Initial init

Author: Adam Sayah

Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: Helm chart to deploy the needed secrets for Axway Amplify Mesh Governance.
+name: apic-hybrid-init
+version: 0.1.0

Dockerfile

@@ -0,0 +1,3 @@
+FROM alpine
+RUN apk add openssl curl
+RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && chmod +x ./kubectl && mv ./kubectl /usr/local/bin/kubectl

README.md

@@ -1,2 +1,25 @@
 # Axway-Amplify-Mesh-Init
-Helm chart to deploy the needed secrets for Axway Amplify Mesh Governance. 
+
+## Create the needed namespaces
+```Shell
+kubectl create namespace istio-system #if not existing
+kubectl create namespace apic-control #if not exisiting
+```
+
+## Start the init
+
+```Shell
+git clone https://github.com/asayah/Axway-Amplify-Mesh-Init
+# (Optional) If you specify gatewayHost, a self signed certificate will be created for your gateway Host. 
+helm install . -n apic-init --set gatewayHost=example.com
+```
+
+## If You want to use diffrents namespaces
+
+```Shell
+git clone https://github.com/asayah/Axway-Amplify-Mesh-Init
+kubectl create namespace foo
+kubectl create namespace bar
+# (Optional) If you specify gatewayHost, a self signed certificate will be created for your gateway Host. 
+helm install . -n apic-init --set gatewayHost=example.com --set apic.namespace=foo --set istio.namespace=bar
+```

templates/_helpers.tpl

@@ -0,0 +1,53 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "apic-hybrid-init.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "apic-hybrid-init.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "apic-hybrid-init.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "apic-hybrid-init.labels" -}}
+app.kubernetes.io/name: {{ include "apic-hybrid-init.name" . }}
+helm.sh/chart: {{ include "apic-hybrid-init.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Create a cert name form gatway DNS host.
+*/}}
+
+{{- define "gatewayCertName" }}
+{{- printf "%s-%s-certs" (split "." .Values.gatewayHost)._0 (split "." .Values.gatewayHost)._1 }}
+{{- end }}

templates/agent-secrets.yaml

@@ -0,0 +1,69 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: apic-secrets-prereq
+  namespace: {{ .Values.apic.namespace }}
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: access-secrets-for-agent-mesh-secrets-creation
+  namespace: {{ .Values.apic.namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+
+---  
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: apic-prereq-to-secrets
+  namespace: {{ .Values.apic.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: access-secrets-for-agent-mesh-secrets-creation
+subjects:
+- kind: ServiceAccount
+  name: apic-secrets-prereq
+  namespace: {{ .Values.apic.namespace }}
+
+---  
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: apic-secrets-prereq
+  namespace: {{ .Values.apic.namespace }}
+spec:
+  parallelism: 1    
+  completions: 1    
+  template:         
+    metadata:
+      name: apic-secrets-prereq
+    spec:
+      serviceAccountName: apic-secrets-prereq
+      containers:
+      - name: secret-init
+        image: asayah/kubectl
+        command:
+        - sh
+        - -c
+        - |
+          mkdir -p /tmp/sda
+          mkdir -p /tmp/csa
+          openssl genpkey -algorithm RSA -out /tmp/sda/private_key.pem -pkeyopt rsa_keygen_bits:2048
+          openssl rsa -pubout -in /tmp/sda/private_key.pem -out /tmp/sda/public_key.der -outform der && base64 /tmp/sda/public_key.der > /tmp/sda/public_key
+          openssl genpkey -algorithm RSA -out /tmp/csa/private_key.pem -pkeyopt rsa_keygen_bits:2048
+          openssl rsa -pubout -in /tmp/csa/private_key.pem -out /tmp/csa/public_key.der -outform der && base64 /tmp/csa/public_key.der > /tmp/csa/public_key
+          kubectl create secret generic csa-secrets --from-file=publicKey=/tmp/csa/public_key --from-file=privateKey=/tmp/csa/private_key.pem --from-literal=password="" -o yaml
+          kubectl create secret generic sda-secrets --from-file=publicKey=/tmp/sda/public_key --from-file=privateKey=/tmp/sda/private_key.pem --from-literal=password="" -o yaml
+
+      restartPolicy: Never
+---

templates/gateway-secrets.yaml

@@ -0,0 +1,71 @@
+{{- if (.Values.gatewayHost) }}
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: istio-secrets-prereq
+  namespace: {{ .Values.istio.namespace }}
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: access-secrets-for-gateway-secrets-creation
+  namespace: {{ .Values.istio.namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+
+---  
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: istio-prereq-to-secrets
+  namespace: {{ .Values.istio.namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: access-secrets-for-gateway-secrets-creation
+subjects:
+- kind: ServiceAccount
+  name: istio-secrets-prereq
+  namespace: {{ .Values.istio.namespace }}
+
+---  
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: istio-secrets-prereq
+  namespace: {{ .Values.istio.namespace }}
+spec:
+  parallelism: 1    
+  completions: 1    
+  template:         
+    metadata:
+      name: istio-secrets-prereq
+    spec:
+      serviceAccountName: istio-secrets-prereq
+      containers:
+      - name: secret-init
+        image: asayah/kubectl
+        env:
+        - name: GATEWAY_DNS
+          value: {{ .Values.gatewayHost }}
+        - name: GATEWAY_SECRET_NAME
+          value: {{ template "gatewayCertName" . }}  
+        command:
+        - sh
+        - -c
+        - |
+          openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/ca-selfsigned.key -out /tmp/ca-selfsigned.crt -subj "/C=US/ST=Phoenix/L=Phoenix/O=Global Security/OU=Axway RD/CN=$GATEWAY_DNS"
+          kubectl create secret tls $GATEWAY_SECRET_NAME --cert /tmp/ca-selfsigned.crt --key /tmp/ca-selfsigned.key -o yaml
+
+      restartPolicy: Never
+---
+{{- end }}

values.yaml

@@ -0,0 +1,8 @@
+istio:
+  namespace: istio-system
+
+apic:
+  namespace: apic-control
+
+# To create edge gateway cert, set gatewayHost var.
+#gatewayHost=exemple.com