diff --git a/scripts/deploy_all.sh b/scripts/deploy_all.sh index ec00f362..7d678284 100755 --- a/scripts/deploy_all.sh +++ b/scripts/deploy_all.sh @@ -15,7 +15,7 @@ set -e : ${DEPLOYMENT_ENV:=local} ## Should be deployed in the listed order -: ${COMPONENTS=api-gateway auth-hydra edv kms vct orb resolver csh vcs vcs-v1 vault-server hub-auth hub-router wallet-web adapter-issuer adapter-rp} +: ${COMPONENTS=api-gateway auth-hydra edv kms vct orb resolver csh vcs vcs-v1 vault-server hub-auth hub-router wallet-web adapter-issuer adapter-rp wallet-demo-app} DEPLOY_LIST=( $COMPONENTS ) ## Map: component --> healthcheck(s) @@ -36,6 +36,7 @@ declare -A HEALTCHECK_URL=( [wallet-web]="https://wallet.$DOMAIN/healthcheck https://vcwallet.$DOMAIN/healthcheck" [adapter-issuer]="https://adapter-issuer.$DOMAIN/healthcheck" [adapter-rp]="https://adapter-rp.$DOMAIN/healthcheck" + [wallet-demo-app]="https://wallet-demo-app.$DOMAIN/healthcheck" ) ## Map: healthckeck --> http-code declare -A HEALTHCHECK_CODE=( @@ -61,7 +62,9 @@ declare -A HEALTHCHECK_CODE=( [https://adapter-rp.$DOMAIN/healthcheck]=200 [https://adapter-issuer.$DOMAIN/healthcheck]=200 [https://auth-hydra.$DOMAIN/health/ready]=200 - [https://auth-hydra-admin.$DOMAIN/health/ready]=200) + [https://auth-hydra-admin.$DOMAIN/health/ready]=200 + [https://wallet-demo-app.$DOMAIN/health/ready]=200 +) # healthCheck function -- copied from sandbox RED=$(tput setaf 1) diff --git a/scripts/service_list.txt b/scripts/service_list.txt index 882c05db..1963502e 100644 --- a/scripts/service_list.txt +++ b/scripts/service_list.txt @@ -30,4 +30,5 @@ vcs-awskms vcs-localkms vcwallet wallet +wallet-demo-app static-file-server diff --git a/wallet-demo-app/Makefile b/wallet-demo-app/Makefile new file mode 100644 index 00000000..2af3902e --- /dev/null +++ b/wallet-demo-app/Makefile 
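Review bot: The HEALTHCHECK_CODE entry added in the third hunk is keyed on `https://wallet-demo-app.$DOMAIN/health/ready`, while the HEALTCHECK_URL entry added in the second hunk registers `https://wallet-demo-app.$DOMAIN/healthcheck` (the same path the new Deployment's livenessProbe uses), so the URL the script will actually poll has no expected-code entry. The healthCheck function that consumes these maps is outside the hunk, so I cannot confirm how a missing key is handled, but presumably the lookup yields an empty string and the status comparison fails. Change the new line to `[https://wallet-demo-app.$DOMAIN/healthcheck]=200` so the two maps agree.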
@@ -0,0 +1,131 @@
+#
+# Copyright Gen Digital Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+SHELL := /bin/bash
+CONTAINER_CMD ?= docker
+USER_ID = $(shell id -u)
+DOCKER_CMD_RUN_OPTS ?= -u $(USER_ID)
+CONTAINER_CMD_RUN_OPTS ?= $(if $(findstring docker,$(CONTAINER_CMD)),$(DOCKER_CMD_RUN_OPTS),)
+
+export DEPLOYMENT_ENV ?= local
+# space delimited of Key:Value pairs
+COMMON_LABELS := instance:${DEPLOYMENT_ENV}
+export DOMAIN ?= ${DEPLOYMENT_ENV}.trustbloc.dev
+
+OS = $(shell uname -s | tr '[:upper:]' '[:lower:]')
+ARCH = $(shell uname -m | sed 's/x86_64/amd64/')
+
+#IMAGES
+WALLET_DEMO_APP_IMG ?= ghcr.io/trustbloc-cicd/wallet-demo-app:1.2.2-snapshot-b08a949
+
+
+# do not modify
+KUSTOMIZE_DIR = kustomize/wallet-demo-app
+KEYS_OUTPUT_DIR = ${KUSTOMIZE_DIR}/overlays/${DEPLOYMENT_ENV}/keys
+CERTS_OUTPUT_DIR = ${KUSTOMIZE_DIR}/overlays/${DEPLOYMENT_ENV}/certs
+PREFIX ?=
+KUSTOMIZE_BUILD_OPTS ?= --load-restrictor LoadRestrictionsNone --enable-alpha-plugins
+export KUSTOMIZE_PLUGIN_HOME = $(abspath .)/kustomize/plugin
+
+.PHONY: all
+all: setup
+
+.PHONY: setup
+setup: generate-test-certs
+ @echo setup
+
+.PHONY: setup-no-certs
+setup-no-certs:
+ @echo setup-no-certs
+
+# TODO (#521): frapsoft/openssl only has an amd64 version. While this does work when using Docker on arm64-based macOS
+# currently thanks to the automatic built-in QEMU emulation, it would be better to use a
+# native arm64 version.
+.PHONY: generate-test-certs
+generate-test-certs: clean-certs
+ @echo $(abspath .)
+ @$(CONTAINER_CMD) run ${CONTAINER_CMD_RUN_OPTS} -i --platform linux/amd64 --rm \
+ -v $(abspath .):/opt/workspace:Z \
+ -e DOMAIN=${DOMAIN} \
+ -e CERTS_OUTPUT_DIR=${CERTS_OUTPUT_DIR} \
+ --entrypoint "/opt/workspace/scripts/generate_test_certs.sh" \
+ docker.io/frapsoft/openssl:latest
+ @cd ${CERTS_OUTPUT_DIR} && ln -fs trustbloc-dev-ca.crt ca.crt
+ @cd ${CERTS_OUTPUT_DIR} && ln -fs ${DOMAIN}.key tls.key
+ @cd ${CERTS_OUTPUT_DIR} && ln -fs ${DOMAIN}.crt tls.crt
+
+.PHONY: deploy
+deploy: prechecks kustomize kubectl set-images set-labels deploy-wallet-demo-app
+
+.PHONY: prechecks
+prechecks:
+ifeq (, $(shell stat ${KUSTOMIZE_DIR}/overlays/${DEPLOYMENT_ENV} 2>/dev/null))
+ @echo "Environment not found ${KUSTOMIZE_DIR}/overlays/${DEPLOYMENT_ENV}"
+ @exit 1
+endif
+
+.PHONY: set-labels
+set-labels: kustomize
+ @pushd ${KUSTOMIZE_DIR}/overlays/${DEPLOYMENT_ENV}/wallet-demo-app &&\
+ ${KUSTOMIZE} edit set label ${COMMON_LABELS} &&\
+ popd
+
+.PHONY: set-images
+set-images: kustomize
+ @pushd ${KUSTOMIZE_DIR}/base &&\
+ ${KUSTOMIZE} edit set image wallet-demo-app=${WALLET_DEMO_APP_IMG} &&\
+ popd
+
+.PHONY: deploy-wallet-demo-app
+deploy-wallet-demo-app: prechecks kustomize kubectl
+ @minikube image load $(WALLET_DEMO_APP_IMG)
+ $(KUSTOMIZE) build ${KUSTOMIZE_BUILD_OPTS} \
+ ${KUSTOMIZE_DIR}/overlays/${DEPLOYMENT_ENV}/wallet-demo-app | $(KUBECTL) apply -f -
+
+.PHONY: undeploy
+undeploy: prechecks kustomize kubectl set-images set-labels undeploy-wallet-demo-app
+
+.PHONY: undeploy-wallet-demo-app
+undeploy-wallet-demo-app: prechecks kustomize kubectl
+ $(KUSTOMIZE) build ${KUSTOMIZE_BUILD_OPTS} \
+ ${KUSTOMIZE_DIR}/overlays/${DEPLOYMENT_ENV}/wallet-demo-app | $(KUBECTL) delete -f -
+
+.PHONY: kustomize
+kustomize:
+ifeq (, $(shell which kustomize 2>/dev/null))
+ @{ \
+ set -e ;\
+ mkdir -p bin ;\
+ curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.3.0/kustomize_v4.3.0_$(OS)_$(ARCH).tar.gz | tar xzf - -C bin/ ;\
+ }
+KUSTOMIZE=$(realpath ./bin/kustomize)
+else
+KUSTOMIZE=$(shell which kustomize)
+endif
+
+.PHONY: kubectl
+kubectl:
+ifeq (, $(shell which kubectl 2>/dev/null))
+ @{ \
+ set -e ;\
+ mkdir -p bin ;\
+ curl -sSL https://storage.googleapis.com/kubernetes-release/release/v1.21.2/bin/$(OS)/$(ARCH)/kubectl -o bin/kubectl ;\
+ chmod u+x bin/kubectl ;\
+ }
+KUBECTL=$(realpath ./bin/kubectl)
+else
+KUBECTL=$(shell which kubectl)
+endif
+
+.PHONY: clean
+clean: clean-all
+
+.PHONY: clean-all
+clean-all: clean-certs
+
+.PHONY: clean-certs
+clean-certs:
+ @rm -Rf ${CERTS_OUTPUT_DIR}
diff --git a/wallet-demo-app/README.md b/wallet-demo-app/README.md
new file mode 100644
index 00000000..1a52298f
--- /dev/null
+++ b/wallet-demo-app/README.md
@@ -0,0 +1,27 @@
+# [Wallet Demo App](https://github.com/trustbloc/wallet-sdk/tree/main/demo/app) k8s deployment #
+
+
+## pre-requisits
+* [Minikube](https://minikube.sigs.k8s.io/docs/start/) with ingress addon.
+* GNU sed
+* (Optional: Gets installed by make) [kustomize](https://kubectl.docs.kubernetes.io/installation/kustomize/).
+
+## Quick Run
+* `make all`
+* `make deploy-wallet-demo-app`
+
+## Cleanup
+* `make undeploy-wallet-demo-app`
+* `make clean`
+
+## options and features
+* By default dns domain is `local.trustboc.dev`. To run with different domain (See next), run with: `make DOMAIN=ali.trustbloc.dev`
+* By default Bloc domain is `orb-1.trustboc.dev`. To run with different domain (See next), run with: `make BLOC_DOMAIN=orb-1.ali.trustbloc.dev`
+* Will create an Ingress for external access. When running with unregistered dns domains, create records (/etc/hosts) for:
+ - `wallet.DOMAIN`
+* if running `podman` pass `CONTAINER_CMD=podman` as option to make
+* Running with none self-signed certificates: place certs into kustomize/wallet/overlays/sandbox/certs, then run with: `make setup-no-certs`.
+>files:
+ - ca.crt
+ - tls.crt
+ - tls.key
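Review bot: The `kustomize` and `kubectl` targets download binaries with `curl` and execute them with no integrity check, and `generate-test-certs` mints the dev CA key inside the floating `docker.io/frapsoft/openssl:latest` image, so whatever GitHub, storage.googleapis.com or Docker Hub serves at that moment is trusted verbatim. Pin the image by digest (`docker.io/frapsoft/openssl@sha256:<DIGEST>`, placeholder) and verify each download against a pinned hash before it is used, e.g. after the kubectl fetch `echo "<EXPECTED_SHA256>  bin/kubectl" | sha256sum -c -` (constructed; substitute the checksum published for v1.21.2). Separately, `USER_ID`, `OS` and `ARCH` are recursive (`=`) assignments wrapping `$(shell …)`, so every reference re-runs the command; `:=` yields the same values once at parse time. It is also worth a comment on `set-images`/`set-labels` that `make deploy` rewrites the tracked `base/kustomization.yaml` and overlay kustomization via `kustomize edit`, which leaves the checkout dirty.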
diff --git a/wallet-demo-app/kustomize/plugin/svceng/sedtransformer/SedTransformer b/wallet-demo-app/kustomize/plugin/svceng/sedtransformer/SedTransformer
new file mode 100755
index 00000000..598173b5
--- /dev/null
+++ b/wallet-demo-app/kustomize/plugin/svceng/sedtransformer/SedTransformer
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+#
+# Copyright SecureKey Technologies Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# https://github.com/kubernetes-sigs/kustomize/blob/master/plugin/someteam.example.com/v1/sedtransformer/SedTransformer
+# Skip the config file name argument.
+shift
+args=()
+for arg in "$@"; do
+ env_expanded=${arg@P}
+ args+=(-e "$env_expanded")
+done
+
+sed "${args[@]}"
diff --git a/wallet-demo-app/kustomize/wallet-demo-app/.gitignore b/wallet-demo-app/kustomize/wallet-demo-app/.gitignore
new file mode 100644
index 00000000..9f03159e
--- /dev/null
+++ b/wallet-demo-app/kustomize/wallet-demo-app/.gitignore
@@ -0,0 +1,8 @@
+#
+# Copyright Gen Digital Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+**/keys/**
+**/certs/**
diff --git a/wallet-demo-app/kustomize/wallet-demo-app/base/deployment.yml b/wallet-demo-app/kustomize/wallet-demo-app/base/deployment.yml
new file mode 100644
index 00000000..19e41cbb
--- /dev/null
+++ b/wallet-demo-app/kustomize/wallet-demo-app/base/deployment.yml
@@ -0,0 +1,35 @@
+#
+# Copyright Gen Digital Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: wallet-demo-app
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: wallet-demo-app
+ template:
+ metadata:
+ labels:
+ app: wallet-demo-app
+ spec:
+ containers:
+ - name: wallet-demo-app
+ image: wallet-demo-app:latest
+ ports:
+ - containerPort: 80
+ protocol: TCP
+ name: http-port
+ livenessProbe:
+ httpGet:
+ path: /healthcheck
+ port: http-port
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ failureThreshold: 5
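Review bot: `${arg@P}` expands each argument as a bash prompt string, which besides `${VAR}` substitution also interprets prompt escapes such as `\t`, `\w`, `\u` and `\$`, so a sed expression that contains those sequences (GNU sed's `\w` or `\t`, for instance) is silently rewritten before sed ever sees it. A comment on that line would spare the next author a confusing debugging session, e.g. `# @P is prompt expansion: ${VAR} is substituted, but backslash escapes like \t, \w, \$ are interpreted too`. Since the script does not set `-u`, an unset variable expands to empty without any error, so a missing DOMAIN turns `s^||DOMAIN||^${DOMAIN}^g` into a substitution that replaces the placeholder with nothing; callers must validate their variables before invoking kustomize.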
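Review bot: The Deployment declares only a livenessProbe on `/healthcheck`, so without a readinessProbe the Service routes traffic to the pod as soon as the container starts, and a failing `/healthcheck` triggers container restarts instead of merely withholding traffic; the health polling added to deploy_all.sh goes through the Ingress and will observe those early failures. A readinessProbe on the same endpoint fixes the routing side, and the pod spec would also benefit from a `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`) and `resources` limits — whether the image tolerates those is not visible here, so verify against the app before adding them. Note also that the container declares only `http-port`; the `prometheus` target port referenced by base/service.yml has no matching containerPort in this Deployment.
```yaml
        # … unchanged: image, ports, livenessProbe …
        readinessProbe:
          httpGet:
            path: /healthcheck
            port: http-port
          periodSeconds: 5
          failureThreshold: 3
```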
diff --git a/wallet-demo-app/kustomize/wallet-demo-app/base/kustomization.yaml b/wallet-demo-app/kustomize/wallet-demo-app/base/kustomization.yaml
new file mode 100644
index 00000000..f6806f38
--- /dev/null
+++ b/wallet-demo-app/kustomize/wallet-demo-app/base/kustomization.yaml
@@ -0,0 +1,18 @@
+#
+# Copyright Gen Digital Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+generatorOptions: {}
+
+resources:
+- deployment.yml
+- service.yml
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: wallet-demo-app
+ newName: ghcr.io/trustbloc-cicd/wallet-demo-app
+ newTag: 1.2.2-snapshot-b08a949
diff --git a/wallet-demo-app/kustomize/wallet-demo-app/base/service.yml b/wallet-demo-app/kustomize/wallet-demo-app/base/service.yml
new file mode 100644
index 00000000..e2e93673
--- /dev/null
+++ b/wallet-demo-app/kustomize/wallet-demo-app/base/service.yml
@@ -0,0 +1,29 @@
+#
+# Copyright Gen Digital Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ creationTimestamp: null
+ name: wallet-demo-app
+ labels:
+ app: wallet-demo-app
+spec:
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: http-port
+ - name: prometheus
+ port: 9100
+ protocol: TCP
+ targetPort: prometheus
+ selector:
+ app: wallet-demo-app
+status:
+ loadBalancer: {}
+---
diff --git a/wallet-demo-app/kustomize/wallet-demo-app/overlays/common/kustomization.yaml b/wallet-demo-app/kustomize/wallet-demo-app/overlays/common/kustomization.yaml
new file mode 100644
index 00000000..14d06cae
--- /dev/null
+++ b/wallet-demo-app/kustomize/wallet-demo-app/overlays/common/kustomization.yaml
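Review bot: The second Service port uses `targetPort: prometheus`, a named container port that base/deployment.yml does not declare (it only defines `http-port` on 80), so port 9100 on this Service has no backing endpoint. Either add a `containerPort: 9100` named `prometheus` to the Deployment if the app really serves metrics there, or drop the `prometheus` entry from the Service. `creationTimestamp: null` and the trailing `status:` / `loadBalancer: {}` stanza are residue from `kubectl -o yaml` output rather than configuration and can be removed along with the dangling `---` at the end.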
@@ -0,0 +1,27 @@
+#
+# Copyright Gen Digital Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Adds namespace to all resources.
+#namespace: edge-sandbox-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+commonLabels:
+ group: services
+ project: trustbloc
+
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../base
+
+transformers:
+- sedtransform.yml
diff --git a/wallet-demo-app/kustomize/wallet-demo-app/overlays/common/sedtransform.yml b/wallet-demo-app/kustomize/wallet-demo-app/overlays/common/sedtransform.yml
new file mode 100644
index 00000000..2f9a66e3
--- /dev/null
+++ b/wallet-demo-app/kustomize/wallet-demo-app/overlays/common/sedtransform.yml
@@ -0,0 +1,11 @@
+#
+# Copyright Gen Digital Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+apiVersion: svceng
+kind: SedTransformer
+metadata:
+ name: sedtransformer
+argsOneLiner: s^||DOMAIN||^${DOMAIN}^g
diff --git a/wallet-demo-app/kustomize/wallet-demo-app/overlays/local/wallet-demo-app/ingress.yml b/wallet-demo-app/kustomize/wallet-demo-app/overlays/local/wallet-demo-app/ingress.yml
new file mode 100644
index 00000000..23d9924c
--- /dev/null
+++ b/wallet-demo-app/kustomize/wallet-demo-app/overlays/local/wallet-demo-app/ingress.yml
@@ -0,0 +1,29 @@
+#
+# Copyright Gen Digital Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: wallet-demo-app
+ labels:
+ app: wallet-demo-app
+spec:
+ tls:
+ - hosts:
+ - wallet-demo-app.||DOMAIN||
+ secretName: INGRESS_TLS_SECRET
+ rules:
+ - host: wallet-demo-app.||DOMAIN||
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: wallet-demo-app
+ port:
+ name: http
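Review bot: The comment block above `commonLabels` describes a `namePrefix` field ("prepended to the names of all resources … alices-wordpress") and a namespace that do not exist in this file — it is copied template text — and `#namespace: edge-sandbox-system` is dead, commented-out configuration. Replace both with a comment that states what the block actually does, e.g. `# Labels applied to every resource from the base, including Deployment selectors.`; the same stale text recurs in overlays/local/wallet-demo-app/kustomization.yaml. Because kustomize's `commonLabels` are also written into `spec.selector.matchLabels`, which is immutable on an existing Deployment, a later change to these labels will require the Deployment to be deleted and recreated — that is worth stating in the same comment.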
diff --git a/wallet-demo-app/kustomize/wallet-demo-app/overlays/local/wallet-demo-app/kustomization.yaml b/wallet-demo-app/kustomize/wallet-demo-app/overlays/local/wallet-demo-app/kustomization.yaml
new file mode 100644
index 00000000..70ef123d
--- /dev/null
+++ b/wallet-demo-app/kustomize/wallet-demo-app/overlays/local/wallet-demo-app/kustomization.yaml
@@ -0,0 +1,47 @@
+#
+# Copyright Gen Digital Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Adds namespace to all resources.
+#namespace: edge-sandbox-system
+
+# Value of this field is prepended to the
+# names of all resources, e.g. a deployment named
+# "wordpress" becomes "alices-wordpress".
+# Note that it should also match with the prefix (text before '-') of the namespace
+# field above.
+commonLabels:
+ group: services
+ instance: local
+ project: trustbloc
+
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+secretGenerator:
+- files:
+ - ../certs/tls.crt
+ - ../certs/tls.key
+ name: wallet-demo-app-wildcard-cert
+ type: kubernetes.io/tls
+
+replacements:
+- source:
+ kind: Secret
+ name: wallet-demo-app-wildcard-cert
+ version: v1
+ targets:
+ - fieldPaths:
+ - spec.tls.0.secretName
+ select:
+ kind: Ingress
+ name: wallet-demo-app
+
+resources:
+- ../../common
+- ingress.yml
+
+transformers:
+- sedtransform.yml
diff --git a/wallet-demo-app/kustomize/wallet-demo-app/overlays/local/wallet-demo-app/sedtransform.yml b/wallet-demo-app/kustomize/wallet-demo-app/overlays/local/wallet-demo-app/sedtransform.yml
new file mode 100644
index 00000000..2f9a66e3
--- /dev/null
+++ b/wallet-demo-app/kustomize/wallet-demo-app/overlays/local/wallet-demo-app/sedtransform.yml
@@ -0,0 +1,11 @@
+#
+# Copyright Gen Digital Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+apiVersion: svceng
+kind: SedTransformer
+metadata:
+ name: sedtransformer
+argsOneLiner: s^||DOMAIN||^${DOMAIN}^g
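Review bot: The `instance: local` label in this tracked file is rewritten by the Makefile's `set-labels` target (`kustomize edit set label instance:${DEPLOYMENT_ENV}`) on every `make deploy`, so the value is both a checked-in default and a build artefact, and nothing here says so; add `# 'instance' is overwritten by 'make set-labels'; keep this default equal to DEPLOYMENT_ENV for this overlay.` above it. The `secretGenerator` reads `../certs/tls.key` from outside the kustomization directory, which only works because the Makefile passes `--load-restrictor LoadRestrictionsNone`; that dependency deserves a comment on the generator as well. `sedtransform.yml` in this overlay is byte-identical to the copy in overlays/common (same blob 2f9a66e3) and is needed only because `ingress.yml` does not pass through the common overlay — a one-line comment would stop someone from "deduplicating" it and breaking the `||DOMAIN||` substitution in the Ingress.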
diff --git a/wallet-demo-app/scripts/generate_test_certs.sh b/wallet-demo-app/scripts/generate_test_certs.sh
new file mode 100755
index 00000000..160be184
--- /dev/null
+++ b/wallet-demo-app/scripts/generate_test_certs.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+#
+# Copyright Gen Digital Inc. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+set -e
+
+echo "Generating test certs ..."
+export RANDFILE=/tmp/rnd
+
+
+if [ "${DOMAIN}x" == "x" -o "${CERTS_OUTPUT_DIR}x" == "x" ]; then
+ echo "DOMAIN/CERTS_OUTPUT_DIR env not set"
+ exit 1
+fi
+
+cd /opt/workspace
+
+mkdir -p ${CERTS_OUTPUT_DIR}
+
+trustblocSSLConf=$(mktemp)
+echo "subjectKeyIdentifier=hash
+authorityKeyIdentifier = keyid,issuer
+extendedKeyUsage = serverAuth
+keyUsage = Digital Signature, Key Encipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = *.${DOMAIN}" >> "$trustblocSSLConf"
+
+CERT_CA="${CERTS_OUTPUT_DIR}/trustbloc-dev-ca.crt"
+if [ ! -f "$CERT_CA" ]; then
+ echo "... Generating CA cert ..."
+ openssl ecparam -name prime256v1 -genkey -noout \
+ -out ${CERTS_OUTPUT_DIR}/trustbloc-dev-ca.key
+ openssl req -new -x509 -key ${CERTS_OUTPUT_DIR}/trustbloc-dev-ca.key \
+ -subj "/C=CA/ST=ON/O=TrustBloc/OU=TrustBloc Dev CA" \
+ -out ${CERTS_OUTPUT_DIR}/trustbloc-dev-ca.crt -days 1095
+else
+ echo "Skipping CA generation - already exists"
+fi
+
+echo "... Generating TrustBloc domain cert: ${DOMAIN} ..."
+
+openssl ecparam -name prime256v1 -genkey -noout \
+ -out ${CERTS_OUTPUT_DIR}/${DOMAIN}.key
+
+openssl req -new -key ${CERTS_OUTPUT_DIR}/${DOMAIN}.key \
+ -subj "/C=CA/ST=ON/O=TrustBloc/OU=trustbloc/CN=${DOMAIN}" \
+ -out ${CERTS_OUTPUT_DIR}/${DOMAIN}.csr
+
+openssl x509 -req -in ${CERTS_OUTPUT_DIR}/${DOMAIN}.csr \
+ -CA ${CERTS_OUTPUT_DIR}/trustbloc-dev-ca.crt \
+ -CAkey ${CERTS_OUTPUT_DIR}/trustbloc-dev-ca.key \
+ -CAcreateserial -CAserial ${CERTS_OUTPUT_DIR}/${DOMAIN}.srl -extfile "$trustblocSSLConf" \
+ -out ${CERTS_OUTPUT_DIR}/${DOMAIN}.crt -days 365
+
+# RFC 4346 Append CA to CERT
+cat ${CERTS_OUTPUT_DIR}/trustbloc-dev-ca.crt >> ${CERTS_OUTPUT_DIR}/${DOMAIN}.crt
+
+echo "... Done generating test certs"
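Review bot: The private keys (`trustbloc-dev-ca.key` and `${DOMAIN}.key`) are written by `openssl ecparam -genkey -out` with whatever the process umask allows, typically world-readable, and the CA key is deliberately reused on later runs via the `if [ ! -f "$CERT_CA" ]` branch, so it lingers in the overlay tree with loose permissions; add `umask 077` immediately after `set -e` so every key, CSR and serial file is created owner-only. The env check `[ "${DOMAIN}x" == "x" -o "${CERTS_OUTPUT_DIR}x" == "x" ]` depends on `==` and `-o`, which are not POSIX `test` despite the `#!/bin/sh` shebang; `[ -z "${DOMAIN}" ] || [ -z "${CERTS_OUTPUT_DIR}" ]` is portable. The `mktemp` file is never removed — `trap 'rm -f "$trustblocSSLConf"' EXIT` right after it is created handles that — and the unquoted `${CERTS_OUTPUT_DIR}` expansions should be quoted for consistency with `"$CERT_CA"`.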