[#2727][#2683] Add Sandbox deployment with Helm + include Kafka

This adds the configuration required to deploy Hono with the official
Helm chart to the sandbox VM.
The scripts allow to: install Kubernetes (k3s), deploy cert-manager to
request a public certificate issued by Let's Encrypt and deploy Hono.
The Hono deployment includes the example Kafka cluster provided by the
Helm chart.

Signed-off-by: Abel Buechner-Mihaljevic <[email protected]>

deploy/src/main/sandbox-k8s/00-install-k3s.sh

@@ -0,0 +1,18 @@
+#!/bin/sh
+#*******************************************************************************
+# Copyright (c) 2021 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+#*******************************************************************************
+
+# This script installs the current version of k3s. It is intended to be only used
+# on the Eclipse Foundation's Hono sandbox VM.
+
+curl -sfL https://get.k3s.io | sh -s - server --node-name hono.eclipseprojects.io

deploy/src/main/sandbox-k8s/10-deploy-cert-manager.sh

@@ -0,0 +1,54 @@
+#!/bin/bash
+#*******************************************************************************
+# Copyright (c) 2021 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+#*******************************************************************************
+
+# This script takes care to provide a public certificate from Let's Encrypt.
+# It creates the namespace "hono", deploys the Cert-Manager and requests a certificate.
+# The script expects an email address to be used by Let's Encrypt, as the first argument.
+# The second argument must be "production" to create a valid certificate. If it is not set,
+# the issuer will be configured to use the Let's Encrypt Staging API. This is to avoid
+# hitting a limit on Let's Encrypt's productive API.
+
+SCRIPTPATH="$(cd "$(dirname "$0")" && pwd -P)"
+source $SCRIPTPATH/common.sh
+
+NS_CERT_MANAGER=cert-manager
+EMAIL=$1
+LE_API=${2:-"staging"}
+
+
+retry() {
+  "$@"
+  while [ $? -ne 0 ]; do
+    sleep 2s
+    echo "retrying" "$@"
+    "$@"
+  done
+}
+
+kubectl create namespace hono $KUBECONFIG
+
+# add Helm repo
+helm repo add jetstack https://charts.jetstack.io $KUBECONFIG
+helm repo update $KUBECONFIG
+
+echo ""
+echo "Deploying cert-manager..."
+helm install cert-manager jetstack/cert-manager --namespace $NS_CERT_MANAGER --create-namespace --set installCRDs=true $KUBECONFIG $HELM_WAIT #  --version v1.4.0
+
+# checking when cert-manager is ready is tricky: https://cert-manager.io/docs/installation/kubernetes/#verifying-the-installation
+# we just retry the following command
+echo ""
+echo "Adding issuer Let's Encrypt to cert-manager with API: $LE_API"
+LE_CONFIG=$(helm template ./letsencrypt-chart -f ./letsencrypt-chart/values-$LE_API.yaml --set spec.acme.email=$EMAIL)
+retry echo "$LE_CONFIG" | kubectl apply -f - $KUBECONFIG || true # do not abort although '-e' is set

deploy/src/main/sandbox-k8s/20-deploy-hono.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+#*******************************************************************************
+# Copyright (c) 2021 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+#*******************************************************************************
+
+# This script deploys Hono to the Eclipse Foundation's sandbox at hono.eclipseprojects.io
+# It requires that the namespace "hono" already exists and that the secret for the certificate is present.
+
+SCRIPTPATH="$(cd "$(dirname "$0")" && pwd -P)"
+source $SCRIPTPATH/common.sh
+
+
+# add Helm repos
+helm repo add eclipse-iot https://eclipse.org/packages/charts $KUBECONFIG
+helm repo update $KUBECONFIG
+
+echo ""
+echo "Deploying hono..."
+helm install eclipse-hono --dependency-update -f hono-values.yml -n hono eclipse-iot/hono $KUBECONFIG $HELM_WAIT

deploy/src/main/sandbox-k8s/common.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+#*******************************************************************************
+# Copyright (c) 2021 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+#*******************************************************************************
+
+set -ue
+
+KUBECONFIG="--kubeconfig /etc/rancher/k3s/k3s.yaml"
+HELM_WAIT="--wait --timeout 5m0s"

deploy/src/main/sandbox-k8s/hono-values.yml

@@ -0,0 +1,243 @@
+#
+# Copyright (c) 2021 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+#
+
+honoImagesType: "quarkus-native"
+
+useLoadBalancer: true
+
+messagingNetworkTypes:
+  - "amqp"
+  - "kafka"
+
+amqpMessagingNetworkExample:
+  enabled: true
+  dispatchRouter:
+    keyFile: "/etc/external-tls/tls.key"
+    certFile: "/etc/external-tls/tls.crt"
+    uidFormat: "n"
+    adapterUids: "hono.eclipseprojects.io"
+    extraSecretMounts:
+      sandbox:
+        secretName: "sandbox-tls"
+        mountPath: "/etc/external-tls"
+
+kafkaMessagingClusterExample:
+  enabled: true
+
+adapters:
+  http:
+    enabled: true
+    hono:
+      healthCheck:
+        port: 8088
+        bindAddress: "0.0.0.0"
+        keyPath: "/etc/external-tls/tls.key"
+        certPath: "/etc/external-tls/tls.crt"
+      http:
+        bindAddress: "0.0.0.0"
+        keyPath: "/etc/external-tls/tls.key"
+        certPath: "/etc/external-tls/tls.crt"
+        insecurePortEnabled: true
+        insecurePortBindAddress: "0.0.0.0"
+        jmsVendorPropsEnabled: true
+        maxPayloadSize: 8096
+        tenantIdleTimeout: "1h"
+    extraSecretMounts:
+      sandbox:
+        secretName: "sandbox-tls"
+        mountPath: "/etc/external-tls"
+    resources:
+      requests:
+        cpu:
+        memory: "96Mi"
+      limits:
+        cpu:
+        memory: "96Mi"
+
+  mqtt:
+    enabled: true
+    hono:
+      healthCheck:
+        port: 8088
+        bindAddress: "0.0.0.0"
+        keyPath: "/etc/external-tls/tls.key"
+        certPath: "/etc/external-tls/tls.crt"
+      mqtt:
+        bindAddress: "0.0.0.0"
+        keyPath: "/etc/external-tls/tls.key"
+        certPath: "/etc/external-tls/tls.crt"
+        insecurePortEnabled: true
+        insecurePortBindAddress: "0.0.0.0"
+        jmsVendorPropsEnabled: true
+        maxPayloadSize: 8096
+        tenantIdleTimeout: "1h"
+        maxConnections: 200
+    extraSecretMounts:
+      sandbox:
+        secretName: "sandbox-tls"
+        mountPath: "/etc/external-tls"
+    resources:
+      requests:
+        cpu:
+        memory: "96Mi"
+      limits:
+        cpu:
+        memory: "96Mi"
+
+  amqp:
+    enabled: true
+    hono:
+      healthCheck:
+        port: 8088
+        bindAddress: "0.0.0.0"
+        keyPath: "/etc/external-tls/tls.key"
+        certPath: "/etc/external-tls/tls.crt"
+      amqp:
+        bindAddress: "0.0.0.0"
+        keyPath: "/etc/external-tls/tls.key"
+        certPath: "/etc/external-tls/tls.crt"
+        insecurePortEnabled: true
+        insecurePortBindAddress: "0.0.0.0"
+        tenantIdleTimeout: "1h"
+        maxConnections: 200
+    extraSecretMounts:
+      sandbox:
+        secretName: "sandbox-tls"
+        mountPath: "/etc/external-tls"
+    resources:
+      requests:
+        cpu:
+        memory: "96Mi"
+      limits:
+        cpu:
+        memory: "96Mi"
+
+  coap:
+    enabled: true
+    hono:
+      healthCheck:
+        port: 8088
+        bindAddress: "0.0.0.0"
+        keyPath: "/etc/external-tls/tls.key"
+        certPath: "/etc/external-tls/tls.crt"
+      coap:
+        bindAddress: "0.0.0.0"
+        port: 5684
+        insecurePortEnabled: true
+        keyPath: "/etc/external-tls/tls.key"
+        certPath: "/etc/external-tls/tls.crt"
+        tenantIdleTimeout: "1h"
+        maxConnections: 400
+    extraSecretMounts:
+      sandbox:
+        secretName: "sandbox-tls"
+        mountPath: "/etc/external-tls"
+    resources:
+      requests:
+        cpu:
+        memory: "96Mi"
+      limits:
+        cpu:
+        memory: "96Mi"
+
+  kura:
+    enabled: false
+
+  lora:
+    enabled: false
+
+  amqpMessagingNetworkSpec:
+    keyPath: "/etc/external-tls/tls.key"
+    certPath: "/etc/external-tls/tls.crt"
+    hostnameVerificationRequired: false
+  commandAndControlSpec:
+    keyPath: "/etc/external-tls/tls.key"
+    certPath: "/etc/external-tls/tls.crt"
+    hostnameVerificationRequired: false
+
+authServer:
+  resources:
+    requests:
+      cpu:
+      memory: "32Mi"
+    limits:
+      cpu:
+      memory: "32Mi"
+
+deviceRegistryExample:
+  type: "embedded"
+  hono:
+    registry:
+      amqp:
+        bindAddress: "0.0.0.0"
+        keyPath: "/etc/external-tls/tls.key"
+        certPath: "/etc/external-tls/tls.crt"
+      http:
+        authenticationRequired: false
+        bindAddress: "0.0.0.0"
+        keyPath: "/etc/external-tls/tls.key"
+        certPath: "/etc/external-tls/tls.crt"
+        insecurePortEnabled: true
+        insecurePortBindAddress: "0.0.0.0"
+  extraSecretMounts:
+    sandbox:
+      secretName: "sandbox-tls"
+      mountPath: "/etc/external-tls"
+  resources:
+    requests:
+      cpu:
+      memory: "300Mi"
+    limits:
+      cpu:
+      memory: "300Mi"
+
+commandRouterService:
+  extraSecretMounts:
+    sandbox:
+      secretName: "sandbox-tls"
+      mountPath: "/etc/external-tls"
+  resources:
+    requests:
+      cpu:
+      memory: "128Mi"
+    limits:
+      cpu:
+      memory: "128Mi"
+
+kafka:
+  auth:
+    clientProtocol: "sasl" # no TLS. That would be "sasl_tls"
+  persistence:
+    size: 200Mi
+  zookeeper:
+    persistence:
+      size: 200Mi
+  externalAccess:
+    service:
+      type: "LoadBalancer"
+    autoDiscovery:
+      resources:
+        requests:
+          cpu: 100m
+  resources:
+    requests:
+      cpu: 100m
+
+jaegerBackendExample:
+  enabled: false
+
+prometheus:
+  createInstance: false
+
+grafana:
+  enabled: false

deploy/src/main/sandbox-k8s/letsencrypt-chart/Chart.yaml

@@ -0,0 +1,12 @@
+# This Helm chart is only used for templating not to deploy something.
+# It renders the issuer and certificate files for cert-manager depending
+# on the Let's Encrypt API to be used and it expects the email to be provided
+# on invocation like the following example:
+#  helm template . -f ./values-staging.yaml --set [email protected]
+
+apiVersion: v2
+name: lets-encrypt-chart
+description: A Helm chart used to render issuer and certificate files for cert-manager.
+type: application
+version: 0.1.0
+appVersion: "0.1.0"