From 58a7f37a83617f1cc4dc78145773dada0d567c29 Mon Sep 17 00:00:00 2001
From: JeffMboya
Date: Thu, 28 Nov 2024 13:17:36 +0300
Subject: [PATCH] Add AMA certs
Signed-off-by: JeffMboya
---
 .../templates/amcerts-deployment.yaml | 113 ++++++++++++++++++
 .../magistrala/templates/amcerts-service.yaml | 20 ++++
 charts/magistrala/values.yaml | 74 ++++++++----
 scripts/vault/config.hcl | 10 ++
 scripts/vault/entrypoint.sh | 25 ++++
 5 files changed, 220 insertions(+), 22 deletions(-)
 create mode 100644 charts/magistrala/templates/amcerts-deployment.yaml
 create mode 100644 charts/magistrala/templates/amcerts-service.yaml
 create mode 100644 scripts/vault/config.hcl
 create mode 100644 scripts/vault/entrypoint.sh
diff --git a/charts/magistrala/templates/amcerts-deployment.yaml b/charts/magistrala/templates/amcerts-deployment.yaml
new file mode 100644
index 00000000..7e89179d
--- /dev/null
+++ b/charts/magistrala/templates/amcerts-deployment.yaml
@@ -0,0 +1,113 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if .Values.amcerts.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-amcerts-config
+data:
+ config.yml: |
+ common_name: "AbstractMachines_Selfsigned_ca"
+ organization:
+ - "AbstractMachines"
+ organizational_unit:
+ - "AbstractMachines_ca"
+ country:
+ - "France"
+ province:
+ - "Paris"
+ locality:
+ - "Quai de Valmy"
+ postal_code:
+ - "75010 Paris"
+ dns_names:
+ - "localhost"
+ ip_addresses:
+ - "localhost"
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}-amcerts
+spec:
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}
+ component: amcerts
+ template:
+ metadata:
+ annotations:
+ prometheus.io/path: /metrics
+ prometheus.io/port: "{{ .Values.amcerts.httpPort }}"
+ prometheus.io/scrape: "true"
+ labels:
+ app: {{ .Release.Name }}
+ component: amcerts
+ spec:
+ {{- if (or .Values.amcerts.image.pullSecrets .Values.defaults.image.pullSecrets) }}
+ imagePullSecrets:
+ {{- range (or .Values.amcerts.image.pullSecrets .Values.defaults.image.pullSecrets) }}
+ - name: {{ . 
}}
+ {{- end }}
+ {{- end }}
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ volumes:
+ - configMap:
+ defaultMode: 256
+ name: {{ .Release.Name }}-amcerts-config
+ optional: false
+ name: amcerts-config
+ containers:
+ - name: {{ .Release.Name }}-amcerts
+ image: "{{ default (printf "%s/amcerts" .Values.defaults.image.rootRepository) .Values.amcerts.image.repository }}:{{ default .Values.defaults.image.tag .Values.amcerts.image.tag }}"
+ imagePullPolicy: {{ default .Values.defaults.image.pullPolicy .Values.amcerts.image.pullPolicy }}
+ env:
+ - name: AM_JAEGER_URL
+ value: "http://{{ .Values.magistrala.jaeger.fullnameOverride }}-collector:{{ .Values.magistrala.jaeger.collector.service.otlp.http.port }}/v1/traces"
+ - name: AM_CERTS_JAEGER_TRACE_RATIO
+ value: {{ default .Values.defaults.jaegerTraceRatio .Values.amcerts.jaegerTraceRatio | quote }}
+ - name: AM_CERTS_LOG_LEVEL
+ value: {{ default .Values.defaults.logLevel .Values.amcerts.logLevel | quote }}
+ - name: AM_CERTS_HTTP_HOST
+ value: "0.0.0.0"
+ - name: AM_CERTS_HTTP_PORT
+ value: {{ .Values.amcerts.httpPort | quote }}
+ - name: AM_CERTS_GRPC_HOST
+ value: "0.0.0.0"
+ - name: AM_CERTS_GRPC_PORT
+ value: {{ .Values.amcerts.grpcPort | quote }}
+ - name: AM_CERTS_AUTH_GRPC_URL
+ value: {{ .Release.Name }}-envoy:{{ .Values.magistrala.auth.grpcPort }}
+ - name: MG_THINGS_URL
+ value: http://{{ .Release.Name }}-things:{{ .Values.magistrala.things.httpPort }}
+ - name: AM_CERTS_DB_HOST
+ {{- if .Values.postgresqlamcerts.enabled }}
+ value: {{ .Release.Name }}-postgresqlcerts
+ {{- else }}
+ value: {{ .Values.postgresqlamcerts.host | quote }}
+ {{- end }}
+ - name: AM_CERTS_DB_PORT
+ value: {{ .Values.postgresqlamcerts.port | quote }}
+ - name: AM_CERTS_DB_NAME
+ value: {{ .Values.postgresqlamcerts.database | quote }}
+ - name: AM_CERTS_DB_USER
+ value: {{ .Values.postgresqlamcerts.username | quote }}
+ - name: AM_CERTS_DB_PASS
+ value: {{ .Values.postgresqlamcerts.password | quote }}
+ - name: 
MG_CERTS_SIGN_CA_PATH
+ value: {{ .Values.magistrala.certs.signCAPath }}
+ - name: MG_CERTS_SIGN_CA_KEY_PATH
+ value: {{ .Values.magistrala.certs.signCAKeyPath }}
+ ports:
+ - containerPort: {{ .Values.amcerts.httpPort }}
+ protocol: TCP
+ - containerPort: {{ .Values.amcerts.grpcPort }}
+ protocol: TCP
+ volumeMounts:
+ - name: amcerts-config
+ mountPath: /config/config.yml
+ subPath: config.yml
+{{- end }}
diff --git a/charts/magistrala/templates/amcerts-service.yaml b/charts/magistrala/templates/amcerts-service.yaml
new file mode 100644
index 00000000..06e2df3e
--- /dev/null
+++ b/charts/magistrala/templates/amcerts-service.yaml
@@ -0,0 +1,20 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+{{- if .Values.amcerts.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Release.Name }}-amcerts
+spec:
+ selector:
+ app: {{ .Release.Name }}
+ component: amcerts
+ ports:
+ - port: {{ .Values.amcerts.httpPort }}
+ protocol: TCP
+ name: {{ .Release.Name }}-amcerts-{{ .Values.amcerts.httpPort }}
+ - port: {{ .Values.amcerts.grpcPort }}
+ protocol: TCP
+ name: {{ .Release.Name }}-amcerts-grpc-{{ .Values.amcerts.grpcPort }}
+{{- end }}
diff --git a/charts/magistrala/values.yaml b/charts/magistrala/values.yaml
index b58bc318..cb6c8cb7 100644
--- a/charts/magistrala/values.yaml
+++ b/charts/magistrala/values.yaml
@@ -92,8 +92,7 @@ nats: maxSize: 2Gi adapter_coap:
- image:
- {}
+ image: {} # pullSecrets: {} # If your image repository requires authentication, you can specify image pull secrets here. # Example:
@@ -147,8 +146,7 @@ adapter_coap: # effect: "NoSchedule" adapter_http:
- image:
- {}
+ image: {} # pullSecrets: {} # repository: "magistrala/adapter-http" # tag: "latest"
@@ -238,8 +236,7 @@ postgresqlspicedb: auth: # logLevel: error
- image:
- {}
+ image: {} # pullSecrets: {} # rootRepository: "magistrala/auth" # tag: "latest"
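Review bot: The ConfigMap's `ip_addresses` entry is `"localhost"`, which is a host name rather than an IP literal, so a SAN builder will either reject it or silently drop it; the self-signed CA config should read `ip_addresses:` / `- "127.0.0.1"` while `dns_names` keeps `"localhost"`. The two `MG_CERTS_SIGN_CA_*` env entries render `.Values.magistrala.certs.signCAPath` and `signCAKeyPath` unquoted, while this commit only adds commented-out `signCAPath`/`signCAKeyPath` keys under `amcerts` in values.yaml — unless `magistrala.certs.*` is defined elsewhere in the chart the rendered `value:` is empty, so both should go through `| quote` and point at the keys this commit introduces. Nothing in the pod mounts a CA certificate or key at those paths either (the only volume is the config ConfigMap), which presumably needs a Secret-backed volume or a values.yaml comment on how the signing key reaches the container. `defaultMode: 256` (0400) makes the mounted config readable only by its owner; worth confirming the image's runtime UID can still open it.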
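Review bot: The HTTP port entry is named `{{ .Release.Name }}-amcerts-{{ .Values.amcerts.httpPort }}` while the gRPC one carries a `-grpc-` segment, so the two names are inconsistent and the HTTP one does not say what protocol it serves; `name: {{ .Release.Name }}-amcerts-http-{{ .Values.amcerts.httpPort }}` would make them read side by side. Service port names must be DNS labels (63 characters), so a long release name combined with this `<release>-amcerts-grpc-<port>` pattern could exceed the limit; if the chart's other service templates already truncate with `trunc 63 | trimSuffix "-"`, this one should follow them.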
@@ -280,8 +277,7 @@ postgresqlauth: postgresql: *postgresqlAuthPort users:
- image:
- {}
+ image: {} # pullSecrets: {} # repository: "magistrala/users" # tag: "latest"
@@ -324,8 +320,7 @@ postgresqlusers: postgresql: *postgresqlUsersPort things:
- image:
- {}
+ image: {} # pullSecrets: {} # repository: "magistrala/things" # tag: "latest"
@@ -407,8 +402,7 @@ postgresqlbootstrap: certs: enabled: true
- image:
- {}
+ image: {} # pullSecrets: {} # repository: "magistrala/certs" # tag: "latest"
@@ -449,11 +443,51 @@ postgresqlcerts: service: ports: postgresql: *postgresqlCertsPort
+amcerts:
+ enabled: true
+ image:
+ repository: "ghcr.io/absmach/certs"
+ tag: "latest"
+ # pullSecrets: {}
+ # pullPolicy: "IfNotPresent"
+ # jaegerTraceRatio: 1.0
+ # sendTelemetry: true
+ # logLevel: "info"
+ httpPort: 9010
+ grpcPort: 7012
+ # signCAPath: "/etc/ssl/certs/ca.crt"
+ # signCAKeyPath: "/etc/ssl/certs/ca.key"
+ # vault:
+ # url: "http://magistrala-vault:8200"
+ # approleRoleid: magistrala
+ # approleSecret: magistrala
+ # namespace: magistrala
+ # thingsCertsPkiPath: pki_int
+ # thingsCertsPkiRoleName: magistrala_things_certs
+
+postgresqlamcerts:
+ ## If you want to use an external database, set this to false and change host & port to external postgresql server host & port respectively
+ enabled: true
+ name: postgresql-certs
+ host: postgresql-certs
+ port: &postgresqlCertsPort 5432
+ database: &postgresqlCertsDatabase certs
+ username: &postgresqlCertsUsername magistrala
+ password: &postgresqlCertsPassword magistrala
+ global:
+ postgresql:
+ auth:
+ postgresPassword: *postgresqlCertsPassword
+ username: *postgresqlCertsUsername
+ password: *postgresqlCertsPassword
+ database: *postgresqlCertsDatabase
+ service:
+ ports:
+ postgresql: *postgresqlCertsPort
 invitations: enabled: true
- image:
- {}
+ image: {} # pullSecrets: {} # repository: "magistrala/invitations" # tag: "latest"
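Review bot: The new `postgresqlamcerts` block redefines the anchors `&postgresqlCertsPort`, `&postgresqlCertsDatabase`, `&postgresqlCertsUsername` and `&postgresqlCertsPassword`, which the existing `postgresqlcerts` section already uses (its `postgresql: *postgresqlCertsPort` is this hunk's leading context line). YAML lets a later anchor shadow an earlier one, so the file still parses, but yamllint's `anchors` rule reports the duplicates and anyone editing one section will not see that the other no longer shares its values; give the new block its own names (`&postgresqlAmCertsPort`, `&postgresqlAmCertsDatabase`, and so on) and alias those in its `global.postgresql.auth` and `service.ports` entries. `name` and `host` are both `postgresql-certs`, the same as the existing certs database, and the deployment template resolves the in-cluster host to `{{ .Release.Name }}-postgresqlcerts`, so as written amcerts appears to share one Postgres instance, database and credential set with the existing certs service — if that is not the intent, the subchart alias and host need distinct values. The commented `vault.approleSecret` and the `magistrala` password are placeholders; a one-line comment that they must be overridden per deployment would save the next reader a guess.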
@@ -488,8 +522,7 @@ postgresqlinvitations: journal: enabled: true
- image:
- {}
+ image: {} # pullSecrets: {} # repository: "magistrala/journal" # tag: "latest"
@@ -532,8 +565,7 @@ timescaledb: username: &messagesRwTimescaleUsername magistrala password: &messagesRwTimescalePassword magistrala reader:
- image:
- {}
+ image: {} # pullSecrets: {} # repository: "magistrala/timescale-reader" # tag: "latest"
@@ -547,8 +579,7 @@ timescaledb: # affinity: {} # tolerations: {} writer:
- image:
- {}
+ image: {} # pullSecrets: {} # repository: "magistrala/timescale-writer" # tag: "latest"
@@ -579,8 +610,7 @@ timescaledb: ui: enabled: true
- image:
- {}
+ image: {} # pullSecrets: {} # repository: "magistrala/ui" # tag: "latest"
diff --git a/scripts/vault/config.hcl b/scripts/vault/config.hcl
new file mode 100644
index 00000000..7672287f
--- /dev/null
+++ b/scripts/vault/config.hcl
@@ -0,0 +1,10 @@
+storage "file" {
+ path = "/vault/file"
+}
+
+listener "tcp" {
+ address = "0.0.0.0:8200"
+ tls_disable = 1
+}
+
+ui = true
\ No newline at end of file
diff --git a/scripts/vault/entrypoint.sh b/scripts/vault/entrypoint.sh
new file mode 100644
index 00000000..efc6f5a7
--- /dev/null
+++ b/scripts/vault/entrypoint.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/dumb-init /bin/sh
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+VAULT_CONFIG_DIR=/vault/config
+
+docker-entrypoint.sh server &
+VAULT_PID=$!
+
+sleep 2
+
+echo $MG_VAULT_UNSEAL_KEY_1
+echo $MG_VAULT_UNSEAL_KEY_2
+echo $MG_VAULT_UNSEAL_KEY_3
+
+if [[ ! -z "${MG_VAULT_UNSEAL_KEY_1}" ]] &&
+ [[ ! -z "${MG_VAULT_UNSEAL_KEY_2}" ]] &&
+ [[ ! -z "${MG_VAULT_UNSEAL_KEY_3}" ]]; then
+ echo "Unsealing Vault"
+ vault operator unseal ${MG_VAULT_UNSEAL_KEY_1}
+ vault operator unseal ${MG_VAULT_UNSEAL_KEY_2}
+ vault operator unseal ${MG_VAULT_UNSEAL_KEY_3}
+fi
+
+wait $VAULT_PID
\ No newline at end of file
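Review bot: `tls_disable = 1` on a listener bound to `0.0.0.0:8200` means the unseal shares, the AppRole secret and every token the certs service presents cross the network in cleartext, and nothing in the file records that this is a development-only setting. Add a comment at the listener block, `# Development only: TLS is off. Set tls_cert_file/tls_key_file (and drop tls_disable) before exposing this listener beyond the local compose network.` The `file` storage backend and `ui = true` are the same kind of local default and deserve the same one-line note. The file also ends without a trailing newline.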
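Review bot: The three `echo $MG_VAULT_UNSEAL_KEY_*` lines write the unseal key shares to stdout, that is, into the container log stream that anyone with log access can read; they should be deleted, leaving only the `Unsealing Vault` message. The script runs under `/bin/sh` but uses `[[ ! -z ... ]]`, a bash construct that the shell in the Vault image may not accept; `[ -n "${VAR}" ]` is the POSIX form, and the unseal arguments should be double-quoted. `sleep 2` is a fixed delay rather than a readiness check, so on a slow start the unseal commands run against a server that is not listening yet — polling `vault status` (exit status 2 while sealed) until the API answers is more robust. `VAULT_CONFIG_DIR` is assigned but never used, and the file ends without a trailing newline.
```shell
# … unchanged: shebang, license header, docker-entrypoint.sh server & / VAULT_PID …

# Wait for the API to answer instead of sleeping a fixed interval;
# `vault status` exits 2 while sealed and 1 while unreachable.
until vault status >/dev/null 2>&1 || [ $? -eq 2 ]; do
  sleep 1
done

# Unseal only when all three shares are present. The shares are never
# echoed: they would land in the container log.
if [ -n "${MG_VAULT_UNSEAL_KEY_1}" ] && [ -n "${MG_VAULT_UNSEAL_KEY_2}" ] && [ -n "${MG_VAULT_UNSEAL_KEY_3}" ]; then
  echo "Unsealing Vault"
  vault operator unseal "${MG_VAULT_UNSEAL_KEY_1}"
  vault operator unseal "${MG_VAULT_UNSEAL_KEY_2}"
  vault operator unseal "${MG_VAULT_UNSEAL_KEY_3}"
fi

# … unchanged: wait $VAULT_PID …
```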