Initial version of service consumer

.github/workflows/ci.yaml

@@ -0,0 +1,120 @@
+name: Create namespace and deploy on new branch
+
+on:
+  push:
+    branches-ignore:
+      - main
+    #branches:
+    #  - 'feature-**'
+
+
+
+concurrency: 
+    group: ${{ github.ref }}
+    cancel-in-progress: false
+
+jobs:
+
+  create:
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Git checkout
+        uses: actions/checkout@v1
+
+      - name: Authenticate and set context
+        uses: redhat-actions/oc-login@v1
+
+        with:
+          # URL to your OpenShift cluster.
+          # Refer to Step 2.
+          openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
+
+          # Authentication Token. Can use username and password instead.
+          # Refer to Step 3.
+          openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
+
+          # Disables SSL cert checking. Use this if you don't have the certificate authority data.
+          insecure_skip_tls_verify: true
+
+      # extract the current branch name and provide it as a var for easier integration into sed-commands
+      - name: Get branch name
+        id: branch-name
+        uses: tj-actions/[email protected]
+
+      - name: Log the branch name
+        run: |
+          echo ${{ steps.branch-name.outputs.current_branch }}
+
+      - name: Create namespace
+        run: |
+          oc new-project i4t-consumer-${{ steps.branch-name.outputs.current_branch }} || oc project i4t-consumer-${{ steps.branch-name.outputs.current_branch }}
+          oc adm policy add-role-to-group cluster-admin lodestar-developers -n i4t-consumer-${{ steps.branch-name.outputs.current_branch }}
+
+      - name: Rename target branch
+        run: |
+          cd i4trust-consumer/
+          # replace the default destination namespace(i4t-consumer-demo) with the branch namespace (prefixed with i4t-consumer-)
+          sed -i'' -e 's/destination_namespace: \&destination i4t-consumer-demo/destination_namespace: \&destination i4t-consumer-${{ steps.branch-name.outputs.current_branch }}/g' values.yaml
+          # prefix the application name with the branch name to avoid collisions (prefixed with i4t-consumer-)
+          sed -i'' -e 's/release: i4t-consumer-demo/release: i4t-consumer-${{ steps.branch-name.outputs.current_branch }}/g' values.yaml
+          # set the target revision to the current branch
+          sed -i'' -e 's/branch: \&branch main/branch: \&branch ${{ steps.branch-name.outputs.current_branch }}/g' values.yaml
+          # Replace subdomain in URLs with branch name (prefixed by i4t-consumer-)
+          sed -i'' -e 's/i4t-consumer-main/i4t-consumer-${{ steps.branch-name.outputs.current_branch }}/g' values.yaml
+      
+      # See https://github.com/helm/chart-releaser-action/issues/6
+      - name: Install Helm
+        run: |
+          curl -fsSLo get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
+          chmod 700 get_helm.sh
+          ./get_helm.sh
+
+      - name: Deploy applications
+        run: |
+          cd i4trust-consumer/
+          # render app of apps and apply it
+          helm template ${{ secrets.OVERWRITE_VALUES }} -f values.yaml . | oc -n argocd apply -f -
+          cd ..
+
+      - name: Check if all apps are healthy
+        run: |
+          # wait for the changes to take place and potentially crash the applications
+          sleep 60
+
+          # bool to check if the apps are healthy
+          healthy=0
+          # counter to set a number of tries
+          try=0
+          tries=30
+          # get the list of apps in the namespace 
+          componentsInstalled=$(grep "enabled: true" i4trust-consumer/values.yaml -c)
+          # check if the condition is met
+          while [ $healthy == 0 ] && [ $try -lt $tries ]
+          do
+            apps=$(oc get applications.argoproj.io --no-headers -n argocd -l destination-namespace=i4t-consumer-${{ steps.branch-name.outputs.current_branch }} | awk '{ print $3 }')
+            healthyapps=0
+            for app in $apps
+            do
+              if [ $app != "Healthy" ]
+              then
+                echo "Trying again in 30 seconds"
+                sleep 30
+                try=$(( try + 1 ))
+                break
+              elif [ $app == "Healthy" ]
+              then  
+                healthyapps=$(( healthyapps + 1 ))
+              fi
+              if [ $healthyapps == $componentsInstalled ]
+              then
+                healthy=1
+              fi
+            done
+          done
+
+          if [ $try -eq $tries ]
+          then
+            echo "ERROR: Tried too many times"
+            exit 1
+          fi

.github/workflows/cleanup.yaml

@@ -0,0 +1,40 @@
+name: Delete apps and namespace after deleting branch
+
+# trigger on branch deletion to bind the namespaces lifecycle to the branch lifecycle
+on:
+  delete:
+    branches-ignore:
+      - main
+
+jobs:
+
+  delete:
+
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Git checkout
+        uses: actions/checkout@v1
+
+
+      - name: Authenticate and set context
+        uses: redhat-actions/oc-login@v1
+
+        with:
+          # URL to your OpenShift cluster.
+          openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
+
+          # Authentication Token. Can use username and password instead.
+          openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}
+
+          # Disables SSL cert checking. Use this if you don't have the certificate authority data.
+          insecure_skip_tls_verify: true
+
+      - name: Delete applications
+        run: |
+          # remove all apps deployed for the namespace corresponding to the branch
+          oc delete application -l destination-namespace=i4t-consumer-${{ github.event.ref }} -n argocd
+      # delete the namespace associated to the trigger event's branch
+      - name: Delete namespace
+        run: |
+          oc delete project i4t-consumer-${{ github.event.ref }}

README.md

@@ -1,2 +1,67 @@
 # i4trust-consumer
 App-of-apps of an i4Trust service consumer organisation
+
+# i4Trust Consumer Demonstrator
+
+App-of-apps for an i4trust data service consumer (e.g., Happy Pets).
+
+> :bulb: This repository just provides a setup for temporary demonstration purposes. It is not recommended to be used in a production enviroment. Credentials are visible in clear text and are not encrypted. Installations should be deleted when demonstrations/presentations/etc. have finished. 
+
+The GitHub actions of this repo are configured to deploy a full instance with all components 
+required for this demonstrator, as soon as a branch is created. It is meant for a temporary deployment only. 
+Note that the deployment should be deleted after 
+each presentation/demo/etc., since there are only test accounts registered and credentials are visible in clear text in this 
+repo.
+
+Before moving this installation to a production environment, make sure to encrypt all credentials, keys, etc., e.g., 
+using [sealed-secrets](https://github.com/bitnami-labs/sealed-secrets).
+
+All scripts are developed for using an OpenShift Kubernetes cluster, but can be easily adapted for any 
+kind of infrastructure.
+
+
+## Deployment
+
+It is required to setup two GitHub secrets in the 
+repository ([also check this manual](https://github.com/FIWARE-Ops/marinera/blob/main/documentation/GITHUB_CI.md#openshift-service-account-permissions)):
+* `OPENSHIFT_SERVER`: Server URL of the OpenShift cluster
+* `OPENSHIFT_TOKEN`: Token from an OpenShift service account with sufficient permissions for creation/deletion of projects and applications, role assignments and deployments via Helm charts (e.g., with `cluster-admin` role) 
+
+In order to deploy all components, simply create a branch which is named differently than `main`. 
+The GitHub action will deploy all components to the namespace `i4t-consumer-{BRANCH_NAME}`. 
+
+Routes for externally exposed services are automatically created and hostnames are set dynamically. In order to 
+retrieve the created hostnames, one can run, e.g., 
+```shell
+kubectl -n i4t-consumer-{BRANCH_NAME} get routes
+```
+or check in the OpenShift console or in ArgoCD.
+
+
+
+
+### Uninstall
+
+For removing all components and deleting the applications and namespace, simply remove the branch.
+
+
+
+## Credentials
+
+Different accounts are created automatically with default passwords.
+
+| Component     | Username               | Password          | Comment |
+|---------------|------------------------|-------------------|---------|
+| Keyrock Consumer | [email protected] | admin | Admin user of the Consumer Keyrock IDP |
+| Keyrock Consumer | [email protected] | operator | Operator employee user of the Consumer |
+| Keyrock Consumer Shop | [email protected] | admin | Admin user of the Consumer Shop Keyrock IDP |
+| Keyrock Consumer Shop | [email protected] | prime | Prime user of the Consumer shop system |
+| Keyrock Consumer Shop | [email protected] | standard | Standard user of the Consumer shop system |
+
+Root CA, keys and certificates have been created and self-signed using openssl. Keys and certificates used for this demonstrator 
+can be found in the [certs folder](./certs). These should never be used in any kind of production enviroment or on a 
+contineously running environment.  
+Below table displays the assigned EORIs assigned to the different organisations and their keys/certificates:
+| Organisation           | EORI                       |
+|------------------------|----------------------------|
+| Consumer               | EU.EORI.DECONSUMERONE      |

applications/consumer-keyrock-shop/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: pdc-keyrock
+description: Chart holder for argo-cd
+
+type: application
+version: 0.5.0
+appVersion: "8.3.0"
+
+dependencies:
+  - name: keyrock
+    version: 0.5.0
+    repository: https://fiware.github.io/helm-charts

applications/consumer-keyrock-shop/templates/create-user-cm.yaml

@@ -0,0 +1,62 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: consumer-shop-{{ .Values.initScript.createUser.id }}-user-cm
+  annotations:
+    "helm.sh/hook": post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+    "helm.sh/hook-weight": "1"
+data:
+  entrypoint.sh: |-
+    pip install requests
+    echo "Creating users..."
+    python /scripts/create.py
+  create.py: |-
+    import requests
+    from requests.exceptions import HTTPError
+    import sys
+
+    def main():
+      KEYROCK_HOST = {{ .Values.keyrock.host | quote }}
+
+      # Login
+      login_data = {
+        'name': {{ .Values.keyrock.admin.email | quote }},
+        'password': {{ .Values.keyrock.admin.password | quote }}
+      }
+      login_header = {
+        'Content-Type': 'application/json'
+      }
+      login_response = requests.post(KEYROCK_HOST+'/v1/auth/tokens', json=login_data, headers=login_header)
+      try:
+        login_response.raise_for_status()
+      except HTTPError as e:
+        print(e.response.text)
+        sys.exit(1)
+      token = login_response.headers["X-Subject-Token"]
+
+      # Create user
+      user_header = {
+        'Content-Type': 'application/json',
+        'X-Auth-token': token
+      }
+      
+      {{- range $u := .Values.initScript.createUser.user }}
+      user_data = {
+        'user': {
+          'username': {{ $u.username | quote }},
+          'email': {{ $u.email | quote }},
+          'password': {{ $u.password | quote }}
+        }
+      }
+      user_response = requests.post(KEYROCK_HOST+'/v1/users', json=user_data, headers=user_header)
+      try:
+        user_response.raise_for_status()
+      except HTTPError as e:
+        print(e.response.text)
+        sys.exit(1)
+      
+      {{- end }}
+
+    if __name__ == "__main__":
+      main()

applications/consumer-keyrock-shop/templates/post-hook-user.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.initScript.createUser.enabled -}}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: consumer-shop-user-create-{{ randAlphaNum 5 | lower }}
+  annotations:
+    "helm.sh/hook": post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+    "helm.sh/hook-weight": "1"
+spec:
+  containers:
+    - name: consumer-shop-keyrock-user-create
+      image: python:3
+      command:
+        - /bin/sh
+        - /scripts/entrypoint.sh
+      volumeMounts:
+        - name: scripts
+          mountPath: /scripts
+  volumes:
+    - name: scripts
+      configMap:
+        name: consumer-shop-{{ .Values.initScript.createUser.id }}-user-cm
+  restartPolicy: Never
+
+{{- end }}