Merge pull request #34 from IBM/Release-Aug-2020

August release

.gitignore

@@ -1,6 +1,7 @@
 _book
 *.html
 
+/ci.*
 *.lock
 *.tgz
 refreshChartMuseum.sh
@@ -23,6 +24,7 @@ StaticContent.zip
 .settings
 *.drawio
 /Release-*
+~$*
 build/
 !/Jenkins/Pipelines/Build
 

CHANGELOG.md

@@ -2,6 +2,35 @@
 
 All notable changes to this project will be documented in this file.
 
+## v20.8.0
+
+### Removed
+
+* Removed initContainers from statefulset.yaml in MQ chart
+
+### Added
+
+* Add option to provide pull secret name created outside the Helm release
+* Add `proxy-read-timeout` for NGinx-based Ingress controllers
+* Add option to provide the `ibm.io/region` annotation to PVC
+* Add supplementGroup value to MQ chart that may be required depending on the persistent volume
+* Add troubleshooting section to cover IBM Cloud Object storage connection issue
+* Add Note explaining Universal Base Images (UBI)
+
+
+### Changed
+
+* Remove hardcoded WebSphere Liberty credentials
+* Disable Admin Center by default
+* Move custom SQL execution to pre-install hook
+* Upgraded MQ image from 9.1.3 to 9.1.5
+
+### Fixed
+
+* InitContainer for Batch does not meet pod security policy requirements
+* Missing Batch debug-file configmap ([#29](https://github.com/IBM/spm-kubernetes/issues/29))
+* Fixed Helm Chart syntax for enabling JMX Stats
+
 ## v20.7.0
 
 ### Removed
@@ -18,10 +47,10 @@ All notable changes to this project will be documented in this file.
 * Chart hooks for managing LTPA keys and MQ client user
 * Liberty runtime liveness probe (checks log for specific error messages)
 * Instructions for handling failed JMS messages on the MQ dead message queue
-* In the MQ chart, a check before creating deployment to see if multi-instance MQ is desired.
-* Values for use in multi-instance MQ, with both static and dynamic storage.
-* A stateful set YAML file for use in multi-instance MQ.
-* PV and PVC YAML files for use in multi-instance MQ.
+* In the MQ chart, a check before creating deployment to see if multi-instance MQ is desired
+* Values for use in multi-instance MQ, with both static and dynamic storage
+* A stateful set YAML file for use in multi-instance MQ
+* PV and PVC YAML files for use in multi-instance MQ
 
 ### Changed
 
@@ -68,7 +97,7 @@ All notable changes to this project will be documented in this file.
 * Change SSL keystore type from JKS to PKCS#12
 * Changed IHS image to run as non-root user
 * Changed IHS image to mount in SSL certificates provided by Kubernetes secrets
-* Updated Architecture Diagram to clearly demark producers, consumers and types of worker nodes.
+* Updated Architecture Diagram to clearly demark producers, consumers and types of worker nodes
 * Changed EAR readiness pathes to avoid multiple redirections in the logs
 
 ### Fixed

helm-charts/apps/Chart.yaml

@@ -18,7 +18,7 @@ kubeVersion: ">=1.16"
 appVersion: "7.0.10.0"
 name: apps
 description: Helm Chart for Deployment of Curam SPM Applications within a Kubernetes Cluster
-version: 3.0.0
+version: 3.1.0
 maintainers:
   - name: Cúram SPM Dev Team
     url: https://github.com/IBM/spm-kubernetes

helm-charts/apps/README.md

@@ -34,4 +34,4 @@ Not required as the underlying WebSphere Liberty server runs with the default re
 
 ## Configuration
 
-See [README.md](../spm) in the `spm` umbrella chart.
+See [README.md](../spm/README.md) in the `spm` umbrella chart.

helm-charts/apps/RELEASENOTES.md

@@ -1,13 +1,13 @@
 # What's new
 
-* OpenShift support introduced
+* Red Hat OpenShift support introduced
 * Runs with `restricted` (default) pod security policy
 
 ### Fixes
 
 # Breaking Changes
 
-* The structure of values for configuring the Liberty runtime of the application has changed
+* The structure of values for configuring the Liberty runtime of the application has changed:
 
   | Old property | New property | Default value | Comment |
   | ------------ | ------------ | ------------- | ------- |
@@ -26,7 +26,7 @@
   | `global.xmlserver.port` | Removed | `- `| Specifying the XML server port is not relevant in the Kubernetes environment. |
 
 
-* The new values must be nest under `apps`, when specifying values using the umbrella chart to take effect, for example:
+* When specifying value overrides using the umbrella chart the new values must be nested under `apps`, for example:
 
   ```yaml
   apps:
@@ -39,10 +39,17 @@
 
 ## Prerequisites
 
-* See README.md
+* For a full list of any prerequisites please see the [README.md](README.md)
 
 # Version History
 
+## v3.1.0
+
+* Generate WebSphere Liberty keystore and administrative credentials on install
+* Move custom SQL execution to pre-install hook
+* Add option to provide pull secret name created outside the release
+* Fixed Helm Chart syntax for enabling JMX Stats
+
 ## v3.0.0
 
 * Reduce privilege requirements to run with the `restricted` security policy

helm-charts/apps/templates/configmaps/configmap-jms-consumer-security.yaml

@@ -30,18 +30,18 @@ data:
 
       <ssl clientAuthentication="false" clientAuthenticationSupported="false" id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
           securityLevel="HIGH" sslProtocol="TLSv1.2" />
-      <keyStore id="defaultKeyStore" location="key.p12" password="{xor}Lz4sLCgwLTs=" />
+      <keyStore id="defaultKeyStore" location="key.p12" password="${env.XORKeystorePassword}" />
       <ltpa keysPassword="${env.LTPA_KEYS_PASS}" keysFileName="${server.output.dir}/resources/security/{{ .Values.ltpaKeys.secretKey }}" />
 
       <basicRegistry id="basic" realm="BasicRegistry">
-        <user name="websphere" password="{xor}KDo9LC83Oi06" />
+        <user name="${env.WebSphereUsername}" password="${env.XORWebSpherePassword}" />
         <user name="${env.SYSTEM_USER}" password="${env.SYSTEM_PASSWORD}" />
 
         <group name="everyone"/>
       </basicRegistry>
 
       <administrator-role>
-        <user>websphere</user>
+        <user>${env.WebSphereUsername}</user>
       </administrator-role>
 
       <authentication id="Basic" cacheEnabled="true"/>
@@ -53,15 +53,15 @@ data:
       <jaasLoginContextEntry id="system.WEB_INBOUND" loginModuleRef="myCustomWebInbound,hashtable,userNameAndPassword,certificate" name="system.WEB_INBOUND"/>
       <jaasLoginModule className="curam.util.security.CuramLoginModule" controlFlag="REQUIRED" id="myCustomWebInbound" libraryRef="customLoginLib">
         <options
-          exclude_usernames="websphere,${env.SYSTEM_USER}"
+          exclude_usernames="${env.WebSphereUsername},${env.SYSTEM_USER}"
           login_trace="{{ .Values.loginConfig.trace }}"
         />
       </jaasLoginModule>
 
       <jaasLoginContextEntry id="system.DEFAULT" loginModuleRef="myCustomDefault,hashtable,userNameAndPassword,certificate" name="system.DEFAULT"/>
       <jaasLoginModule className="curam.util.security.CuramLoginModule" controlFlag="REQUIRED" id="myCustomDefault" libraryRef="customLoginLib">
         <options
-          exclude_usernames="websphere,${env.SYSTEM_USER}"
+          exclude_usernames="${env.WebSphereUsername},${env.SYSTEM_USER}"
           login_trace="{{ .Values.loginConfig.trace }}"
         />
       </jaasLoginModule>

helm-charts/apps/templates/configmaps/configmap-jms-producer-security.yaml

@@ -30,11 +30,11 @@ data:
 
       <ssl clientAuthentication="false" clientAuthenticationSupported="false" id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
           securityLevel="HIGH" sslProtocol="TLSv1.2" />
-      <keyStore id="defaultKeyStore" location="key.p12" password="{xor}Lz4sLCgwLTs=" />
+      <keyStore id="defaultKeyStore" location="key.p12" password="${env.XORKeystorePassword}" />
       <ltpa keysPassword="${env.LTPA_KEYS_PASS}" keysFileName="${server.output.dir}/resources/security/{{ .Values.ltpaKeys.secretKey }}" />
 
       <basicRegistry id="basic" realm="BasicRegistry">
-        <user name="websphere" password="{xor}KDo9LC83Oi06" />
+        <user name="${env.WebSphereUsername}" password="${env.XORWebSpherePassword}" />
         {{- if not .Values.global.openldap.enabled }}
         <user name="${env.SYSTEM_USER}" password="${env.SYSTEM_PASSWORD}" />
         {{- end }}
@@ -43,7 +43,7 @@ data:
       </basicRegistry>
 
       <administrator-role>
-        <user>websphere</user>
+        <user>${env.WebSphereUsername}</user>
       </administrator-role>
 
       <authentication id="Basic" cacheEnabled="true"/>
@@ -55,7 +55,7 @@ data:
       <jaasLoginContextEntry id="system.WEB_INBOUND" loginModuleRef="myCustomWebInbound,hashtable,userNameAndPassword,certificate,token" name="system.WEB_INBOUND"/>
       <jaasLoginModule className="curam.util.security.CuramLoginModule" controlFlag="REQUIRED" id="myCustomWebInbound" libraryRef="customLoginLib">
         <options
-          exclude_usernames="websphere,${env.SYSTEM_USER}"
+          exclude_usernames="${env.WebSphereUsername},${env.SYSTEM_USER}"
           login_trace="{{ .Values.loginConfig.trace }}"
           {{- if .Values.global.openldap.enabled }}
           check_identity_only="{{ .Values.loginConfig.identityOnly }}"
@@ -66,7 +66,7 @@ data:
       <jaasLoginContextEntry id="system.DEFAULT" loginModuleRef="myCustomDefault,hashtable,userNameAndPassword,certificate,token" name="system.DEFAULT"/>
       <jaasLoginModule className="curam.util.security.CuramLoginModule" controlFlag="REQUIRED" id="myCustomDefault" libraryRef="customLoginLib">
         <options
-          exclude_usernames="websphere,${env.SYSTEM_USER}"
+          exclude_usernames="${env.WebSphereUsername},${env.SYSTEM_USER}"
           login_trace="{{ .Values.loginConfig.trace }}"
           {{- if .Values.global.openldap.enabled }}
           check_identity_only="{{ .Values.loginConfig.identityOnly }}"

helm-charts/apps/templates/configmaps/configmap-jvm-options-override.yaml

@@ -32,7 +32,7 @@ data:
     {{ . }}
     {{- end }}
     {{- if and (not $app.excludeJmxStats) ($.Values.global.apps.common.persistence.enabled) ($.Values.global.apps.common.persistence.jmxstats.enabled) -}}
-    {{- include "persistence.jmxStats" | nindent 4 -}}
+    {{- include "persistence.jmxStats" $ | nindent 4 -}}
     {{- end -}}
 {{- end }}
 {{- end }}

helm-charts/apps/templates/configmaps/configmap-server.yaml

@@ -36,7 +36,9 @@ data:
         <feature>javaee-7.0</feature>
         <feature>localConnector-1.0</feature>
         <feature>jaxb-2.2</feature>
+        {{- if .Values.wlpAdmin.enableAdminCenter }}
         <feature>adminCenter-1.0</feature>
+        {{- end }}
         <feature>jndi-1.0</feature>
       </featureManager>
 

helm-charts/apps/templates/deployment-consumer.yaml

@@ -42,9 +42,9 @@ spec:
       {{- include "sch.security.securityContext" (list $ $.sch.chart.podSecurityContext) | indent 6 }}
       affinity:
         {{- include "sch.affinity.nodeAffinity" (list $ $.sch.chart.nodeAffinity) | indent 8 }}
-      {{- if $.Values.global.imagePullSecret.username }}
+      {{- if or $.Values.global.imagePullSecret.secretName $.Values.global.imagePullSecret.username }}
       imagePullSecrets:
-        - name: {{ $.Release.Name }}-pull-secret
+        - name: {{ default (printf "%s-pull-secret" $.Release.Name) $.Values.global.imagePullSecret.secretName }}
       {{- end }}
       restartPolicy: {{ $app.restartPolicy | default "Always" }}
       serviceAccountName: {{ default (include "sch.names.fullName" (list $)) $.Values.serviceAccountName }}
@@ -172,7 +172,10 @@ spec:
             - name: keystore
               value: /mnt/keystores/key.p12
             - name: password
-              value: password
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default (printf "%s-wlpadm" $.Release.Name) $.Values.wlpAdmin.secretName }}
+                  key: KeystorePassword
           command:
             - /bin/sh
             - -c
@@ -193,7 +196,10 @@ spec:
             - name: truststore
               value: /mnt/keystores/key.p12
             - name: password
-              value: password
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default (printf "%s-wlpadm" $.Release.Name) $.Values.wlpAdmin.secretName }}
+                  key: KeystorePassword
           command:
             - /bin/sh
             - -c
@@ -210,16 +216,6 @@ spec:
             - name: mq-certs
               mountPath: /mnt/mqCertificates
         {{- end }}
-        - name: wait-for-curam
-          {{- include "utilities.definition" $ | indent 10 }}
-          command:
-            - /bin/sh
-            - -c
-            - >
-              until nc -z -w3 {{ include "sch.names.fullCompName" (list $ "curam") }} {{ $.Values.httpsPort }}; do
-                echo waiting for {{ include "sch.names.fullCompName" (list $ "curam") }}:{{ $.Values.httpsPort }} to be reachable;
-                sleep 2;
-              done;
       containers:
         - name: {{ $.Chart.Name }}-consumer-{{ $name }}
           image: {{ include "apps.imageFullName" $imageData }}
@@ -233,6 +229,8 @@ spec:
                 name: {{ default (printf "%s-db-credentials" $.Release.Name) $.Values.global.database.credsSecretName }}
             - secretRef:
                 name: {{ default (printf "%s-system-credentials" $.Release.Name) $.Values.systemUser.credsSecretName }}
+            - secretRef:
+                name: {{ default (printf "%s-wlpadm" $.Release.Name) $.Values.wlpAdmin.secretName }}
           env:
             - name: LICENSE
               value: {{ $.Values.global.license }}