Modifications in the ods-api-service configuration

Author: jorge-romero

Makefile

@@ -18,6 +18,14 @@ ifeq ($(INSECURE), $(filter $(INSECURE), true yes))
     INSECURE_FLAG = --insecure
 endif
 
+# ODS API Service configuration files
+env ?= dev
+ENV ?= $(env)
+env := $(ENV)
+ODS_CONFIGURATION_DIR := ../ods-configuration
+ODS_CONFIGURATION_FULL_PATH := $(abspath $(ODS_CONFIGURATION_DIR))
+ODS_API_SERVICE_DATABASE_REPO := $(ODS_API_SERVICE_DIR:-.../ods-api-service)
+
 # REPOSITORIES
 ## Prepare Bitbucket repos (create project and repos).
 prepare-bitbucket-repos:
@@ -195,8 +203,14 @@ start-ods-api-service-build:
 
 ## Apply OpenShift resources related to the Ods API Service.
 apply-ods-api-service-chart:
-	cd ods-api-service/chart && envsubst < values.yaml.template > values.yaml && helm upgrade --install --namespace $(ODS_NAMESPACE) \
-		-f values.yaml \
+	cd ods-api-service/chart && \
+	helm upgrade --install --namespace $(ODS_NAMESPACE) \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-core.values.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-core.secrets.enc.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-api-service.values.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-api-service.secrets.enc.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/$(env)/ods-api-service.values.$(env).yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/$(env)/ods-api-service.secrets.$(env).enc.yaml \
 		--set projectId=$(ODS_NAMESPACE) \
 		--set appSelector=app=ods-api-service \
 		--set registry=$(DOCKER_REGISTRY) \
@@ -210,14 +224,137 @@ apply-ods-api-service-chart:
 		--set global.imageNamespace=$(ODS_NAMESPACE) \
 		--set global.imageTag=$(ODS_IMAGE_TAG) \
 		--set ODS_OPENSHIFT_APP_DOMAIN=$(OPENSHIFT_APPS_BASEDOMAIN) \
-		ods-api-service . && rm values.yaml
+		ods-api-service . 
 .PHONY: apply-ods-api-service-chart
 
 ## Configure ODS API Service (sets up PostgreSQL superuser for backup operations).
 configure-ods-api-service:
 	cd ods-api-service && ./configure.sh --namespace $(ODS_NAMESPACE)
 .PHONY: configure-ods-api-service
 
+##### HELM CHART MANAGEMENT
+.PHONY: helm-encrypt-secrets helm-decrypt-secrets helm-diff helm-render-ods-api-service helm-render-ods-api-service-application-yaml
+## Render ODS API Service Helm chart with all configurations (values and secrets).
+helm-render-ods-api-service:
+	@cd ods-api-service/chart && \
+	helm secrets template ods-api-service . \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-core.values.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-core.secrets.enc.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-api-service.values.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-api-service.secrets.enc.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/$(env)/ods-api-service.values.$(env).yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/$(env)/ods-api-service.secrets.$(env).enc.yaml \
+		--set projectId=$(ODS_NAMESPACE) \
+		--set appSelector=app=ods-api-service \
+		--set registry=$(DOCKER_REGISTRY) \
+		--set componentId=ods-api-service \
+		--set global.projectId=$(ODS_NAMESPACE) \
+		--set global.appSelector=app=ods-api-service \
+		--set global.registry=$(DOCKER_REGISTRY) \
+		--set global.componentId=ods-api-service \
+		--set imageNamespace=$(ODS_NAMESPACE) \
+		--set imageTag=$(ODS_IMAGE_TAG) \
+		--set global.imageNamespace=$(ODS_NAMESPACE) \
+		--set global.imageTag=$(ODS_IMAGE_TAG) \
+		--set ODS_OPENSHIFT_APP_DOMAIN=$(OPENSHIFT_APPS_BASEDOMAIN)
+
+## Render the generated application.yaml from Helm templates to a local file.
+helm-render-ods-api-service-application-yaml:
+	@cd ods-api-service/chart && \
+	helm secrets template ods-api-service . \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-core.values.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-core.secrets.enc.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-api-service.values.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-api-service.secrets.enc.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/$(env)/ods-api-service.values.$(env).yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/$(env)/ods-api-service.secrets.$(env).enc.yaml \
+		--set projectId=$(ODS_NAMESPACE) \
+		--set appSelector=app=ods-api-service \
+		--set registry=$(DOCKER_REGISTRY) \
+		--set componentId=ods-api-service \
+		--set global.projectId=$(ODS_NAMESPACE) \
+		--set global.appSelector=app=ods-api-service \
+		--set global.registry=$(DOCKER_REGISTRY) \
+		--set global.componentId=ods-api-service \
+		--set imageNamespace=$(ODS_NAMESPACE) \
+		--set imageTag=$(ODS_IMAGE_TAG) \
+		--set global.imageNamespace=$(ODS_NAMESPACE) \
+		--set global.imageTag=$(ODS_IMAGE_TAG) \
+		--set ODS_OPENSHIFT_APP_DOMAIN=$(OPENSHIFT_APPS_BASEDOMAIN) \
+		2>/dev/null | \
+		yq -r 'select(.kind == "ConfigMap") | select(.metadata.name == "ods-api-service-config") | .data["application.yaml"]'
+		
+
+## Render the generated .env file from Helm templates to a local file.
+helm-render-ods-api-service-dot-env:
+	@cd ods-api-service/chart && \
+	 helm secrets template ods-api-service . \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-core.values.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-core.secrets.enc.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-api-service.values.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-api-service.secrets.enc.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/$(env)/ods-api-service.values.$(env).yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/$(env)/ods-api-service.secrets.$(env).enc.yaml \
+		--set projectId=$(ODS_NAMESPACE) \
+		--set appSelector=app=ods-api-service \
+		--set registry=$(DOCKER_REGISTRY) \
+		--set componentId=ods-api-service \
+		--set global.projectId=$(ODS_NAMESPACE) \
+		--set global.appSelector=app=ods-api-service \
+		--set global.registry=$(DOCKER_REGISTRY) \
+		--set global.componentId=ods-api-service \
+		--set imageNamespace=$(ODS_NAMESPACE) \
+		--set imageTag=$(ODS_IMAGE_TAG) \
+		--set global.imageNamespace=$(ODS_NAMESPACE) \
+		--set global.imageTag=$(ODS_IMAGE_TAG) \
+		--set ODS_OPENSHIFT_APP_DOMAIN=$(OPENSHIFT_APPS_BASEDOMAIN) 2>/dev/null | ../../scripts/extract-config-env-from-template.sh
+
+
+
+
+helm-encrypt-secrets:
+	@echo "Usage: make helm-encrypt-secrets ENV=all|environment. It use ENV=dev by default if ENV is not set. It will encrypt secrets in the root of the configuration directory and in the environment-specific subdirectory (if it exists)."
+	@echo "       make helm-encrypt-secrets ODS_CONFIGURATION_DIR=path/to/config to specify a different configuration directory (default: ../ods-configuration)."
+
+	@echo "Encrypting secrets in $(ODS_CONFIGURATION_DIR)..."
+	./scripts/encrypt-helm-secrets.sh $(ODS_CONFIGURATION_DIR) $(ENV)
+	@echo "✓ Secrets encrypted"
+
+## Decrypt secrets files (ENV=<name>|all, omit for root folder only)
+helm-decrypt-secrets:
+	@echo "Usage: make helm-decrypt-secrets ENV=all|environment. It use ENV=dev by default if ENV is not set. It will decrypt secrets in the root of the configuration directory and in the environment-specific subdirectory (if it exists)."
+	@echo "       make helm-decrypt-secrets ODS_CONFIGURATION_DIR=path/to/config to specify a different configuration directory (default: ../ods-configuration)."
+
+	@echo "Decrypting secrets in $(ODS_CONFIGURATION_DIR)..."
+	./scripts/decrypt-helm-secrets.sh $(ODS_CONFIGURATION_DIR) $(ENV)
+	@echo "✓ Secrets decrypted"
+
+## Diff Helm chart against cluster using helm secrets diff
+helm-diff:
+	@echo "Running helm secrets diff (dry-run through Makefile)..."
+	@export HELM_DIFF_IGNORE_UNKNOWN_FLAGS=true && helm -n devstack-dev secrets diff upgrade --install --atomic \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-core.values.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-core.secrets.enc.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-api-service.values.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/ods-api-service.secrets.enc.yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/$(env)/ods-api-service.values.$(env).yaml \
+		-f $(ODS_CONFIGURATION_FULL_PATH)/$(env)/ods-api-service.secrets.$(env).enc.yaml \
+		--set projectId=devstack \
+		--set appSelector=app=devstack-api-service \
+		--set registry=image-registry.openshift-image-registry.svc:5000 \
+		--set componentId=api-service \
+		--set global.projectId=devstack \
+		--set global.appSelector=app=devstack-api-service \
+		--set global.registry=image-registry.openshift-image-registry.svc:5000 \
+		--set global.componentId=api-service \
+		--set imageNamespace=devstack-dev \
+		--set imageTag=b19c9164 \
+		--set global.imageNamespace=devstack-dev \
+		--set global.imageTag=b19c9164 \
+		--set ODS_OPENSHIFT_APP_DOMAIN=apps.eu-dev.ocp.aws.boehringer.com \
+		--no-color --three-way-merge --normalize-manifests \
+		api-service ./chart
+
 
 # BACKUP
 ## Create a backup of the current state.
@@ -256,3 +393,4 @@ help:
 	} \
 	{ lastLine = $$0 }' $(MAKEFILE_LIST)
 .PHONY: help
+

ods-api-service/chart/templates/core/configmaps.yaml

@@ -1,8 +1,33 @@
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ .Release.Name }}-config
+  labels:
+    {{- include "chart.labels" . | nindent 4 }} 
 data:
   application.yaml: |
 {{ include "chart.application.yaml" . | nindent 4 }}
 
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-config-db
+  labels:
+    {{- include "chart.labels" . | nindent 4 }} 
+data:
+  ODS_API_SERVICE_DB_DATASOURCE_URL: "jdbc:postgresql://{{ include "chart.fullname" . }}-postgresql:5432/{{ .Values.postgresql.databaseName }}"
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-config-db-secret
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+type: Opaque
+data:
+  ODS_API_SERVICE_DB_NAME: {{ .Values.postgresql.databaseNameB64 }}
+  ODS_API_SERVICE_DB_USER: {{ .Values.postgresql.databaseUserB64 }}
+  ODS_API_SERVICE_DB_PASSWORD: {{ .Values.postgresql.databasePasswordB64 }}

ods-api-service/chart/templates/core/deployment.yaml

@@ -52,14 +52,11 @@ spec:
               value: {{ .Values.env.OAUTH2_JWK_SET_URI | quote }}
             - name: JAVA_OPTS
               value: {{ .Values.env.JAVA_OPTS | quote }}
-            - name: SPRING_DATASOURCE_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "chart.fullname" . }}-postgresql
-                  key: database-password
           envFrom:
             - configMapRef:
-                name: {{ include "chart.fullname" . }}-postgresql-config
+                name: {{ .Release.Name }}-config-db
+            - secretRef:
+                name: {{ .Release.Name }}-config-db-secret
           {{- if .Values.externalServices.aap.enabled }}
             - configMapRef:
                 name: {{ include "chart.fullname" . }}-aap-config

ods-api-service/chart/templates/external-service-bitbucket/external-service-bitbucket-configmap.yaml

@@ -7,10 +7,10 @@ metadata:
     {{- include "chart.labels" . | nindent 4 }}
     app.kubernetes.io/component: bitbucket-config
 data:
-  {{- range $index, $instance := .Values.externalServices.bitbucket.instances }}
-  BITBUCKET_{{ $instance.name | upper | replace "-" "_" }}_BASE_REST_URL: {{ $instance.baseUrl | quote }}
-  BITBUCKET_{{ $instance.name | upper | replace "-" "_" }}_CONNECTION_TIMEOUT: {{ $instance.connectionTimeout | quote }}
-  BITBUCKET_{{ $instance.name | upper | replace "-" "_" }}_READ_TIMEOUT: {{ $instance.readTimeout | quote }}
-  BITBUCKET_{{ $instance.name | upper | replace "-" "_" }}_TRUST_ALL: {{ $instance.trustAllCertificates | quote }}
+  {{- range $name, $instance := .Values.externalServices.bitbucket.instances }}
+  BITBUCKET_{{ $name | upper | replace "-" "_" }}_BASE_REST_URL: {{ $instance.baseUrl | quote }}
+  BITBUCKET_{{ $name | upper | replace "-" "_" }}_CONNECTION_TIMEOUT: {{ $instance.connectionTimeout | quote }}
+  BITBUCKET_{{ $name | upper | replace "-" "_" }}_READ_TIMEOUT: {{ $instance.readTimeout | quote }}
+  BITBUCKET_{{ $name | upper | replace "-" "_" }}_TRUST_ALL: {{ $instance.trustAllCertificates | quote }}
   {{- end }}
 {{- end }}

ods-api-service/chart/templates/external-service-bitbucket/external-service-bitbucket-secret.yaml

@@ -8,15 +8,15 @@ metadata:
     app.kubernetes.io/component: bitbucket-credentials
 type: Opaque
 data:
-  {{- range $index, $instance := .Values.externalServices.bitbucket.instances }}
+  {{- range $name, $instance := .Values.externalServices.bitbucket.instances }}
   {{- if $instance.bearerToken }}
-  BITBUCKET_{{ $instance.name | upper | replace "-" "_" }}_BEARER_TOKEN: {{ $instance.bearerToken | b64enc | quote }}
+  BITBUCKET_{{ $name | upper | replace "-" "_" }}_BEARER_TOKEN: {{ $instance.bearerToken | b64enc | quote }}
   {{- end }}
   {{- if $instance.username }}
-  BITBUCKET_{{ $instance.name | upper | replace "-" "_" }}_USERNAME: {{ $instance.username | b64enc | quote }}
+  BITBUCKET_{{ $name | upper | replace "-" "_" }}_USERNAME: {{ $instance.username | b64enc | quote }}
   {{- end }}
   {{- if $instance.password }}
-  BITBUCKET_{{ $instance.name | upper | replace "-" "_" }}_PASSWORD: {{ $instance.password | b64enc | quote }}
+  BITBUCKET_{{ $name | upper | replace "-" "_" }}_PASSWORD: {{ $instance.password | b64enc | quote }}
   {{- end }}
   {{- end }}
 {{- end }}

ods-api-service/chart/templates/external-service-jira/external-service-jira-configmap.yaml

@@ -8,10 +8,10 @@ metadata:
     app.kubernetes.io/component: jira-config
 data:
   JIRA_DEFAULT_INSTANCE: {{ .Values.externalServices.jira.defaultInstance | quote }}
-  {{- range $index, $instance := .Values.externalServices.jira.instances }}
-  JIRA_{{ $instance.name | upper | replace "-" "_" }}_BASE_URL: {{ $instance.baseUrl | quote }}
-  JIRA_{{ $instance.name | upper | replace "-" "_" }}_CONNECTION_TIMEOUT: {{ $instance.connectionTimeout | quote }}
-  JIRA_{{ $instance.name | upper | replace "-" "_" }}_READ_TIMEOUT: {{ $instance.readTimeout | quote }}
-  JIRA_{{ $instance.name | upper | replace "-" "_" }}_TRUST_ALL: {{ $instance.trustAllCertificates | quote }}
+  {{- range $name, $instance := .Values.externalServices.jira.instances }}
+  JIRA_{{ $name | upper | replace "-" "_" }}_BASE_URL: {{ $instance.baseUrl | quote }}
+  JIRA_{{ $name | upper | replace "-" "_" }}_CONNECTION_TIMEOUT: {{ $instance.connectionTimeout | quote }}
+  JIRA_{{ $name | upper | replace "-" "_" }}_READ_TIMEOUT: {{ $instance.readTimeout | quote }}
+  JIRA_{{ $name | upper | replace "-" "_" }}_TRUST_ALL: {{ $instance.trustAllCertificates | quote }}
   {{- end }}
 {{- end }}

ods-api-service/chart/templates/external-service-jira/external-service-jira-secret.yaml

@@ -8,15 +8,15 @@ metadata:
     app.kubernetes.io/component: jira-credentials
 type: Opaque
 data:
-  {{- range $index, $instance := .Values.externalServices.jira.instances }}
+  {{- range $name, $instance := .Values.externalServices.jira.instances }}
   {{- if $instance.bearerToken }}
-  JIRA_{{ $instance.name | upper | replace "-" "_" }}_BEARER_TOKEN: {{ $instance.bearerToken | b64enc | quote }}
+  JIRA_{{ $name | upper | replace "-" "_" }}_BEARER_TOKEN: {{ $instance.bearerToken | b64enc | quote }}
   {{- end }}
   {{- if $instance.username }}
-  JIRA_{{ $instance.name | upper | replace "-" "_" }}_USERNAME: {{ $instance.username | b64enc | quote }}
+  JIRA_{{ $name | upper | replace "-" "_" }}_USERNAME: {{ $instance.username | b64enc | quote }}
   {{- end }}
   {{- if $instance.password }}
-  JIRA_{{ $instance.name | upper | replace "-" "_" }}_PASSWORD: {{ $instance.password | b64enc | quote }}
+  JIRA_{{ $name | upper | replace "-" "_" }}_PASSWORD: {{ $instance.password | b64enc | quote }}
   {{- end }}
   {{- end }}
 {{- end }}

ods-api-service/chart/templates/external-service-openshift/external-service-openshift-configmap.yaml

@@ -7,11 +7,11 @@ metadata:
     {{- include "chart.labels" . | nindent 4 }}
     app.kubernetes.io/component: openshift-config
 data:
-  {{- range $index, $instance := .Values.externalServices.openshift.instances }}
-  OPENSHIFT_{{ $instance.name | upper | replace "-" "_" }}_API_URL: {{ $instance.apiUrl | quote }}
-  OPENSHIFT_{{ $instance.name | upper | replace "-" "_" }}_NAMESPACE: {{ $instance.namespace | quote }}
-  OPENSHIFT_{{ $instance.name | upper | replace "-" "_" }}_CONNECTION_TIMEOUT: {{ $instance.connectionTimeout | quote }}
-  OPENSHIFT_{{ $instance.name | upper | replace "-" "_" }}_READ_TIMEOUT: {{ $instance.readTimeout | quote }}
-  OPENSHIFT_{{ $instance.name | upper | replace "-" "_" }}_TRUST_ALL: {{ $instance.trustAllCertificates | quote }}
+  {{- range $name, $instance := .Values.externalServices.openshift.instances }}
+  OPENSHIFT_{{ $name | upper | replace "-" "_" }}_API_URL: {{ $instance.apiUrl | quote }}
+  OPENSHIFT_{{ $name | upper | replace "-" "_" }}_NAMESPACE: {{ $instance.namespace | quote }}
+  OPENSHIFT_{{ $name | upper | replace "-" "_" }}_CONNECTION_TIMEOUT: {{ $instance.connectionTimeout | quote }}
+  OPENSHIFT_{{ $name | upper | replace "-" "_" }}_READ_TIMEOUT: {{ $instance.readTimeout | quote }}
+  OPENSHIFT_{{ $name | upper | replace "-" "_" }}_TRUST_ALL: {{ $instance.trustAllCertificates | quote }}
   {{- end }}
 {{- end }}

ods-api-service/chart/templates/external-service-openshift/external-service-openshift-secret.yaml

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/component: openshift-credentials
 type: Opaque
 data:
-  {{- range $index, $instance := .Values.externalServices.openshift.instances }}
-  OPENSHIFT_{{ $instance.name | upper | replace "-" "_" }}_TOKEN: {{ $instance.token | b64enc | quote }}
+  {{- range $name, $instance := .Values.externalServices.openshift.instances }}
+  OPENSHIFT_{{ $name | upper | replace "-" "_" }}_TOKEN: {{ $instance.token | b64enc | quote }}
   {{- end }}
 {{- end }}