@ -262,7 +216,7 @@ apps: timeout: 240 priority: -5 hooks: - preInstall: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-preinstall.sh" - preUpgrade: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-preinstall.sh" - postInstall: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-postinstall.sh" - postUpgrade: "$WORKDIR/hooks/esignet-demo-oidc-partner-onboarder-postinstall.sh" + preInstall: "$WORKDIR/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-preinstall.sh" + preUpgrade: "$WORKDIR/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-preinstall.sh" + postInstall: "$WORKDIR/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-postinstall.sh" + postUpgrade: "$WORKDIR/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-postinstall.sh" diff --git a/Helmsman/dsf/esignet/external-dsf.yaml b/Helmsman/dsf/esignet/external-dsf.yaml index 8db7b775..096b429d 100644 --- a/Helmsman/dsf/esignet/external-dsf.yaml +++ b/Helmsman/dsf/esignet/external-dsf.yaml @@ -42,9 +42,6 @@ namespaces: protected: false captcha: protected: false - esignet: - protected: false - apps: # --------------------------------------------------------------------------- # PostgreSQL Server 
@@ -54,13 +51,16 @@ apps: # generate-secret-cm.py or manual secret/configmap creation. postgres: namespace: postgres - enabled: false + enabled: true version: 13.1.5 chart: bitnami/postgresql wait: true priority: -18 valuesFile: "$WORKDIR/utils/postgres-values.yaml" timeout: 1200 + hooks: + preInstall: "$WORKDIR/hooks/esignet-1.7.1/postgres-preinstall.sh" + postInstall: "$WORKDIR/hooks/esignet-1.7.1/postgres-postinstall.sh" istio-addons-psql: namespace: postgres @@ -120,7 +120,7 @@ apps: timeout: 180 priority: -16 hooks: - preInstall: "$WORKDIR/hooks/esignet-init-db.sh" + preInstall: "$WORKDIR/hooks/esignet-1.7.1/esignet-init-db.sh" # --------------------------------------------------------------------------- # Redis @@ -138,7 +138,7 @@ apps: timeout: 480 priority: -16 hooks: - postInstall: "$WORKDIR/hooks/redis-setup.sh" + postInstall: "$WORKDIR/hooks/esignet-1.7.1/redis-setup.sh" # --------------------------------------------------------------------------- # Kafka @@ -180,6 +180,8 @@ apps: wait: true timeout: 1200 priority: -15 + hooks: + postInstall: "$WORKDIR/hooks/esignet-1.7.1/kafka-postinstall.sh" kafka-ui: namespace: kafka @@ -221,8 +223,8 @@ apps: timeout: 480 priority: -12 hooks: - preInstall: "$WORKDIR/hooks/softhsm-esignet-setup.sh" - postInstall: "$WORKDIR/hooks/softhsm-esignet-postinstall.sh" + preInstall: "$WORKDIR/hooks/esignet-1.7.1/softhsm-esignet-setup.sh" + postInstall: "$WORKDIR/hooks/esignet-1.7.1/softhsm-esignet-postinstall.sh" # --------------------------------------------------------------------------- # Keycloak (IAM for API Access Control) @@ -274,6 +276,8 @@ apps: wait: true timeout: 1200 priority: -10 + hooks: + postInstall: "$WORKDIR/hooks/esignet-1.7.1/keycloak-postinstall.sh" # --------------------------------------------------------------------------- # Captcha Validation Service @@ -288,3 +292,5 @@ apps: wait: true timeout: 480 priority: -9 + hooks: + postInstall: "$WORKDIR/hooks/esignet-1.7.1/captcha-postinstall.sh" 
diff --git a/Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh
new file mode 100755
index 00000000..259dbc66
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Captcha Post-install
+# =============================================================================
+# Based on: deploy/captcha/install.sh
+# Configures captcha secrets for eSignet and patches captcha deployment
+# with the secret key environment variable.
+#
+# Environment Variables:
+# CAPTCHA_SITE_KEY - reCAPTCHA site key (REQUIRED)
+# CAPTCHA_SECRET_KEY - reCAPTCHA secret key (REQUIRED)
+# ESIGNET_NS - eSignet namespace (default: esignet)
+# =============================================================================
+set -euo pipefail
+
+ESIGNET_NS="${ESIGNET_NS:-esignet}"
+CAPTCHA_NS="captcha"
+CAPTCHA_SITE_KEY="${CAPTCHA_SITE_KEY:?ERROR: CAPTCHA_SITE_KEY environment variable must be set}"
+CAPTCHA_SECRET_KEY="${CAPTCHA_SECRET_KEY:?ERROR: CAPTCHA_SECRET_KEY environment variable must be set}"
+
+echo "================================================"
+echo "eSignet 1.7.1 - Captcha Post-install"
+echo "================================================"
+
+# --- Step 1: Create captcha secrets for eSignet ---
+# Source: deploy/captcha/install.sh - captcha secrets section
+echo "Creating esignet-captcha secret in $ESIGNET_NS namespace"
+kubectl -n "$ESIGNET_NS" create secret generic esignet-captcha \
+ --from-literal=esignet-captcha-site-key="$CAPTCHA_SITE_KEY" \
+ --from-literal=esignet-captcha-secret-key="$CAPTCHA_SECRET_KEY" \
+ --dry-run=client -o yaml | kubectl apply -f -
+
+# --- Step 2: Copy captcha secret to captcha namespace ---
+# Source: deploy/captcha/install.sh -> ../copy_cm_func.sh secret esignet-captcha esignet captcha
+echo "Copying esignet-captcha secret to $CAPTCHA_NS namespace"
+kubectl -n "$ESIGNET_NS" get secret esignet-captcha -o yaml | \
+ sed "s/namespace: $ESIGNET_NS/namespace: $CAPTCHA_NS/g" | \
+ kubectl apply -f -
+
+# --- Step 3: Patch captcha deployment with secret env var ---
+# Source: 
deploy/captcha/install.sh - MOSIP_CAPTCHA_GOOGLERECAPTCHAV2_SECRET_ESIGNET
+echo "Patching captcha deployment with secret key environment variable"
+ENV_VAR_EXISTS=$(kubectl -n "$CAPTCHA_NS" get deployment captcha -o jsonpath="{.spec.template.spec.containers[0].env[?(@.name=='MOSIP_CAPTCHA_GOOGLERECAPTCHAV2_SECRET_ESIGNET')].name}" 2>/dev/null || echo "")
+
+if [[ -z "$ENV_VAR_EXISTS" ]]; then
+ echo "Adding MOSIP_CAPTCHA_GOOGLERECAPTCHAV2_SECRET_ESIGNET env var..."
+ kubectl patch deployment -n "$CAPTCHA_NS" captcha --type='json' \
+ -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env/-", "value": {"name": "MOSIP_CAPTCHA_GOOGLERECAPTCHAV2_SECRET_ESIGNET", "valueFrom": {"secretKeyRef": {"name": "esignet-captcha", "key": "esignet-captcha-secret-key"}}}}]'
+else
+ echo "MOSIP_CAPTCHA_GOOGLERECAPTCHAV2_SECRET_ESIGNET env var already exists."
+fi
+
+echo "Captcha post-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-postinstall.sh
new file mode 100755
index 00000000..523aedc0
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-postinstall.sh
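Review bot: Step 1 passes both reCAPTCHA keys on the `kubectl create secret` command line via `--from-literal`, so for the duration of the call they are readable in the runner's process list (`ps`, `/proc/*/cmdline`) and would be echoed verbatim if anyone later adds `set -x` to this hook; feeding the same Secret to `kubectl apply -f -` as a `stringData` manifest on stdin keeps the values out of argv, as sketched below. In step 3 the JSON patch adds to `/spec/template/spec/containers/0/env/-`, which RFC 6902 rejects when the container has no `env` array at all, so on a chart that ships no env entries the patch fails instead of creating the array — worth confirming against the captcha chart. The `2>/dev/null || echo ""` around the jsonpath lookup also folds "deployment not found" and RBAC errors into "env var absent", so those failures surface only from the subsequent patch, with a less helpful message.
```shell
# --- Step 1: Create captcha secrets for eSignet ---
echo "Creating esignet-captcha secret in $ESIGNET_NS namespace"
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: esignet-captcha
  namespace: $ESIGNET_NS
type: Opaque
stringData:
  esignet-captcha-site-key: "$CAPTCHA_SITE_KEY"
  esignet-captcha-secret-key: "$CAPTCHA_SECRET_KEY"
EOF
# … unchanged: step 2 secret copy and step 3 deployment patch …
```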
@@ -0,0 +1,23 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Demo OIDC Partner Onboarder Post-install
+# =============================================================================
+# Post-install validation after demo OIDC partner onboarding.
+# =============================================================================
+set -euo pipefail
+
+echo "================================================"
+echo "eSignet 1.7.1 - Demo OIDC Partner Onboarder Post-install"
+echo "================================================"
+
+# Check onboarding job status
+JOB_STATUS=$(kubectl -n esignet get jobs -l app.kubernetes.io/instance=esignet-demo-oidc-partner-onboarder -o jsonpath='{.items[0].status.succeeded}' 2>/dev/null || echo "")
+
+if [ "$JOB_STATUS" = "1" ]; then
+ echo "Demo OIDC partner onboarding completed successfully."
+else
+ echo "WARNING: Demo OIDC partner onboarding job may not have completed. Check logs."
+ kubectl -n esignet logs -l app.kubernetes.io/instance=esignet-demo-oidc-partner-onboarder --tail=20 2>/dev/null || true
+fi
+
+echo "Demo OIDC partner onboarder post-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-preinstall.sh
new file mode 100755
index 00000000..71170cdf
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/esignet-demo-oidc-partner-onboarder-preinstall.sh
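Review bot: This hook hardcodes `-n esignet` in both kubectl calls, whereas captcha-postinstall.sh, esignet-init-db.sh and esignet-preinstall.sh in the same commit read `ESIGNET_NS="${ESIGNET_NS:-esignet}"`; a deployment that overrides ESIGNET_NS would have those hooks populate one namespace while this one inspects another. The same hardcoding is in the demo-OIDC pre-install, partner-onboarder post-install and partner-onboarder pre-install hunks below. Adding `ESIGNET_NS="${ESIGNET_NS:-esignet}"` after `set -euo pipefail` and using `kubectl -n "$ESIGNET_NS"` keeps every hook on the same variable. Note also that a job that has failed and one that simply has not finished both only print a WARNING and the hook exits 0, so this hook never marks the release as failed; if a failed onboarding should stop the run, the else branch needs an `exit 1` after the log dump.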
@@ -0,0 +1,20 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Demo OIDC Partner Onboarder Pre-install
+# =============================================================================
+# Prepares for demo OIDC partner onboarding.
+# =============================================================================
+set -euo pipefail
+
+echo "================================================"
+echo "eSignet 1.7.1 - Demo OIDC Partner Onboarder Pre-install"
+echo "================================================"
+
+# Ensure esignet namespace exists
+kubectl create namespace esignet --dry-run=client -o yaml | kubectl apply -f -
+
+# Verify eSignet service is running
+kubectl -n esignet wait --for=condition=ready pod -l app.kubernetes.io/name=esignet --timeout=300s 2>/dev/null || \
+ echo "WARNING: eSignet pods not ready. Demo OIDC partner onboarding may fail."
+
+echo "Demo OIDC partner onboarder pre-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh b/Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh
new file mode 100755
index 00000000..f7283285
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Database Init Pre-install (postgres-init-esignet)
+# =============================================================================
+# Based on: deploy/postgres/postgres-init.sh
+# Copies postgres secrets from postgres namespace to esignet namespace
+# before the postgres-init helm chart runs DB initialization.
+#
+# Environment Variables:
+# ESIGNET_NS - eSignet namespace (default: esignet)
+# =============================================================================
+set -euo pipefail
+
+ESIGNET_NS="${ESIGNET_NS:-esignet}"
+POSTGRES_NS="postgres"
+
+echo "================================================"
+echo "eSignet 1.7.1 - Database Init Pre-install"
+echo "================================================"
+
+# --- Step 1: Ensure esignet namespace exists with istio ---
+kubectl create namespace "$ESIGNET_NS" --dry-run=client -o yaml | kubectl apply -f -
+kubectl label namespace "$ESIGNET_NS" istio-injection=enabled --overwrite
+
+# --- Step 2: Copy postgres-postgresql secret from postgres to esignet ---
+# Source: deploy/postgres/postgres-init.sh -> ../copy_cm_func.sh secret postgres-postgresql postgres esignet
+echo "Copying postgres-postgresql secret to $ESIGNET_NS namespace"
+kubectl -n "$POSTGRES_NS" get secret postgres-postgresql -o yaml | \
+ sed "s/namespace: $POSTGRES_NS/namespace: $ESIGNET_NS/g" | \
+ kubectl apply -f -
+
+# --- Step 3: Copy db-common-secrets from postgres to esignet ---
+# Source: deploy/postgres/postgres-init.sh -> ../copy_cm_func.sh secret db-common-secrets postgres esignet
+echo "Copying db-common-secrets to $ESIGNET_NS namespace"
+kubectl -n "$POSTGRES_NS" get secret db-common-secrets -o yaml | \
+ sed "s/namespace: $POSTGRES_NS/namespace: $ESIGNET_NS/g" | \
+ kubectl apply -f -
+
+# --- Step 4: Copy postgres-config configmap from postgres to esignet ---
+echo "Copying postgres-config configmap to 
$ESIGNET_NS namespace"
+kubectl -n "$POSTGRES_NS" get configmap postgres-config -o yaml | \
+ sed "s/namespace: $POSTGRES_NS/namespace: $ESIGNET_NS/g" | \
+ kubectl apply -f -
+
+echo "Database init pre-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-postinstall.sh
new file mode 100755
index 00000000..14ba9128
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-postinstall.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Partner Onboarder Post-install
+# =============================================================================
+# Post-install cleanup and validation after partner onboarding.
+# =============================================================================
+set -euo pipefail
+
+echo "================================================"
+echo "eSignet 1.7.1 - Partner Onboarder Post-install"
+echo "================================================"
+
+# Check onboarding job status
+JOB_STATUS=$(kubectl -n esignet get jobs -l app.kubernetes.io/instance=esignet-resident-oidc-partner-onboarder -o jsonpath='{.items[0].status.succeeded}' 2>/dev/null || echo "")
+
+if [ "$JOB_STATUS" = "1" ]; then
+ echo "Partner onboarding completed successfully."
+else
+ echo "WARNING: Partner onboarding job may not have completed. Check logs."
+ kubectl -n esignet logs -l app.kubernetes.io/instance=esignet-resident-oidc-partner-onboarder --tail=20 2>/dev/null || true
+fi
+
+echo "Partner onboarder post-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-preinstall.sh
new file mode 100755
index 00000000..aca06794
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/esignet-partner-onboarder-preinstall.sh
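Review bot: Steps 2–4 pipe the raw `kubectl get -o yaml` output straight into `kubectl apply -f -`, so the source object's `metadata.uid`, `resourceVersion`, `creationTimestamp` and `managedFields` travel with it; on a re-run against a target that already exists the stale `resourceVersion`/`uid` may make the apply fail with a conflict, whereas esignet-preinstall.sh in this same commit does `delete --ignore-not-found` followed by `create` (which clears `resourceVersion` client-side) for the same kind of copy — the two hooks should settle on one approach. The same pipe-to-apply copy is in step 2 of captcha-postinstall.sh. Copying `postgres-postgresql` wholesale also presumably hands the esignet namespace the PostgreSQL superuser credentials; that follows the original deploy/postgres scripts, but if `db-common-secrets` already carries what the init job needs, the superuser secret may not need to cross the namespace boundary at all — worth confirming against the postgres-init chart's values.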
@@ -0,0 +1,27 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Partner Onboarder Pre-install
+# =============================================================================
+# Prepares for eSignet + Resident OIDC partner onboarding.
+# =============================================================================
+set -euo pipefail
+
+echo "================================================"
+echo "eSignet 1.7.1 - Partner Onboarder Pre-install"
+echo "================================================"
+
+# Ensure esignet namespace exists
+kubectl create namespace esignet --dry-run=client -o yaml | kubectl apply -f -
+
+# Verify eSignet service is running
+kubectl -n esignet wait --for=condition=ready pod -l app.kubernetes.io/name=esignet --timeout=300s 2>/dev/null || \
+ echo "WARNING: eSignet pods not ready. Partner onboarding may fail."
+
+# Verify Keycloak is accessible
+if kubectl -n keycloak get svc keycloak &>/dev/null; then
+ echo "Keycloak service found."
+else
+ echo "WARNING: Keycloak service not found. Partner onboarding requires Keycloak."
+fi
+
+echo "Partner onboarder pre-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/esignet-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/esignet-preinstall.sh
new file mode 100755
index 00000000..297b356c
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/esignet-preinstall.sh
@@ -0,0 +1,94 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - eSignet Service Pre-install +# ============================================================================= +# Based on: deploy/esignet/install.sh +# Prepares esignet namespace with all required configmaps and secrets +# (softhsm, postgres, redis) before eSignet helm chart deployment. +# +# Environment Variables: +# ESIGNET_NS - eSignet namespace (default: esignet) +# ENABLE_INSECURE - Set to "true" if no valid SSL (default: false) +# SERVICE_MONITOR_FLAG - Enable prometheus service monitor (default: false) +# ============================================================================= +set -euo pipefail + +ESIGNET_NS="${ESIGNET_NS:-esignet}" +SOFTHSM_NS="${SOFTHSM_NS:-softhsm}" +POSTGRES_NS="postgres" +REDIS_NS="redis" + +echo "================================================" +echo "eSignet 1.7.1 - eSignet Service Pre-install" +echo "================================================" + +# --- Step 1: Ensure esignet namespace exists with istio --- +echo "Setting up $ESIGNET_NS namespace" +kubectl create namespace "$ESIGNET_NS" --dry-run=client -o yaml | kubectl apply -f - +kubectl label namespace "$ESIGNET_NS" istio-injection=enabled --overwrite + +# --- Step 2: Update helm repos --- +helm repo add mosip https://mosip.github.io/mosip-helm || true +helm repo update + +# --- Step 3: Copy configmaps from other namespaces --- +# Source: deploy/esignet/install.sh -> copy_cm_func.sh calls + +# Copy esignet-softhsm-share configmap from softhsm namespace +echo "Copying esignet-softhsm-share configmap from $SOFTHSM_NS" +if kubectl -n "$SOFTHSM_NS" get configmap esignet-softhsm-share &>/dev/null; then + kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true configmap esignet-softhsm-share + kubectl -n "$SOFTHSM_NS" get configmap esignet-softhsm-share -o yaml | \ + sed "s/namespace: $SOFTHSM_NS/namespace: $ESIGNET_NS/g" | \ + kubectl -n 
"$ESIGNET_NS" create -f - +else + echo "WARNING: esignet-softhsm-share configmap not found in $SOFTHSM_NS" +fi + +# Copy postgres-config configmap from postgres namespace +echo "Copying postgres-config configmap from $POSTGRES_NS" +if kubectl -n "$POSTGRES_NS" get configmap postgres-config &>/dev/null; then + kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true configmap postgres-config + kubectl -n "$POSTGRES_NS" get configmap postgres-config -o yaml | \ + sed "s/namespace: $POSTGRES_NS/namespace: $ESIGNET_NS/g" | \ + kubectl -n "$ESIGNET_NS" create -f - +else + echo "WARNING: postgres-config configmap not found in $POSTGRES_NS" +fi + +# Copy redis-config configmap from redis namespace +echo "Copying redis-config configmap from $REDIS_NS" +if kubectl -n "$REDIS_NS" get configmap redis-config &>/dev/null; then + kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true configmap redis-config + kubectl -n "$REDIS_NS" get configmap redis-config -o yaml | \ + sed "s/namespace: $REDIS_NS/namespace: $ESIGNET_NS/g" | \ + kubectl -n "$ESIGNET_NS" create -f - +else + echo "WARNING: redis-config configmap not found in $REDIS_NS" +fi + +# --- Step 4: Copy secrets from other namespaces --- + +# Copy esignet-softhsm secret from softhsm namespace +echo "Copying esignet-softhsm secret from $SOFTHSM_NS" +if kubectl -n "$SOFTHSM_NS" get secret esignet-softhsm &>/dev/null; then + kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true secret esignet-softhsm + kubectl -n "$SOFTHSM_NS" get secret esignet-softhsm -o yaml | \ + sed "s/namespace: $SOFTHSM_NS/namespace: $ESIGNET_NS/g" | \ + kubectl -n "$ESIGNET_NS" create -f - +else + echo "WARNING: esignet-softhsm secret not found in $SOFTHSM_NS" +fi + +# Copy redis secret from redis namespace +echo "Copying redis secret from $REDIS_NS" +if kubectl -n "$REDIS_NS" get secret redis &>/dev/null; then + kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true secret redis + kubectl -n "$REDIS_NS" get secret redis -o yaml | \ + sed 
"s/namespace: $REDIS_NS/namespace: $ESIGNET_NS/g" | \ + kubectl -n "$ESIGNET_NS" create -f - +else + echo "WARNING: redis secret not found in $REDIS_NS" +fi + +echo "eSignet pre-install completed. All configmaps and secrets copied." diff --git a/Helmsman/hooks/esignet-1.7.1/kafka-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/kafka-postinstall.sh new file mode 100755 index 00000000..a3c3ae77 --- /dev/null +++ b/Helmsman/hooks/esignet-1.7.1/kafka-postinstall.sh @@ -0,0 +1,28 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - Kafka Post-install +# ============================================================================= +# Based on: deploy/install-prereq.sh (kafka section) +# Creates kafka-config configmap in esignet namespace after Kafka deployment. +# +# Environment Variables: +# KAFKA_URL - Kafka bootstrap servers URL (default: internal kafka cluster) +# ESIGNET_NS - eSignet namespace (default: esignet) +# ============================================================================= +set -euo pipefail + +ESIGNET_NS="${ESIGNET_NS:-esignet}" +KAFKA_URL="${KAFKA_URL:-kafka-0.kafka-headless.kafka.svc.cluster.local:9092,kafka-1.kafka-headless.kafka.svc.cluster.local:9092,kafka-2.kafka-headless.kafka.svc.cluster.local:9092}" + +echo "================================================" +echo "eSignet 1.7.1 - Kafka Post-install" +echo "================================================" + +# --- Create kafka-config configmap in esignet namespace --- +# Source: deploy/install-prereq.sh - kafka configmap creation +echo "Creating kafka-config configmap in $ESIGNET_NS namespace" +kubectl -n "$ESIGNET_NS" create configmap kafka-config \ + --from-literal=SPRING_KAFKA_BOOTSTRAP-SERVERS="$KAFKA_URL" \ + --dry-run=client -o yaml | kubectl apply -f - + +echo "Kafka post-install completed." 
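Review bot: The copy pipeline `kubectl get ... -o yaml | sed "s/namespace: $SOFTHSM_NS/namespace: $ESIGNET_NS/g" | kubectl -n "$ESIGNET_NS" create -f -` forwards the full live object, so `metadata.resourceVersion`, `uid`, `creationTimestamp`, `managedFields`, `ownerReferences` and the source's annotations travel with it, and the global `sed` also rewrites any `data` or annotation value that happens to contain `namespace: <source>`. The API server is expected to reject a create that carries a `resourceVersion`, and an object copied with an `ownerReferences` entry pointing at another namespace becomes a garbage-collection candidate; both are worth confirming on a live run. A stricter form uses a tool this series already depends on: `kubectl -n "$SOFTHSM_NS" get secret esignet-softhsm -o json | jq --arg ns "$ESIGNET_NS" '.metadata = {name: .metadata.name, namespace: $ns, labels: .metadata.labels}' | kubectl create -f -`. The same pipeline appears in the database-init hook at the top of this chunk and, with `kubectl apply -f -` and no prior delete, in keycloak-postinstall and softhsm-esignet-postinstall, where a stale `resourceVersion` can additionally produce a conflict on an existing target object. Each copy makes the secret readable by anyone holding `get secrets` in the esignet namespace, so that namespace's RBAC bindings should be reviewed alongside this change.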
diff --git a/Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh
new file mode 100755
index 00000000..433f5f2c
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh 
@@ -0,0 +1,128 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - Keycloak Post-install (Keycloak Init) +# ============================================================================= +# Based on: deploy/keycloak/keycloak-init.sh + deploy/initialise-prereq.sh +# Copies keycloak configmaps/secrets to esignet namespace and runs +# keycloak-init helm chart to create eSignet-specific clients and roles. +# +# Environment Variables: +# INSTALLATION_DOMAIN - Base domain (default: sandbox.xyz.net) +# KEYCLOAK_INIT_VERSION - keycloak-init chart version (default: 12.0.2) +# ESIGNET_NS - eSignet namespace (default: esignet) +# ============================================================================= +set -euo pipefail + +ESIGNET_NS="${ESIGNET_NS:-esignet}" +KEYCLOAK_NS="keycloak" +CHART_VERSION="${KEYCLOAK_INIT_VERSION:-12.0.2}" +INSTALLATION_DOMAIN="${INSTALLATION_DOMAIN:-sandbox.xyz.net}" +IAMHOST_URL="iam.${INSTALLATION_DOMAIN}" + +echo "================================================" +echo "eSignet 1.7.1 - Keycloak Post-install (Init)" +echo "================================================" + +# --- Step 1: Copy keycloak configmaps and secrets to esignet namespace --- +# Source: deploy/keycloak/keycloak-init.sh - copy_cm_func.sh calls +echo "Copying keycloak configmaps and secrets to $ESIGNET_NS namespace" + +# Copy keycloak-host configmap +if kubectl -n "$KEYCLOAK_NS" get configmap keycloak-host &>/dev/null; then + kubectl -n "$KEYCLOAK_NS" get configmap keycloak-host -o yaml | \ + sed "s/namespace: $KEYCLOAK_NS/namespace: $ESIGNET_NS/g" | \ + kubectl apply -f - + echo "keycloak-host configmap copied." 
+else + # Create keycloak-host configmap if keycloak didn't create it + echo "Creating keycloak-host configmap" + kubectl -n "$ESIGNET_NS" create configmap keycloak-host \ + --from-literal=keycloak-external-url="https://$IAMHOST_URL" \ + --from-literal=keycloak-internal-url="http://keycloak.$KEYCLOAK_NS" \ + --dry-run=client -o yaml | kubectl apply -f - +fi + +# Copy keycloak-env-vars configmap +if kubectl -n "$KEYCLOAK_NS" get configmap keycloak-env-vars &>/dev/null; then + kubectl -n "$KEYCLOAK_NS" get configmap keycloak-env-vars -o yaml | \ + sed "s/namespace: $KEYCLOAK_NS/namespace: $ESIGNET_NS/g" | \ + kubectl apply -f - + echo "keycloak-env-vars configmap copied." +fi + +# Copy keycloak secret +if kubectl -n "$KEYCLOAK_NS" get secret keycloak &>/dev/null; then + kubectl -n "$KEYCLOAK_NS" get secret keycloak -o yaml | \ + sed "s/namespace: $KEYCLOAK_NS/namespace: $ESIGNET_NS/g" | \ + kubectl apply -f - + echo "keycloak secret copied." +fi + +# --- Step 2: Read existing client secrets if any --- +# Source: deploy/keycloak/keycloak-init.sh - reading existing secrets +echo "Checking for existing keycloak-client-secrets" +HELM_SET_SECRETS="" + +declare -A SECRET_KEYS=( + ["mosip_pms_client_secret"]="0" + ["mpartner_default_auth_secret"]="1" + ["mosip_ida_client_secret"]="2" + ["mosip_deployment_client_secret"]="3" + ["mpartner_default_mobile_secret"]="4" +) + +if kubectl -n "$KEYCLOAK_NS" get secret keycloak-client-secrets &>/dev/null; then + echo "Found existing keycloak-client-secrets. Preserving client secrets." + for key in "${!SECRET_KEYS[@]}"; do + idx="${SECRET_KEYS[$key]}" + val=$(kubectl -n "$KEYCLOAK_NS" get secret keycloak-client-secrets \ + -o jsonpath="{.data.$key}" 2>/dev/null | base64 -d 2>/dev/null || echo "") + if [[ -n "$val" ]]; then + HELM_SET_SECRETS="$HELM_SET_SECRETS --set clientSecrets[$idx].name=$key --set clientSecrets[$idx].secret=$val" + fi + done +else + echo "No existing keycloak-client-secrets found. Fresh install." 
+fi + +# --- Step 3: Run keycloak-init helm chart --- +# Source: deploy/keycloak/keycloak-init.sh - helm install keycloak-init +echo "Installing esignet-keycloak-init" +helm repo add mosip https://mosip.github.io/mosip-helm || true +helm repo update + +kubectl -n "$ESIGNET_NS" delete secret --ignore-not-found=true keycloak-client-secrets +helm -n "$ESIGNET_NS" delete esignet-keycloak-init 2>/dev/null || true + +eval helm -n "$ESIGNET_NS" install esignet-keycloak-init mosip/keycloak-init \ + $HELM_SET_SECRETS \ + --set keycloak.realms.mosip.realm_config.attributes.frontendUrl="https://$IAMHOST_URL/auth" \ + --set keycloakInternalHost="keycloak.$KEYCLOAK_NS" \ + --set keycloakExternalHost="$IAMHOST_URL" \ + --version "$CHART_VERSION" --wait --wait-for-jobs + +# --- Step 4: Sync updated client secrets back to keycloak namespace --- +# Source: deploy/keycloak/keycloak-init.sh - secret sync back +echo "Syncing keycloak-client-secrets back to $KEYCLOAK_NS namespace" +if kubectl -n "$ESIGNET_NS" get secret keycloak-client-secrets &>/dev/null; then + if kubectl -n "$KEYCLOAK_NS" get secret keycloak-client-secrets &>/dev/null; then + # Update existing secret in keycloak namespace + for key in "${!SECRET_KEYS[@]}"; do + val=$(kubectl -n "$ESIGNET_NS" get secret keycloak-client-secrets \ + -o jsonpath="{.data.$key}" 2>/dev/null || echo "") + if [[ -n "$val" ]]; then + kubectl -n "$KEYCLOAK_NS" get secret keycloak-client-secrets -o json | \ + jq ".data[\"$key\"]=\"$val\"" | \ + kubectl apply -f - + fi + done + else + # Copy entire secret to keycloak namespace + kubectl -n "$ESIGNET_NS" get secret keycloak-client-secrets -o yaml | \ + sed "s/namespace: $ESIGNET_NS/namespace: $KEYCLOAK_NS/g" | \ + kubectl apply -f - + fi + echo "keycloak-client-secrets synced to $KEYCLOAK_NS namespace." +fi + +echo "Keycloak post-install (init) completed." 
diff --git a/Helmsman/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh
new file mode 100755
index 00000000..f3b795fd
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Mock Identity System Pre-install
+# =============================================================================
+# Prepares esignet namespace for mock identity system deployment.
+# =============================================================================
+set -euo pipefail
+
+echo "================================================"
+echo "eSignet 1.7.1 - Mock Identity System Pre-install"
+echo "================================================"
+
+# Ensure esignet namespace exists
+kubectl create namespace esignet --dry-run=client -o yaml | kubectl apply -f -
+
+# Verify SoftHSM mock identity configmap exists in esignet namespace
+if kubectl -n esignet get configmap softhsm-mock-identity-system-share &>/dev/null; then
+ echo "SoftHSM mock identity system configmap found."
+else
+ echo "WARNING: softhsm-mock-identity-system-share configmap not found in esignet namespace."
+ echo "Ensure softhsm-mock-identity-system is deployed and post-install hook has run."
+fi
+
+echo "Mock identity system pre-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/mock-relying-party-service-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/mock-relying-party-service-preinstall.sh
new file mode 100755
index 00000000..3077072e
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/mock-relying-party-service-preinstall.sh 
@@ -0,0 +1,23 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Mock Relying Party Service Pre-install
+# =============================================================================
+# Prepares for mock relying party service deployment.
+# =============================================================================
+set -euo pipefail
+
+echo "================================================"
+echo "eSignet 1.7.1 - Mock Relying Party Service Pre-install"
+echo "================================================"
+
+# Ensure esignet namespace exists
+kubectl create namespace esignet --dry-run=client -o yaml | kubectl apply -f -
+
+# Verify eSignet service is available
+if kubectl -n esignet get svc esignet &>/dev/null; then
+ echo "eSignet service found."
+else
+ echo "WARNING: eSignet service not found. Mock relying party service needs eSignet to be running."
+fi
+
+echo "Mock relying party service pre-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/mock-relying-party-ui-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/mock-relying-party-ui-preinstall.sh
new file mode 100755
index 00000000..e16d43f8
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/mock-relying-party-ui-preinstall.sh 
@@ -0,0 +1,23 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - Mock Relying Party UI Pre-install
+# =============================================================================
+# Prepares for mock relying party UI deployment.
+# =============================================================================
+set -euo pipefail
+
+echo "================================================"
+echo "eSignet 1.7.1 - Mock Relying Party UI Pre-install"
+echo "================================================"
+
+# Ensure esignet namespace exists
+kubectl create namespace esignet --dry-run=client -o yaml | kubectl apply -f -
+
+# Verify mock relying party service is available
+if kubectl -n esignet get svc mock-relying-party-service &>/dev/null; then
+ echo "Mock relying party service found."
+else
+ echo "WARNING: Mock relying party service not found. UI depends on the service being deployed."
+fi
+
+echo "Mock relying party UI pre-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/oidc-ui-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/oidc-ui-preinstall.sh
new file mode 100755
index 00000000..63cc2e0d
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/oidc-ui-preinstall.sh 
@@ -0,0 +1,34 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - OIDC UI Pre-install
+# =============================================================================
+# Based on: deploy/oidc-ui/install.sh
+# Waits for eSignet service readiness before deploying OIDC UI.
+# Theme, language, and provider name are configured via DSF helm set values.
+#
+# Environment Variables:
+# ESIGNET_NS - eSignet namespace (default: esignet)
+# =============================================================================
+set -euo pipefail
+
+ESIGNET_NS="${ESIGNET_NS:-esignet}"
+
+echo "================================================"
+echo "eSignet 1.7.1 - OIDC UI Pre-install"
+echo "================================================"
+
+# --- Step 1: Ensure esignet namespace exists ---
+kubectl create namespace "$ESIGNET_NS" --dry-run=client -o yaml | kubectl apply -f -
+kubectl label namespace "$ESIGNET_NS" istio-injection=enabled --overwrite
+
+# --- Step 2: Update helm repos ---
+helm repo add mosip https://mosip.github.io/mosip-helm || true
+helm repo update
+
+# --- Step 3: Wait for eSignet service to be available ---
+# Source: deploy/oidc-ui/install.sh - eSignet must be running before OIDC UI
+echo "Waiting for eSignet service to be ready..."
+kubectl -n "$ESIGNET_NS" wait --for=condition=ready pod -l app.kubernetes.io/name=esignet --timeout=300s 2>/dev/null || \
+ echo "WARNING: eSignet pods not yet ready. OIDC UI may need to retry connections."
+
+echo "OIDC UI pre-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/postgres-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/postgres-postinstall.sh
new file mode 100755
index 00000000..6b78bb46
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/postgres-postinstall.sh 
@@ -0,0 +1,47 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - Postgres Post-install +# ============================================================================= +# Based on: deploy/postgres/generate-secret-cm.py +# Creates postgres secrets (db-common-secrets) and configmap (postgres-config) +# after PostgreSQL helm chart deployment. Replaces interactive Python script +# with environment variable driven approach. +# +# Environment Variables: +# DB_USER_PASSWORD - Database user password (REQUIRED) +# POSTGRES_HOST - PostgreSQL host (default: postgres-postgresql.postgres) +# POSTGRES_PORT - PostgreSQL port (default: 5432) +# DB_USER - Database username (default: esignetuser) +# DB_NAME - Database name (default: mosip_esignet) +# ============================================================================= +set -euo pipefail + +POSTGRES_NS="postgres" +DB_USER_PASSWORD="${DB_USER_PASSWORD:?ERROR: DB_USER_PASSWORD environment variable must be set}" +POSTGRES_HOST="${POSTGRES_HOST:-postgres-postgresql.postgres}" +POSTGRES_PORT="${POSTGRES_PORT:-5432}" +DB_USER="${DB_USER:-esignetuser}" +DB_NAME="${DB_NAME:-mosip_esignet}" + +echo "================================================" +echo "eSignet 1.7.1 - Postgres Post-install" +echo "================================================" + +# --- Step 1: Create db-common-secrets --- +# Source: deploy/postgres/generate-secret-cm.py -> create_or_update_secret() +echo "Creating db-common-secrets in $POSTGRES_NS namespace" +kubectl -n "$POSTGRES_NS" create secret generic db-common-secrets \ + --from-literal=db-dbuser-password="$DB_USER_PASSWORD" \ + --dry-run=client -o yaml | kubectl apply -f - + +# --- Step 2: Create postgres-config configmap --- +# Source: deploy/postgres/generate-secret-cm.py -> create_or_update_configmap() +echo "Creating postgres-config configmap in $POSTGRES_NS namespace" +kubectl -n "$POSTGRES_NS" create configmap postgres-config \ + 
--from-literal=database-host="$POSTGRES_HOST" \ + --from-literal=database-port="$POSTGRES_PORT" \ + --from-literal=database-username="$DB_USER" \ + --from-literal=database-name="$DB_NAME" \ + --dry-run=client -o yaml | kubectl apply -f - + +echo "Postgres post-install completed. Secrets and configmaps created." diff --git a/Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh new file mode 100755 index 00000000..5d3b1bd0 --- /dev/null +++ b/Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh 
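Review bot: `--from-literal=db-dbuser-password="$DB_USER_PASSWORD"` in step 1 places the database password on the `kubectl` command line, where it is readable through `/proc` and `ps` by other processes on the runner and is echoed verbatim if anyone enables `set -x` for debugging. Feeding it through a file descriptor keeps the same Secret key: `--from-file=db-dbuser-password=<(printf '%s' "$DB_USER_PASSWORD")` (process substitution resolves to a `/dev/fd/N` path on Linux; confirm kubectl reads it on the runner image). The `:?` guard on `DB_USER_PASSWORD` is the right shape for a required value; the same guard on `POSTGRES_HOST` would avoid silently writing the `postgres-postgresql.postgres` default into `postgres-config` when an external database is in use, which the DSF header on this page lists as an option.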
@@ -0,0 +1,54 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - Postgres Pre-install +# ============================================================================= +# Based on: deploy/install-prereq.sh +# Creates esignet namespace, applies esignet-global configmap, and prepares +# postgres namespace before PostgreSQL helm chart deployment. +# +# Environment Variables: +# INSTALLATION_DOMAIN - Base domain (default: sandbox.xyz.net) +# ESIGNET_NS - eSignet namespace (default: esignet) +# ============================================================================= +set -euo pipefail + +ESIGNET_NS="${ESIGNET_NS:-esignet}" +INSTALLATION_DOMAIN="${INSTALLATION_DOMAIN:-sandbox.xyz.net}" + +echo "================================================" +echo "eSignet 1.7.1 - Postgres Pre-install" +echo "================================================" + +# --- Step 1: Create esignet namespace (referenced by esignet-global configmap) --- +echo "Creating $ESIGNET_NS namespace" +kubectl create namespace "$ESIGNET_NS" --dry-run=client -o yaml | kubectl apply -f - +kubectl label namespace "$ESIGNET_NS" istio-injection=enabled --overwrite + +# --- Step 2: Apply esignet-global configmap --- +# Source: deploy/esignet-global-cm.yaml.sample +echo "Applying esignet-global configmap in $ESIGNET_NS namespace" +cat < ../copy_cm_func.sh configmap redis-config redis esignet +echo "Copying redis-config configmap to $ESIGNET_NS namespace" +kubectl -n "$REDIS_NS" get configmap redis-config -o yaml | \ + sed "s/namespace: $REDIS_NS/namespace: $ESIGNET_NS/g" | \ + kubectl apply -f - + +# --- Step 4: Copy redis secret to esignet namespace --- +# Source: deploy/esignet/install.sh -> ../copy_cm_func.sh secret redis redis esignet +echo "Copying redis secret to $ESIGNET_NS namespace" +kubectl -n "$REDIS_NS" get secret redis -o yaml | \ + sed "s/namespace: $REDIS_NS/namespace: $ESIGNET_NS/g" | \ + kubectl apply -f - + +echo "Redis setup 
completed. Config and credentials shared with $ESIGNET_NS namespace."
diff --git a/Helmsman/hooks/esignet-1.7.1/softhsm-esignet-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/softhsm-esignet-postinstall.sh
new file mode 100755
index 00000000..45afddef
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/softhsm-esignet-postinstall.sh 
@@ -0,0 +1,52 @@ +#!/bin/bash +# ============================================================================= +# eSignet 1.7.1 - SoftHSM eSignet Post-install +# ============================================================================= +# Based on: deploy/esignet/install.sh (copy_cm_func.sh calls for softhsm) +# Shares SoftHSM configmap and secrets from softhsm namespace to esignet +# namespace after SoftHSM deployment. +# +# Environment Variables: +# SOFTHSM_NS - SoftHSM namespace (default: softhsm) +# ESIGNET_NS - eSignet namespace (default: esignet) +# ============================================================================= +set -euo pipefail + +SOFTHSM_NS="${SOFTHSM_NS:-softhsm}" +ESIGNET_NS="${ESIGNET_NS:-esignet}" + +echo "================================================" +echo "eSignet 1.7.1 - SoftHSM eSignet Post-install" +echo "================================================" + +# --- Step 1: Wait for SoftHSM pod to be ready --- +echo "Waiting for SoftHSM pod to be ready..." +kubectl -n "$SOFTHSM_NS" wait --for=condition=ready pod -l app.kubernetes.io/instance=esignet-softhsm --timeout=300s || \ + echo "WARNING: SoftHSM pod not ready yet. Continuing with configmap/secret copy." + +# --- Step 2: Copy esignet-softhsm-share configmap to esignet namespace --- +# Source: deploy/esignet/install.sh -> ../copy_cm_func.sh configmap esignet-softhsm-share softhsm esignet +echo "Copying esignet-softhsm-share configmap to $ESIGNET_NS namespace" +if kubectl -n "$SOFTHSM_NS" get configmap esignet-softhsm-share &>/dev/null; then + kubectl -n "$SOFTHSM_NS" get configmap esignet-softhsm-share -o yaml | \ + sed "s/namespace: $SOFTHSM_NS/namespace: $ESIGNET_NS/g" | \ + kubectl apply -f - + echo "esignet-softhsm-share configmap copied." +else + echo "WARNING: esignet-softhsm-share configmap not found in $SOFTHSM_NS." + echo "SoftHSM helm chart may create it on first use." 
+fi + +# --- Step 3: Copy esignet-softhsm secret to esignet namespace --- +# Source: deploy/esignet/install.sh -> ../copy_cm_func.sh secret esignet-softhsm softhsm esignet +echo "Copying esignet-softhsm secret to $ESIGNET_NS namespace" +if kubectl -n "$SOFTHSM_NS" get secret esignet-softhsm &>/dev/null; then + kubectl -n "$SOFTHSM_NS" get secret esignet-softhsm -o yaml | \ + sed "s/namespace: $SOFTHSM_NS/namespace: $ESIGNET_NS/g" | \ + kubectl apply -f - + echo "esignet-softhsm secret copied." +else + echo "WARNING: esignet-softhsm secret not found in $SOFTHSM_NS." +fi + +echo "SoftHSM eSignet post-install completed." diff --git a/Helmsman/hooks/esignet-1.7.1/softhsm-esignet-setup.sh b/Helmsman/hooks/esignet-1.7.1/softhsm-esignet-setup.sh new file mode 100755 index 00000000..5bcb61cc --- /dev/null +++ b/Helmsman/hooks/esignet-1.7.1/softhsm-esignet-setup.sh 
@@ -0,0 +1,31 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - SoftHSM eSignet Pre-install Setup
+# =============================================================================
+# Based on: deploy/softhsm/install.sh
+# Creates softhsm namespace and prepares for SoftHSM deployment.
+#
+# Environment Variables:
+# SOFTHSM_NS - SoftHSM namespace (default: softhsm)
+# =============================================================================
+set -euo pipefail
+
+SOFTHSM_NS="${SOFTHSM_NS:-softhsm}"
+
+echo "================================================"
+echo "eSignet 1.7.1 - SoftHSM eSignet Pre-install"
+echo "================================================"
+
+# --- Create softhsm namespace ---
+echo "Creating $SOFTHSM_NS namespace"
+kubectl create namespace "$SOFTHSM_NS" --dry-run=client -o yaml | kubectl apply -f -
+
+# --- Label namespace for Istio sidecar injection ---
+echo "Applying Istio injection label"
+kubectl label namespace "$SOFTHSM_NS" istio-injection=enabled --overwrite
+
+# --- Update helm repos ---
+echo "Updating helm repos"
+helm repo update
+
+echo "SoftHSM eSignet pre-install setup completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-postinstall.sh
new file mode 100755
index 00000000..4f39bd1e
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-postinstall.sh 
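Review bot: `helm repo update` on its own fails under `set -e` when the runner has no repositories configured (helm 3 reports that no repositories were found), whereas the other hooks in this series first run `helm repo add mosip https://mosip.github.io/mosip-helm || true`; adding that line before the update keeps this hook from aborting on a fresh runner. `SOFTHSM_NS` is read from the environment here, but the mock-identity-system counterparts in the following hunks hardcode `softhsm`; using the variable in both keeps the two SoftHSM deployments from landing in different namespaces when it is overridden.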
@@ -0,0 +1,29 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - SoftHSM Mock Identity System Post-install
+# =============================================================================
+# Shares SoftHSM mock identity system configmap with esignet namespace.
+# =============================================================================
+set -euo pipefail
+
+echo "================================================"
+echo "eSignet 1.7.1 - SoftHSM Mock Identity System Post-install"
+echo "================================================"
+
+# Wait for SoftHSM mock identity pod to be ready
+kubectl -n softhsm wait --for=condition=ready pod -l app.kubernetes.io/instance=softhsm-mock-identity-system --timeout=300s 2>/dev/null || \
+ echo "WARNING: SoftHSM mock identity system pod not yet ready."
+
+# Share SoftHSM mock identity configmap with esignet namespace
+MOCK_HSM_PIN=$(kubectl -n softhsm get secret softhsm-mock-identity-system -o jsonpath='{.data.security-pin}' 2>/dev/null || echo "")
+
+if [ -n "$MOCK_HSM_PIN" ]; then
+ kubectl -n esignet create configmap softhsm-mock-identity-system-share \
+ --from-literal=softhsm-pin="$(echo "$MOCK_HSM_PIN" | base64 -d)" \
+ --dry-run=client -o yaml | kubectl apply -f -
+ echo "SoftHSM mock identity system credentials shared with esignet namespace."
+else
+ echo "WARNING: SoftHSM mock identity system secret not found."
+fi
+
+echo "SoftHSM mock identity system post-install completed."
diff --git a/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-preinstall.sh
new file mode 100755
index 00000000..99a1ea0d
--- /dev/null
+++ b/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-preinstall.sh 
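Review bot: The decoded HSM `security-pin` is written into a ConfigMap (`create configmap softhsm-mock-identity-system-share --from-literal=softhsm-pin=...`), which is readable by any principal with `get configmaps` in `esignet`, is outside Secret encryption at rest and Secret-scoped RBAC, and passes through the `kubectl` argv in clear text. The esignet-softhsm counterpart in softhsm-esignet-postinstall copies the Secret object itself; copying `softhsm-mock-identity-system` the same way, or creating a Secret here, keeps the PIN inside the Secret API, though if the mock-identity-system chart expects a ConfigMap under that name its values and the ConfigMap check in mock-identity-system-preinstall have to change with this hook. `|| echo ""` on the secret read also folds a permission error into the generic "secret not found" warning; dropping the `2>/dev/null` would at least leave the real reason in the log.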
@@ -0,0 +1,17 @@
+#!/bin/bash
+# =============================================================================
+# eSignet 1.7.1 - SoftHSM Mock Identity System Pre-install
+# =============================================================================
+# Prepares SoftHSM for the mock identity system.
+# =============================================================================
+set -euo pipefail
+
+echo "================================================"
+echo "eSignet 1.7.1 - SoftHSM Mock Identity System Pre-install"
+echo "================================================"
+
+# Ensure softhsm namespace exists
+kubectl create namespace softhsm --dry-run=client -o yaml | kubectl apply -f -
+kubectl label namespace softhsm istio-injection=enabled --overwrite
+
+echo "SoftHSM mock identity system pre-install completed."
From a5e20a784ed230105dffcd23b0727b9b20907156 Mon Sep 17 00:00:00 2001 From: bhumi46 Date: Tue, 24 Mar 2026 11:48:36 +0530 Subject: [PATCH 04/28] [MOSIP-44622] added minio configs to dsf Signed-off-by: bhumi46 --- Helmsman/dsf/esignet/external-dsf.yaml | 33 +++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/Helmsman/dsf/esignet/external-dsf.yaml b/Helmsman/dsf/esignet/external-dsf.yaml
index 096b429d..6a36c83e 100644
--- a/Helmsman/dsf/esignet/external-dsf.yaml
+++ b/Helmsman/dsf/esignet/external-dsf.yaml
@@ -5,7 +5,7 @@
 # standalone eSignet v1.7.1 deployment (without full MOSIP platform).
 #
 # Components:
-# - PostgreSQL (optional, disabled by default if using external DB)
+# - PostgreSQL (optional, disable it if using external DB)
 # - PostgreSQL Init (eSignet DB only - v1.7.1 branch)
 # - Redis
 # - Kafka + Kafka UI 
@@ -294,3 +294,34 @@ apps:
 priority: -9
 hooks:
 postInstall: "$WORKDIR/hooks/esignet-1.7.1/captcha-postinstall.sh"
+
+ minio:
+ namespace: minio
+ enabled: true
+ version: 10.1.6
+ chart: mosip/minio
+ set:
+ image.repository: "mosipid/minio"
+ image.tag: "2022.2.7-debian-10-r0"
+ metrics.serviceMonitor.enabled: "true"
+ extraEnvVars[0].name: "MINIO_PROMETHEUS_URL"
+ extraEnvVars[0].value: "http://rancher-monitoring-prometheus.cattle-monitoring-system:9090"
+ extraEnvVars[1].name: "MINIO_PROMETHEUS_JOB_ID"
+ extraEnvVars[1].value: "minio"
+ resourcesPreset: "none"
+ wait: true
+ timeout: 1200
+ priority: -8
+
+ istio-addons-minio:
+ namespace: minio
+ enabled: true
+ version: 1.2.0
+ chart: $WORKDIR/utils/istio-addons/minio-istio-addons-1.2.0.tgz
+ set:
+ externalHost: "minio.sandbox.xyz.net"
+ wait: true
+ timeout: 1200
+ hooks:
+ postInstall: "$WORKDIR/hooks/s3-setup.sh "
+ priority: -9
From 77d5030c88b7668d6669753b4b71aba6dbb86e27 Mon Sep 17 00:00:00 2001 From: bhumi46 <111699703+bhumi46@users.noreply.github.com> Date: Tue, 24 Mar 2026 12:36:26 +0530 Subject: [PATCH 05/28] Delete docs/engineer-review-script.txt Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com> --- docs/engineer-review-script.txt | 98 --------------------------------- 1 file changed, 98 deletions(-) delete mode 100644 docs/engineer-review-script.txt
diff --git a/docs/engineer-review-script.txt b/docs/engineer-review-script.txt
deleted file mode 100644
index 66ccf748..00000000
--- a/docs/engineer-review-script.txt
+++ /dev/null 
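Review bot: `postInstall: "$WORKDIR/hooks/s3-setup.sh "` carries a trailing space inside the quotes, so Helmsman is handed a path ending in a space and the hook will not resolve unless Helmsman trims it; the other hook paths in this file have none, and `postInstall: "$WORKDIR/hooks/s3-setup.sh"` fixes it. `externalHost: "minio.sandbox.xyz.net"` hardcodes the placeholder domain that the hook scripts otherwise derive from `INSTALLATION_DOMAIN`, so a deployment that forgets to edit the DSF publishes MinIO under the wrong host. `image.tag: "2022.2.7-debian-10-r0"` pins a 2022 MinIO build into a profile introduced in 2026; it is worth recording in a comment next to the pin where it is tracked so it is reviewed rather than inherited.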
@@ -1,98 +0,0 @@ -ENGINEER REVIEW CALL — 5 MIN SPEAKING SCRIPT -============================================== -Topic: Profile-Based Deployment Architecture for Infra Repo - - -[OPENING — 30 sec] - -I've been working on making our infra repo profile-based — so we can deploy -the full MOSIP platform and standalone eSignet from the same repo, without -them stepping on each other. - - -[HELMSMAN DSF RESTRUCTURING — 1.5 min] - -Previously, we had a flat structure — one set of DSF files in Helmsman/dsf/. -The problem was, if you wanted standalone eSignet v1.7.1 versus full MOSIP -with eSignet v1.4.1, you'd have to manually edit files every time. - -Now we have three profile directories: - - - mosip-platform-java11 — current MOSIP 1.2.1.0 setup, Java 11 - - mosip-platform-java21 — placeholder for MOSIP 1.3.0, Java 21 migration - - esignet — standalone eSignet v1.7.1 with only the services - it actually needs: postgres, redis, kafka, - softhsm, keycloak, captcha. - No minio, no clamav, no activemq. - -Each profile is a self-contained directory. You pick a profile, you get the -right versions and the right services. - - -[WORKFLOW CHANGES — 1.5 min] - -All four Helmsman workflows and two Terraform workflows now have a profile -dropdown. You select your profile when triggering a run. - -For push triggers, we use glob patterns — Helmsman/dsf/**/mosip-dsf.yaml — -so when someone pushes a change inside any profile directory, the workflow -auto-detects which profile changed using a simple sed extraction. No -hardcoded profile names in the detection logic. - -The chaining also got smarter — if you run helmsman_external with the esignet -profile, it does NOT chain to helmsman_mosip because there's no MOSIP platform -to deploy. It uses startsWith('mosip-platform-') to decide — so any future -mosip-platform-* profile will auto-chain correctly. - - -[TERRAFORM PROFILES — 1 min] - -Same concept for Terraform. 
We have a profiles/ directory under -terraform/implementations/aws/infra/ with mosip and esignet tfvars. - -The esignet profile uses t3a.xlarge instead of t3a.2xlarge, a 2+2+1 node -cluster instead of 3+3+2, and only 2 public subdomains instead of 5. -Significant cost savings for standalone eSignet. - -Critical fix: the configure-backend.sh now takes a --profile flag and -includes the profile name in the state file path. Without this, running -terraform for mosip then esignet would have used the same state file — -effectively destroying one to create the other. - - -[CLOSING — EXTENSIBILITY — 30 sec] - -The key design goal was extensibility. Adding a new profile in the future is -a two-step process: create the directory with your DSF or tfvars files, add -the name to the workflow dropdown. Push detection, state isolation, and -chaining all work automatically. - -Next steps: update java21 DSFs with actual 1.3.0 versions, and review hook -scripts one by one. - - -============================================== -FILES CHANGED (14 total) -============================================== - -Helmsman DSFs: - [MOVED] Helmsman/dsf/*.yaml --> Helmsman/dsf/mosip-platform-java11/ - [ADDED] Helmsman/dsf/mosip-platform-java21/* (copy of java11) - [ADDED] Helmsman/dsf/esignet/esignet-dsf.yaml (eSignet v1.7.1) - [ADDED] Helmsman/dsf/esignet/external-dsf.yaml (simplified services) - [MOVED] Helmsman/dsf/esignet/prereq-dsf.yaml - -Workflows: - [MODIFIED] .github/workflows/helmsman_external.yml - [MODIFIED] .github/workflows/helmsman_esignet.yml - [MODIFIED] .github/workflows/helmsman_mosip.yml - [MODIFIED] .github/workflows/helmsman_testrigs.yml - [MODIFIED] .github/workflows/terraform.yml - [MODIFIED] .github/workflows/terraform-destroy.yml - -Scripts: - [MODIFIED] .github/scripts/configure-backend.sh - -Terraform: - [ADDED] terraform/.../profiles/mosip/aws.tfvars - [ADDED] terraform/.../profiles/esignet/aws.tfvars 
From 0fc3a0531d9fc57552985e10f344ac08c6fbe3a1 Mon Sep 17 00:00:00 2001 From: bhumi46 <111699703+bhumi46@users.noreply.github.com> Date: Tue, 24 Mar 2026 12:37:18 +0530 Subject: [PATCH 06/28] Delete docs/profile-based-deployment.md Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com> --- docs/profile-based-deployment.md | 266 ------------------------------- 1 file changed, 266 deletions(-) delete mode 100644 docs/profile-based-deployment.md diff --git a/docs/profile-based-deployment.md b/docs/profile-based-deployment.md deleted file mode 100644 index aa6007a1..00000000 --- a/docs/profile-based-deployment.md +++ /dev/null 
@@ -1,266 +0,0 @@ -# Profile-Based Deployment Architecture - -> **Author:** Bhuminathan -> **Date:** 12 March 2026 -> **Purpose:** Engineering Review — Summary of all infra changes for profile-based multi-version deployment - ---- - -## 1. Problem Statement - -Our existing infra repo had a **single flat set of DSF files and tfvars** that only supported deploying the full MOSIP platform (Java 11 / v1.2.1.0). We needed to: - -1. Support **multiple MOSIP platform versions** side-by-side (Java 11 and Java 21) -2. Support **standalone eSignet deployment** (v1.7.1) without the full MOSIP platform -3. Make the deployment pipeline **generic** — adding a new profile in the future should require minimal workflow changes -4. Ensure **Terraform state isolation** — each profile gets its own state file so they don't collide - ---- - -## 2. What Changed (Overview) - -| Area | Files Changed | What | -|------|--------------|------| -| **Helmsman DSFs** | 15 files (moved + created) | Profile-based directory structure | -| **GitHub Actions (Helmsman)** | 4 workflows | Profile input + generic push detection | -| **GitHub Actions (Terraform)** | 2 workflows | Profile input + profile-aware tfvars path | -| **Terraform Backend** | 1 script | Profile-aware state file naming | -| **Terraform tfvars** | 2 new files | Per-profile infrastructure sizing | - ---- - -## 3. 
Helmsman DSF — Profile Directory Structure - -### Before (flat): -``` -Helmsman/dsf/ -├── prereq-dsf.yaml -├── external-dsf.yaml -├── mosip-dsf.yaml -├── esignet-dsf.yaml -└── testrigs-dsf.yaml -``` - -### After (profile-based): -``` -Helmsman/dsf/ -├── mosip-platform-java11/ ← MOSIP 1.2.1.0 (Java 11) -│ ├── prereq-dsf.yaml -│ ├── external-dsf.yaml -│ ├── mosip-dsf.yaml -│ ├── esignet-dsf.yaml (eSignet v1.4.1) -│ └── testrigs-dsf.yaml -├── mosip-platform-java21/ ← MOSIP 1.3.0 (Java 21) — ready for version updates -│ ├── prereq-dsf.yaml -│ ├── external-dsf.yaml -│ ├── mosip-dsf.yaml -│ ├── esignet-dsf.yaml -│ └── testrigs-dsf.yaml -└── esignet/ ← Standalone eSignet v1.7.1 - ├── prereq-dsf.yaml - ├── external-dsf.yaml (simplified: postgres, redis, kafka, softhsm, keycloak, captcha only) - └── esignet-dsf.yaml (eSignet v1.7.1 + OIDC UI v1.7.1) -``` - -### Key Differences Between Profiles - -| Aspect | mosip-platform-java11 | mosip-platform-java21 | esignet | -|--------|----------------------|----------------------|---------| -| eSignet version | v1.4.1 | v1.4.1 (update pending) | **v1.7.1** | -| OIDC UI version | 1.4.1 | 1.4.1 (update pending) | **1.7.1** | -| DB branch | v1.4.1 | v1.4.1 (update pending) | **v1.7.1** | -| External services | Full (minio, clamav, activemq, etc.) | Full | **Minimal** (postgres, redis, kafka, softhsm, keycloak, captcha) | -| MOSIP platform | ✅ Full (IDA, IDRepo, PMS, etc.) | ✅ Full | ❌ None | -| Test rigs | ✅ | ✅ | ❌ | -| Mock services | Enabled | Enabled | Disabled by default | - ---- - -## 4. 
Helmsman Workflows — Profile Input + Generic Push - -### 4.1 Changes Applied to All 4 Workflows - -| Workflow | Profile Dropdown Options | DSF File Used | -|----------|------------------------|---------------| -| `helmsman_external.yml` | mosip-platform-java11, mosip-platform-java21, esignet | `dsf/{profile}/prereq-dsf.yaml` + `dsf/{profile}/external-dsf.yaml` | -| `helmsman_esignet.yml` | mosip-platform-java11, mosip-platform-java21, esignet | `dsf/{profile}/esignet-dsf.yaml` | -| `helmsman_mosip.yml` | mosip-platform-java11, mosip-platform-java21 | `dsf/{profile}/mosip-dsf.yaml` | -| `helmsman_testrigs.yml` | mosip-platform-java11, mosip-platform-java21 | `dsf/{profile}/testrigs-dsf.yaml` | - -### 4.2 Generic Push Triggers (Glob Patterns) - -Push paths now use `**` globs so new profiles are auto-detected: - -```yaml -# Before (had to list every profile): -paths: - - Helmsman/dsf/mosip-platform-java11/mosip-dsf.yaml - - Helmsman/dsf/mosip-platform-java21/mosip-dsf.yaml - -# After (generic): -paths: - - Helmsman/dsf/**/mosip-dsf.yaml -``` - -### 4.3 Generic Push Profile Detection - -On push, the profile is **dynamically extracted** from the changed file path: - -```bash -# Extracts "mosip-platform-java21" from "Helmsman/dsf/mosip-platform-java21/mosip-dsf.yaml" -PROFILE=$(echo "$CHANGED_FILES" | grep 'mosip-dsf.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') -``` - -No hardcoded profile names in detection logic — adding a new profile directory just works. - -### 4.4 Workflow Chaining Logic - -``` -helmsman_external (esignet profile) - └── STOPS here (no MOSIP platform needed) - -helmsman_external (mosip-platform-* profile) - └── chains to → helmsman_mosip (auto-detected via startsWith('mosip-platform-')) - └── chains to → helmsman_testrigs (commented out, pending stabilization) -``` - -The chaining condition uses `startsWith(github.event.inputs.profile, 'mosip-platform-')` — any future `mosip-platform-*` profile auto-chains. - ---- - -## 5. 
Deployment Flows - -### Flow A: Full MOSIP Platform (mosip-platform-java11 or mosip-platform-java21) - -``` -1. helmsman_external.yml → prereq-dsf.yaml + external-dsf.yaml - (istio, monitoring, postgres, kafka, minio, clamav, etc.) -2. helmsman_mosip.yml → mosip-dsf.yaml - (IDA, IDRepo, PMS, PreReg, Kernel, Resident) -3. helmsman_esignet.yml → esignet-dsf.yaml - (eSignet v1.4.1, OIDC UI, partner onboarding) -4. helmsman_testrigs.yml → testrigs-dsf.yaml - (API test rigs) -``` - -### Flow B: Standalone eSignet (esignet profile) - -``` -1. helmsman_external.yml → prereq-dsf.yaml + external-dsf.yaml - (istio, monitoring, postgres, redis, kafka, softhsm, keycloak, captcha) -2. helmsman_esignet.yml → esignet-dsf.yaml - (eSignet v1.7.1, OIDC UI v1.7.1) - (MOSIP DSF check SKIPPED automatically) -``` - -No `helmsman_mosip` or `helmsman_testrigs` — the `esignet` profile has no `mosip-dsf.yaml` or `testrigs-dsf.yaml`. - ---- - -## 6. Terraform — Profile-Based Infrastructure - -### 6.1 Directory Structure - -``` -terraform/implementations/aws/infra/ -├── aws.tfvars ← original (used by base-infra / observ-infra) -├── main.tf -├── variables.tf -├── outputs.tf -└── profiles/ - ├── mosip/ - │ └── aws.tfvars ← full MOSIP platform sizing - └── esignet/ - └── aws.tfvars ← lightweight standalone eSignet sizing -``` - -### 6.2 Infrastructure Sizing Differences - -| Resource | mosip profile | esignet profile | -|----------|:------------:|:--------------:| -| Instance type (K8s nodes) | t3a.2xlarge | t3a.xlarge | -| Instance type (Nginx) | t3a.2xlarge | t3a.xlarge | -| Control plane nodes | 3 | 2 | -| ETCD nodes | 3 | 2 | -| Worker nodes | 2 | 1 | -| EBS volume 1 | 300 GB | 200 GB | -| EBS volume 2 | 200 GB | 0 (disabled) | -| Public subdomains | 5 (resident, prereg, esignet, healthservices, signup) | 2 (esignet, signup) | -| Internal subdomains | 11 | 4 (iam, kafka, postgres, keycloak) | - -### 6.3 Workflow Changes (terraform.yml + terraform-destroy.yml) - -Both workflows now have an 
**INFRA_PROFILE** input: - -```yaml -INFRA_PROFILE: - description: 'Infrastructure profile (only for infra component)' - type: choice - options: - - mosip - - esignet - default: mosip -``` - -- Profile is **only used for `infra` component** — `base-infra` and `observ-infra` are shared (no profiles) -- Tfvars path: `profiles/{profile}/aws.tfvars` -- Concurrency groups include profile — `mosip` and `esignet` runs don't block each other - -### 6.4 State File Isolation - -The `configure-backend.sh` script now accepts `--profile` and includes it in state file naming: - -| Backend | mosip | esignet | -|---------|-------|---------| -| **Local** | `aws-infra-mosip-main-terraform.tfstate` | `aws-infra-esignet-main-terraform.tfstate` | -| **S3** | key: `aws-infra-mosip-main-terraform.tfstate` | key: `aws-infra-esignet-main-terraform.tfstate` | -| **Azure** | key: `azure-infra-mosip-main-terraform.tfstate` | key: `azure-infra-esignet-main-terraform.tfstate` | -| **GCS** | prefix: `terraform/gcp-infra-mosip-main` | prefix: `terraform/gcp-infra-esignet-main` | - -**Without this fix**, running terraform apply with `mosip` then `esignet` would have used the **same state file** — destroying mosip infra and recreating esignet infra. - ---- - -## 7. Adding a New Profile in the Future - -### Helmsman (e.g., adding `mosip-platform-java25`): - -1. Create `Helmsman/dsf/mosip-platform-java25/` with the DSF files -2. Add `mosip-platform-java25` to the `workflow_dispatch` choice options in the relevant workflows -3. **That's it** — push triggers (glob) and profile detection (sed extraction) are generic - -### Terraform (e.g., adding `inji`): - -1. Create `terraform/implementations/aws/infra/profiles/inji/aws.tfvars` -2. Add `inji` to the `INFRA_PROFILE` choice options in `terraform.yml` and `terraform-destroy.yml` -3. **That's it** — state file naming and backend config auto-include the profile - ---- - -## 8. 
Files Changed Summary - -| # | File | Change Type | Description | -|---|------|-------------|-------------| -| 1 | `Helmsman/dsf/mosip-platform-java11/*` | Renamed (git mv) | Moved from flat `dsf/` to profile dir | -| 2 | `Helmsman/dsf/mosip-platform-java21/*` | Added (copy) | Copy of java11, ready for java21 version updates | -| 3 | `Helmsman/dsf/esignet/prereq-dsf.yaml` | Renamed (git mv) | Same as mosip-platform prereq | -| 4 | `Helmsman/dsf/esignet/external-dsf.yaml` | New | Simplified external services for standalone eSignet | -| 5 | `Helmsman/dsf/esignet/esignet-dsf.yaml` | New | eSignet v1.7.1 standalone DSF | -| 6 | `.github/workflows/helmsman_external.yml` | Modified | Profile input, glob push, generic matrix detection | -| 7 | `.github/workflows/helmsman_esignet.yml` | Modified | Profile input, glob push, generic detection | -| 8 | `.github/workflows/helmsman_mosip.yml` | Modified | Profile input, glob push, generic detection | -| 9 | `.github/workflows/helmsman_testrigs.yml` | Modified | Profile input added, glob push, generic detection | -| 10 | `.github/workflows/terraform.yml` | Modified | INFRA_PROFILE input, profile-aware tfvars path | -| 11 | `.github/workflows/terraform-destroy.yml` | Modified | INFRA_PROFILE input, profile-aware tfvars path | -| 12 | `.github/scripts/configure-backend.sh` | Modified | `--profile` flag, profile in state file names | -| 13 | `terraform/.../profiles/mosip/aws.tfvars` | New | Full MOSIP platform infra sizing | -| 14 | `terraform/.../profiles/esignet/aws.tfvars` | New | Lightweight standalone eSignet sizing | - ---- - -## 9. 
Pending / Next Steps - -- [ ] **Update `mosip-platform-java21` DSFs** — currently identical copies of java11; need to update chart versions, image tags, and DB branches for Java 21 / MOSIP 1.3.0 -- [ ] **Hook scripts** — not touched yet (`Helmsman/hooks/*`); will review one by one -- [ ] **Partner onboarding stabilization** — workflow-caller in `helmsman_mosip.yml` is commented out -- [ ] **eSignet profile tfvars** — placeholder values need real values before first deployment From 9a02f0c0bc7f62af1432b99aa80e26186cfcb6c3 Mon Sep 17 00:00:00 2001 From: bhumi46 Date: Tue, 24 Mar 2026 14:56:36 +0530 Subject: [PATCH 07/28] [MOSIP-44613] Updated code rabbit suggestion for configure-backend.sh Signed-off-by: bhumi46 --- .github/scripts/configure-backend.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/scripts/configure-backend.sh b/.github/scripts/configure-backend.sh index 44599e62..59f1a2f2 100755 --- a/.github/scripts/configure-backend.sh +++ b/.github/scripts/configure-backend.sh @@ -149,7 +149,6 @@ create_local_backend() { # Include branch name for consistency and to avoid conflicts # Use 'local' as default branch name if not provided local branch_suffix="${branch:-local}" - local profile="$3" local state_file if [ -n "$profile" ]; then state_file="${provider}-${component}-${profile}-${branch_suffix}-terraform.tfstate" From 75a45ca27445904d12f72d53086a9c122b3c8083 Mon Sep 17 00:00:00 2001 From: bhumi46 <111699703+bhumi46@users.noreply.github.com> Date: Tue, 24 Mar 2026 15:08:07 +0530 Subject: [PATCH 08/28] Update Helmsman/dsf/esignet/external-dsf.yaml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com> --- Helmsman/dsf/esignet/external-dsf.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Helmsman/dsf/esignet/external-dsf.yaml b/Helmsman/dsf/esignet/external-dsf.yaml index 6a36c83e..3659e50b 100644 --- a/Helmsman/dsf/esignet/external-dsf.yaml 
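Review bot: With `local profile="$3"` removed, `create_local_backend` now reads `profile` from the caller's scope, as it already does for `branch`, but nothing in the function says so and a reader seeing `if [ -n "$profile" ]` will look for a parameter. Add a header line such as `# Globals (read): profile, branch — set by the argument parser before this function is called`, or, if callers still pass a third positional argument, keep the parameter and fix the caller instead. If the script runs under `set -u`, an unset `profile` now aborts here rather than falling through to the unprofiled state-file name; worth confirming that is the intended behaviour. The function starts and ends outside the hunk.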
+++ b/Helmsman/dsf/esignet/external-dsf.yaml @@ -42,6 +42,8 @@ namespaces: protected: false captcha: protected: false + minio: + protected: false apps: # --------------------------------------------------------------------------- # PostgreSQL Server From 9a95f6507d36ec348c2c4598d942cfd9e446fd33 Mon Sep 17 00:00:00 2001 From: bhumi46 <111699703+bhumi46@users.noreply.github.com> Date: Tue, 24 Mar 2026 15:20:52 +0530 Subject: [PATCH 09/28] Update Helmsman/dsf/esignet/external-dsf.yaml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com> --- Helmsman/dsf/esignet/external-dsf.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Helmsman/dsf/esignet/external-dsf.yaml b/Helmsman/dsf/esignet/external-dsf.yaml index 3659e50b..ccf6b148 100644 --- a/Helmsman/dsf/esignet/external-dsf.yaml +++ b/Helmsman/dsf/esignet/external-dsf.yaml @@ -314,6 +314,7 @@ apps: wait: true timeout: 1200 priority: -8 + # Ensure minio is deployed before its Istio addons istio-addons-minio: namespace: minio @@ -326,4 +327,4 @@ apps: timeout: 1200 hooks: postInstall: "$WORKDIR/hooks/s3-setup.sh " - priority: -9 + priority: -7 From 054db4b0a81abeddd9d17d0421b8f408118206c4 Mon Sep 17 00:00:00 2001 From: bhumi46 Date: Tue, 24 Mar 2026 15:26:57 +0530 Subject: [PATCH 10/28] [MOSIP-44613] removed trailing space Signed-off-by: bhumi46 --- Helmsman/dsf/esignet/external-dsf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Helmsman/dsf/esignet/external-dsf.yaml b/Helmsman/dsf/esignet/external-dsf.yaml index ccf6b148..aac12869 100644 --- a/Helmsman/dsf/esignet/external-dsf.yaml +++ b/Helmsman/dsf/esignet/external-dsf.yaml @@ -326,5 +326,5 @@ apps: wait: true timeout: 1200 hooks: - postInstall: "$WORKDIR/hooks/s3-setup.sh " + postInstall: "$WORKDIR/hooks/s3-setup.sh" priority: -7 From 1a0a01f1bbc139109158e596bbdf1d050238e0fe Mon Sep 17 00:00:00 2001 
From: bhumi46 <111699703+bhumi46@users.noreply.github.com> Date: Tue, 24 Mar 2026 15:28:11 +0530 Subject: [PATCH 11/28] Update Helmsman/dsf/mosip-platform-java21/external-dsf.yaml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com> --- Helmsman/dsf/mosip-platform-java21/external-dsf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Helmsman/dsf/mosip-platform-java21/external-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/external-dsf.yaml index 0c9967cf..394c893f 100644 --- a/Helmsman/dsf/mosip-platform-java21/external-dsf.yaml +++ b/Helmsman/dsf/mosip-platform-java21/external-dsf.yaml @@ -79,7 +79,7 @@ apps: databases.mosip_keymgr.port: 5433 databases.mosip_kernel.enabled: "true" - databases.mosip_kernel.branch: " v1.2.0.2" + databases.mosip_kernel.branch: "v1.2.0.2" databases.mosip_kernel.host: "postgres.sandbox.xyz.net" databases.mosip_kernel.port: 5433 From bff85ce8f6a8eacdea9e9a1b5bcfdd017bf2ef8a Mon Sep 17 00:00:00 2001 From: bhumi46 Date: Tue, 24 Mar 2026 15:33:02 +0530 Subject: [PATCH 12/28] [MOSIP-44613] removed trailing space Signed-off-by: bhumi46 --- Helmsman/utils/rancher-loggig-values.yaml | 181 ---------------------- 1 file changed, 181 deletions(-) delete mode 100644 Helmsman/utils/rancher-loggig-values.yaml diff --git a/Helmsman/utils/rancher-loggig-values.yaml b/Helmsman/utils/rancher-loggig-values.yaml deleted file mode 100644 index 4fbdd1f1..00000000 --- a/Helmsman/utils/rancher-loggig-values.yaml +++ /dev/null 
@@ -1,181 +0,0 @@ -additionalLoggingSources: - aks: - enabled: false - eks: - enabled: false - gke: - enabled: false - k3s: - container_engine: systemd - enabled: false - stripUnderscores: false - kubeAudit: - auditFilename: '' - enabled: false - fluentbit: - logTag: kube-audit - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/controlplane - value: 'true' - - effect: NoExecute - key: node-role.kubernetes.io/etcd - value: 'true' - pathPrefix: '' - rke: - enabled: false - fluentbit: - log_level: info - mem_buffer_limit: 5MB - rke2: - enabled: true - stripUnderscores: false -affinity: {} -annotations: {} -createCustomResource: false -debug: false -disablePvc: true -env: [] -extraArgs: - - '-enable-leader-election=true' -fluentbit: - filterKubernetes: - Merge_Log: '' - Merge_Log_Key: '' - Merge_Log_Trim: '' - Merge_Parser: '' - inputTail: - Buffer_Chunk_Size: '' - Buffer_Max_Size: '' - Mem_Buf_Limit: '' - Multiline_Flush: '' - Skip_Long_Lines: '' - resources: {} - tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/controlplane - value: 'true' - - effect: NoExecute - key: node-role.kubernetes.io/etcd - value: 'true' -fluentd: - bufferStorageVolume: {} - env: [] - livenessProbe: - initialDelaySeconds: 30 - periodSeconds: 15 - tcpSocket: - port: 24240 - nodeSelector: {} - resources: {} - tolerations: {} -fullnameOverride: '' -global: - cattle: - psp: - enabled: false - systemProjectId: p-mhh2f - dockerRootDirectory: '' - rkeWindowsPathPrefix: c:\ - seLinux: - enabled: false -http: - port: 8080 - service: - annotations: {} - clusterIP: None - labels: {} - type: ClusterIP -image: - pullPolicy: IfNotPresent - repository: rancher/mirrored-kube-logging-logging-operator - tag: 4.4.0 -imagePullSecrets: [] -images: - config_reloader: - repository: rancher/mirrored-jimmidyson-configmap-reload - tag: v0.4.0 - fluentbit: - repository: rancher/mirrored-fluent-fluent-bit - tag: 2.2.0 - fluentbit_debug: - repository: rancher/mirrored-fluent-fluent-bit 
- tag: 2.2.0-debug - fluentd: - repository: rancher/mirrored-banzaicloud-fluentd - tag: v1.14.6-alpine-5 - nodeagent_fluentbit: - os: windows - repository: rancher/fluent-bit - tag: 2.2.0 -logging: - allowClusterResourcesFromAllNamespaces: false - clusterDomain: cluster.local. - clusterFlows: [] - clusterOutputs: [] - controlNamespace: '' - defaultFlow: {} - enableRecreateWorkloadOnImmutableFieldChange: false - enabled: false - errorOutputRef: '' - eventTailer: {} - flowConfigCheckDisabled: false - flowConfigOverride: '' - fluentbit: {} - fluentbitDisabled: false - fluentd: {} - fluentdDisabled: false - globalFilters: [] - hostTailer: {} - loggingRef: '' - nodeAgents: {} - skipInvalidResources: false - syslogNG: {} - watchNamespaceSelector: {} - watchNamespaces: [] -loggingServiceAccountAnnotations: {} -monitoring: - serviceMonitor: - additionalLabels: {} - enabled: false - metricRelabelings: [] - relabelings: [] -nameOverride: '' -namespaceOverride: '' -nodeAgents: - tls: - enabled: false -nodeSelector: - kubernetes.io/os: linux -podLabels: {} -podSecurityContext: {} -priorityClassName: {} -rbac: - enabled: true - psp: - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default - seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default -replicaCount: 1 -resources: {} -securityContext: {} -serviceAccount: - annotations: {} -systemdLogPath: /run/log/journal -testReceiver: - enabled: false - image: fluent/fluent-bit - port: 8080 - pullPolicy: IfNotPresent - service: - annotations: {} - clusterIP: None - labels: {} - type: ClusterIP -tolerations: - - effect: NoSchedule - key: cattle.io/os - operator: Equal - value: linux -volumeMounts: [] -volumes: [] From 6c4d4d332cc0ee045fe8cfc2c618b29f3c0c87d1 Mon Sep 17 00:00:00 2001 
From: bhumi46 <111699703+bhumi46@users.noreply.github.com> Date: Tue, 24 Mar 2026 15:33:49 +0530 Subject: [PATCH 13/28] Update Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com> --- Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml index 4dcb4620..2a405675 100644 --- a/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml +++ b/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml @@ -103,7 +103,7 @@ apps: enabled: true version: 103.1.1+up4.4.0 chart: mosip/rancher-logging - valuesFile: "$WORKDIR/utils/rancher-loggig-values.yaml" + valuesFile: "$WORKDIR/utils/rancher-logging-values.yaml" wait: true priority: -1 timeout: 1200 From efbeb088d8752335f8781bdd03216f9c2be37694 Mon Sep 17 00:00:00 2001 From: bhumi46 <111699703+bhumi46@users.noreply.github.com> Date: Tue, 24 Mar 2026 16:31:56 +0530 Subject: [PATCH 14/28] Update Helmsman/dsf/esignet/external-dsf.yaml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com> --- Helmsman/dsf/esignet/external-dsf.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Helmsman/dsf/esignet/external-dsf.yaml b/Helmsman/dsf/esignet/external-dsf.yaml index aac12869..eda984ec 100644 --- a/Helmsman/dsf/esignet/external-dsf.yaml +++ b/Helmsman/dsf/esignet/external-dsf.yaml @@ -44,6 +44,8 @@ namespaces: protected: false minio: protected: false + esignet: + protected: true apps: # --------------------------------------------------------------------------- # PostgreSQL Server From c9201c26def67bced11262b3d5f87e3c295800bb Mon Sep 17 00:00:00 2001 
From: bhumi46 <111699703+bhumi46@users.noreply.github.com> Date: Tue, 24 Mar 2026 16:33:52 +0530 Subject: [PATCH 15/28] Update Helmsman/dsf/mosip-platform-java21/external-dsf.yaml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com> --- Helmsman/dsf/mosip-platform-java21/external-dsf.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Helmsman/dsf/mosip-platform-java21/external-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/external-dsf.yaml index 394c893f..70eac633 100644 --- a/Helmsman/dsf/mosip-platform-java21/external-dsf.yaml +++ b/Helmsman/dsf/mosip-platform-java21/external-dsf.yaml @@ -267,7 +267,7 @@ apps: wait: true timeout: 1200 hooks: - postInstall: "$WORKDIR/hooks/s3-setup.sh " + postInstall: "$WORKDIR/hooks/s3-setup.sh" priority: -2 clamav: From fc60c586fdb9806977da3d1499e3547dae0e7d40 Mon Sep 17 00:00:00 2001 From: bhumi46 <111699703+bhumi46@users.noreply.github.com> Date: Tue, 24 Mar 2026 17:01:47 +0530 Subject: [PATCH 16/28] Update Helmsman/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com> --- .../hooks/esignet-1.7.1/mock-identity-system-preinstall.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Helmsman/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh index f3b795fd..0637202b 100755 --- a/Helmsman/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh +++ b/Helmsman/hooks/esignet-1.7.1/mock-identity-system-preinstall.sh 
@@ -17,8 +17,9 @@ kubectl create namespace esignet --dry-run=client -o yaml | kubectl apply -f - if kubectl -n esignet get configmap softhsm-mock-identity-system-share &>/dev/null; then echo "SoftHSM mock identity system configmap found." else - echo "WARNING: softhsm-mock-identity-system-share configmap not found in esignet namespace." - echo "Ensure softhsm-mock-identity-system is deployed and post-install hook has run." + echo "ERROR: softhsm-mock-identity-system-share configmap not found in esignet namespace." + echo "Deploy/copy this shared ConfigMap before running mock identity system install." + exit 1 fi echo "Mock identity system pre-install completed." From f3b96df93e4e3df110fb4867222b9107c66c8de0 Mon Sep 17 00:00:00 2001 From: bhumi46 Date: Tue, 24 Mar 2026 17:34:21 +0530 Subject: [PATCH 17/28] [MOSIP-44613] updated hooks script and renamed values.yaml files Signed-off-by: bhumi46 --- .../esignet-1.7.1/keycloak-postinstall.sh | 19 +- Helmsman/utils/rancher-logging-values.yaml | 181 ++++++++++++++++++ 2 files changed, 196 insertions(+), 4 deletions(-) create mode 100644 Helmsman/utils/rancher-logging-values.yaml diff --git a/Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh index 433f5f2c..9a8965d0 100755 --- a/Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh +++ b/Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh @@ -61,7 +61,15 @@ fi # --- Step 2: Read existing client secrets if any --- # Source: deploy/keycloak/keycloak-init.sh - reading existing secrets echo "Checking for existing keycloak-client-secrets" -HELM_SET_SECRETS="" +HELM_SET_SECRETS=() + +escape_helm_value() { + local value="$1" + value="${value//\\/\\\\}" + value="${value//,/\\,}" + value="${value//=/\\=}" + printf '%s' "$value" +} declare -A SECRET_KEYS=( ["mosip_pms_client_secret"]="0" 
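Review bot: The two new `ERROR:` lines print to stdout while the script now exits non-zero; diagnostics belong on stderr so Helmsman's hook output and any log collection keep them apart from normal progress output. Change them to `echo "ERROR: softhsm-mock-identity-system-share configmap not found in esignet namespace." >&2` and `echo "Deploy/copy this shared ConfigMap before running mock identity system install." >&2`. The `if` is complete within the hunk, but the script continues on both sides of it.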
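Review bot: `escape_helm_value` is introduced without a comment saying which characters it escapes or why, and the three substitution lines are hard to read unaided. A header such as `# Escape backslash, comma and '=' so a secret value survives helm's --set-string parsing unchanged.` would do. The function is also defined inline in the middle of Step 2, right after the `echo`; defining it before the step keeps the step body linear. The enclosing script continues outside the hunk.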
@@ -78,7 +86,10 @@ if kubectl -n "$KEYCLOAK_NS" get secret keycloak-client-secrets &>/dev/null; the val=$(kubectl -n "$KEYCLOAK_NS" get secret keycloak-client-secrets \ -o jsonpath="{.data.$key}" 2>/dev/null | base64 -d 2>/dev/null || echo "") if [[ -n "$val" ]]; then - HELM_SET_SECRETS="$HELM_SET_SECRETS --set clientSecrets[$idx].name=$key --set clientSecrets[$idx].secret=$val" + HELM_SET_SECRETS+=( + --set-string "clientSecrets[$idx].name=$key" + --set-string "clientSecrets[$idx].secret=$(escape_helm_value "$val")" + ) fi done else @@ -94,8 +105,8 @@ helm repo update kubectl -n "$ESIGNET_NS" delete secret --ignore-not-found=true keycloak-client-secrets helm -n "$ESIGNET_NS" delete esignet-keycloak-init 2>/dev/null || true -eval helm -n "$ESIGNET_NS" install esignet-keycloak-init mosip/keycloak-init \ - $HELM_SET_SECRETS \ +helm -n "$ESIGNET_NS" install esignet-keycloak-init mosip/keycloak-init \ + "${HELM_SET_SECRETS[@]}" \ --set keycloak.realms.mosip.realm_config.attributes.frontendUrl="https://$IAMHOST_URL/auth" \ --set keycloakInternalHost="keycloak.$KEYCLOAK_NS" \ --set keycloakExternalHost="$IAMHOST_URL" \ diff --git a/Helmsman/utils/rancher-logging-values.yaml b/Helmsman/utils/rancher-logging-values.yaml new file mode 100644 index 00000000..4fbdd1f1 --- /dev/null +++ b/Helmsman/utils/rancher-logging-values.yaml 
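Review bot: Client secrets are now passed to helm as `--set-string "clientSecrets[$idx].secret=..."` arguments, so each value is visible in the process list for the life of the helm run and appears verbatim in any `set -x` trace or CI step log. Dropping `eval` removes the injection path and is the right fix, but the exposure on argv remains and the same applies to any other `--set` carrying secrets outside this hunk. Writing each value to a file in a `mktemp -d` directory with mode 700 and passing `--set-file` keeps the values off the command line and also makes `escape_helm_value` unnecessary, since `--set-file` takes the file contents literally. If the script already traps EXIT, fold the cleanup into the existing trap rather than replacing it.
```shell
# One file per client secret so values reach helm via --set-file, never via argv
secret_dir=$(mktemp -d) || exit 1
chmod 700 "$secret_dir"
trap 'rm -rf -- "$secret_dir"' EXIT
# … unchanged: loop over SECRET_KEYS reading val from keycloak-client-secrets …
    if [[ -n "$val" ]]; then
      secret_file="$secret_dir/$key"
      printf '%s' "$val" >"$secret_file"
      HELM_SET_SECRETS+=(
        --set-string "clientSecrets[$idx].name=$key"
        --set-file "clientSecrets[$idx].secret=$secret_file"
      )
    fi
# … unchanged: helm install with "${HELM_SET_SECRETS[@]}" …
```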
@@ -0,0 +1,181 @@ +additionalLoggingSources: + aks: + enabled: false + eks: + enabled: false + gke: + enabled: false + k3s: + container_engine: systemd + enabled: false + stripUnderscores: false + kubeAudit: + auditFilename: '' + enabled: false + fluentbit: + logTag: kube-audit + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/controlplane + value: 'true' + - effect: NoExecute + key: node-role.kubernetes.io/etcd + value: 'true' + pathPrefix: '' + rke: + enabled: false + fluentbit: + log_level: info + mem_buffer_limit: 5MB + rke2: + enabled: true + stripUnderscores: false +affinity: {} +annotations: {} +createCustomResource: false +debug: false +disablePvc: true +env: [] +extraArgs: + - '-enable-leader-election=true' +fluentbit: + filterKubernetes: + Merge_Log: '' + Merge_Log_Key: '' + Merge_Log_Trim: '' + Merge_Parser: '' + inputTail: + Buffer_Chunk_Size: '' + Buffer_Max_Size: '' + Mem_Buf_Limit: '' + Multiline_Flush: '' + Skip_Long_Lines: '' + resources: {} + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/controlplane + value: 'true' + - effect: NoExecute + key: node-role.kubernetes.io/etcd + value: 'true' +fluentd: + bufferStorageVolume: {} + env: [] + livenessProbe: + initialDelaySeconds: 30 + periodSeconds: 15 + tcpSocket: + port: 24240 + nodeSelector: {} + resources: {} + tolerations: {} +fullnameOverride: '' +global: + cattle: + psp: + enabled: false + systemProjectId: p-mhh2f + dockerRootDirectory: '' + rkeWindowsPathPrefix: c:\ + seLinux: + enabled: false +http: + port: 8080 + service: + annotations: {} + clusterIP: None + labels: {} + type: ClusterIP +image: + pullPolicy: IfNotPresent + repository: rancher/mirrored-kube-logging-logging-operator + tag: 4.4.0 +imagePullSecrets: [] +images: + config_reloader: + repository: rancher/mirrored-jimmidyson-configmap-reload + tag: v0.4.0 + fluentbit: + repository: rancher/mirrored-fluent-fluent-bit + tag: 2.2.0 + fluentbit_debug: + repository: rancher/mirrored-fluent-fluent-bit 
+ tag: 2.2.0-debug + fluentd: + repository: rancher/mirrored-banzaicloud-fluentd + tag: v1.14.6-alpine-5 + nodeagent_fluentbit: + os: windows + repository: rancher/fluent-bit + tag: 2.2.0 +logging: + allowClusterResourcesFromAllNamespaces: false + clusterDomain: cluster.local. + clusterFlows: [] + clusterOutputs: [] + controlNamespace: '' + defaultFlow: {} + enableRecreateWorkloadOnImmutableFieldChange: false + enabled: false + errorOutputRef: '' + eventTailer: {} + flowConfigCheckDisabled: false + flowConfigOverride: '' + fluentbit: {} + fluentbitDisabled: false + fluentd: {} + fluentdDisabled: false + globalFilters: [] + hostTailer: {} + loggingRef: '' + nodeAgents: {} + skipInvalidResources: false + syslogNG: {} + watchNamespaceSelector: {} + watchNamespaces: [] +loggingServiceAccountAnnotations: {} +monitoring: + serviceMonitor: + additionalLabels: {} + enabled: false + metricRelabelings: [] + relabelings: [] +nameOverride: '' +namespaceOverride: '' +nodeAgents: + tls: + enabled: false +nodeSelector: + kubernetes.io/os: linux +podLabels: {} +podSecurityContext: {} +priorityClassName: {} +rbac: + enabled: true + psp: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default + seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default +replicaCount: 1 +resources: {} +securityContext: {} +serviceAccount: + annotations: {} +systemdLogPath: /run/log/journal +testReceiver: + enabled: false + image: fluent/fluent-bit + port: 8080 + pullPolicy: IfNotPresent + service: + annotations: {} + clusterIP: None + labels: {} + type: ClusterIP +tolerations: + - effect: NoSchedule + key: cattle.io/os + operator: Equal + value: linux +volumeMounts: [] +volumes: [] From a5c81c3cfaf941f2ff251a2472431059d1372c82 Mon Sep 17 00:00:00 2001 From: bhumi46 Date: Tue, 24 Mar 2026 17:39:34 +0530 Subject: [PATCH 18/28] [MOSIP-44613] updated k8s nodes values 
Signed-off-by: bhumi46
---
 .../implementations/aws/infra/profiles/esignet/aws.tfvars | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars b/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars
index 2a12e0d3..4795ad7b 100644
--- a/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars
+++ b/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars
@@ -57,13 +57,13 @@ nginx_node_ebs_volume_size_2 = 0
 k8s_instance_root_volume_size = 64
 # Control-plane, ETCD, Worker — smaller cluster for standalone eSignet
-k8s_control_plane_node_count = 2
+k8s_control_plane_node_count = 1
 # ETCD, Worker
-k8s_etcd_node_count = 2
+k8s_etcd_node_count = 1
 # Worker
-k8s_worker_node_count = 1
+k8s_worker_node_count = 2
 # RKE2 Version Configuration
 rke2_version = "v1.28.9+rke2r1"
From 18e27a306f359de26ecf19a20218c55f4b185f11 Mon Sep 17 00:00:00 2001 From: bhumi46 Date: Tue, 24 Mar 2026 17:41:19 +0530 Subject: [PATCH 19/28] [MOSIP-44613] updated k8s nodes values Signed-off-by: bhumi46
---
 .github/scripts/configure-backend.sh | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/.github/scripts/configure-backend.sh b/.github/scripts/configure-backend.sh
index 59f1a2f2..d683ea85 100755
--- a/.github/scripts/configure-backend.sh
+++ b/.github/scripts/configure-backend.sh
@@ -76,6 +76,10 @@ while [[ $# -gt 0 ]]; do
 shift
 ;;
 --profile)
+ if [[ -z "$2" || "$2" == -* ]]; then
+ echo "Error: --profile requires a non-empty argument that is not an option flag."
+ exit 1
+ fi
 PROFILE="$2"
 shift 2
 ;;
From 8df549eba7bbb68659bcee0a59a892c13e6f0c31 Mon Sep 17 00:00:00 2001 From: bhumi46 Date: Tue, 24 Mar 2026 17:49:55 +0530 Subject: [PATCH 20/28] [MOSIP-44613] updated k8s nodes values Signed-off-by: bhumi46
---
 Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
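Review bot: The new guard reads `$2` directly, so if the script runs under `set -u` (its header is not visible here) a trailing `--profile` with no value aborts with bash's "unbound variable" error instead of the intended message; `if [[ -z "${2:-}" || "${2:-}" == -* ]]; then` covers that case. The message also goes to stdout, where a caller capturing the script's output will ingest it; `echo "Error: ..." >&2` keeps it on stderr with the other diagnostics. The enclosing `case` inside the `while [[ $# -gt 0 ]]` loop starts outside the hunk.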
diff --git a/Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh
index 5d3b1bd0..6c3417c8 100755
--- a/Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh
+++ b/Helmsman/hooks/esignet-1.7.1/postgres-preinstall.sh
@@ -41,7 +41,7 @@ data:
 mosip-api-internal-host: "api-internal.${INSTALLATION_DOMAIN}"
 mosip-kafka-host: "kafka.${INSTALLATION_DOMAIN}"
 mosip-esignet-host: "esignet.${INSTALLATION_DOMAIN}"
- mosip-postgres-host: "esignet-postgres.${INSTALLATION_DOMAIN}"
+ mosip-postgres-host: "postgres.${INSTALLATION_DOMAIN}"
 mosip-signup-host: "signup.${INSTALLATION_DOMAIN}"
 mosip-smtp-host: "smtp.${INSTALLATION_DOMAIN}"
 EOF
From 37d03e9392c1c0273261edcb28eb64ffa49dda7c Mon Sep 17 00:00:00 2001 From: bhumi46 Date: Tue, 24 Mar 2026 18:30:52 +0530 Subject: [PATCH 21/28] [MOSIP-44613] updated ram according to heap memory Signed-off-by: bhumi46
---
 Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml
index 2a405675..7415b9c7 100644
--- a/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml
+++ b/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml
@@ -67,11 +67,11 @@ apps:
 data.heapSize: "728m"
 data.persistence.enabled: "true"
 data.persistence.size: "64Gi"
- data.resources.requests.memory: "512Mi"
+ data.resources.requests.memory: "1100Mi"
 master.heapSize: "1024m"
 master.persistence.enabled: "true"
 master.persistence.size: "4Gi"
- master.resources.requests.memory: "728Mi"
+ master.resources.requests.memory: "1536Mi"
 kibana.persistence.enabled: "false"
 sysctlImage.repository: "mosipid/os-shell"
 sysctlImage.tag: "12-debian-12-r46"
From cce316b80108c16fbd13e3d09cecf1cbacb3193a Mon Sep 17 00:00:00 2001
From: abhishek-1809 Date: Wed, 25 Mar 2026 10:34:29 +0530 Subject: [PATCH 22/28] [MOSIP-44608] updated terraform script to support ebs volume for activemq as optional Signed-off-by: abhishek-1809 --- .../implementations/aws/infra/aws.tfvars | 13 +- terraform/implementations/aws/infra/main.tf | 6 + .../implementations/aws/infra/variables.tf | 25 +++ terraform/infra/aws/main.tf | 8 +- terraform/infra/aws/variables.tf | 25 +++ terraform/infra/main.tf | 6 + terraform/infra/variables.tf | 25 +++ .../aws/activemq-setup/activemq-setup.sh | 123 ++++++++++++++ .../aws/activemq-setup/activemq-setup.yml | 160 ++++++++++++++++++ terraform/modules/aws/activemq-setup/main.tf | 126 ++++++++++++++ terraform/modules/aws/aws-main.tf | 17 ++ terraform/modules/aws/variables.tf | 25 +++ 12 files changed, 557 insertions(+), 2 deletions(-) create mode 100644 terraform/modules/aws/activemq-setup/activemq-setup.sh create mode 100644 terraform/modules/aws/activemq-setup/activemq-setup.yml create mode 100644 terraform/modules/aws/activemq-setup/main.tf diff --git a/terraform/implementations/aws/infra/aws.tfvars b/terraform/implementations/aws/infra/aws.tfvars index 25012b59..db03e9a2 100644 --- a/terraform/implementations/aws/infra/aws.tfvars +++ b/terraform/implementations/aws/infra/aws.tfvars @@ -57,7 +57,7 @@ k8s_control_plane_node_count = 3 k8s_etcd_node_count = 3 # Worker -k8s_worker_node_count = 2 +k8s_worker_node_count = 2 # RKE2 Version Configuration rke2_version = "v1.28.9+rke2r1" 
@@ -90,3 +90,14 @@ mosip_infra_branch = "release-0.2.0"
 # VPC Configuration - Existing VPC to use (discovered by Name tag)
 vpc_name = ""
+
+# ── ActiveMQ Configuration ─────────────────────────────────────────────────────
+# Set enable_activemq_setup = true AND nginx_node_ebs_volume_size_3 > 0 to
+# create a dedicated EBS volume, format it as XFS, and mount it on the NGINX node.
+# ActiveMQ itself runs inside Kubernetes via Helm (no software installed here).
+# Both conditions must be true — set either to false/0 to skip entirely.
+enable_activemq_setup = true # Toggle: true = create & mount, false = skip
+nginx_node_ebs_volume_size_3 = 30 # Volume size in GB (e.g. 100); 0 = disabled
+
+activemq_storage_device = "/dev/nvme3n1"
+activemq_mount_point = "/srv/activemq"
diff --git a/terraform/implementations/aws/infra/main.tf b/terraform/implementations/aws/infra/main.tf
index 2a18191e..d7148319 100644
--- a/terraform/implementations/aws/infra/main.tf
+++ b/terraform/implementations/aws/infra/main.tf
@@ -50,6 +50,12 @@ module "mosip_infra" {
 mosip_infra_repo_url = var.mosip_infra_repo_url
 mosip_infra_branch = var.mosip_infra_branch
+ # ActiveMQ Configuration
+ enable_activemq_setup = var.enable_activemq_setup
+ nginx_node_ebs_volume_size_3 = var.nginx_node_ebs_volume_size_3
+ activemq_storage_device = var.activemq_storage_device
+ activemq_mount_point = var.activemq_mount_point
+
 # AWS-specific configuration
 aws_provider_region = var.aws_provider_region
 specific_availability_zones = var.specific_availability_zones
diff --git a/terraform/implementations/aws/infra/variables.tf b/terraform/implementations/aws/infra/variables.tf
index caca8c1d..13b7e535 100644
--- a/terraform/implementations/aws/infra/variables.tf
+++ b/terraform/implementations/aws/infra/variables.tf
@@ -226,3 +226,28 @@ variable "mosip_infra_branch" {
 type = string
 default = "develop"
 }
+
+# ActiveMQ Configuration Variables
+variable "enable_activemq_setup" {
+ description = "Enable ActiveMQ EBS volume setup on the NGINX node"
+ type = bool
+ default = false
+}
+
+variable "nginx_node_ebs_volume_size_3" {
+ description = "EBS volume size (GB) for ActiveMQ data on the NGINX node — set to 0 to disable"
+ type = number
+ default = 0
+}
+
+variable "activemq_storage_device" {
+ description = "Block device path of the 3rd EBS volume for ActiveMQ"
+ type = string
+ default = "/dev/nvme3n1"
+}
+
+variable "activemq_mount_point" {
+ description = "Mount point for ActiveMQ persistent storage"
+ type = string
+ default = "/srv/activemq"
+}
diff --git a/terraform/infra/aws/main.tf b/terraform/infra/aws/main.tf
index fe69e456..f489f334 100644
--- a/terraform/infra/aws/main.tf
+++ b/terraform/infra/aws/main.tf
@@ -39,7 +39,7 @@ module "aws_infrastructure" {
 nginx_node_ebs_volume_size_2 = var.nginx_node_ebs_volume_size_2
 K8S_INSTANCE_ROOT_VOLUME_SIZE = var.k8s_instance_root_volume_size
 network_cidr = var.network_cidr
- DEPLOYMENT_TYPE = "infra" # Regular MOSIP infrastructure deployment
+ DEPLOYMENT_TYPE = "infra" # Regular MOSIP infrastructure deployment
 WIREGUARD_CIDR = var.WIREGUARD_CIDR
 # PostgreSQL Configuration
@@ -52,4 +52,10 @@ module "aws_infrastructure" {
 # MOSIP Infrastructure Repository Configuration
 mosip_infra_repo_url = var.mosip_infra_repo_url
 mosip_infra_branch = var.mosip_infra_branch
+
+ # ActiveMQ Configuration
+ enable_activemq_setup = var.enable_activemq_setup
+ nginx_node_ebs_volume_size_3 = var.nginx_node_ebs_volume_size_3
+ activemq_storage_device = var.activemq_storage_device
+ activemq_mount_point = var.activemq_mount_point
 }
diff --git a/terraform/infra/aws/variables.tf b/terraform/infra/aws/variables.tf
index 03d6269c..9ecd5a9e 100644
--- a/terraform/infra/aws/variables.tf
+++ b/terraform/infra/aws/variables.tf
@@ -189,3 +189,28 @@ variable "mosip_infra_branch" {
 type = string
 default = "develop"
 }
+
+# ActiveMQ Configuration Variables
+variable "enable_activemq_setup" {
+ description = "Enable ActiveMQ EBS volume setup on the NGINX node"
+ type = bool
+ default = false
+}
+
+variable "nginx_node_ebs_volume_size_3" {
+ description = "EBS volume size (GB) for ActiveMQ data on the NGINX node — set to 0 to disable"
+ type = number
+ default = 0
+}
+
+variable "activemq_storage_device" {
+ description = "Block device path of the 3rd EBS volume for ActiveMQ"
+ type = string
+ default = "/dev/nvme3n1"
+}
+
+variable "activemq_mount_point" {
+ description = "Mount point for ActiveMQ persistent storage"
+ type = string
+ default = "/srv/activemq"
+}
diff --git a/terraform/infra/main.tf b/terraform/infra/main.tf
index 02f2b5a1..a01be42b 100644
--- a/terraform/infra/main.tf
+++ b/terraform/infra/main.tf
@@ -61,6 +61,12 @@ module "aws_infra" {
 # MOSIP Infrastructure Repository Configuration
 mosip_infra_repo_url = var.mosip_infra_repo_url
 mosip_infra_branch = var.mosip_infra_branch
+
+ # ActiveMQ Configuration
+ enable_activemq_setup = var.enable_activemq_setup
+ nginx_node_ebs_volume_size_3 = var.nginx_node_ebs_volume_size_3
+ activemq_storage_device = var.activemq_storage_device
+ activemq_mount_point = var.activemq_mount_point
 }
 # Azure Infrastructure
diff --git a/terraform/infra/variables.tf b/terraform/infra/variables.tf
index 7cc28f07..70176c35 100644
--- a/terraform/infra/variables.tf
+++ b/terraform/infra/variables.tf
@@ -291,3 +291,28 @@ variable "mosip_infra_branch" {
 type = string
 default = "develop"
 }
+
+# ActiveMQ Configuration Variables
+variable "enable_activemq_setup" {
+ description = "Enable ActiveMQ EBS volume setup on the NGINX node"
+ type = bool
+ default = false
+}
+
+variable "nginx_node_ebs_volume_size_3" {
+ description = "EBS volume size (GB) for ActiveMQ data on the NGINX node — set to 0 to disable"
+ type = number
+ default = 0
+}
+
+variable "activemq_storage_device" {
+ description = "Block device path of the 3rd EBS volume for ActiveMQ"
+ type = string
+ default = "/dev/nvme3n1"
+}
+
+variable "activemq_mount_point" {
+ description = "Mount point for ActiveMQ persistent storage"
+ type = string
+ default = "/srv/activemq"
+}
\ No newline at end of file
diff --git a/terraform/modules/aws/activemq-setup/activemq-setup.sh b/terraform/modules/aws/activemq-setup/activemq-setup.sh
new file mode 100644
index 00000000..fc188c59
--- /dev/null
+++ b/terraform/modules/aws/activemq-setup/activemq-setup.sh
@@ -0,0 +1,123 @@ +#!/bin/bash + +# ActiveMQ EBS Volume Setup - Runs on the Terraform RUNNER machine. +# Ansible SSHes into the NGINX node to format/mount EBS and configure NFS. +# ActiveMQ itself runs inside Kubernetes — this only prepares the storage. + +set -euo pipefail + +echo "=== ActiveMQ EBS Volume Setup Started at $(date) ===" + +# ── Validate required environment variables ──────────────────────────────────── +echo "=== Validating Environment Variables ===" +REQUIRED_VARS=( + "NGINX_PRIVATE_IP" + "ACTIVEMQ_STORAGE_DEVICE" + "ACTIVEMQ_MOUNT_POINT" + "SSH_KEY_FILE" + "WORK_DIR" +) +MISSING_VARS=() +for var in "${REQUIRED_VARS[@]}"; do + [ -z "${!var:-}" ] && MISSING_VARS+=("$var") +done +if [ ${#MISSING_VARS[@]} -ne 0 ]; then + echo "ERROR: Missing required environment variables:" + printf ' - %s\n' "${MISSING_VARS[@]}" + exit 1 +fi +echo " NGINX_PRIVATE_IP=$NGINX_PRIVATE_IP" +echo " ACTIVEMQ_STORAGE_DEVICE=$ACTIVEMQ_STORAGE_DEVICE" +echo " ACTIVEMQ_MOUNT_POINT=$ACTIVEMQ_MOUNT_POINT" +echo " SSH_KEY_FILE=$SSH_KEY_FILE" +echo " WORK_DIR=$WORK_DIR" + +# ── Verify Ansible is available on the runner ────────────────────────────────── +echo "=== Checking Ansible on runner machine ===" +if ! command -v ansible-playbook &>/dev/null; then + echo "ERROR: ansible-playbook not found on the Terraform runner." 
+ echo "Please install Ansible on the machine running Terraform:" + echo " Ubuntu/Debian : sudo apt-get install -y ansible" + echo " RHEL/CentOS : sudo yum install -y ansible" + echo " pip : pip3 install ansible" + exit 1 +fi +echo "Ansible found: $(ansible --version | head -1)" + +# ── Wait for NGINX SSH to be ready ──────────────────────────────────────────── +echo "=== Waiting for NGINX SSH to be ready ($NGINX_PRIVATE_IP) ===" +for i in $(seq 1 20); do + if ssh -i "$SSH_KEY_FILE" \ + -o StrictHostKeyChecking=no \ + -o ConnectTimeout=5 \ + -o BatchMode=yes \ + ubuntu@"$NGINX_PRIVATE_IP" "echo ok" &>/dev/null; then + echo "SSH ready after $i attempt(s)" + break + fi + echo " Attempt $i/20: SSH not ready yet, retrying in 10s..." + sleep 10 + if [ "$i" -eq 20 ]; then + echo "ERROR: NGINX SSH did not become ready after 200 seconds" + exit 1 + fi +done + +# ── Create Ansible inventory and config ─────────────────────────────────────── +echo "=== Creating Ansible inventory ===" +cat > "$WORK_DIR/inventory.ini" < "$WORK_DIR/ansible.cfg" <&1 | tee "$ANSIBLE_LOG" +ANSIBLE_EXIT=${PIPESTATUS[0]} +set -o pipefail + +if [ "$ANSIBLE_EXIT" -ne 0 ]; then + echo "" + echo "ERROR: Ansible playbook failed (exit code $ANSIBLE_EXIT)" + echo "--- Last 30 lines of log ---" + tail -30 "$ANSIBLE_LOG" || true + exit 1 +fi + +echo "" +echo "=== Done at $(date) ===" +echo "EBS volume for ActiveMQ is mounted at $ACTIVEMQ_MOUNT_POINT on $NGINX_PRIVATE_IP" +echo "StorageClass YAML written to /tmp/activemq-storageclass.yaml on this runner" \ No newline at end of file diff --git a/terraform/modules/aws/activemq-setup/activemq-setup.yml b/terraform/modules/aws/activemq-setup/activemq-setup.yml new file mode 100644 index 00000000..fa95b4d4 --- /dev/null +++ b/terraform/modules/aws/activemq-setup/activemq-setup.yml 
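Review bot: The readiness probe's `-o StrictHostKeyChecking=no` disables host-key verification for every connection to the NGINX node, so whatever answers on `$NGINX_PRIVATE_IP` is never checked against a recorded key even though the runner authenticates to it with the private key. Since the script already owns a throwaway `$WORK_DIR`, pin the key on first contact instead: `-o UserKnownHostsFile="$WORK_DIR/known_hosts" -o StrictHostKeyChecking=accept-new`, and point Ansible at the same file (`ssh_args` under `[ssh_connection]` in the generated ansible.cfg) so the playbook verifies the key the probe recorded. The bodies of the `inventory.ini`/`ansible.cfg` heredocs are not legible in this rendering, so whether Ansible's own host-key checking is switched off there cannot be confirmed from the hunk. The `for i in $(seq 1 20)` loop also checks `$i -eq 20` after the `sleep`, so the last failed attempt still waits 10 s before the error is reported; moving that test before the sleep avoids the dead wait.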
@@ -0,0 +1,160 @@ +--- +# ActiveMQ EBS Volume + NFS Export + StorageClass Setup +# Runs from the Terraform RUNNER machine, SSHes into the NGINX node. +# Steps: +# 1. Wait for EBS device → format as XFS → mount it +# 2. Set correct NFS permissions on mount point +# 3. Configure NFS export so Kubernetes pods can reach the storage +# 4. Generate a Kubernetes StorageClass YAML on the runner (delegate_to: localhost) + +- name: ActiveMQ EBS Volume + NFS Setup + hosts: activemq_servers + become: yes + gather_facts: yes + + tasks: + + # ── System prerequisites ─────────────────────────────────────────────────── + - name: Update apt cache + apt: + update_cache: yes + cache_valid_time: 3600 + + - name: Install required tools + apt: + name: + - xfsprogs # mkfs.xfs + - util-linux # lsblk, blkid + - nfs-kernel-server # NFS server + state: present + + # ── Wait for EBS block device ────────────────────────────────────────────── + - name: Wait for ActiveMQ storage device to appear + wait_for: + path: "{{ activemq_storage_device }}" + timeout: 120 + msg: "Timed out waiting for device {{ activemq_storage_device }}" + + - name: Show available block devices + command: lsblk -f + register: block_devices + changed_when: false + + - name: Display block devices + debug: + var: block_devices.stdout_lines + + # ── Format the EBS volume ────────────────────────────────────────────────── + - name: Check if device already has a filesystem + command: blkid -o value -s TYPE "{{ activemq_storage_device }}" + register: existing_fs + changed_when: false + failed_when: false + + - name: Create XFS filesystem on device (skipped if already formatted) + filesystem: + fstype: xfs + dev: "{{ activemq_storage_device }}" + when: existing_fs.stdout == "" + + # ── Create mount point and mount ─────────────────────────────────────────── + - name: Create mount point directory + file: + path: "{{ activemq_mount_point }}" + state: directory + mode: '0777' + + - name: Mount device and add to fstab (idempotent) + 
mount: + path: "{{ activemq_mount_point }}" + src: "{{ activemq_storage_device }}" + fstype: xfs + opts: defaults,nofail + dump: '0' + passno: '2' + state: mounted + + # ── NFS: Set ownership and permissions ──────────────────────────────────── + - name: Set NFS-compatible permissions on mount point + file: + path: "{{ activemq_mount_point }}" + mode: '0777' + state: directory + + # ── NFS: Configure /etc/exports ─────────────────────────────────────────── + - name: Add ActiveMQ NFS export entry + lineinfile: + path: /etc/exports + line: "{{ activemq_mount_point }} *(rw,sync,no_root_squash,no_all_squash,insecure,subtree_check)" + state: present + create: yes + backup: yes + + - name: Apply NFS export changes (exportfs -rav) + command: exportfs -rav + register: exportfs_result + + - name: Display exportfs result + debug: + var: exportfs_result.stdout_lines + + # ── NFS: Start and enable NFS server ────────────────────────────────────── + - name: Start and enable NFS kernel server + systemd: + name: nfs-kernel-server + state: restarted + enabled: yes + daemon_reload: yes + + - name: Verify NFS export is active + command: exportfs -v + register: exports_verify + changed_when: false + + - name: Display active NFS exports + debug: + var: exports_verify.stdout_lines + + # ── NFS: Show mount info ─────────────────────────────────────────────────── + - name: Show mount and disk usage + command: df -h "{{ activemq_mount_point }}" + register: mount_info + changed_when: false + + # ── Generate Kubernetes StorageClass YAML on the runner ─────────────────── + # delegate_to: localhost writes the file on the Terraform runner, NOT on NGINX. + # Terraform's second null_resource then copies it to the K8s control plane. 
+ - name: Generate Kubernetes StorageClass YAML for ActiveMQ NFS share + copy: + content: | + apiVersion: storage.k8s.io/v1 + kind: StorageClass + metadata: + name: nfs-csi-activemq + provisioner: nfs.csi.k8s.io + parameters: + server: {{ hostvars[inventory_hostname].ansible_host | default(inventory_hostname) }} + share: {{ activemq_mount_point }}/ + mountPermissions: '0777' + subDir: ${pvc.metadata.namespace}-${pvc.metadata.name}-${pv.metadata.name} + reclaimPolicy: Delete + volumeBindingMode: Immediate + dest: /tmp/activemq-storageclass.yaml + mode: '0644' + delegate_to: localhost + become: false + + # ── Final status report ──────────────────────────────────────────────────── + - name: Display final status + debug: + msg: + - "EBS volume setup complete" + - "Device : {{ activemq_storage_device }}" + - "Mount : {{ activemq_mount_point }}" + - "Disk usage : {{ mount_info.stdout_lines }}" + - "NFS export : {{ activemq_mount_point }} *(rw,sync,no_root_squash,...)" + - "NFS server IP : {{ hostvars[inventory_hostname].ansible_host | default(inventory_hostname) }}" + - "StorageClass : nfs-csi-activemq → /tmp/activemq-storageclass.yaml (on runner)" + - "" + - "Next: Terraform will apply the StorageClass to Kubernetes." + - "In Helmsman DSF, set: --set persistence.storageClass=nfs-csi-activemq" \ No newline at end of file diff --git a/terraform/modules/aws/activemq-setup/main.tf b/terraform/modules/aws/activemq-setup/main.tf new file mode 100644 index 00000000..14f1fc85 --- /dev/null +++ b/terraform/modules/aws/activemq-setup/main.tf 
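Review bot: The export written by the `Add ActiveMQ NFS export entry` task, `{{ activemq_mount_point }} *(rw,sync,no_root_squash,no_all_squash,insecure,subtree_check)`, grants read-write access to any client address that can reach the NGINX node's NFS port, with root squashing disabled and `insecure` allowing non-privileged source ports; together with the `0777` mount point this lets any host on the reachable network read or rewrite the broker's persistent store as root. Scope the export to the cluster's address range, e.g. `line: "{{ activemq_mount_point }} {{ nfs_client_cidr }}(rw,sync,no_root_squash,subtree_check)"`, with `nfs_client_cidr` supplied from Terraform (the `network_cidr` variable the infra module already receives is the obvious source); `no_root_squash` can stay if the CSI driver needs it, but `*` and `insecure` should go. The final-status `debug` message repeats the option string and should be updated in step. How the existing NFS/PostgreSQL setup modules in this repo configure their exports is not visible here, so consistency with them should be checked.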
@@ -0,0 +1,126 @@ +# ActiveMQ EBS Volume Setup Module +# Runs Ansible on the Terraform RUNNER machine, which SSHes into the NGINX node. +# 1. Formats + mounts the 3rd EBS volume on the NGINX node +# 2. Configures NFS export for Kubernetes pod access +# 3. Generates and applies a Kubernetes StorageClass for the NFS share + +variable "NGINX_PUBLIC_IP" { type = string } +variable "NGINX_PRIVATE_IP" { type = string } +variable "SSH_PRIVATE_KEY" { + type = string + sensitive = true + description = "SSH private key content for connecting to nodes" +} +variable "NGINX_NODE_EBS_VOLUME_SIZE_3" { type = number } + +variable "ACTIVEMQ_STORAGE_DEVICE" { + type = string + default = "/dev/nvme3n1" + description = "Block device path of the 3rd EBS volume" +} +variable "ACTIVEMQ_MOUNT_POINT" { + type = string + default = "/srv/activemq" + description = "Mount point for ActiveMQ persistent storage (also the NFS share path)" +} + +# Kubernetes Control Plane — for applying the StorageClass +variable "CONTROL_PLANE_HOST" { + type = string + description = "IP address of the Kubernetes control plane node" +} +variable "CONTROL_PLANE_USER" { + type = string + default = "ubuntu" + description = "SSH username for control plane access" +} + +# ── Resource 1: EBS Volume + NFS Setup (runs Ansible on the Terraform runner) ── +resource "null_resource" "activemq-ebs-nfs-setup" { + count = var.NGINX_NODE_EBS_VOLUME_SIZE_3 > 0 ? 1 : 0 + + triggers = { + device_mount_hash = md5("${var.ACTIVEMQ_STORAGE_DEVICE}${var.ACTIVEMQ_MOUNT_POINT}") + } + + # Write the SSH private key to a temp file on the runner, then run Ansible locally. + # Ansible SSHes into the NGINX node using that key. + provisioner "local-exec" { + # SECURITY: The SSH private key is passed via environment variable, NOT + # interpolated in the command string. 
This prevents it from appearing in: + # - Terraform plan/apply output + # - Shell history (ps aux, /proc) + # - CI/CD logs that capture stdout + # The script reads TF_ACTIVEMQ_SSH_KEY and writes it to a chmod-600 temp file. + command = <<-EOT + set -euo pipefail + + # ── Write SSH key from env var (never from command args) ────────────────── + KEY_FILE=$(mktemp /tmp/activemq-ssh-key-XXXXXX) + chmod 600 "$KEY_FILE" + # Use printf to avoid trailing newline issues with echo + printf '%s' "$TF_ACTIVEMQ_SSH_KEY" > "$KEY_FILE" + + # ── Copy playbook to a temp working dir ─────────────────────────────────── + WORK_DIR=$(mktemp -d /tmp/activemq-setup-XXXXXX) + cp "${path.module}/activemq-setup.yml" "$WORK_DIR/activemq-setup.yml" + cp "${path.module}/activemq-setup.sh" "$WORK_DIR/activemq-setup.sh" + chmod +x "$WORK_DIR/activemq-setup.sh" + + # ── Run the setup script (Ansible runs on this runner, SSHes into NGINX) ── + export NGINX_PRIVATE_IP="${var.NGINX_PRIVATE_IP}" + export ACTIVEMQ_STORAGE_DEVICE="${var.ACTIVEMQ_STORAGE_DEVICE}" + export ACTIVEMQ_MOUNT_POINT="${var.ACTIVEMQ_MOUNT_POINT}" + export SSH_KEY_FILE="$KEY_FILE" + export WORK_DIR="$WORK_DIR" + + bash "$WORK_DIR/activemq-setup.sh" + + # ── Cleanup key (also runs on failure via trap) ──────────────────────────── + rm -f "$KEY_FILE" + EOT + interpreter = ["bash", "-c"] + + environment = { + # Key passed as env var — never appears in command string or Terraform logs + TF_ACTIVEMQ_SSH_KEY = var.SSH_PRIVATE_KEY + } + } +} + +# ── Resource 2: Apply StorageClass to Kubernetes ────────────────────────────── +# The Ansible playbook generates /tmp/activemq-storageclass.yaml on the runner. +# This resource copies it to the K8s control plane and applies it. +resource "null_resource" "activemq-k8s-storageclass" { + count = var.NGINX_NODE_EBS_VOLUME_SIZE_3 > 0 ? 
1 : 0 + depends_on = [null_resource.activemq-ebs-nfs-setup] + + connection { + type = "ssh" + host = var.CONTROL_PLANE_HOST + user = var.CONTROL_PLANE_USER + private_key = var.SSH_PRIVATE_KEY + timeout = "10m" + agent = false + } + + # Copy the StorageClass YAML (generated by Ansible on the runner) to control plane + provisioner "file" { + source = "/tmp/activemq-storageclass.yaml" + destination = "/tmp/activemq-storageclass.yaml" + } + + # Apply it to the cluster + provisioner "remote-exec" { + inline = [ + "export KUBECONFIG=$(find /home/ubuntu/.kube/ -name '*.yaml' | head -1)", + "echo 'Using kubeconfig: $KUBECONFIG'", + "kubectl cluster-info", + "echo 'Applying ActiveMQ NFS StorageClass...'", + "kubectl apply -f /tmp/activemq-storageclass.yaml", + "echo 'Verifying StorageClass was created...'", + "kubectl get storageclass nfs-csi-activemq", + "rm -f /tmp/activemq-storageclass.yaml" + ] + } +} \ No newline at end of file diff --git a/terraform/modules/aws/aws-main.tf b/terraform/modules/aws/aws-main.tf index b305076a..afa87aaa 100644 --- a/terraform/modules/aws/aws-main.tf +++ b/terraform/modules/aws/aws-main.tf 
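Review bot: The comment `# ── Cleanup key (also runs on failure via trap)` is not backed by any `trap`: under `set -euo pipefail`, a non-zero exit from `bash "$WORK_DIR/activemq-setup.sh"` (or from the `cp`/`chmod` lines before it) ends the heredoc before `rm -f "$KEY_FILE"`, leaving the SSH private key at a `/tmp/activemq-ssh-key-*` path on the runner, and `$WORK_DIR` is never removed on any path. Create both temp paths first and register the trap immediately after: `KEY_FILE=$(mktemp /tmp/activemq-ssh-key-XXXXXX)`, `WORK_DIR=$(mktemp -d /tmp/activemq-setup-XXXXXX)`, `trap 'rm -f -- "$KEY_FILE"; rm -rf -- "$WORK_DIR"' EXIT`, then drop the trailing `rm -f` (neither line contains `${`, so the Terraform heredoc leaves them alone). In the second resource, `echo 'Using kubeconfig: $KUBECONFIG'` is single-quoted and prints the literal text rather than the path, and the generated `/tmp/activemq-storageclass.yaml` is deleted on the control plane but left on the runner at a fixed path that later runs and other users of a shared runner can read or replace. `NGINX_PUBLIC_IP` is declared but never referenced anywhere in this file.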
@@ -535,3 +535,20 @@ module "postgresql-setup" {
 CONTROL_PLANE_HOST = [for instance in module.aws-resource-creation.K8S_CLUSTER_PRIVATE_IPS : instance][0]
 CONTROL_PLANE_USER = "ubuntu"
 }
+
+module "activemq-setup" {
+ count = var.enable_activemq_setup && var.nginx_node_ebs_volume_size_3 > 0 ? 1 : 0
+ depends_on = [module.aws-resource-creation, module.nginx-setup, module.rke2-setup, module.nfs-setup, module.postgresql-setup]
+ source = "./activemq-setup"
+
+ NGINX_PUBLIC_IP = module.aws-resource-creation.NGINX_PUBLIC_IP
+ NGINX_PRIVATE_IP = module.aws-resource-creation.NGINX_PRIVATE_IP
+ SSH_PRIVATE_KEY = var.SSH_PRIVATE_KEY
+ NGINX_NODE_EBS_VOLUME_SIZE_3 = var.nginx_node_ebs_volume_size_3
+ ACTIVEMQ_STORAGE_DEVICE = var.activemq_storage_device
+ ACTIVEMQ_MOUNT_POINT = var.activemq_mount_point
+
+ # Control plane for applying the StorageClass to Kubernetes
+ CONTROL_PLANE_HOST = [for instance in module.aws-resource-creation.K8S_CLUSTER_PRIVATE_IPS : instance][0]
+ CONTROL_PLANE_USER = "ubuntu"
+}
\ No newline at end of file
diff --git a/terraform/modules/aws/variables.tf b/terraform/modules/aws/variables.tf
index 7cfbe659..144832ae 100644
--- a/terraform/modules/aws/variables.tf
+++ b/terraform/modules/aws/variables.tf
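Review bot: `NGINX_PUBLIC_IP = module.aws-resource-creation.NGINX_PUBLIC_IP` feeds an input that the `activemq-setup` module (shown in full in the preceding file section) declares but never reads; the SSH session and the generated StorageClass both use `NGINX_PRIVATE_IP`. Dropping the input and its declaration keeps the module interface honest, or, if it is reserved for later, a one-line comment on the declaration such as `# reserved: not used by the current playbook` stops a reader assuming the public address is contacted. The `count` guard here is the only place `enable_activemq_setup` is consulted; the module's own `count` expressions check only the volume size, which is fine but worth a comment on the `enable_activemq_setup` variable so nobody expects the module to honour it on its own.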
@@ -197,4 +197,29 @@ variable "mosip_infra_branch" {
 description = "Branch of the MOSIP infrastructure repository"
 type = string
 default = "develop"
+}
+
+# ActiveMQ Configuration Variables
+variable "enable_activemq_setup" {
+ description = "Enable ActiveMQ EBS volume setup on the NGINX node"
+ type = bool
+ default = false
+}
+
+variable "nginx_node_ebs_volume_size_3" {
+ description = "EBS volume size (GB) for ActiveMQ data on the NGINX node — set to 0 to disable"
+ type = number
+ default = 0
+}
+
+variable "activemq_storage_device" {
+ description = "Block device path of the 3rd EBS volume for ActiveMQ"
+ type = string
+ default = "/dev/nvme3n1"
+}
+
+variable "activemq_mount_point" {
+ description = "Mount point for ActiveMQ persistent storage"
+ type = string
+ default = "/srv/activemq"
 }
\ No newline at end of file
From d051ad717ffcc365e9d0bcf3a338dd3cb59e6b64 Mon Sep 17 00:00:00 2001 From: abhishek-1809 Date: Wed, 25 Mar 2026 14:25:44 +0530 Subject: [PATCH 23/28] [MOSIP-44608] updated terraform script to support ebs volume for activemq as optional Signed-off-by: abhishek-1809
---
 terraform/modules/aws/aws-main.tf | 1 + 1 file changed, 1 insertion(+)
diff --git a/terraform/modules/aws/aws-main.tf b/terraform/modules/aws/aws-main.tf
index afa87aaa..46b9bda1 100644
--- a/terraform/modules/aws/aws-main.tf
+++ b/terraform/modules/aws/aws-main.tf
@@ -129,6 +129,7 @@ module "aws-resource-creation" {
 NGINX_NODE_EBS_VOLUME_SIZE = var.NGINX_NODE_EBS_VOLUME_SIZE
 NGINX_NODE_EBS_VOLUME_SIZE_2 = var.nginx_node_ebs_volume_size_2
+ NGINX_NODE_EBS_VOLUME_SIZE_3 = var.nginx_node_ebs_volume_size_3
 NGINX_NODE_ROOT_VOLUME_SIZE = var.NGINX_NODE_ROOT_VOLUME_SIZE
 # VPC and Subnet Configuration
From c6eaea32c6437afb1840e13874c95ee016248697 Mon Sep 17 00:00:00 2001 From: abhishek-1809 Date: Wed, 25 Mar 2026 14:45:02 +0530 Subject: [PATCH 24/28] [MOSIP-44608] updated terraform script to support ebs volume for activemq as optional
Signed-off-by: abhishek-1809
---
 .../aws/aws-resource-creation/variables.tf | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/terraform/modules/aws/aws-resource-creation/variables.tf b/terraform/modules/aws/aws-resource-creation/variables.tf
index e2e41088..0346bb37 100644
--- a/terraform/modules/aws/aws-resource-creation/variables.tf
+++ b/terraform/modules/aws/aws-resource-creation/variables.tf
@@ -46,6 +46,11 @@ variable "ZONE_ID" { type = string }
 variable "NGINX_NODE_ROOT_VOLUME_SIZE" { type = number }
 variable "NGINX_NODE_EBS_VOLUME_SIZE" { type = number }
 variable "NGINX_NODE_EBS_VOLUME_SIZE_2" { type = number }
+variable "NGINX_NODE_EBS_VOLUME_SIZE_3" {
+ type = number
+ default = 0
+ description = "EBS volume size (GB) for ActiveMQ data on the NGINX node — set to 0 to disable"
+}
 variable "K8S_INSTANCE_ROOT_VOLUME_SIZE" { type = number }
 variable "DNS_RECORDS" {
@@ -169,6 +174,17 @@ EOF
 Cluster = var.CLUSTER_NAME
 Component = var.CLUSTER_NAME
 }
+ }] : [], var.NGINX_NODE_EBS_VOLUME_SIZE_3 > 0 ? [{
+ device_name = "/dev/sdd"
+ volume_size = var.NGINX_NODE_EBS_VOLUME_SIZE_3
+ volume_type = "gp3"
+ delete_on_termination = true
+ encrypted = false
+ tags = {
+ Name = "${local.TAG_NAME.NGINX_TAG_NAME}-vol3"
+ Cluster = var.CLUSTER_NAME
+ Component = var.CLUSTER_NAME
+ }
 }] : [])
 }
 K8S_EC2_NODE = {
From 284b0fcda9f7ff29c16e2521641d2f6c83394a9a Mon Sep 17 00:00:00 2001 From: abhishek-1809 Date: Thu, 26 Mar 2026 15:40:48 +0530 Subject: [PATCH 25/28] [MOSIP-44608] updated terraform script to support ebs volume for activemq as optional
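Review bot: The new `/dev/sdd` block-device entry sets `encrypted = false`, so the ActiveMQ message store sits unencrypted on the EBS volume and in every snapshot taken from it; `encrypted = true` uses the account's default EBS KMS key, costs nothing extra and needs no other change in this expression. Whether the existing `-vol`/`-vol2` entries above the hunk make the same choice is not visible here; if they do, the same applies to them, and the earlier `delete_on_termination = true` means the data also disappears with the instance, which is worth a comment on the `NGINX_NODE_EBS_VOLUME_SIZE_3` variable so operators size and back it up accordingly. The conditional expression that assembles the device list starts outside the hunk.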
Signed-off-by: abhishek-1809 --- .../implementations/aws/infra/aws.tfvars | 103 ------------------ .../aws/infra/profiles/esignet/aws.tfvars | 11 ++ .../aws/infra/profiles/mosip/aws.tfvars | 13 ++- .../aws/activemq-setup/activemq-setup.yml | 20 +++- terraform/modules/aws/activemq-setup/main.tf | 20 +++- terraform/modules/aws/aws-main.tf | 5 +- .../aws/aws-resource-creation/variables.tf | 7 +- terraform/modules/aws/variables.tf | 12 +- 8 files changed, 74 insertions(+), 117 deletions(-) delete mode 100644 terraform/implementations/aws/infra/aws.tfvars diff --git a/terraform/implementations/aws/infra/aws.tfvars b/terraform/implementations/aws/infra/aws.tfvars deleted file mode 100644 index db03e9a2..00000000 --- a/terraform/implementations/aws/infra/aws.tfvars +++ /dev/null 
@@ -1,103 +0,0 @@ -# Environment name (infra component) -cluster_name = "" - -# MOSIP's domain (ex: sandbox.xyz.net) -cluster_env_domain = "" - -# Email-ID will be used by certbot to notify SSL certificate expiry via email -mosip_email_id = "" - -# SSH login key name for AWS node instances (ex: my-ssh-key) -ssh_key_name = "" - -# The AWS region for resource creation -aws_provider_region = "ap-south-1" - -# Specific availability zones for VM deployment (optional) -# If empty, uses all available AZs in the region -# Example: ["ap-south-1a", "ap-south-1b"] for specific AZs -# Example: [] for all available AZs in the region -specific_availability_zones = [] - -# The instance type for Kubernetes nodes (control plane, worker, etcd) -k8s_instance_type = "t3a.2xlarge" - -# The instance type for Nginx server (load balancer) -nginx_instance_type = "t3a.2xlarge" - -# The Route 53 hosted zone ID -zone_id = "" - -## UBUNTU 24.04 -# The Amazon Machine Image ID for the instances -ami = "ami-0ad21ae1d0696ad58" - -# Repo K8S-INFRA URL -k8s_infra_repo_url = "https://github.com/mosip/k8s-infra.git" - -# Repo K8S-INFRA branch -k8s_infra_branch = "release-1.2.1.x" - -# NGINX Node's Root volume size -nginx_node_root_volume_size = 24 - -# NGINX node's EBS volume size -nginx_node_ebs_volume_size = 300 - -# NGINX node's second EBS volume size (optional - set to 0 to disable) -nginx_node_ebs_volume_size_2 = 200 # Enable second EBS volume for PostgreSQL testing - -# Kubernetes nodes Root volume size -k8s_instance_root_volume_size = 64 - -# Control-plane, ETCD, Worker -k8s_control_plane_node_count = 3 - -# ETCD, Worker -k8s_etcd_node_count = 3 - -# Worker -k8s_worker_node_count = 2 - -# RKE2 Version Configuration -rke2_version = "v1.28.9+rke2r1" - -# Security group CIDRs -network_cidr = "172.0.0.0/8" # Use your actual VPC CIDR -WIREGUARD_CIDR = "172.0.0.0/8" # Use your actual WireGuard VPN CIDR - - -# Rancher Import URL -# Rancher Import Configuration -enable_rancher_import = true 
-rancher_import_url = "\"\"" - -# DNS Records to map -subdomain_public = ["resident", "prereg", "esignet", "healthservices", "signup"] -subdomain_internal = ["admin", "iam", "activemq", "kafka", "kibana", "postgres", "smtp", "pmp", "minio", "regclient", "compliance"] - -# PostgreSQL Configuration (used when second EBS volume is enabled) -enable_postgresql_setup = true # Enable PostgreSQL setup for main infra -postgresql_version = "15" -storage_device = "/dev/nvme2n1" -mount_point = "/srv/postgres" -postgresql_port = "5433" - -# MOSIP Infrastructure Repository Configuration -mosip_infra_repo_url = "https://github.com/mosip/infra.git" - -mosip_infra_branch = "release-0.2.0" - -# VPC Configuration - Existing VPC to use (discovered by Name tag) -vpc_name = "" - -# ── ActiveMQ Configuration ───────────────────────────────────────────────────── -# Set enable_activemq_setup = true AND nginx_node_ebs_volume_size_3 > 0 to -# create a dedicated EBS volume, format it as XFS, and mount it on the NGINX node. -# ActiveMQ itself runs inside Kubernetes via Helm (no software installed here). -# Both conditions must be true — set either to false/0 to skip entirely. -enable_activemq_setup = true # Toggle: true = create & mount, false = skip -nginx_node_ebs_volume_size_3 = 30 # Volume size in GB (e.g. 100); 0 = disabled - -activemq_storage_device = "/dev/nvme3n1" -activemq_mount_point = "/srv/activemq" diff --git a/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars b/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars index 4795ad7b..9c8146de 100644 --- a/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars +++ b/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars 
@@ -94,3 +94,14 @@ mosip_infra_branch = "release-0.2.0" # VPC Configuration - Existing VPC to use (discovered by Name tag) vpc_name = "" + +# ── ActiveMQ Configuration ───────────────────────────────────────────────────── +# Set enable_activemq_setup = true AND nginx_node_ebs_volume_size_3 > 0 to +# create a dedicated EBS volume, format it as XFS, and mount it on the NGINX node. +# ActiveMQ itself runs inside Kubernetes via Helm (no software installed here). +# Both conditions must be true — set either to false/0 to skip entirely. +enable_activemq_setup = false # Toggle: true = create & mount, false = skip +nginx_node_ebs_volume_size_3 = 0 # Volume size in GB (e.g. 100); 0 = disabled + +activemq_storage_device = "/dev/nvme3n1" +activemq_mount_point = "/srv/activemq" diff --git a/terraform/implementations/aws/infra/profiles/mosip/aws.tfvars b/terraform/implementations/aws/infra/profiles/mosip/aws.tfvars index 0e94de71..a6b179ed 100644 --- a/terraform/implementations/aws/infra/profiles/mosip/aws.tfvars +++ b/terraform/implementations/aws/infra/profiles/mosip/aws.tfvars @@ -64,7 +64,7 @@ k8s_control_plane_node_count = 3 k8s_etcd_node_count = 3 # Worker -k8s_worker_node_count = 2 +k8s_worker_node_count = 2 # RKE2 Version Configuration rke2_version = "v1.28.9+rke2r1" 
@@ -97,3 +97,14 @@ mosip_infra_branch = "release-0.2.0" # VPC Configuration - Existing VPC to use (discovered by Name tag) vpc_name = "" + +# ── ActiveMQ Configuration ───────────────────────────────────────────────────── +# Set enable_activemq_setup = true AND nginx_node_ebs_volume_size_3 > 0 to +# create a dedicated EBS volume, format it as XFS, and mount it on the NGINX node. +# ActiveMQ itself runs inside Kubernetes via Helm (no software installed here). +# Both conditions must be true — set either to false/0 to skip entirely. +enable_activemq_setup = true # Toggle: true = create & mount, false = skip +nginx_node_ebs_volume_size_3 = 30 # Volume size in GB (e.g. 100); 0 = disabled + +activemq_storage_device = "/dev/nvme3n1" +activemq_mount_point = "/srv/activemq" diff --git a/terraform/modules/aws/activemq-setup/activemq-setup.yml b/terraform/modules/aws/activemq-setup/activemq-setup.yml index fa95b4d4..5a6ef01c 100644 --- a/terraform/modules/aws/activemq-setup/activemq-setup.yml +++ b/terraform/modules/aws/activemq-setup/activemq-setup.yml @@ -29,10 +29,12 @@ state: present # ── Wait for EBS block device ────────────────────────────────────────────── + # activemq_storage_device may be a raw path (/dev/nvme3n1) or a stable + # by-id path (/dev/disk/by-id/nvme-...). Both work with wait_for. - name: Wait for ActiveMQ storage device to appear wait_for: path: "{{ activemq_storage_device }}" - timeout: 120 + timeout: 240 msg: "Timed out waiting for device {{ activemq_storage_device }}" - name: Show available block devices 
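Review bot: `activemq_storage_device = "/dev/nvme3n1"` assumes the third EBS attachment always enumerates as nvme3 on the NGINX node, which Nitro instances do not guarantee across reboots or attach order; since the playbook on this page (L154–L155) already accepts a by-id path, the profile default would be safer as the volume's `/dev/disk/by-id/nvme-...` symlink, or the comment should say the device must be verified on first boot. A wrong guess appears to format whichever device carries that name, because the filesystem task is skipped only when an existing filesystem is detected. The same defaults are added to the esignet profile at L153, where the feature is disabled.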
@@ -57,6 +59,17 @@ dev: "{{ activemq_storage_device }}" when: existing_fs.stdout == "" + # ── Resolve stable UUID for fstab ───────────────────────────────────────── + # Raw NVMe device names (/dev/nvme3n1) change on instance reboot/replacement. + # Using UUID= in fstab is stable — it survives device renaming. + - name: Resolve filesystem UUID of the device + command: blkid -o value -s UUID "{{ activemq_storage_device }}" + register: device_uuid + changed_when: false + retries: 3 + delay: 5 + until: device_uuid.stdout != "" + # ── Create mount point and mount ─────────────────────────────────────────── - name: Create mount point directory file: @@ -64,10 +77,11 @@ state: directory mode: '0777' - - name: Mount device and add to fstab (idempotent) + # fstab and mount use UUID= — stable across reboots and NVMe renaming. + - name: Mount device by UUID and add to fstab (idempotent) mount: path: "{{ activemq_mount_point }}" - src: "{{ activemq_storage_device }}" + src: "UUID={{ device_uuid.stdout | trim }}" fstype: xfs opts: defaults,nofail dump: '0' diff --git a/terraform/modules/aws/activemq-setup/main.tf b/terraform/modules/aws/activemq-setup/main.tf index 14f1fc85..11d95eef 100644 --- a/terraform/modules/aws/activemq-setup/main.tf +++ b/terraform/modules/aws/activemq-setup/main.tf @@ -40,6 +40,10 @@ resource "null_resource" "activemq-ebs-nfs-setup" { count = var.NGINX_NODE_EBS_VOLUME_SIZE_3 > 0 ? 1 : 0 triggers = { + # Re-run when target node is replaced (new IP = new instance) + nginx_private_ip = var.NGINX_PRIVATE_IP + + # Re-run when storage configuration changes device_mount_hash = md5("${var.ACTIVEMQ_STORAGE_DEVICE}${var.ACTIVEMQ_MOUNT_POINT}") } 
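Review bot: The mount point is created with `mode: '0777'` (context line at the start of the second hunk), so the ActiveMQ data root is world-writable on the NGINX node. If the directory is exported over NFS to the cluster, it should be owned by the uid the ActiveMQ pods run as (or the export's anonuid) with `mode: '0750'` rather than opened to every local user; that uid isn't visible here, so treat it as a follow-up. The UUID resolution itself is placed correctly after the conditional mkfs, so it also works for a volume that was already formatted.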
@@ -52,7 +56,7 @@ resource "null_resource" "activemq-ebs-nfs-setup" { # - Shell history (ps aux, /proc) # - CI/CD logs that capture stdout # The script reads TF_ACTIVEMQ_SSH_KEY and writes it to a chmod-600 temp file. - command = <<-EOT + command = <<-EOT set -euo pipefail # ── Write SSH key from env var (never from command args) ────────────────── @@ -63,6 +67,10 @@ resource "null_resource" "activemq-ebs-nfs-setup" { # ── Copy playbook to a temp working dir ─────────────────────────────────── WORK_DIR=$(mktemp -d /tmp/activemq-setup-XXXXXX) + + # ── Guarantee cleanup of KEY_FILE and WORK_DIR on success or failure ────── + trap 'rm -rf "$KEY_FILE" "$WORK_DIR"' EXIT ERR + cp "${path.module}/activemq-setup.yml" "$WORK_DIR/activemq-setup.yml" cp "${path.module}/activemq-setup.sh" "$WORK_DIR/activemq-setup.sh" chmod +x "$WORK_DIR/activemq-setup.sh" @@ -75,9 +83,6 @@ resource "null_resource" "activemq-ebs-nfs-setup" { export WORK_DIR="$WORK_DIR" bash "$WORK_DIR/activemq-setup.sh" - - # ── Cleanup key (also runs on failure via trap) ──────────────────────────── - rm -f "$KEY_FILE" EOT interpreter = ["bash", "-c"] @@ -113,7 +118,10 @@ resource "null_resource" "activemq-k8s-storageclass" { # Apply it to the cluster provisioner "remote-exec" { inline = [ - "export KUBECONFIG=$(find /home/ubuntu/.kube/ -name '*.yaml' | head -1)", + # Build kubeconfig path from the actual login user using find to locate the .yaml file + "export KUBECONFIG=$(find /home/${var.CONTROL_PLANE_USER}/.kube/ -name '*.yaml' | head -1)", + # Fail immediately with a clear message if no valid file was found. + "if [ -z \"$KUBECONFIG\" ] || [ ! -f \"$KUBECONFIG\" ]; then echo \"ERROR: kubeconfig not found in /home/${var.CONTROL_PLANE_USER}/.kube/\"; exit 1; fi", "echo 'Using kubeconfig: $KUBECONFIG'", "kubectl cluster-info", "echo 'Applying ActiveMQ NFS StorageClass...'", 
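Review bot: The cleanup trap in the second hunk is installed only after `$KEY_FILE` has been written and `mktemp -d` has run, so a failure of `mktemp` (or of anything between writing the key and this line) exits under `set -e` with the SSH private key left in /tmp. Initialise `WORK_DIR=""` and register `trap 'rm -rf -- "$KEY_FILE" "$WORK_DIR"' EXIT` immediately after the key file is created; `EXIT` alone suffices, since the `ERR` entry just runs the same removal twice. The script begins outside this hunk, where the key is written. In the fourth hunk, the kept line `echo 'Using kubeconfig: $KUBECONFIG'` is single-quoted and prints the variable name literally rather than the path.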
@@ -123,4 +131,4 @@ resource "null_resource" "activemq-k8s-storageclass" { "rm -f /tmp/activemq-storageclass.yaml" ] } -} \ No newline at end of file +} diff --git a/terraform/modules/aws/aws-main.tf b/terraform/modules/aws/aws-main.tf index 46b9bda1..f6162e7f 100644 --- a/terraform/modules/aws/aws-main.tf +++ b/terraform/modules/aws/aws-main.tf @@ -130,6 +130,7 @@ module "aws-resource-creation" { NGINX_NODE_EBS_VOLUME_SIZE = var.NGINX_NODE_EBS_VOLUME_SIZE NGINX_NODE_EBS_VOLUME_SIZE_2 = var.nginx_node_ebs_volume_size_2 NGINX_NODE_EBS_VOLUME_SIZE_3 = var.nginx_node_ebs_volume_size_3 + enable_activemq_setup = var.enable_activemq_setup NGINX_NODE_ROOT_VOLUME_SIZE = var.NGINX_NODE_ROOT_VOLUME_SIZE # VPC and Subnet Configuration @@ -484,7 +485,7 @@ module "nginx-setup" { SSH_PRIVATE_KEY = var.SSH_PRIVATE_KEY K8S_INFRA_BRANCH = var.K8S_INFRA_BRANCH K8S_INFRA_REPO_URL = var.K8S_INFRA_REPO_URL - NGINX_TYPE = var.NGINX_TYPE # Pass through the NGINX_TYPE + NGINX_TYPE = var.NGINX_TYPE # Pass through the NGINX_TYPE } @@ -552,4 +553,4 @@ module "activemq-setup" { # Control plane for applying the StorageClass to Kubernetes CONTROL_PLANE_HOST = [for instance in module.aws-resource-creation.K8S_CLUSTER_PRIVATE_IPS : instance][0] CONTROL_PLANE_USER = "ubuntu" -} \ No newline at end of file +} diff --git a/terraform/modules/aws/aws-resource-creation/variables.tf b/terraform/modules/aws/aws-resource-creation/variables.tf index 0346bb37..e8624908 100644 --- a/terraform/modules/aws/aws-resource-creation/variables.tf +++ b/terraform/modules/aws/aws-resource-creation/variables.tf @@ -51,6 +51,11 @@ variable "NGINX_NODE_EBS_VOLUME_SIZE_3" { default = 0 description = "EBS volume size (GB) for ActiveMQ data on the NGINX node — set to 0 to disable" } +variable "enable_activemq_setup" { + description = "Enable ActiveMQ EBS volume setup on the NGINX node" + type = bool + default = false +} variable "K8S_INSTANCE_ROOT_VOLUME_SIZE" { type = number } variable "DNS_RECORDS" { 
@@ -174,7 +179,7 @@ EOF Cluster = var.CLUSTER_NAME Component = var.CLUSTER_NAME } - }] : [], var.NGINX_NODE_EBS_VOLUME_SIZE_3 > 0 ? [{ + }] : [], var.enable_activemq_setup && var.NGINX_NODE_EBS_VOLUME_SIZE_3 > 0 ? [{ device_name = "/dev/sdd" volume_size = var.NGINX_NODE_EBS_VOLUME_SIZE_3 volume_type = "gp3" diff --git a/terraform/modules/aws/variables.tf b/terraform/modules/aws/variables.tf index 144832ae..f6c96359 100644 --- a/terraform/modules/aws/variables.tf +++ b/terraform/modules/aws/variables.tf @@ -216,10 +216,20 @@ variable "activemq_storage_device" { description = "Block device path of the 3rd EBS volume for ActiveMQ" type = string default = "/dev/nvme3n1" + + validation { + condition = can(regex("^/dev/.+$", var.activemq_storage_device)) + error_message = "activemq_storage_device must be a valid device path starting with /dev/ (e.g., /dev/nvme3n1 or /dev/disk/by-id/nvme-volume-id)." + } } variable "activemq_mount_point" { description = "Mount point for ActiveMQ persistent storage" type = string default = "/srv/activemq" -} \ No newline at end of file + + validation { + condition = can(regex("^/([A-Za-z0-9._-]+)(/.*)?$", var.activemq_mount_point)) + error_message = "activemq_mount_point must be a valid absolute directory path (e.g., /srv/activemq)." + } +} From 725b1d9ef1f62882ea5c48e30b8250a60a1986d0 Mon Sep 17 00:00:00 2001 From: bhumi46 Date: Fri, 27 Mar 2026 12:43:43 +0530 Subject: [PATCH 26/28] [MOSIP-44751]helmsman workflows always deploy java11 profile regardless of selected profile Signed-off-by: bhumi46 --- .github/workflows/helmsman_esignet.yml | 9 ++++-- .github/workflows/helmsman_external.yml | 38 +++++++++++++------------ .github/workflows/helmsman_mosip.yml | 9 ++++-- .github/workflows/helmsman_testrigs.yml | 9 ++++-- 4 files changed, 41 insertions(+), 24 deletions(-) diff --git a/.github/workflows/helmsman_esignet.yml b/.github/workflows/helmsman_esignet.yml index 11f8d1ce..44b3384e 100644 --- a/.github/workflows/helmsman_esignet.yml 
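Review bot: The volume is now gated on `var.enable_activemq_setup && var.NGINX_NODE_EBS_VOLUME_SIZE_3 > 0`, but `null_resource.activemq-ebs-nfs-setup` (hunk at L155) still uses `count = var.NGINX_NODE_EBS_VOLUME_SIZE_3 > 0 ? 1 : 0`, so `enable_activemq_setup = false` with a non-zero size creates no volume yet still runs the playbook, which then waits 240 s for a device that never attaches. Unless the `module "activemq-setup"` call in aws-main.tf is gated on the flag (not visible here), that count should become `count = var.enable_activemq_setup && var.NGINX_NODE_EBS_VOLUME_SIZE_3 > 0 ? 1 : 0`, which means wiring the flag into that module too; L157 only passes it to aws-resource-creation. The enclosing locals expression starts outside this hunk.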
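Review bot: The `activemq_storage_device` validation `^/dev/.+$` still accepts whitespace, quotes and shell metacharacters, and the value is later interpolated into an Ansible `command:` line and an fstab entry (activemq-setup.yml, L155); `can(regex("^/dev/[A-Za-z0-9._/-]+$", var.activemq_storage_device))` keeps both raw and by-id paths while rejecting the rest. The mount-point pattern likewise admits `..` segments and arbitrary trailing characters through `(/.*)?`; `^(/[A-Za-z0-9._-]+)+$` plus `&& !can(regex("(^|/)\\.\\.(/|$)", var.activemq_mount_point))` is tighter. Both values come from operator-controlled tfvars, so this is hardening rather than an exploitable defect.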
+++ b/.github/workflows/helmsman_esignet.yml @@ -110,9 +110,14 @@ jobs: PROFILE="${{ github.event.inputs.profile }}" else # Auto-detect profile from push trigger — extract profile dir name from changed files - CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} -- 'Helmsman/dsf/' 2>/dev/null || echo "") + # Fall back to HEAD~1 if github.event.before is unreachable (e.g. shallow clone) + CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} -- 'Helmsman/dsf/' 2>/dev/null || \ + git diff --name-only HEAD~1 HEAD -- 'Helmsman/dsf/' 2>/dev/null || echo "") PROFILE=$(echo "$CHANGED_FILES" | grep 'esignet-dsf.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') - PROFILE=${PROFILE:-mosip-platform-java11} + if [[ -z "$PROFILE" ]]; then + echo "Error: could not detect profile from changed DSF files." + exit 1 + fi fi echo "PROFILE=$PROFILE" >> $GITHUB_ENV echo "📁 Using profile: $PROFILE" diff --git a/.github/workflows/helmsman_external.yml b/.github/workflows/helmsman_external.yml index 44fe3dd6..50a11dd5 100644 --- a/.github/workflows/helmsman_external.yml +++ b/.github/workflows/helmsman_external.yml @@ -33,6 +33,7 @@ jobs: runs-on: ubuntu-latest outputs: matrix: ${{ steps.set-matrix.outputs.matrix }} + profile: ${{ steps.set-matrix.outputs.PROFILE }} steps: - name: Checkout repository with full history uses: actions/checkout@v4 
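Review bot: `PROFILE="${{ github.event.inputs.profile }}"` expands the dispatch input into the shell script at template time, so a value containing `"`, `$(` or a newline becomes shell code on the runner; GitHub's own hardening guidance is to route expression values through `env:`. Add `env: PROFILE_INPUT: ${{ github.event.inputs.profile }}` to the step and use `PROFILE="$PROFILE_INPUT"`, and ideally declare the input as `type: choice` listing the profile directories, since `$PROFILE` is later used as a path component. Only users who can dispatch the workflow supply the value, so this is defense in depth rather than an open hole. The same pattern appears in helmsman_external.yml (L160), helmsman_mosip.yml (L162, L167) and helmsman_testrigs.yml (L163, L168). The `run:` step starts outside this hunk.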
@@ -42,36 +43,36 @@ jobs: - name: Generate workflow matrix id: set-matrix run: | - # Determine profile - if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then - PROFILE="${{ github.event.inputs.profile }}" - else - PROFILE="mosip-platform-java11" - fi - echo "Using profile: $PROFILE" - matrix_json='{"include":[]}' if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then + PROFILE="${{ github.event.inputs.profile }}" matrix_json="{\"include\":[{\"dsf_files\":\"${PROFILE}/prereq-dsf.yaml\",\"wg_conf\":\"wg0\"},{\"dsf_files\":\"${PROFILE}/external-dsf.yaml\",\"wg_conf\":\"wg1\"}]}" else # Handle different event types properly if [[ "$GITHUB_EVENT_NAME" == "push" ]]; then - # For push events, use GitHub's provided SHAs - base_sha="${{ github.event.before}}" + base_sha="${{ github.event.before }}" head_sha="${{ github.sha }}" elif [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then - # For PRs, compare against target branch base_sha="${{ github.event.pull_request.base.sha }}" head_sha="${{ github.event.pull_request.head.sha }}" fi - # Get changed files safely - changed_files=$(git diff --name-only "$base_sha" "$head_sha" -- 'Helmsman/dsf/' || echo "") - + # Get changed files safely; fall back to HEAD~1 if base_sha is unreachable + changed_files=$(git diff --name-only "$base_sha" "$head_sha" -- 'Helmsman/dsf/' 2>/dev/null || \ + git diff --name-only HEAD~1 HEAD -- 'Helmsman/dsf/' 2>/dev/null || echo "") + entries=() # Dynamically detect changed profiles from file paths changed_profiles=$(echo "$changed_files" | grep 'Helmsman/dsf/' | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|' | sort -u) + + # Derive PROFILE from the changed files (first detected profile dir) + PROFILE=$(echo "$changed_profiles" | head -1) + if [[ -z "$PROFILE" ]]; then + echo "Error: could not detect profile from changed DSF files." 
+ exit 1 + fi + for profile_dir in $changed_profiles; do if echo "$changed_files" | grep -q "Helmsman/dsf/${profile_dir}/prereq-dsf.yaml"; then entries+=("{\"dsf_files\":\"${profile_dir}/prereq-dsf.yaml\",\"wg_conf\":\"wg0\"}") @@ -81,12 +82,13 @@ jobs: entries+=("{\"dsf_files\":\"${profile_dir}/external-dsf.yaml\",\"wg_conf\":\"wg1\"}") fi done - + if [ ${#entries[@]} -gt 0 ]; then matrix_json="{\"include\":[$(IFS=,; echo "${entries[*]}")]}" fi fi + echo "Using profile: $PROFILE" echo "matrix=$matrix_json" >> $GITHUB_OUTPUT echo "PROFILE=$PROFILE" >> $GITHUB_OUTPUT deploy: @@ -261,9 +263,9 @@ jobs: workflow-caller: runs-on: ubuntu-latest - needs: deploy + needs: [deploy, set-matrix] # Only trigger MOSIP workflow for mosip-platform profiles, not for standalone esignet - if: ${{ github.event_name == 'workflow_dispatch' && startsWith(github.event.inputs.profile, 'mosip-platform-') }} + if: ${{ startsWith(needs.set-matrix.outputs.profile, 'mosip-platform-') }} steps: - name: Trigger helmsman mosip workflow via API env: @@ -276,4 +278,4 @@ jobs: -H "Authorization: Bearer $GITHUB_TOKEN" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/$GITHUB_REPO/actions/workflows/helmsman_mosip.yml/dispatches \ - -d '{"ref":"'"$BRANCH"'","inputs":{"mode":"apply"}}' \ No newline at end of file + -d '{"ref":"'"$BRANCH"'","inputs":{"mode":"apply","profile":"'"${{ needs.set-matrix.outputs.profile }}"'"}}' \ No newline at end of file diff --git a/.github/workflows/helmsman_mosip.yml b/.github/workflows/helmsman_mosip.yml index d0aa9f9a..2c7ca537 100644 --- a/.github/workflows/helmsman_mosip.yml +++ b/.github/workflows/helmsman_mosip.yml 
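Review bot: The dispatch body in the last hunk is assembled by string concatenation, with `${{ needs.set-matrix.outputs.profile }}` expanded into the script at template time and `$BRANCH` spliced into JSON without escaping, so a quote or newline in either value produces broken shell or invalid JSON rather than a clean failure. Export the profile with `env: PROFILE: ${{ needs.set-matrix.outputs.profile }}` and build the payload with `jq -n --arg ref "$BRANCH" --arg profile "$PROFILE" '{ref:$ref,inputs:{mode:"apply",profile:$profile}}'`, sending it via `-d @-`. The later revision of this step (L166) has the same construction. In the matrix step, the `if`/`elif` on event type leaves `base_sha` and `head_sha` unset for any other trigger, which the `HEAD~1` fallback then silently masks.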
@@ -77,9 +77,14 @@ jobs: echo "PROFILE=${{ github.event.inputs.profile }}" >> $GITHUB_ENV else # Auto-detect profile from push trigger — extract profile dir name from changed files - CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} -- 'Helmsman/dsf/' 2>/dev/null || echo "") + # Fall back to HEAD~1 if github.event.before is unreachable (e.g. shallow clone) + CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} -- 'Helmsman/dsf/' 2>/dev/null || \ + git diff --name-only HEAD~1 HEAD -- 'Helmsman/dsf/' 2>/dev/null || echo "") PROFILE=$(echo "$CHANGED_FILES" | grep 'mosip-dsf.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') - PROFILE=${PROFILE:-mosip-platform-java11} + if [[ -z "$PROFILE" ]]; then + echo "Error: could not detect profile from changed DSF files." + exit 1 + fi echo "PROFILE=$PROFILE" >> $GITHUB_ENV fi echo "Using profile: $PROFILE" diff --git a/.github/workflows/helmsman_testrigs.yml b/.github/workflows/helmsman_testrigs.yml index 95f2be01..ad17ec23 100644 --- a/.github/workflows/helmsman_testrigs.yml +++ b/.github/workflows/helmsman_testrigs.yml 
@@ -77,9 +77,14 @@ jobs: echo "PROFILE=${{ github.event.inputs.profile }}" >> $GITHUB_ENV else # Auto-detect profile from push trigger — extract profile dir name from changed files - CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} -- 'Helmsman/dsf/' 2>/dev/null || echo "") + # Fall back to HEAD~1 if github.event.before is unreachable (e.g. shallow clone) + CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} -- 'Helmsman/dsf/' 2>/dev/null || \ + git diff --name-only HEAD~1 HEAD -- 'Helmsman/dsf/' 2>/dev/null || echo "") PROFILE=$(echo "$CHANGED_FILES" | grep 'testrigs-dsf.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') - PROFILE=${PROFILE:-mosip-platform-java11} + if [[ -z "$PROFILE" ]]; then + echo "Error: could not detect profile from changed DSF files." + exit 1 + fi echo "PROFILE=$PROFILE" >> $GITHUB_ENV fi echo "Using profile: $PROFILE" From c4569615dcb0c106807cf6adb0238d55ac9ae25f Mon Sep 17 00:00:00 2001 From: bhumi46 Date: Mon, 30 Mar 2026 11:57:13 +0530 Subject: [PATCH 27/28] [MOSIP-44613]Resolved code rabbit comments 
Signed-off-by: bhumi46 --- .github/workflows/helmsman_esignet.yml | 11 ++++++++--- .github/workflows/helmsman_external.yml | 7 ++++--- .github/workflows/helmsman_mosip.yml | 13 +++++++++---- .github/workflows/helmsman_testrigs.yml | 13 +++++++++---- Helmsman/dsf/mosip-platform-java11/prereq-dsf.yaml | 10 +++++----- Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml | 2 +- Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml | 8 ++++---- .../dsf/mosip-platform-java21/testrigs-dsf.yaml | 2 +- Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh | 8 ++++++++ Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh | 6 +++--- Helmsman/hooks/esignet-1.7.1/esignet-preinstall.sh | 10 +++++----- .../hooks/esignet-1.7.1/keycloak-postinstall.sh | 4 ++-- Helmsman/hooks/esignet-1.7.1/redis-setup.sh | 3 ++- .../softhsm-mock-identity-system-postinstall.sh | 2 +- .../aws/infra/profiles/esignet/aws.tfvars | 2 +- terraform/implementations/aws/infra/variables.tf | 8 ++++++++ .../modules/aws/activemq-setup/activemq-setup.sh | 8 ++++++++ .../modules/aws/activemq-setup/activemq-setup.yml | 2 +- terraform/modules/aws/activemq-setup/main.tf | 2 +- 19 files changed, 81 insertions(+), 40 deletions(-) diff --git a/.github/workflows/helmsman_esignet.yml b/.github/workflows/helmsman_esignet.yml index 44b3384e..250b6ae0 100644 --- a/.github/workflows/helmsman_esignet.yml +++ b/.github/workflows/helmsman_esignet.yml 
@@ -111,7 +111,12 @@ jobs: else # Auto-detect profile from push trigger — extract profile dir name from changed files # Fall back to HEAD~1 if github.event.before is unreachable (e.g. shallow clone) - CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} -- 'Helmsman/dsf/' 2>/dev/null || \ + BEFORE="${{ github.event.before }}" + SHA="${{ github.sha }}" + if [[ -z "$BEFORE" || "$BEFORE" == "0000000000000000000000000000000000000000" ]]; then + BEFORE="HEAD~1" + fi + CHANGED_FILES=$(git diff --name-only "$BEFORE" "$SHA" -- 'Helmsman/dsf/' 2>/dev/null || \ git diff --name-only HEAD~1 HEAD -- 'Helmsman/dsf/' 2>/dev/null || echo "") PROFILE=$(echo "$CHANGED_FILES" | grep 'esignet-dsf.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') if [[ -z "$PROFILE" ]]; then @@ -119,8 +124,8 @@ jobs: exit 1 fi fi - echo "PROFILE=$PROFILE" >> $GITHUB_ENV - echo "📁 Using profile: $PROFILE" + echo "PROFILE=$PROFILE" >> "$GITHUB_ENV" + echo "Using profile: $PROFILE" - name: Setup ufw firewall run: | diff --git a/.github/workflows/helmsman_external.yml b/.github/workflows/helmsman_external.yml index 50a11dd5..30efcbf6 100644 --- a/.github/workflows/helmsman_external.yml +++ b/.github/workflows/helmsman_external.yml @@ -66,8 +66,8 @@ jobs: # Dynamically detect changed profiles from file paths changed_profiles=$(echo "$changed_files" | grep 'Helmsman/dsf/' | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|' | sort -u) - # Derive PROFILE from the changed files (first detected profile dir) - PROFILE=$(echo "$changed_profiles" | head -1) + # Derive PROFILE from the changed files (all detected profile dirs, newline-separated) + PROFILE="$changed_profiles" if [[ -z "$PROFILE" ]]; then echo "Error: could not detect profile from changed DSF files." exit 1 
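Review bot: `PROFILE="$changed_profiles"` in the helmsman_external.yml hunk makes the value newline-separated whenever more than one profile directory changed, but `echo "PROFILE=$PROFILE" >> $GITHUB_OUTPUT` (kept just below this hunk) accepts one `key=value` per line, so the second line is rejected as an invalid format and the job fails; multi-line outputs require the `PROFILE<<EOF` delimiter syntax. Even with that, `startsWith(needs.set-matrix.outputs.profile, 'mosip-platform-')` and the `inputs.profile` sent in the dispatch expect a single profile. Either keep `head -1` and fail loudly on ambiguity, e.g. `if (( $(wc -l <<<"$changed_profiles") > 1 )); then echo "Error: multiple profiles changed: $changed_profiles"; exit 1; fi`, or make the downstream consumers iterate. The set-matrix step starts and ends outside this hunk.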
@@ -272,10 +272,11 @@ jobs: GITHUB_REPO: ${{ github.repository }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} BRANCH: ${{ github.ref_name }} + MODE: ${{ github.event.inputs.mode }} run: | curl -X POST \ -H "Accept: application/vnd.github+json" \ -H "Authorization: Bearer $GITHUB_TOKEN" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/repos/$GITHUB_REPO/actions/workflows/helmsman_mosip.yml/dispatches \ - -d '{"ref":"'"$BRANCH"'","inputs":{"mode":"apply","profile":"'"${{ needs.set-matrix.outputs.profile }}"'"}}' \ No newline at end of file + -d '{"ref":"'"$BRANCH"'","inputs":{"mode":"'"${MODE:-apply}"'","profile":"'"${{ needs.set-matrix.outputs.profile }}"'"}}' \ No newline at end of file diff --git a/.github/workflows/helmsman_mosip.yml b/.github/workflows/helmsman_mosip.yml index 2c7ca537..6eb4484b 100644 --- a/.github/workflows/helmsman_mosip.yml +++ b/.github/workflows/helmsman_mosip.yml 
@@ -74,19 +74,24 @@ jobs: - name: Set Profile run: | if [ -n "${{ github.event.inputs.profile }}" ]; then - echo "PROFILE=${{ github.event.inputs.profile }}" >> $GITHUB_ENV + PROFILE="${{ github.event.inputs.profile }}" else # Auto-detect profile from push trigger — extract profile dir name from changed files # Fall back to HEAD~1 if github.event.before is unreachable (e.g. shallow clone) - CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} -- 'Helmsman/dsf/' 2>/dev/null || \ + BEFORE="${{ github.event.before }}" + SHA="${{ github.sha }}" + if [[ -z "$BEFORE" || "$BEFORE" == "0000000000000000000000000000000000000000" ]]; then + BEFORE="HEAD~1" + fi + CHANGED_FILES=$(git diff --name-only "$BEFORE" "$SHA" -- 'Helmsman/dsf/' 2>/dev/null || \ git diff --name-only HEAD~1 HEAD -- 'Helmsman/dsf/' 2>/dev/null || echo "") - PROFILE=$(echo "$CHANGED_FILES" | grep 'mosip-dsf.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') + PROFILE=$(echo "$CHANGED_FILES" | grep 'mosip-dsf\.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') if [[ -z "$PROFILE" ]]; then echo "Error: could not detect profile from changed DSF files." exit 1 fi - echo "PROFILE=$PROFILE" >> $GITHUB_ENV fi + echo "PROFILE=$PROFILE" >> "$GITHUB_ENV" echo "Using profile: $PROFILE" - name: Setup ufw firewall diff --git a/.github/workflows/helmsman_testrigs.yml b/.github/workflows/helmsman_testrigs.yml index ad17ec23..3d1d87fa 100644 --- a/.github/workflows/helmsman_testrigs.yml +++ b/.github/workflows/helmsman_testrigs.yml 
@@ -74,19 +74,24 @@ jobs: - name: Set Profile run: | if [ -n "${{ github.event.inputs.profile }}" ]; then - echo "PROFILE=${{ github.event.inputs.profile }}" >> $GITHUB_ENV + PROFILE="${{ github.event.inputs.profile }}" else # Auto-detect profile from push trigger — extract profile dir name from changed files # Fall back to HEAD~1 if github.event.before is unreachable (e.g. shallow clone) - CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }} -- 'Helmsman/dsf/' 2>/dev/null || \ + BEFORE="${{ github.event.before }}" + SHA="${{ github.sha }}" + if [[ -z "$BEFORE" || "$BEFORE" == "0000000000000000000000000000000000000000" ]]; then + BEFORE="HEAD~1" + fi + CHANGED_FILES=$(git diff --name-only "$BEFORE" "$SHA" -- 'Helmsman/dsf/' 2>/dev/null || \ git diff --name-only HEAD~1 HEAD -- 'Helmsman/dsf/' 2>/dev/null || echo "") - PROFILE=$(echo "$CHANGED_FILES" | grep 'testrigs-dsf.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') + PROFILE=$(echo "$CHANGED_FILES" | grep 'testrigs-dsf\.yaml' | head -1 | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|') if [[ -z "$PROFILE" ]]; then echo "Error: could not detect profile from changed DSF files." exit 1 fi - echo "PROFILE=$PROFILE" >> $GITHUB_ENV fi + echo "PROFILE=$PROFILE" >> "$GITHUB_ENV" echo "Using profile: $PROFILE" - name: Setup ufw firewall diff --git a/Helmsman/dsf/mosip-platform-java11/prereq-dsf.yaml b/Helmsman/dsf/mosip-platform-java11/prereq-dsf.yaml index 4dcb4620..125fcdf4 100644 --- a/Helmsman/dsf/mosip-platform-java11/prereq-dsf.yaml +++ b/Helmsman/dsf/mosip-platform-java11/prereq-dsf.yaml 
@@ -33,8 +33,8 @@ apps: timeout: 900 priority: -6 hooks: - postInstall: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net " - postUpgrade: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net " + postInstall: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net ${ISTIO_VERSION}" + postUpgrade: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net ${ISTIO_VERSION}" rancher-monitoring: namespace: cattle-monitoring-system @@ -42,8 +42,8 @@ apps: version: 103.1.0+up45.31.1 chart: mosip/rancher-monitoring set: - grafana.global.cattle.clusterId: "" - global.cattle.clusterId: "" + grafana.global.cattle.clusterId: "$CLUSTER_ID" + global.cattle.clusterId: "$CLUSTER_ID" wait: true valuesFile: "$WORKDIR/utils/monitoring_values.yaml" priority: -5 @@ -103,7 +103,7 @@ apps: enabled: true version: 103.1.1+up4.4.0 chart: mosip/rancher-logging - valuesFile: "$WORKDIR/utils/rancher-loggig-values.yaml" + valuesFile: "$WORKDIR/utils/rancher-logging-values.yaml" wait: true priority: -1 timeout: 1200 diff --git a/Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml index a08deb26..a510dc74 100644 --- a/Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml +++ b/Helmsman/dsf/mosip-platform-java21/esignet-dsf.yaml @@ -227,7 +227,7 @@ apps: istio.hosts[0]: "esignet.sandbox.xyz.net" extraEnvVarsCM[0]: "global" extraEnvVarsCM[1]: "config-server-share" - extraEnvVarsCM[2]: "artifactory-share" + extraEnvVarsCM[2]: "artifactory-1202-share" extraEnvVarsCM[3]: "softhsm-esignet-share" extraEnvVarsCM[4]: "oidc-ui" # image.repository: "mosipid/esignet" diff --git a/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml index 7415b9c7..9e8d446a 100644 --- a/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml +++ b/Helmsman/dsf/mosip-platform-java21/prereq-dsf.yaml 
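Review bot: `${ISTIO_VERSION}` and `"$CLUSTER_ID"` are now resolved by Helmsman's environment substitution, so they must be exported by the workflow that runs these DSFs; if either is absent the value may fall back to an empty string, which is the behaviour the old hard-coded `""` had, only harder to spot. I can't see the workflow side from here, so a preflight such as `: "${CLUSTER_ID:?CLUSTER_ID must be set}" "${ISTIO_VERSION:?ISTIO_VERSION must be set}"` before invoking Helmsman would make the dependency explicit. The same substitutions are introduced in the java21 prereq DSF at L170.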
@@ -33,8 +33,8 @@ apps: timeout: 900 priority: -6 hooks: - postInstall: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net " - postUpgrade: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net " + postInstall: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net ${ISTIO_VERSION}" + postUpgrade: "$WORKDIR/hooks/install-istio-and-httpbin.sh sandbox.xyz.net ${ISTIO_VERSION}" rancher-monitoring: namespace: cattle-monitoring-system @@ -42,8 +42,8 @@ apps: version: 103.1.0+up45.31.1 chart: mosip/rancher-monitoring set: - grafana.global.cattle.clusterId: "" - global.cattle.clusterId: "" + grafana.global.cattle.clusterId: "$CLUSTER_ID" + global.cattle.clusterId: "$CLUSTER_ID" wait: true valuesFile: "$WORKDIR/utils/monitoring_values.yaml" priority: -5 diff --git a/Helmsman/dsf/mosip-platform-java21/testrigs-dsf.yaml b/Helmsman/dsf/mosip-platform-java21/testrigs-dsf.yaml index 17ee1b75..751ed34f 100644 --- a/Helmsman/dsf/mosip-platform-java21/testrigs-dsf.yaml +++ b/Helmsman/dsf/mosip-platform-java21/testrigs-dsf.yaml @@ -59,7 +59,7 @@ apps: apitestrig.configmaps.apitestrig.ENV_ENDPOINT: "https://api-internal.sandbox.xyz.net" apitestrig.configmaps.apitestrig.ENV_TESTLEVEL: "smokeAndRegression" apitestrig.configmaps.apitestrig.reportExpirationInDays: "3" - apitestrig.configmaps.apitestrig.slack-webhook-url: "https://hooks.slack.com/services/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" + apitestrig.configmaps.apitestrig.slack-webhook-url: "$SLACK_WEBHOOK_URL" apitestrig.configmaps.apitestrig.eSignetDeployed: "yes" apitestrig.configmaps.apitestrig.NS: apitestrig apitestrig.configmaps.apitestrig.servicesNotDeployed: '' diff --git a/Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh index 259dbc66..2aa2a559 100755 --- a/Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh +++ b/Helmsman/hooks/esignet-1.7.1/captcha-postinstall.sh 
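Review bot: The removed line in the testrigs hunk held a live Slack incoming-webhook URL in clear text; replacing it with `$SLACK_WEBHOOK_URL` stops the value from being deployed, but the secret stays in git history (and in this patch series), so the webhook should be revoked and re-issued in Slack and the new value kept only as a CI secret. A secret scanner in pre-commit or CI would catch the next one. Since Helmsman expands `$SLACK_WEBHOOK_URL` from the environment, the workflow should also fail early when it is unset, e.g. `: "${SLACK_WEBHOOK_URL:?SLACK_WEBHOOK_URL must be set}"`.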
@@ -44,6 +44,14 @@ ENV_VAR_EXISTS=$(kubectl -n "$CAPTCHA_NS" get deployment captcha -o jsonpath="{. if [[ -z "$ENV_VAR_EXISTS" ]]; then echo "Adding MOSIP_CAPTCHA_GOOGLERECAPTCHAV2_SECRET_ESIGNET env var..." + # Ensure env array exists before appending to it + ENV_ARRAY_EXISTS=$(kubectl -n "$CAPTCHA_NS" get deployment captcha \ + -o jsonpath="{.spec.template.spec.containers[0].env}" 2>/dev/null || echo "") + if [[ -z "$ENV_ARRAY_EXISTS" ]]; then + echo "env array not found, initializing..." + kubectl patch deployment -n "$CAPTCHA_NS" captcha --type='json' \ + -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env", "value": []}]' + fi kubectl patch deployment -n "$CAPTCHA_NS" captcha --type='json' \ -p='[{"op": "add", "path": "/spec/template/spec/containers/0/env/-", "value": {"name": "MOSIP_CAPTCHA_GOOGLERECAPTCHAV2_SECRET_ESIGNET", "valueFrom": {"secretKeyRef": {"name": "esignet-captcha", "key": "esignet-captcha-secret-key"}}}}]' else diff --git a/Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh b/Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh index f7283285..6e44ef3d 100755 --- a/Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh +++ b/Helmsman/hooks/esignet-1.7.1/esignet-init-db.sh 
@@ -26,20 +26,20 @@ kubectl label namespace "$ESIGNET_NS" istio-injection=enabled --overwrite # Source: deploy/postgres/postgres-init.sh -> ../copy_cm_func.sh secret postgres-postgresql postgres esignet echo "Copying postgres-postgresql secret to $ESIGNET_NS namespace" kubectl -n "$POSTGRES_NS" get secret postgres-postgresql -o yaml | \ - sed "s/namespace: $POSTGRES_NS/namespace: $ESIGNET_NS/g" | \ + sed "s|^\(\s*namespace:\) $POSTGRES_NS$|\1 $ESIGNET_NS|" | \ kubectl apply -f - # --- Step 3: Copy db-common-secrets from postgres to esignet --- # Source: deploy/postgres/postgres-init.sh -> ../copy_cm_func.sh secret db-common-secrets postgres esignet echo "Copying db-common-secrets to $ESIGNET_NS namespace" kubectl -n "$POSTGRES_NS" get secret db-common-secrets -o yaml | \ - sed "s/namespace: $POSTGRES_NS/namespace: $ESIGNET_NS/g" | \ + sed "s|^\(\s*namespace:\) $POSTGRES_NS$|\1 $ESIGNET_NS|" | \ kubectl apply -f - # --- Step 4: Copy postgres-config configmap from postgres to esignet --- echo "Copying postgres-config configmap to $ESIGNET_NS namespace" kubectl -n "$POSTGRES_NS" get configmap postgres-config -o yaml | \ - sed "s/namespace: $POSTGRES_NS/namespace: $ESIGNET_NS/g" | \ + sed "s|^\(\s*namespace:\) $POSTGRES_NS$|\1 $ESIGNET_NS|" | \ kubectl apply -f - echo "Database init pre-install completed." diff --git a/Helmsman/hooks/esignet-1.7.1/esignet-preinstall.sh b/Helmsman/hooks/esignet-1.7.1/esignet-preinstall.sh index 297b356c..73a2076c 100755 --- a/Helmsman/hooks/esignet-1.7.1/esignet-preinstall.sh +++ b/Helmsman/hooks/esignet-1.7.1/esignet-preinstall.sh 
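Review bot: The anchored sed now rewrites only the metadata `namespace:` line, which is a good narrowing, but all three pipelines still forward the full `-o yaml` export — `uid`, `resourceVersion`, `creationTimestamp`, `managedFields` and any `ownerReferences` — into `kubectl apply`; depending on the server this can be rejected or conflict, and an owner reference into `$POSTGRES_NS` may make the copy eligible for garbage collection in the new namespace. Assuming jq is available in the hook environment (keycloak-postinstall.sh in this series already uses it), strip the metadata instead of patching text, e.g. `kubectl -n "$POSTGRES_NS" get secret postgres-postgresql -o json | jq --arg ns "$ESIGNET_NS" 'del(.metadata.uid,.metadata.resourceVersion,.metadata.creationTimestamp,.metadata.managedFields,.metadata.ownerReferences) | .metadata.namespace=$ns' | kubectl apply -f -`. The same sed pattern recurs in the esignet-preinstall.sh hunks below, where the `create -f -` variant is even more likely to trip on a carried-over `resourceVersion`.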
@@ -39,7 +39,7 @@ echo "Copying esignet-softhsm-share configmap from $SOFTHSM_NS" if kubectl -n "$SOFTHSM_NS" get configmap esignet-softhsm-share &>/dev/null; then kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true configmap esignet-softhsm-share kubectl -n "$SOFTHSM_NS" get configmap esignet-softhsm-share -o yaml | \ - sed "s/namespace: $SOFTHSM_NS/namespace: $ESIGNET_NS/g" | \ + sed "s|^\(\s*namespace:\) $SOFTHSM_NS$|\1 $ESIGNET_NS|" | \ kubectl -n "$ESIGNET_NS" create -f - else echo "WARNING: esignet-softhsm-share configmap not found in $SOFTHSM_NS" @@ -50,7 +50,7 @@ echo "Copying postgres-config configmap from $POSTGRES_NS" if kubectl -n "$POSTGRES_NS" get configmap postgres-config &>/dev/null; then kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true configmap postgres-config kubectl -n "$POSTGRES_NS" get configmap postgres-config -o yaml | \ - sed "s/namespace: $POSTGRES_NS/namespace: $ESIGNET_NS/g" | \ + sed "s|^\(\s*namespace:\) $POSTGRES_NS$|\1 $ESIGNET_NS|" | \ kubectl -n "$ESIGNET_NS" create -f - else echo "WARNING: postgres-config configmap not found in $POSTGRES_NS" @@ -61,7 +61,7 @@ echo "Copying redis-config configmap from $REDIS_NS" if kubectl -n "$REDIS_NS" get configmap redis-config &>/dev/null; then kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true configmap redis-config kubectl -n "$REDIS_NS" get configmap redis-config -o yaml | \ - sed "s/namespace: $REDIS_NS/namespace: $ESIGNET_NS/g" | \ + sed "s|^\(\s*namespace:\) $REDIS_NS$|\1 $ESIGNET_NS|" | \ kubectl -n "$ESIGNET_NS" create -f - else echo "WARNING: redis-config configmap not found in $REDIS_NS" 
@@ -74,7 +74,7 @@ echo "Copying esignet-softhsm secret from $SOFTHSM_NS" if kubectl -n "$SOFTHSM_NS" get secret esignet-softhsm &>/dev/null; then kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true secret esignet-softhsm kubectl -n "$SOFTHSM_NS" get secret esignet-softhsm -o yaml | \ - sed "s/namespace: $SOFTHSM_NS/namespace: $ESIGNET_NS/g" | \ + sed "s|^\(\s*namespace:\) $SOFTHSM_NS$|\1 $ESIGNET_NS|" | \ kubectl -n "$ESIGNET_NS" create -f - else echo "WARNING: esignet-softhsm secret not found in $SOFTHSM_NS" @@ -85,7 +85,7 @@ echo "Copying redis secret from $REDIS_NS" if kubectl -n "$REDIS_NS" get secret redis &>/dev/null; then kubectl -n "$ESIGNET_NS" delete --ignore-not-found=true secret redis kubectl -n "$REDIS_NS" get secret redis -o yaml | \ - sed "s/namespace: $REDIS_NS/namespace: $ESIGNET_NS/g" | \ + sed "s|^\(\s*namespace:\) $REDIS_NS$|\1 $ESIGNET_NS|" | \ kubectl -n "$ESIGNET_NS" create -f - else echo "WARNING: redis secret not found in $REDIS_NS" diff --git a/Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh index 9a8965d0..77d65b12 100755 --- a/Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh +++ b/Helmsman/hooks/esignet-1.7.1/keycloak-postinstall.sh @@ -106,7 +106,7 @@ kubectl -n "$ESIGNET_NS" delete secret --ignore-not-found=true keycloak-client-s helm -n "$ESIGNET_NS" delete esignet-keycloak-init 2>/dev/null || true helm -n "$ESIGNET_NS" install esignet-keycloak-init mosip/keycloak-init \ - "${HELM_SET_SECRETS[@]}" \ + ${HELM_SET_SECRETS[@]+"${HELM_SET_SECRETS[@]}"} \ --set keycloak.realms.mosip.realm_config.attributes.frontendUrl="https://$IAMHOST_URL/auth" \ --set keycloakInternalHost="keycloak.$KEYCLOAK_NS" \ --set keycloakExternalHost="$IAMHOST_URL" \ 
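Review bot: In the keycloak-postinstall.sh hunk, `${HELM_SET_SECRETS[@]+"${HELM_SET_SECRETS[@]}"}` is the right guard for an empty array under `set -u`, but the array's contents still reach helm as `--set` arguments on the command line, where they are visible in `ps` on the runner and in any `set -x` trace. HELM_SET_SECRETS is built outside this hunk so I cannot see what it holds; if it carries client secrets, write them to a `mktemp` file with mode 600, pass it with `-f`, and remove it from an `EXIT` trap, keeping `--set` for the non-sensitive keys shown here.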
@@ -123,7 +123,7 @@ if kubectl -n "$ESIGNET_NS" get secret keycloak-client-secrets &>/dev/null; then -o jsonpath="{.data.$key}" 2>/dev/null || echo "") if [[ -n "$val" ]]; then kubectl -n "$KEYCLOAK_NS" get secret keycloak-client-secrets -o json | \ - jq ".data[\"$key\"]=\"$val\"" | \ + jq --arg k "$key" --arg v "$val" '.data[$k]=$v' | \ kubectl apply -f - fi done diff --git a/Helmsman/hooks/esignet-1.7.1/redis-setup.sh b/Helmsman/hooks/esignet-1.7.1/redis-setup.sh index 3e910348..f0ef8577 100755 --- a/Helmsman/hooks/esignet-1.7.1/redis-setup.sh +++ b/Helmsman/hooks/esignet-1.7.1/redis-setup.sh @@ -20,7 +20,8 @@ echo "================================================" # --- Step 1: Wait for Redis to be ready --- echo "Waiting for Redis pods to be ready..." -kubectl -n "$REDIS_NS" wait --for=condition=ready pod -l app.kubernetes.io/name=redis --timeout=300s +kubectl -n "$REDIS_NS" wait --for=condition=ready pod -l app.kubernetes.io/name=redis --timeout=300s || \ + echo "WARNING: Redis pods not ready after timeout, continuing" # --- Step 2: Apply redis-config configmap in redis namespace --- # Source: deploy/redis/redis-config.yaml diff --git a/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-postinstall.sh b/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-postinstall.sh index 4f39bd1e..af637117 100755 --- a/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-postinstall.sh +++ b/Helmsman/hooks/esignet-1.7.1/softhsm-mock-identity-system-postinstall.sh @@ -19,7 +19,7 @@ MOCK_HSM_PIN=$(kubectl -n softhsm get secret softhsm-mock-identity-system -o jso if [ -n "$MOCK_HSM_PIN" ]; then kubectl -n esignet create configmap softhsm-mock-identity-system-share \ - --from-literal=softhsm-pin="$(echo "$MOCK_HSM_PIN" | base64 -d)" \ + --from-literal=softhsm-pin="$(echo -n "$MOCK_HSM_PIN" | base64 -d)" \ --dry-run=client -o yaml | kubectl apply -f - echo "SoftHSM mock identity system credentials shared with esignet namespace." else 
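Review bot: In the redis-setup.sh hunk, the `|| echo "WARNING: ..."` appended to `kubectl wait` turns a readiness failure into exit status 0, so the script continues to apply redis-config against pods that are not ready and the step reports green; the warning also goes to stdout rather than stderr. If continuing is intentional, make it visible and checkable: `kubectl -n "$REDIS_NS" wait ... --timeout=300s || { echo "WARNING: Redis pods not ready after timeout, continuing" >&2; redis_ready=0; }` and let the later steps, which run outside this hunk, consult `redis_ready`.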
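Review bot: In the softhsm-mock-identity-system-postinstall.sh hunk, the changed `--from-literal=softhsm-pin=...` line writes the decoded HSM PIN into a ConfigMap, and because the manifest passes through `--dry-run=client -o yaml | kubectl apply` the PIN is stored a second time in the `kubectl.kubernetes.io/last-applied-configuration` annotation. ConfigMaps typically do not get the RBAC scoping or encryption-at-rest that Secrets do, and the captcha hook earlier in this series already consumes its value via `secretKeyRef`, so the consistent choice is `kubectl -n esignet create secret generic softhsm-mock-identity-system-share --from-literal=softhsm-pin=...` with the consuming deployment pointed at the Secret — if the chart can only read a ConfigMap, say so in a comment. The `echo -n` change itself is correct, since the jsonpath output carries no trailing newline.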
diff --git a/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars b/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars index 9c8146de..97879ee6 100644 --- a/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars +++ b/terraform/implementations/aws/infra/profiles/esignet/aws.tfvars @@ -77,7 +77,7 @@ enable_rancher_import = true rancher_import_url = "\"\"" # DNS Records to map — only eSignet-relevant subdomains -subdomain_public = ["esignet", "signup"] +subdomain_public = ["esignet", "signup", "minio"] subdomain_internal = ["iam", "kafka", "postgres", "keycloak"] # PostgreSQL Configuration diff --git a/terraform/implementations/aws/infra/variables.tf b/terraform/implementations/aws/infra/variables.tf index 13b7e535..f8fb80ef 100644 --- a/terraform/implementations/aws/infra/variables.tf +++ b/terraform/implementations/aws/infra/variables.tf @@ -244,10 +244,18 @@ variable "activemq_storage_device" { description = "Block device path of the 3rd EBS volume for ActiveMQ" type = string default = "/dev/nvme3n1" + validation { + condition = length(var.activemq_storage_device) > 0 && startswith(var.activemq_storage_device, "/dev/") + error_message = "activemq_storage_device must be non-empty and start with '/dev/'." + } } variable "activemq_mount_point" { description = "Mount point for ActiveMQ persistent storage" type = string default = "/srv/activemq" + validation { + condition = length(var.activemq_mount_point) > 0 && startswith(var.activemq_mount_point, "/") + error_message = "activemq_mount_point must be non-empty and an absolute path starting with '/'." + } } diff --git a/terraform/modules/aws/activemq-setup/activemq-setup.sh b/terraform/modules/aws/activemq-setup/activemq-setup.sh index fc188c59..4f321c47 100644 --- a/terraform/modules/aws/activemq-setup/activemq-setup.sh +++ b/terraform/modules/aws/activemq-setup/activemq-setup.sh 
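Review bot: Both new validation blocks in variables.tf use `startswith()`, which exists only in Terraform 1.3 and later; without a matching `required_version` an older CLI fails on an unknown function instead of showing the intended message. I cannot see the terraform block from this hunk, so either confirm the pin or use the version-independent `substr(var.activemq_storage_device, 0, 5) == "/dev/"`. The mount-point rule also accepts a bare `/`; adding `&& var.activemq_mount_point != "/"` keeps a misconfiguration from mounting over the root filesystem.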
@@ -117,6 +117,14 @@ if [ "$ANSIBLE_EXIT" -ne 0 ]; then exit 1 fi +if [ ! -s /tmp/activemq-storageclass.yaml ]; then + echo "" + echo "ERROR: StorageClass manifest not found or empty at /tmp/activemq-storageclass.yaml" + echo "--- Last 30 lines of Ansible log ---" + tail -30 "$ANSIBLE_LOG" || true + exit 1 +fi + echo "" echo "=== Done at $(date) ===" echo "EBS volume for ActiveMQ is mounted at $ACTIVEMQ_MOUNT_POINT on $NGINX_PRIVATE_IP" diff --git a/terraform/modules/aws/activemq-setup/activemq-setup.yml b/terraform/modules/aws/activemq-setup/activemq-setup.yml index 5a6ef01c..ae9fde2e 100644 --- a/terraform/modules/aws/activemq-setup/activemq-setup.yml +++ b/terraform/modules/aws/activemq-setup/activemq-setup.yml @@ -99,7 +99,7 @@ - name: Add ActiveMQ NFS export entry lineinfile: path: /etc/exports - line: "{{ activemq_mount_point }} *(rw,sync,no_root_squash,no_all_squash,insecure,subtree_check)" + line: "{{ activemq_mount_point }} {{ activemq_nfs_allowed_hosts | default('*') }}(rw,sync,no_all_squash,subtree_check)" state: present create: yes backup: yes diff --git a/terraform/modules/aws/activemq-setup/main.tf b/terraform/modules/aws/activemq-setup/main.tf index 11d95eef..25763157 100644 --- a/terraform/modules/aws/activemq-setup/main.tf +++ b/terraform/modules/aws/activemq-setup/main.tf @@ -122,7 +122,7 @@ resource "null_resource" "activemq-k8s-storageclass" { "export KUBECONFIG=$(find /home/${var.CONTROL_PLANE_USER}/.kube/ -name '*.yaml' | head -1)", # Fail immediately with a clear message if no valid file was found. "if [ -z \"$KUBECONFIG\" ] || [ ! -f \"$KUBECONFIG\" ]; then echo \"ERROR: kubeconfig not found in /home/${var.CONTROL_PLANE_USER}/.kube/\"; exit 1; fi", - "echo 'Using kubeconfig: $KUBECONFIG'", + "echo \"Using kubeconfig: $KUBECONFIG\"", "kubectl cluster-info", "echo 'Applying ActiveMQ NFS StorageClass...'", "kubectl apply -f /tmp/activemq-storageclass.yaml", From 41c125a889507857ea263255687f0ddcbc056539 Mon Sep 17 00:00:00 2001 
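Review bot: The new check in activemq-setup.sh reads `/tmp/activemq-storageclass.yaml`, a fixed, predictable path in a world-writable directory, and the main.tf hunk below runs `kubectl apply -f` on that same path as the control-plane user; a local user who creates the file first decides what gets applied to the cluster. Have the Ansible play write the manifest under a directory only the deploying user can write (created with `mkdir -m 700` or `mktemp -d`) and pass that path to both the check and the apply step. The diagnostics should also go to stderr, `echo "ERROR: StorageClass manifest not found or empty at ..." >&2`, so they survive when stdout is captured.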
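Review bot: In the activemq-setup.yml hunk, dropping `no_root_squash` and `insecure` is a real hardening, but `activemq_nfs_allowed_hosts | default('*')` still exports the share to every host that can reach the NFS port whenever the variable is unset. Populate it from Terraform with the node CIDR or node addresses, and prefer a loud failure over a permissive default: `line: "{{ activemq_mount_point }} {{ activemq_nfs_allowed_hosts | mandatory }}(rw,sync,no_all_squash,subtree_check)"`.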
From: bhumi46 <111699703+bhumi46@users.noreply.github.com> Date: Mon, 30 Mar 2026 12:32:46 +0530 Subject: [PATCH 28/28] Update .github/workflows/helmsman_external.yml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> Signed-off-by: bhumi46 <111699703+bhumi46@users.noreply.github.com> --- .github/workflows/helmsman_external.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/helmsman_external.yml b/.github/workflows/helmsman_external.yml index 30efcbf6..0e40a69b 100644 --- a/.github/workflows/helmsman_external.yml +++ b/.github/workflows/helmsman_external.yml @@ -67,10 +67,11 @@ jobs: changed_profiles=$(echo "$changed_files" | grep 'Helmsman/dsf/' | sed 's|Helmsman/dsf/\([^/]*\)/.*|\1|' | sort -u) # Derive PROFILE from the changed files (all detected profile dirs, newline-separated) - PROFILE="$changed_profiles" + # For workflow-caller, we only care about mosip-platform-* profiles + PROFILE=$(echo "$changed_profiles" | grep '^mosip-platform-' | head -1) if [[ -z "$PROFILE" ]]; then - echo "Error: could not detect profile from changed DSF files." - exit 1 + # No MOSIP profile detected - this is fine for esignet-only changes + PROFILE="" fi for profile_dir in $changed_profiles; do
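Review bot: Under the `bash -eo pipefail` shell GitHub Actions uses for `run` steps unless the step sets its own `shell:`, the new `PROFILE=$(echo "$changed_profiles" | grep '^mosip-platform-' | head -1)` aborts the step when nothing matches, because grep exits 1, pipefail propagates it, and a failing substitution in an assignment trips `set -e`; the "fine for esignet-only changes" branch is then never reached. Make the no-match case a success, `PROFILE=$(printf '%s\n' "$changed_profiles" | grep '^mosip-platform-' | head -1 || true)`, after which the `if` block that re-assigns `PROFILE=""` can be dropped. `head -1` also silently picks one profile when several `mosip-platform-*` directories change in one push; log the others so the choice is visible. The run step containing this code begins and continues outside the hunk.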