Merge pull request #52 from IBM/Release-Dec-2020

December 2020 release

.gitignore

@@ -96,3 +96,4 @@ yarn-error.log
 # Yarn Integrity file
 .yarn-integrity
 !package-lock.json
+buildlogs

CHANGELOG.md

@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file
 
+
+## v20.12.0
+
+### Changed
+
+* Limit allowed HTTP verbs as detailed in the [Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS8S5A_7.0.11/com.ibm.curam.content.doc/Security/t_SECHAND_httpverbperms.html)
+* Set `-Xshareclasses` to `none` for Liberty-based images as workaround for OpenJ9 issue ([#51](https://github.com/IBM/spm-kubernetes/issues/51))
+* Adds values from `podAnnotations` at deployment of `apps` chart
+
+### Fixed
+
+* Added clarification that NFS folders must be configured prior to using MQ with NFS ([#31](https://github.com/IBM/spm-kubernetes/issues/31))
+* Added `mountOptions` configuration to `mqserver` PVs ([#30](https://github.com/IBM/spm-kubernetes/issues/30))
+* Synchronised handling of MQ TLS certificate secrets between `apps` and `mqserver` charts ([#28](https://github.com/IBM/spm-kubernetes/issues/28))
+
 ## v20.11.0
 
 ### Added

dockerfiles/Liberty/Batch.Dockerfile

@@ -38,6 +38,7 @@ CMD ["runbatch"]
 ARG ANT_VERSION
 ENV ANT_HOME=/opt/apache-ant-${ANT_VERSION} \
     ANT_OPTS='-Xmx1400m -Dcmp.maxmemory=1400m' \
+    IBM_JAVA_OPTIONS='-Xshareclasses:none -XX:+UseContainerSupport' \
     JAVA_HOME=/opt/ibm/java \
     JAVAMAIL_HOME=/opt/javamail \
     WLP_HOME=/opt/ibm/wlp

dockerfiles/Liberty/ServerEAR.Dockerfile

@@ -17,7 +17,7 @@
 ARG WLP_VERSION=20.0.0.9-full-java8-ibmjava-ubi
 ARG MQ_ADAPTER_VERSION=9.1.5.0
 ARG MQ_RA_LICENSE
-ARG JMX_EXPORTER_URL=https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.13.0/jmx_prometheus_javaagent-0.13.0.jar
+ARG JMX_EXPORTER_URL=https://repo1.maven.org/maven2/io/prometheus/jmx/jmx_prometheus_javaagent/0.14.0/jmx_prometheus_javaagent-0.14.0.jar
 
 # Explode EAR in a disposable environment
 FROM alpine AS ExplodedEAR
@@ -41,7 +41,11 @@ RUN java -jar /tmp/${MQ_ADAPTER_VERSION}-IBM-MQ-Java-InstallRA.jar ${MQ_RA_LICEN
 FROM ibmcom/websphere-liberty:${WLP_VERSION} AS servercode
 ARG JMX_EXPORTER_URL
 
+ENV IBM_JAVA_OPTIONS='-Xshareclasses:none -XX:+UseContainerSupport'
+
 USER root
+# Prometheus JMX Exporter
+ADD $JMX_EXPORTER_URL /config/configDropins/overrides/jmx_prometheus_javaagent.jar
 RUN rpm -e --nodeps tzdata \
     && yum install -y tzdata \
     && yum install -y wget \
@@ -53,12 +57,10 @@ RUN rpm -e --nodeps tzdata \
     && chmod -R g=u /opt/ibm/wlp/usr/shared \
     && chmod -R g=u /output \
     && rm -f /config/configDropins/defaults/* \
-    # Prometheus JMX Exporter
-    && wget -O /config/configDropins/overrides/jmx_prometheus_javaagent.jar -o /tmp/wget.txt $JMX_EXPORTER_URL \
     && touch /config/configDropins/overrides/config.yaml \
     && chown 1001:0 /config/configDropins/overrides/config.yaml /config/configDropins/overrides/jmx_prometheus_javaagent.jar \
     && rm -f /tmp/wget.txt
- 
+
 USER 1001
 
 COPY --chown=1001:0 content/*.sh /opt/ibm/helpers/runtime/

helm-charts/apps/Chart.yaml

@@ -17,19 +17,19 @@ apiVersion: v2
 kubeVersion: ">=1.16"
 appVersion: "7.0.11.0"
 name: apps
-description: |- 
+description: |-
   Helm Chart for Deployment of Curam SPM Applications within a Kubernetes Cluster
-  
+
   Documentation
   For complete documentation please see the chart README
 
   License
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at
-  
+
   http://www.apache.org/licenses/LICENSE-2.0
-version: 3.2.1
+version: 3.2.2
 maintainers:
   - name: IBM
   - name: Cúram SPM Dev Team

helm-charts/apps/RELEASENOTES.md

@@ -12,12 +12,15 @@
 
 # Version History
 
+## v3.2.2
+
+* Adds values from `podAnnotations` at deployment
+* Synchronise logic for handling MQ TLS certificate secrets with `mqserver` chart.
 
 ## v3.2.1
 
 * Activate SAML when using single sign-on (SSO)
 
-
 ## v3.2.0
 
 * Remove hard requirement on OpenLDAP for elasticity.

helm-charts/apps/templates/_helpers.tpl

@@ -79,10 +79,10 @@ JMX Stats Persistence enablement options
 {{- end -}}
 
 {{/*
-Prometheus JMX Exporter
+Prometheus JMX Exporter JVM Config
 */}}
-{{- define "jmxExporter.config" -}}
-{{- printf "-javaagent:/config/configDropins/overrides/jmx_prometheus_javaagent.jar=%s:%d:/config/configDropins/overrides/config.yaml"  .Values.global.apps.common.jmxExporter.agent.host ( .Values.global.apps.common.jmxExporter.agent.port | default 8080 | int ) -}}
+{{- define "jmxExporter.configJvm" -}}
+{{- printf "-javaagent:/config/configDropins/overrides/jmx_prometheus_javaagent.jar=%d:/config/configDropins/overrides/config.yaml" ( .Values.jmxExporter.port | default 8080 | int ) -}}
 {{- end -}}
 
 {{/*

helm-charts/apps/templates/configmaps/configmap-jmx-exporter-config.yaml

@@ -0,0 +1,30 @@
+{{- include "sch.config.init" (list . "apps.sch.chart.config.values") -}}
+{{- if and .Values.global.useBetaFeatures .Values.jmxExporter.enabled }}
+---
+###############################################################################
+# Copyright 2019,2020 IBM Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+###############################################################################
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-jmx-exporter-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "sch.metadata.labels.standard" (list . "") | nindent 4 }}
+data:
+  config.yaml: |-
+    {{- .Values.jmxExporter.configYaml | default "" | nindent 4 -}}
+{{- end }}

helm-charts/apps/templates/configmaps/configmap-jvm-options-override.yaml

@@ -34,8 +34,5 @@ data:
     {{- if and (not $app.excludeJmxStats) ($.Values.global.apps.common.persistence.enabled) ($.Values.global.apps.common.persistence.jmxstats.enabled) -}}
     {{- include "persistence.jmxStats" $ | nindent 4 -}}
     {{- end -}}
-    {{- if ($.Values.global.apps.common.jmxExporter.enabled) -}}
-    {{- include "jmxExporter.config" $ | nindent 4 -}}
-    {{- end -}}
 {{- end }}
 {{- end }}

helm-charts/apps/templates/configmaps/configmap-jvm-options.yaml

@@ -36,3 +36,6 @@ data:
     -verbose:gc
     -Xverbosegclog:verbosegc.log
     {{- end }}
+    {{- if and $.Values.global.useBetaFeatures $.Values.jmxExporter.enabled -}}
+    {{- include "jmxExporter.configJvm" . | nindent 4 -}}
+    {{- end -}}

helm-charts/apps/templates/deployment-consumer.yaml

@@ -40,6 +40,9 @@ spec:
         {{- include "sch.metadata.labels.standard" (list $ (printf "%s-consumer" $name)) | nindent 8 }}
       annotations:
         {{- include "sch.metadata.annotations.metering" (list $ $.sch.chart.metering) | indent 8 }}
+        {{- with $.Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       {{- include "sch.security.securityContext" (list $ $.sch.chart.podSecurityContext) | indent 6 }}
       affinity:
@@ -93,6 +96,11 @@ spec:
         - name: ltpa-secret
           secret:
             secretName: {{ default (printf "%s-ltpa-keys" $.Release.Name) $.Values.ltpaKeys.secretName }}
+        {{- if and $.Values.global.useBetaFeatures $.Values.jmxExporter.enabled }}
+        - name: jmx-exporter-config
+          configMap:
+            name: {{ $.Release.Name }}-jmx-exporter-config
+        {{- end }}
         - name: keystore-volume
           emptyDir: {}
         - name: env-volume
@@ -109,15 +117,13 @@ spec:
           secret:
             secretName: {{ $.Values.global.database.ssl.secretName }}
         {{- end }}
-        {{- if $.Values.global.mq.tlsSecretName }}
         - name: mq-certs
           secret:
             {{- if $.Values.global.mq.useConnectionNameList }}
-            secretName: {{ $.Values.global.mq.tlsSecretName }}
+            secretName: {{ required "Name of secret containing IBM MQ certificates not provided! (global.mq.tlsSecretName)" $.Values.global.mq.tlsSecretName }}
             {{- else }}
-            secretName: {{ $.Release.Name }}-mq-secret
+            secretName: {{ $.Values.global.mq.tlsSecretName | default (printf "%s-mq-secret" $.Release.Name) }}
             {{- end }}
-        {{- end}}
         {{- if $.Values.global.apps.common.persistence.enabled }}
         - name: {{ $.Release.Name }}-persistence-volume
           persistentVolumeClaim:
@@ -148,7 +154,7 @@ spec:
                 echo waiting for {{ $name }}{{ $.Values.global.mq.queueManager.name | lower }}-ibm-mq:1414 to be reachable;
                 sleep 2;
               done;
-            {{- else }}            
+            {{- else }}
             - >
               until nc -z -w3 {{ $.Release.Name }}-mqserver-{{ $name }} 1414; do
                 echo waiting for {{ $.Release.Name }}-mqserver-{{ $name }}:1414 to be reachable;
@@ -207,7 +213,6 @@ spec:
               mountPath: /mnt/envvol
             - name: service-certs
               mountPath: /mnt/svcCertificates
-        {{- if $.Values.global.mq.tlsSecretName }}
         - name: import-certs-for-mq
           {{- include "utilities.definition" $ | indent 10 }}
           env:
@@ -227,15 +232,14 @@ spec:
               {{- if $.Values.global.mq.useConnectionNameList }}
               keytool -import -trustcacerts -noprompt -alias {{ $qmgrName | lower }} -file $mqCrtDir/key_{{ $qmgrName }}.arm -keystore $truststore -storepass $password -storetype pkcs12;
               {{- else }}
-              keytool -import -trustcacerts -noprompt -alias ibmwebspheremqqm1 -file $mqCrtDir/tls.crt -keystore $truststore -storepass $password -storetype pkcs12;
+              keytool -import -trustcacerts -noprompt -alias ibmwebspheremq{{ $.Values.global.mq.queueManager.name | lower }} -file $mqCrtDir/tls.crt -keystore $truststore -storepass $password -storetype pkcs12;
               {{- end }}
               keytool -list -v -keystore $truststore -storepass $password -storetype pkcs12;
           volumeMounts:
             - name: keystore-volume
               mountPath: /mnt/keystores
             - name: mq-certs
               mountPath: /mnt/mqCertificates
-        {{- end }}
       containers:
         - name: {{ $.Chart.Name }}-consumer-{{ $name }}
           image: {{ include "apps.imageFullName" $imageData }}
@@ -282,7 +286,7 @@ spec:
             - name: MQ_HOST_NAME
             {{- if $.Values.global.mq.multiInstance.operatorsEnabled }}
               value: {{ $name }}{{ $.Values.global.mq.queueManager.name | lower }}-ibm-mq
-            {{- else }}            
+            {{- else }}
               value: {{ $.Release.Name }}-mqserver-{{ $name }}
             {{- end }}
             - name: MQ_QMGR_NAME
@@ -359,6 +363,11 @@ spec:
             - name: ltpa-secret
               mountPath: /opt/ibm/wlp/output/defaultServer/resources/security/{{ $.Values.ltpaKeys.secretKey }}
               subPath: {{ $.Values.ltpaKeys.secretKey }}
+            {{- if and $.Values.global.useBetaFeatures $.Values.jmxExporter.enabled }}
+            - name: jmx-exporter-config
+              mountPath: /config/configDropins/overrides/config.yaml
+              subPath: config.yaml
+            {{- end }}
             - name: keystore-volume
               mountPath: /output/resources/security
             {{- if $.Values.global.apps.common.persistence.enabled }}

helm-charts/apps/templates/deployment-producer.yaml

@@ -39,6 +39,9 @@ spec:
         {{- include "sch.metadata.labels.standard" (list $ (printf "%s-producer" $name) ) | nindent 8 }}
       annotations:
         {{- include "sch.metadata.annotations.metering" (list $ $.sch.chart.metering) | nindent 8 }}
+        {{- with $.Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       {{- include "sch.security.securityContext" (list $ $.sch.chart.podSecurityContext) | nindent 6 }}
       affinity:
@@ -105,6 +108,11 @@ spec:
           configMap:
             name: {{ $.Release.Name }}-federated-metadata-cm
         {{- end }}
+        {{- if and $.Values.global.useBetaFeatures $.Values.jmxExporter.enabled }}
+        - name: jmx-exporter-config
+          configMap:
+            name: {{ $.Release.Name }}-jmx-exporter-config
+        {{- end }}
         - name: keystore-volume
           emptyDir: {}
         - name: env-volume
@@ -121,15 +129,13 @@ spec:
           secret:
             secretName: {{ $.Values.global.database.ssl.secretName }}
         {{- end }}
-        {{- if $.Values.global.mq.tlsSecretName }}
         - name: mq-certs
           secret:
             {{- if $.Values.global.mq.useConnectionNameList }}
-            secretName: {{ $.Values.global.mq.tlsSecretName }}
+            secretName: {{ required "Name of secret containing IBM MQ certificates not provided! (global.mq.tlsSecretName)" $.Values.global.mq.tlsSecretName }}
             {{- else }}
-            secretName: {{ $.Release.Name }}-mq-secret
+            secretName: {{ $.Values.global.mq.tlsSecretName | default (printf "%s-mq-secret" $.Release.Name) }}
             {{- end }}
-        {{- end}}
         {{- if $.Values.global.apps.common.persistence.enabled }}
         - name: {{ $.Release.Name }}-persistence-volume
           persistentVolumeClaim:
@@ -211,7 +217,6 @@ spec:
               mountPath: /mnt/keystores
             - name: service-certs
               mountPath: /mnt/svcCertificates
-        {{- if $.Values.global.mq.tlsSecretName }}
         - name: import-certs-for-mq
           {{- include "utilities.definition" $ | indent 10 }}
           env:
@@ -236,7 +241,7 @@ spec:
               {{- if $.Values.global.mq.useConnectionNameList }}
               keytool -import -trustcacerts -noprompt -alias {{ $qmgrName | lower }} -file $mqCrtDir/key_{{ $qmgrName }}.arm -keystore $truststore -storepass $password -storetype pkcs12;
               {{- else }}
-              keytool -import -trustcacerts -noprompt -alias ibmwebspheremqqm1 -file $mqCrtDir/tls.crt -keystore $truststore -storepass $password -storetype pkcs12;
+              keytool -import -trustcacerts -noprompt -alias ibmwebspheremq{{ $.Values.global.mq.queueManager.name | lower }} -file $mqCrtDir/tls.crt -keystore $truststore -storepass $password -storetype pkcs12;
               {{- end }}
               keytool -list -v -keystore $truststore -storepass $password -storetype pkcs12;
               echo "POD_HOSTNAME=$podHostname" | sed "s/-/_/g" > /mnt/envvol/server.env
@@ -247,7 +252,6 @@ spec:
               mountPath: /mnt/envvol
             - name: mq-certs
               mountPath: /mnt/mqCertificates
-        {{- end }}
       containers:
         - name: {{ $.Chart.Name }}-producer-{{ $name }}
           image: {{ include "apps.imageFullName" $imageData }}
@@ -408,6 +412,11 @@ spec:
               mountPath: /output/resources/security/federation_metadata.xml
               subPath: federation_metadata.xml
             {{- end }}
+            {{- if and $.Values.global.useBetaFeatures $.Values.jmxExporter.enabled }}
+            - name: jmx-exporter-config
+              mountPath: /config/configDropins/overrides/config.yaml
+              subPath: config.yaml
+            {{- end }}
             - name: keystore-volume
               mountPath: /output/resources/security
             {{- if $.Values.global.apps.common.persistence.enabled }}

helm-charts/apps/values.yaml

@@ -17,6 +17,7 @@
 global:
   # Set to 'accept' to accept the license terms of WebSphere Liberty and WebSphere MQ
   license: ''
+  useBetaFeatures: false
   images:
     registry: &imageRegistry minikube.local:5000
     imageLibrary: ''
@@ -72,12 +73,6 @@ global:
           # The property timerPeriod sets the value curam.jmx.output_statistics_timer_period in milliseconds
           enabled: false
           timerPeriod: 60000
-      jmxExporter:
-        # Enable use of Prometheus JMX Exporter javaagent in Liberty
-        enabled: false
-        agent:
-          host: localhost
-          port: 8080
     config:
       curam:
         enabled: true
@@ -216,8 +211,8 @@ global:
   mq:
     # Set to True if running MQ in HA mode
     useConnectionNameList: false
-    objectSuffix: minikube
-    tlsSecretName: mq-secret
+    objectSuffix: ''
+    tlsSecretName: ''
     multiInstance:
       operatorsEnabled: false
     queueManager:
@@ -228,7 +223,7 @@ global:
         # appUsernameKey is the secret key that contains the username for client connections between Liberty and MQ
         appUsernameKey: 'appUsername'
   ingress:
-    hostname: minikube.local
+    hostname: ''
 
 # Name of an existing ServiceAccount for the application runtime
 serviceAccountName: ""
@@ -293,3 +288,12 @@ defaultResources:
   limits:
     cpu: 0.75
     memory: 1Gi
+
+# Pods Annotations
+podAnnotations: {}
+
+# JMX Exporter configuration (Beta Feature)
+jmxExporter:
+  enabled: false
+  port: 8080
+  configYaml: ''