feat(icm): enable encryption volume (#653)

BREAKING_CHANGE

.chglog/config.yml

@@ -25,4 +25,4 @@ options:
       - Subject
   notes:
     keywords:
-      - BREAKING CHANGE
+      - BREAKING_CHANGE

.github/workflows/lint-test_icm-as-integrationtest.yml

@@ -55,7 +55,10 @@ jobs:
         sed -i 's/runAsNonRoot: true/runAsNonRoot: false/' charts/icm-as/values.yaml
 
         sudo mkdir -p /data/icm/sites
-        sed -i 's/<local folder>/\/data\/icm\/sites/' charts/icm-as/values.yaml
+        sed -i 's/<local sites folder>/\/data\/icm\/sites/' charts/icm-as/values.yaml
+        
+        sudo mkdir -p /data/icm/encryption
+        sed -i 's/<local encryption folder>/\/data\/icm\/encryption/' charts/icm-as/values.yaml
 
         sudo mkdir -p /data/icm/mssql/data
         sudo mkdir -p /data/icm/mssql/backup

.github/workflows/lint-test_icm-integrationtest.yml

@@ -57,6 +57,9 @@ jobs:
         sudo mkdir -p /data/icm/sites
         sed -i 's/<local sites folder>/\/data\/icm\/sites/' charts/icm/values.yaml
 
+        sudo mkdir -p /data/icm/encryption
+        sed -i 's/<local encryption folder>/\/data\/icm\/encryption/' charts/icm/values.yaml
+
         sudo mkdir -p /data/icm/mssql/data
         sudo mkdir -p /data/icm/mssql/backup
         sed -i 's/<local mssql data folder>/\/data\/icm\/mssql\/data/' charts/icm/values.yaml

charts/icm-as/Chart.yaml

@@ -4,4 +4,4 @@ name: icm-as
 version: 1.10.0
 description: Intershop Commerce Management - AppServer
 type: application
-appVersion: 11.2.1
+appVersion: 11.10.3-LTS

charts/icm-as/release-notes/2.0.0.md

@@ -0,0 +1,23 @@
+# Detailed changes
+
+## values.yaml
+
+| Modification type | Description                                                                                         |                Severity                 | Additional Notes                                                  |
+|:-----------------:|-----------------------------------------------------------------------------------------------------|:---------------------------------------:|-------------------------------------------------------------------|
+|        ADD        | mandatory section `persistence.encryption` has been added                                           | <span style="color:red">BREAKING</span> |                                                                   |
+|        ADD        | sections `persistence.sites` and `persistence.encryption` now additinally support the type `static` | <span style="color:green">MINOR</span>  | realizes static provisioning using an existing `PersistentVolume` |
+
+
+## Infrastructure requirements
+
+| Modification type | Description                                                                                                                                                   |                Severity                 | Additional Notes                                        |
+|:-----------------:|---------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------:|---------------------------------------------------------|
+|        ADD        | storage for `persistence.encryption` has to be provived                                                                                                       | <span style="color:red">BREAKING</span> | additional storage has to be provided by infrastructure |
+|        ADD        | support for type `static` in sections `persistence.sites` and `persistence.encryption` allows to reference `PersistentVolume`s provided by the infrastructure | <span style="color:green">MINOR</span>  |                                                         |
+
+## Compatibility to icm-as
+
+|  Version(s)  | Description                                                                                              |
+|:------------:|----------------------------------------------------------------------------------------------------------|
+| &lt; 12.0.0  | *icm-as* versions < 12.0.0 can still be deployed using this chart version.                               |
+| &gt;= 12.0.0 | From *icm-as* from 12.0.0 has an addtional volume that needs files provided by `persistence.encryption`. |

charts/icm-as/templates/_volumeMounts.tpl

@@ -13,6 +13,8 @@ volumeMounts:
 {{- end }}
 - mountPath: /intershop/sites
   name: sites-volume
+- mountPath: /intershop/system-conf/cluster/encryption
+  name: encryption-volume
 {{- if .Values.persistence.customdata.enabled }}
 - mountPath: {{ .Values.persistence.customdata.mountPoint }}
   name: custom-data-volume
@@ -49,4 +51,4 @@ volumeMounts:
 - mountPath: /mnt/secrets
   name: secrets-store-inline
 {{- end }}
-{{- end -}}
+{{- end -}}

charts/icm-as/templates/_volumes.tpl

@@ -22,6 +22,7 @@ volumes:
 {{- include "icm-as.volume" (list . "jgroups" .Values.persistence.jgroups .Values.podSecurityContext) }}
 {{- end }}
 {{- include "icm-as.volume" (list . "sites" .Values.persistence.sites .Values.podSecurityContext) }}
+{{- include "icm-as.volume" (list . "encryption" .Values.persistence.encryption .Values.podSecurityContext) }}
 {{- if and (.Values.replication.enabled) (eq .Values.replication.role "source")}}
 - name: replication-volume
   configMap:
@@ -78,4 +79,4 @@ Creates a volume named {$name}-volume
   persistentVolumeClaim:
     claimName: "{{ template "icm-as.fullname" $values }}-{{$volumeValues.type}}-{{$volumeName}}-pvc"
 {{- end }}
-{{- end -}}
+{{- end -}}

charts/icm-as/templates/cluster-encryption-pvc.yaml

@@ -0,0 +1,18 @@
+{{- if eq .Values.persistence.encryption.type "cluster"  -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ template "icm-as.fullname" . }}-cluster-encryption-pvc
+spec:
+  accessModes:
+    - ReadOnlyMany
+  # use the storage class defined by cluster-sc.yaml
+  {{- if .Values.persistence.encryption.cluster.storageClass.create }}
+  storageClassName: "{{ template "icm-as.fullname" . }}-cluster-encryptions-sc"
+  {{- else if gt (len .Values.persistence.encryption.cluster.storageClass.existingClass) 0 }}
+  storageClassName: {{ .Values.persistence.encryption.cluster.storageClass.existingClass | quote }}
+  {{- end }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.encryption.size }}
+{{- end -}}

charts/icm-as/templates/cluster-encryption-sc.yaml

@@ -0,0 +1,16 @@
+{{- if eq .Values.persistence.encryption.type "cluster" -}}
+{{- if .Values.persistence.encryption.cluster.storageClass.create -}}
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: {{ include "icm-as.fullname" . }}-cluster-encryption-sc
+provisioner: kubernetes.io/azure-file
+allowVolumeExpansion: true
+mountOptions:
+{{- range .Values.persistence.encryption.cluster.storageClass.mountOptions }}
+- {{ . }}
+{{- end }}
+parameters:
+  skuName: {{ .Values.persistence.encryption.cluster.storageClass.skuName }}
+{{- end -}}
+{{- end -}}

charts/icm-as/templates/local-encryption-pv.yaml

@@ -0,0 +1,17 @@
+{{- if eq .Values.persistence.encryption.type "local" -}}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: {{ template "icm-as.fullname" . }}-local-encryption-pv
+  labels:
+    type: local
+spec:
+  storageClassName: standard
+  capacity:
+    storage: {{ .Values.persistence.encryption.size }}
+  accessModes:
+  - ReadOnlyMany
+  persistentVolumeReclaimPolicy: Delete
+  hostPath:
+    path: "{{ .Values.persistence.encryption.local.path }}"
+{{- end -}}

charts/icm-as/templates/local-encryption-pvc.yaml

@@ -0,0 +1,14 @@
+{{- if eq .Values.persistence.encryption.type "local" -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ template "icm-as.fullname" . }}-local-encryption-pvc
+spec:
+  storageClassName: standard
+  accessModes:
+  - ReadOnlyMany
+  resources:
+    requests:
+      storage: {{ .Values.persistence.encryption.size }}
+  volumeName: {{ template "icm-as.fullname" . }}-local-encryption-pv
+{{- end -}}

charts/icm-as/templates/nfs-encryption-pv.yaml

@@ -0,0 +1,17 @@
+{{- if eq .Values.persistence.encryption.type "nfs" -}}
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: {{ template "icm-as.fullname" . }}-nfs-encryption-pv
+  labels:
+    type: nfs
+{{ include "icm-as.labels" . | indent 4 }}
+spec:
+  capacity:
+    storage: {{ .Values.persistence.encryption.size }}
+  accessModes:
+  - ReadOnlyMany
+  nfs:
+    server: {{ .Values.persistence.encryption.nfs.server | quote }}
+    path: {{ .Values.persistence.encryption.nfs.path | quote }}
+{{- end -}}

charts/icm-as/templates/nfs-encryption-pvc.yaml

@@ -0,0 +1,22 @@
+{{- if eq .Values.persistence.encryption.type "nfs" -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ template "icm-as.fullname" . }}-nfs-encryption-pvc
+  annotations:
+    # avoid deleting with helm update
+    "helm.sh/resource-policy": keep
+  labels:
+{{ include "icm-as.labels" . | indent 4 }}
+spec:
+  accessModes:
+  - ReadOnlyMany
+  storageClassName: ""
+  volumeName: {{ template "icm-as.fullname" . }}-nfs-encryption-pv
+  resources:
+    requests:
+      storage: {{ .Values.persistence.encryption.size }}
+  selector:
+    matchLabels:
+      type: nfs
+{{- end -}}

charts/icm-as/templates/static-encryption-pvc.yaml

@@ -0,0 +1,14 @@
+{{- if eq .Values.persistence.encryption.type "static" -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ template "icm-as.fullname" . }}-static-encryption-pvc
+spec:
+  storageClassName: {{ .Values.persistence.encryption.static.storageClass | quote }}
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: {{ .Values.persistence.encryption.size }}
+  volumeName: {{ .Values.persistence.encryption.static.name | quote }}
+{{- end -}}

charts/icm-as/templates/static-sites-pvc.yaml

@@ -0,0 +1,14 @@
+{{- if eq .Values.persistence.sites.type "static" -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ template "icm-as.fullname" . }}-static-sites-pvc
+spec:
+  storageClassName: {{ .Values.persistence.sites.static.storageClass | quote }}
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: {{ .Values.persistence.sites.size }}
+  volumeName: {{ .Values.persistence.sites.static.name | quote }}
+{{- end -}}

charts/icm-as/tests/persistence-sites_test.yaml

@@ -7,6 +7,7 @@ templates:
   - templates/cluster-sites-sc.yaml
   - templates/nfs-sites-pv.yaml
   - templates/nfs-sites-pvc.yaml
+  - templates/static-sites-pvc.yaml
 tests:
   - it: type=local in as-deployment
     release:
@@ -318,3 +319,58 @@ tests:
       - equal:
           path: spec.selector.matchLabels.type
           value: nfs
+
+  - it: type=static in as-deployment
+    release:
+      name: icm-as
+    chart:
+      version: 0.8.15
+    values:
+      - ../values.yaml
+    set:
+      persistence.sites.type: static
+      persistence.sites.size: 1.5Gi
+      persistence.sites.static.name: sites-pv
+      persistence.sites.static.storageClass: azurefile-icm
+    template: templates/as-deployment.yaml
+    asserts:
+      #spec.template.spec.volumes
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: sites-volume
+            persistentVolumeClaim:
+              claimName: "icm-as-static-sites-pvc"
+
+  - it: type=static in static-sites-pvc
+    release:
+      name: icm-as
+    chart:
+      version: 0.8.15
+    values:
+      - ../values.yaml
+    set:
+      persistence.sites.type: static
+      persistence.sites.size: 1.5Gi
+      persistence.sites.static.name: sites-pv
+      persistence.sites.static.storageClass: azurefile-icm
+    template: templates/static-sites-pvc.yaml
+    asserts:
+      - isKind:
+          of: PersistentVolumeClaim
+      - equal:
+          path: metadata.name
+          value: icm-as-static-sites-pvc
+      #spec
+      - equal:
+          path: spec.storageClassName
+          value: azurefile-icm
+      - equal:
+          path: spec.volumeName
+          value: sites-pv
+      - equal:
+          path: spec.accessModes[0]
+          value: ReadWriteMany
+      - equal:
+          path: spec.resources.requests.storage
+          value: 1.5Gi

charts/icm-as/values.yaml

@@ -183,9 +183,14 @@ secrets:
 persistence:
   sites:
     size: 1Gi
-    # type cluster | nfs | azurefiles | existingClaim | local
+    # type cluster | nfs | azurefiles | static | existingClaim | local
     type: local
     existingClaim: <claim name>
+    static:
+      # name of persistent volume to be used
+      name: <volume name>
+      # storage class of the persistent volume to be used
+      storageClass: <storage class>
     cluster:
       storageClass:
         create: false
@@ -208,7 +213,40 @@ persistence:
       server: <ipaddress or hostname>
       path: <server folder>
     local:
-      path: <local folder>
+      path: <local sites folder>
+  encryption:
+    size: 1Gi
+    # type cluster | nfs | azurefiles | static | existingClaim | local
+    type: local
+    existingClaim: <claim name>
+    static:
+      # name of persistent volume to be used
+      name: <volume name>
+      # storage class of the persistent volume to be used
+      storageClass: <storage class>
+    cluster:
+      storageClass:
+        create: false
+        # if create == false an exiting class could be set
+        # if empty value is set the default storage class is used
+        existingClass: ""
+        # skuName: Standard_LRS
+        # mountOptions:
+        # - uid=150
+        # - gid=150
+        # - dir_mode=0777
+        # - file_mode=0777
+        # - mfsymlinks
+        # - cache=strict
+        # - actimeo=30
+    azurefiles:
+      shareName: icm-as-share
+      secretName: icm-as-share-secret
+    nfs:
+      server: <ipaddress or hostname>
+      path: <server folder>
+    local:
+      path: <local encryption folder>
   jgroups:
     size: 1Gi
     # type emptyDir | existingClaim | cluster | local | azurefiles