MG-141 - Fix Bootstrap and Certs services startup in k8s setup with HELM (#152)

* Fix default pull secret

Signed-off-by: JeffMboya <[email protected]>

emove extra bootstrap url

Signed-off-by: JeffMboya <[email protected]>

change BS pull policy to always

Signed-off-by: JeffMboya <[email protected]>

change encKey

Signed-off-by: JeffMboya <[email protected]>

fix image: {}

Signed-off-by: JeffMboya <[email protected]>

fix image: {}

Signed-off-by: JeffMboya <[email protected]>

fix image: {}

Signed-off-by: JeffMboya <[email protected]>

fix image: {}

Signed-off-by: JeffMboya <[email protected]>

fix image: {}

Signed-off-by: JeffMboya <[email protected]>

fix image: {}

Signed-off-by: JeffMboya <[email protected]>

* fix bootstrap not starting

Signed-off-by: JeffMboya <[email protected]>

* remove MG_BOOTSTRAP_ES_URL and MG_SDK_BASE_URL

Signed-off-by: JeffMboya <[email protected]>

* enable certs and vault

Signed-off-by: JeffMboya <[email protected]>

* add vault parameters

Signed-off-by: JeffMboya <[email protected]>

* update jaegerTraceRatio to 1.0

Signed-off-by: JeffMboya <[email protected]>

* update maintainers

Signed-off-by: JeffMboya <[email protected]>

* update helm docs

Signed-off-by: JeffMboya <[email protected]>

* fix journal container restarting

Signed-off-by: JeffMboya <[email protected]>

* Fix certs

Signed-off-by: JeffMboya <[email protected]>

* Update readme; disable vault by default

Signed-off-by: JeffMboya <[email protected]>

* Update README

Signed-off-by: JeffMboya <[email protected]>

---------

Signed-off-by: JeffMboya <[email protected]>

Author: JeffMboya

charts/magistrala/Chart.yaml

@@ -13,7 +13,7 @@ sources:
   - https://hub.docker.com/u/magistrala
 maintainers:
   - name: drasko
-    email: draasko[email protected]
+    email: drasko[email protected]
   - name: dusan
     email: [email protected]
 

charts/magistrala/README.md

@@ -10,7 +10,7 @@ Magistrala IoT Platform
 
 | Name | Email | Url |
 | ---- | ------ | --- |
-| drasko | <draasko[email protected]> |  |
+| drasko | <drasko[email protected]> |  |
 | dusan | <[email protected]> |  |
 
 ## Source Code
@@ -60,26 +60,32 @@ Magistrala IoT Platform
 | bootstrap.encKey | string | `"randomstring"` |  |
 | bootstrap.eventConsumerName | string | `"EventConsumerByBootstrap"` |  |
 | bootstrap.httpPort | int | `9013` |  |
-| bootstrap.image | object | `{}` |  |
+| bootstrap.image.pullPolicy | string | `"IfNotPresent"` |  |
+| bootstrap.image.pullSecrets | object | `{}` |  |
+| bootstrap.image.repository | string | `"magistrala/bootstrap"` |  |
+| bootstrap.image.tag | string | `"latest"` |  |
+| bootstrap.jaegerTraceRatio | float | `1` |  |
+| bootstrap.logLevel | string | `"info"` |  |
 | bootstrap.redisESPort | int | `6379` |  |
-| certs.enabled | bool | `false` |  |
+| bootstrap.sendTelemetry | bool | `true` |  |
+| certs.enabled | bool | `true` |  |
 | certs.httpPort | int | `9019` |  |
 | certs.image | object | `{}` |  |
 | certs.logLevel | string | `"info"` |  |
 | certs.signCAKeyPath | string | `"/etc/ssl/certs/ca.key"` |  |
 | certs.signCAPath | string | `"/etc/ssl/certs/ca.crt"` |  |
-| certs.vault.approleRoleid | string | `""` |  |
-| certs.vault.approleSecret | string | `""` |  |
-| certs.vault.namespace | string | `""` |  |
-| certs.vault.thingsCertsPkiPath | string | `""` |  |
-| certs.vault.thingsCertsPkiRoleName | string | `""` |  |
-| certs.vault.url | string | `""` |  |
+| certs.vault.approleRoleid | string | `"magistrala"` |  |
+| certs.vault.approleSecret | string | `"magistrala"` |  |
+| certs.vault.namespace | string | `"magistrala"` |  |
+| certs.vault.thingsCertsPkiPath | string | `"pki_int"` |  |
+| certs.vault.thingsCertsPkiRoleName | string | `"magistrala_things_certs"` |  |
+| certs.vault.url | string | `"http://magistrala-vault:8200"` |  |
 | defaults.eventStreamURL | string | `"magistrala-nats:4222"` |  |
 | defaults.image.pullPolicy | string | `"IfNotPresent"` |  |
 | defaults.image.rootRepository | string | `"magistrala"` |  |
 | defaults.image.tag | string | `"latest"` |  |
 | defaults.jaegerCollectorPort | int | `4318` |  |
-| defaults.jaegerTraceRatio | int | `10` |  |
+| defaults.jaegerTraceRatio | float | `1` |  |
 | defaults.logLevel | string | `"info"` |  |
 | defaults.natsPort | int | `4222` |  |
 | defaults.replicaCount | int | `3` |  |
@@ -308,4 +314,4 @@ Magistrala IoT Platform
 | users.passwordRegex | string | `"^.{8,}$"` |  |
 | users.secretKey | string | `"secretKey"` |  |
 | users.tokenResetEndpoint | string | `"/reset-request"` |  |
-| vault.enabled | bool | `false` |  |
+| vault.enabled | bool | `true` |  |

charts/magistrala/templates/bootstrap-deployment.yaml

@@ -42,12 +42,14 @@ spec:
               value: {{ .Values.defaults.eventStreamURL | quote }}
             - name: MG_BOOTSTRAP_LOG_LEVEL
               value: {{ default .Values.defaults.logLevel .Values.bootstrap.logLevel | quote }}
-            - name: MG_BOOTSTRAP_HOST
+            - name: MG_BOOTSTRAP_HTTP_HOST
               value: "0.0.0.0"
-            - name: MG_BOOTSTRAP_PORT
+            - name: MG_BOOTSTRAP_HTTP_PORT
               value: {{ .Values.bootstrap.httpPort | quote }}
             - name: MG_THINGS_URL
               value: http://{{ .Release.Name }}-things:{{ .Values.things.httpPort }}
+            - name: MG_THINGS_ES_URL              
+              value: {{ .Release.Name }}-redis-streams-master:{{ .Values.things.redisESPort }}
             - name: MG_AUTH_GRPC_URL
               value: {{ .Release.Name }}-envoy:{{ .Values.auth.grpcPort }}
             - name: MG_BOOTSTRAP_ENCRYPT_KEY
@@ -66,7 +68,7 @@ spec:
               value: {{ .Values.postgresqlbootstrap.username | quote }}
             - name: MG_BOOTSTRAP_DB_PASS
               value: {{ .Values.postgresqlbootstrap.password | quote }}
-            - name: MG_BOOTSTRAP_NAME
+            - name: MG_BOOTSTRAP_DB_NAME
               value: {{ .Values.postgresqlbootstrap.database | quote }}
 
           ports:

charts/magistrala/templates/journal-deployment.yaml

@@ -47,19 +47,19 @@ spec:
               value: {{ .Values.journal.httpPort  | quote  }}
             - name : MG_AUTH_GRPC_URL
               value: {{ .Release.Name }}-envoy:{{ .Values.auth.grpcPort }}
-            - name: MG_JOURNAL_HOST
+            - name: MG_JOURNAL_DB_HOST
             {{- if .Values.postgresqljournal.enabled }}
               value: "{{ .Release.Name }}-postgresqljournal"
             {{- else }}
               value: {{ .Values.postgresqljournal.host | quote }}
             {{- end }}
-            - name: MG_JOURNAL_PORT
+            - name: MG_JOURNAL_DB_PORT
               value: {{ .Values.postgresqljournal.port  | quote }}
-            - name: MG_JOURNAL_NAME
+            - name: MG_JOURNAL_DB_NAME
               value: {{ .Values.postgresqljournal.database | quote }}
-            - name: MG_JOURNAL_USER
+            - name: MG_JOURNAL_DB_USER
               value: {{ .Values.postgresqljournal.username | quote }}
-            - name: MG_JOURNAL_PASS
+            - name: MG_JOURNAL_DB_PASS
               value: {{ .Values.postgresqljournal.password | quote }}
           ports:
             - containerPort: {{ .Values.journal.httpPort }}

charts/magistrala/templates/things-deployment.yaml

@@ -56,7 +56,7 @@ spec:
               value: {{ .Values.postgresqlthings.username | quote }}
             - name: MG_THINGS_DB_PASS
               value: {{ .Values.postgresqlthings.password | quote }}
-            - name: MG_THINGS_DB
+            - name: MG_THINGS_DB_NAME
               value: {{ .Values.postgresqlthings.database | quote }}
             - name: MG_ES_URL
               value: {{ .Values.defaults.eventStreamURL | quote }}

charts/magistrala/values.yaml

@@ -10,13 +10,12 @@ defaults:
     pullPolicy: "IfNotPresent"
     rootRepository: "magistrala"
     tag: "latest"
-    # pullSecrets:
-    #   - {}
+    # pullSecrets: {}
   # Replicas of MQTT adapter, NATS, Things, Envoy and Auth
   replicaCount: 3
   natsPort: 4222
   jaegerCollectorPort: 4318
-  jaegerTraceRatio: 10
+  jaegerTraceRatio: 1.0
   sendTelemetry: true
   eventStreamURL: "magistrala-nats:4222"
 
@@ -235,7 +234,7 @@ auth:
     # tag: "latest"
     # pullPolicy: "IfNotPresent"
   # Log level for the auth service. Common options are "debug", "info", "warn", "error".
-  # jaegerTraceRatio: 10
+  # jaegerTraceRatio: 1.0
   # sendTelemetry: true
   httpPort: 8189
   grpcPort: 8181
@@ -275,7 +274,7 @@ users:
      # repository: "magistrala/users"
      # tag: "latest"
      # pullPolicy: "IfNotPresent"
-  # jaegerTraceRatio: 10
+  # jaegerTraceRatio: 1.0
   # sendTelemetry: true
   # logLevel: "info"
   httpPort: 9002
@@ -356,15 +355,15 @@ redis-things:
   usePassword: false
 
 bootstrap:
-  image: {}
-    # pullSecrets: {}
-    # repository: "magistrala/bootstrap"
-    # tag: "latest"
-    # pullPolicy: "IfNotPresent"
-  # jaegerTraceRatio: 10
-  # sendTelemetry: true
-  # logLevel: "info"
   enabled: true
+  image:
+    pullSecrets: {}
+    repository: "magistrala/bootstrap"
+    tag: "latest"
+    pullPolicy: "IfNotPresent"
+  jaegerTraceRatio: 1.0
+  sendTelemetry: true
+  logLevel: "info"
   httpPort: 9013
   redisESPort: 6379
   encKey: "randomstring"
@@ -394,25 +393,25 @@ postgresqlbootstrap:
           postgresql: *postgresqlBootstrapPort
 
 certs:
-  enabled: false
+  enabled: true
   image: {}
     # pullSecrets: {}
     # repository: "magistrala/certs"
     # tag: "latest"
     # pullPolicy: "IfNotPresent"
-  # jaegerTraceRatio: 10
+  # jaegerTraceRatio: 1.0
   # sendTelemetry: true
   httpPort: 9019
   logLevel: "info"
   signCAPath: "/etc/ssl/certs/ca.crt"
   signCAKeyPath: "/etc/ssl/certs/ca.key"
   vault:
-    url: ""
-    approleRoleid: ""
-    approleSecret: ""
-    namespace: ""
-    thingsCertsPkiPath: ""
-    thingsCertsPkiRoleName: ""
+    url: "http://magistrala-vault:8200"
+    approleRoleid: magistrala
+    approleSecret: magistrala
+    namespace: magistrala
+    thingsCertsPkiPath: pki_int
+    thingsCertsPkiRoleName: magistrala_things_certs
 
 vault:
   enabled: false
@@ -444,7 +443,7 @@ invitations:
     # repository: "magistrala/invitations"
     # tag: "latest"
     # pullPolicy: "IfNotPresent"
-  # jaegerTraceRatio: 10
+  # jaegerTraceRatio: 1.0
   # sendTelemetry: true
   # logLevel: "info"
   httpPort: 9020
@@ -479,7 +478,7 @@ journal:
     # repository: "magistrala/journal"
     # tag: "latest"
     # pullPolicy: "IfNotPresent"
-  # jaegerTraceRatio: 10
+  # jaegerTraceRatio: 1.0
   # sendTelemetry: true
   # logLevel: "info"
   httpPort: 9021
@@ -522,7 +521,7 @@ timescaledb:
       # repository: "magistrala/timescale-reader"
       # tag: "latest"
       # pullPolicy: "IfNotPresent"
-    # jaegerTraceRatio: 10
+    # jaegerTraceRatio: 1.0
     # sendTelemetry: true
     # logLevel: "info"
     enabled: true
@@ -536,7 +535,7 @@ timescaledb:
       # repository: "magistrala/timescale-writer"
       # tag: "latest"
       # pullPolicy: "IfNotPresent"
-    # jaegerTraceRatio: 10
+    # jaegerTraceRatio: 1.0
     # sendTelemetry: true
     # logLevel: "info"
     # nodeSelector: {}
@@ -567,7 +566,7 @@ ui:
     # repository: "magistrala/ui"
     # tag: "latest"
     # pullPolicy: "IfNotPresent"
-  # logLevel: "info"
+    # logLevel: "info"
   # hostname: ""
   # contentTypes: "application/senml+json"
   port: 9095
@@ -582,7 +581,6 @@ ui:
   # invitationsUrl: "http:///magistrala-auth:9020"
   # journalUrl: "http:///magistrala-auth:9021"
   # domainsUrl: "http://magistrala-auth:8189"
-  # bootstrapUrl: "http://magistrala-boostrap:9013"
   googleClientID: ""
   googleClientSecret: ""
   googleRedirectHostname: "https://stage-domain-name"

scripts/vault/vault.md

@@ -1,27 +1,70 @@
-# Install and configure `vault` with `certs`
-Make sure you configured your `KUBECONFIG` to point to destination cluster.
-
-Install vault
-
-```bash
-cd charts/magistrala
-helm upgrade magistrala . -n mg  --set vault.enabled=true
-```
-
-Initialize vault
-```bash
-cd ../../scripts/vault
-./vault_init.sh
-```
-
-
-Now upgrade installation of magistrala enabling certs service and setting proper values
-```bash
-source .env
-cd ../../charts/magistrala
-helm upgrade magistrala  --create-namespace -n mg . \
-                    --set certs.vault.url=$MG_VAULT_ADDR \
-                    --set certs.vault.approleRoleid=$MG_VAULT_THINGS_CERTS_ISSUER_ROLEID \
-                    --set certs.vault.approleSecret=$MG_VAULT_THINGS_CERTS_ISSUER_SECRET \
-                    --set certs.vault.namespace=$MG_VAULT_NAMESPACE 
-```
+## How to Install and Configure `vault` with `certs`
+
+### Prerequisites:
+
+1. **Kubernetes Configuration**: Ensure your `KUBECONFIG` is set up to point to the Kubernetes cluster where you want to deploy `vault`. This can typically be done by running:
+   ```bash
+   export KUBECONFIG=/path/to/your/kubeconfig
+   ```
+   This command tells your local machine which Kubernetes cluster to interact with.
+
+### Step 1: Install `vault` using Helm
+
+1. **Navigate to the `magistrala` Helm chart directory**:
+
+   ```bash
+   cd charts/magistrala
+   ```
+
+2. **Install `vault`**:
+   ```bash
+   helm upgrade magistrala . -n mg --set vault.enabled=true
+   ```
+   This command uses Helm to upgrade (or install) the `magistrala` release in the `mg` namespace with `vault` enabled.
+
+### Step 2: Initialize `vault`
+
+1. **Navigate to the `vault` Scripts Directory**:
+
+   If you are currently in the `charts/magistrala` directory, go up two levels to the root and then to the `vault` scripts directory by running:
+
+   ```bash
+   cd ../../scripts/vault
+   ```
+
+   If you are at the root of the repository, navigate to the `vault` scripts directory directly by running:
+
+   ```bash
+   cd scripts/vault
+   ```
+
+2. **Run the `vault_init.sh` script**:
+   ```bash
+   ./vault_init.sh
+   ```
+   This script initializes `vault` by setting up necessary configurations, such as unsealing the vault and applying initial policies. This is a crucial step to get `vault` ready for use.
+
+### Step 3: Enable the `certs` Service and Apply Configuration
+
+1. **Load Environment Variables**:
+
+   ```bash
+   source .env
+   ```
+
+   This command loads environment variables from the `.env` file into your current shell session. These variables are required for the next step to configure the `certs` service.
+
+2. **Navigate back to the `magistrala` Helm chart directory**:
+
+   ```bash
+   cd ../../charts/magistrala
+   ```
+
+3. **Upgrade the `magistrala` installation with `certs` enabled**:
+   ```bash
+   helm upgrade magistrala --create-namespace -n mg . \
+       --set certs.vault.url=$MG_VAULT_ADDR \
+       --set certs.vault.approleRoleid=$MG_VAULT_THINGS_CERTS_ISSUER_ROLEID \
+       --set certs.vault.approleSecret=$MG_VAULT_THINGS_CERTS_ISSUER_SECRET \
+       --set certs.vault.namespace=$MG_VAULT_NAMESPACE
+   ```