lightstep · smithclay · May 30, 2024 · May 30, 2024
@@ -0,0 +1,41 @@
+# via https://docs.github.com/en/actions/publishing-packages/publishing-docker-images
+
+name: Publish MID server image
+on: workflow_dispatch
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: lightstep/sn-collector/mid-experimental
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: mid
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
@@ -22,12 +22,13 @@ To monitor the cluster, make sure you have the following before proceeding:
 * ability to pull from the public Docker image repository `ghcr.io/lightstep/sn-collector`
 * `ClusterRole` 
 
-#### 1. Add OpenTelemetry helm repository
+#### 1. Add OpenTelemetry and ServiceNow helm repository
 
 We use the OpenTelemetry Helm charts to configure collectors for Kubernetes monitoring. Helm charts make it easy to deploy and configure Kubernetes manifests.
 
 ```sh
 helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts
+helm repo add servicenow https://install.service-now.com/glide/distribution/builds/package/informer/informer-helm/repo
 helm repo update
 ```
 
@@ -57,6 +58,12 @@ kubectl create configmap servicenow-events-url \
     -n servicenow --from-literal=url=$SERVICENOW_EVENTS_URL
 ```
 
+(__Optional__)  Set username and password for CNO with a user that has the `discovery_admin` role, replacing INSTANCE_NAME with your instance name.
+```sh
+kubectl create secret generic k8s-informer-cred-INSTANCE_NAME -n servicenow \
+    --from-literal=.user=USERNAME --from-literal=.password=PASSWORD
+```
+
 (__Optional__) Set username for Event Manangement:
 ```sh
 export SERVICENOW_EVENTS_USERNAME='your-mid-username'
@@ -71,7 +78,7 @@ kubectl create secret generic servicenow-events-password \
     -n servicenow --from-literal="password=$SERVICENOW_EVENTS_PASSWORD"
 ```
 
-#### 4. Deploy ServiceNow Collector for Cluster Monitoring
+#### 4. Deploy ServiceNow Collector for Cluster Monitoring and CNO for Visibility
 
 You're now ready to deploy a collector to your cluster to collect cluster-level metrics and events. To preview the generated manifest before deploying, add the `--dry-run` option to the below command:
 
@@ -81,6 +88,14 @@ helm upgrade otel-collector-cluster open-telemetry/opentelemetry-collector \
     --values https://raw.githubusercontent.com/lightstep/sn-collector/main/collector/config-k8s/values-cluster.yaml
 ```
 
+Next, install CNO for visibility. Additional install instructions for CNO are on the ServiceNow documentation [portal](https://docs.servicenow.com/bundle/washingtondc-it-operations-management/page/product/cloud-native-operations-visibility/task/cnov-deploy-install.html). By sending `Y` you accept the terms and conditions of ServiceNow CNO.
+
+```sh
+helm upgrade k8s-informer servicenow/k8s-informer-chart \ 
+    --set acceptEula=Y --set instance.name=INSTANCE_NAME --set clusterName="CLUSTER_NAME" \
+    --install --namespace servicenow
+```
+
 The pod will deploy after a few seconds, to check status and for errors, run:
 
 ```sh

@@ -0,0 +1,114 @@
+# ################
+# 1st Stage: Use openjdk 8 to verify signature w/ jarsigner
+# https://developers.redhat.com/articles/2022/09/16/updating-docker-hubs-openjdk-image#openjdk_and_java_se_updates
+# ################
+FROM eclipse-temurin:8-jdk-alpine AS download_verification
+
+RUN apk -q update && \
+    apk add bash && \
+    apk add -q wget && \
+    rm -rf /tmp/*
+
+ARG MID_INSTALLATION_URL=https://install.service-now.com/glide/distribution/builds/package/app-signed/mid/2024/03/06/mid.vancouver-07-06-2023__patch7-hotfix1-03-05-2024_03-06-2024_1225.linux.x86-64.zip
+ARG MID_INSTALLATION_FILE
+ARG MID_SIGNATURE_VERIFICATION="TRUE"
+
+WORKDIR /opt/snc_mid_server/
+
+COPY asset/* /opt/snc_mid_server/
+
+# download.sh and validate_signature.sh
+RUN chmod 6750 /opt/snc_mid_server/*.sh
+
+RUN echo "Check MID installer URL: ${MID_INSTALLATION_URL} or Local installer: ${MID_INSTALLATION_FILE}"
+
+# Download the installation ZIP file or using the local one
+RUN if [ -z "$MID_INSTALLATION_FILE" ] ; \
+    then /opt/snc_mid_server/download.sh $MID_INSTALLATION_URL ; \
+    else echo "Use local file: $MID_INSTALLATION_FILE" && ls -alF /opt/snc_mid_server/ && mv /opt/snc_mid_server/$MID_INSTALLATION_FILE /tmp/mid.zip ; fi
+
+# Verify mid.zip signature
+RUN if [ "$MID_SIGNATURE_VERIFICATION" = "TRUE" ] || [ "$MID_SIGNATURE_VERIFICATION" = "true" ] ; \
+    then echo "Verify the signature of the installation file" && /opt/snc_mid_server/validate_signature.sh /tmp/mid.zip; \
+    else echo "Skip signature validation of the installation file "; fi
+
+RUN unzip -d /opt/snc_mid_server/ /tmp/mid.zip && rm -f /tmp/mid.zip
+
+# ################
+# Final Stage (using the downloaded ZIP file from previous stage)
+# ################
+FROM almalinux:9.1
+
+RUN dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
+
+RUN dnf update -y && \
+    dnf install -y  --allowerasing bind-utils \
+                    xmlstarlet \
+                    curl \
+                    procps \
+                    net-tools \
+                    iputils &&\
+    dnf clean packages -y && \
+    rm -rf /tmp/*
+
+# ##########################
+# Build argument definition
+# ##########################
+
+
+ARG MID_USERNAME=mid
+
+ARG GROUP_ID=1001
+
+ARG USER_ID=1001
+
+
+# ############################
+# Runtime Env Var Definition
+# ############################
+
+# Ensure UTF-8 Encoding
+ENV LANG en_US.UTF-8
+
+# Mandatory Env Var
+ENV MID_INSTANCE_URL "" \
+    MID_INSTANCE_USERNAME "" \
+    MID_INSTANCE_PASSWORD "" \
+    MID_SERVER_NAME "" \
+# Optional Env Var
+    MID_PROXY_HOST "" \
+    MID_PROXY_PORT "" \
+    MID_PROXY_USERNAME "" \
+    MID_PROXY_PASSWORD "" \
+    MID_SECRETS_FILE "" \
+    MID_MUTUAL_AUTH_PEM_FILE "" \
+    MID_SSL_BOOTSTRAP_CERT_REVOCATION_CHECK "" \
+    MID_SSL_USE_INSTANCE_SECURITY_POLICY ""
+
+
+RUN if [[ -z "${GROUP_ID}" ]]; then GROUP_ID=1001; fi && \
+		if [[ -z "${USER_ID}" ]]; then USER_ID=1001; fi && \
+        echo "Add GROUP id: ${GROUP_ID}, USER id: ${USER_ID} for username: ${MID_USERNAME}"
+
+
+RUN groupadd -g $GROUP_ID $MID_USERNAME && \
+        useradd -c "MID container user" -r -m -u $USER_ID -g $MID_USERNAME $MID_USERNAME
+
+# only copy needed scripts and .container
+COPY asset/init asset/.container asset/check_health.sh asset/post_start.sh asset/pre_stop.sh /opt/snc_mid_server/
+
+# 6:setuid + setgid, 750: a:rwx, g:rx, o:
+RUN chmod 6750 /opt/snc_mid_server/* && chown -R $MID_USERNAME:$MID_USERNAME /opt/snc_mid_server/
+
+# Copy agent/ from download_verification
+COPY --chown=$MID_USERNAME:$MID_USERNAME  --from=download_verification /opt/snc_mid_server/agent/ /opt/snc_mid_server/agent/
+
+# Check if the wrapper PID file exists and a HeartBeat is processed in the last 30 minutes
+HEALTHCHECK --interval=5m --start-period=3m --retries=3 --timeout=15s \
+    CMD bash check_health.sh || exit 1
+
+WORKDIR /opt/snc_mid_server/
+
+USER $MID_USERNAME
+
+ENTRYPOINT ["/opt/snc_mid_server/init", "start"]
@@ -0,0 +1,5 @@
+# MID Server Container, ServiceNow Inc.
+StartAsProcess=true
+ContainerDeploymentName=
+DeploymentMidId=
+ContainerDeploymentNamespace=
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+
+if [ ! -f agent/work/mid.pid ]
+then
+  echo "agent/work/mid.pid doesn't exist"
+  exit 1
+fi
+
+if [ ! -f agent/.healthcheck ]
+then
+  echo "agent/.healthcheck doesn't exist"
+  exit 1
+fi
+
+# check if currentTime - lastModifiedTime of .healthcheck is >= 30 min (1800 sec) \
+currentTime=`date '+%s'`
+lastModifiedTime=`date -r agent/.healthcheck '+%s'`
+
+if [ $(($currentTime-$lastModifiedTime)) -gt 1800 ]
+then
+  exit 1
+fi
+
+exit 0
@@ -0,0 +1,17 @@
+#!/bin/bash
+#
+# Sample variable
+#   mid_installation_url =
+
+set -e
+
+mid_installation_url=$1
+
+if [[ ! -z "$mid_installation_url" ]]
+then
+  echo "Downloading $mid_installation_url"
+  wget $mid_installation_url -O /tmp/mid.zip
+else
+  echo "ERROR: Downloading [$mid_installation_url] failed!"
+  exit 1
+fi