diff --git a/deployment/certs/ac-cert.pem b/deployment/certs/ac-cert.pem new file mode 100644 index 0000000..abaf275 --- /dev/null +++ b/deployment/certs/ac-cert.pem @@ -0,0 +1,28 @@ +Bag Attributes + friendlyName: webmethods + localKeyID: 54 69 6D 65 20 31 37 35 30 33 32 31 30 31 31 36 31 31 +subject=C=IN, ST=TamilNadu, L=Chennai, O=IBM, OU=IBM Software Labs, CN=IBM +issuer=C=IN, ST=TamilNadu, L=Chennai, O=IBM, OU=IBM Software Labs, CN=IBM +-----BEGIN CERTIFICATE----- +MIIDvjCCAqagAwIBAgIIcv6XX7l+QmowDQYJKoZIhvcNAQELBQAwazELMAkGA1UE +BhMCSU4xEjAQBgNVBAgTCVRhbWlsTmFkdTEQMA4GA1UEBxMHQ2hlbm5haTEMMAoG +A1UEChMDSUJNMRowGAYDVQQLExFJQk0gU29mdHdhcmUgTGFiczEMMAoGA1UEAxMD +SUJNMB4XDTI1MDYxOTA1MjE1MFoXDTI4MDYxODA1MjE1MFowazELMAkGA1UEBhMC +SU4xEjAQBgNVBAgTCVRhbWlsTmFkdTEQMA4GA1UEBxMHQ2hlbm5haTEMMAoGA1UE +ChMDSUJNMRowGAYDVQQLExFJQk0gU29mdHdhcmUgTGFiczEMMAoGA1UEAxMDSUJN +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAh/B6yQINrhcA0iWEJhsD +VubRsvuBUpToJ/rIGJNhLJuDoz6hh1RJ/mJ02ZfF+1K/99H1jJVXqbOCUh1+XKm8 +OtdNM7l749veVAFTKHliJu18FSSpmSe5UjtTe6Q2QLZU5MGUzanKFTOmjoOAjwaN +Uh79uUS6fgF8OBvBvdungmmc7WJXaqbN48wW+TlCFgct0ZuMnMdZNkNeXZ2UYKlI +h5Bd7Nt2lnyMcNyQOymveZlyP8Fw0vx2D8YRu1ht/CFyJFOLTMfc+Tbc3GuuWOO+ +vOOn+3+Ve+BGEPkmj14L/wpu/w0IkeS+Cec6FxpFDErgqCgh3C/cVodVHBa5Tb9V +zQIDAQABo2YwZDAdBgNVHQ4EFgQUI3/E5ZoUQNHWAnLqS3X11aTuhrwwQwYDVR0R +BDwwOoIMYXNzZXRjYXRhbG9nghBhc3NldGNhdGFsb2ctc3Zjgglsb2NhbGhvc3SC +DWFzc2V0LWNhdGFsb2cwDQYJKoZIhvcNAQELBQADggEBAAr4Ifrw7BLQ5udCH8iu +qia38OK3CBVLi9Sc6pbPjd4bSoYrmZ55KqRK1EzPrEDicd7NVXXvWA/oCamPlAXS +Mbbwq+jOTu/4IT9WdbnmrMTqXfNi2dgeTB+l0dfoF+kqvkQ56BL/wEeiVjH14CsF +fiblIB/abY7OQzC7/2wB3Nag/PXnDwEAEs+1N751ZlOr+TNObbaswoxfnZOQ501T +GOPN+HUKt1YXPkZ1TXNMNCxrZkxW9dlUCcqhPBwR/XSLo9ZJDT9GGqVePMP1/p9U +if4EFCfd1n4p7J14ENqPQKlilm3SicRvz4fjMNFEXLZH63TvPs1Vy3gOmroC6YYv +kio= +-----END CERTIFICATE----- diff --git a/deployment/certs/ac-key.pem b/deployment/certs/ac-key.pem new file mode 100644 index 0000000..94a996f --- /dev/null +++ b/deployment/certs/ac-key.pem 
@@ -0,0 +1,32 @@ +Bag Attributes + friendlyName: webmethods + localKeyID: 54 69 6D 65 20 31 37 35 30 33 32 31 30 31 31 36 31 31 +Key Attributes: +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCH8HrJAg2uFwDS +JYQmGwNW5tGy+4FSlOgn+sgYk2Esm4OjPqGHVEn+YnTZl8X7Ur/30fWMlVeps4JS +HX5cqbw6100zuXvj295UAVMoeWIm7XwVJKmZJ7lSO1N7pDZAtlTkwZTNqcoVM6aO +g4CPBo1SHv25RLp+AXw4G8G926eCaZztYldqps3jzBb5OUIWBy3Rm4ycx1k2Q15d +nZRgqUiHkF3s23aWfIxw3JA7Ka95mXI/wXDS/HYPxhG7WG38IXIkU4tMx9z5Ntzc +a65Y476846f7f5V74EYQ+SaPXgv/Cm7/DQiR5L4J5zoXGkUMSuCoKCHcL9xWh1Uc +FrlNv1XNAgMBAAECggEABxZxwHM79Vy7rTlJh5cW+Hv2aQeV+ZFL/XGk5ysgAOxm +06cbUuwBI6NMhl/UccMhwTEQRXEv7egvHkrtYLV02/iHzO+Z1wqKsASVqmGRzYfK +VWvg79xTXEc9lg+8yGj5SigRsxtsLujPgVS36j0kNyjof7Vmp9U5/c7srhJ6zGDT +2rtFukunDJJwcGYZcFPmPuuvfIsJHpR7ci1KAx5rV/qijeT6A1M/4PYeVQKZQv2j +mikPOpg+2J5SeYlwRTrSHeemPU0COk+Z8dmIcHbR3ducfnKnRDaBpkzL9vUcuw4U +EYArv31BioG7HRF4DUUUI0BHpn4DdMOodATNZspvXQKBgQC7jhDvjTwow0WgcHF9 +oDvCyA/zXm7+D/aje214TOpECnG/0d73FN06Me/mhsfZ/+HKcNA5ZiOHXCbJ+h2/ +ahrXH7mw7WpWFOm4B0EXwuxkHSnGGwGu0gO5k9nupuLGjihLgTSd3pIZj6Sh9gqy +R0bTdtQbMtMHUfIQ2ek93Keh6wKBgQC5jFXKpCZK6DleuNadGGtnOtj1wIQiY7BL +za4JBFr3H4v1y+gNTm7CFbgMI6SRGs1DSAmccU6ZFC5Lb7kpFrORmUJC45RnQHcU +ZDoTLVvyNdQ6Rwurj+GnUw8EFQ2Jmu1xNvQeTtr+ZhYe2XgTucSjmzuvP2Bunpvr +DbcAwQtBJwKBgD6rB4mjfXh5Vuh26dT6Fz3ML1g4M4n8t4KEmV1bBePaQYvAimmw +tQLe8LPsURbMYxuLemfTcweliOhwBESTJYi/9wHhMmi08CsncV6JKQeCnxSsrXFG +hywY9PbDGH8TvO8NqxEc72BPGMltNsG/AzFhQRodb1nAzctHpKGg+volAoGAJtDS +ybeZQyZdihFE5ExNe6T16kNB4SfVo6X9eGlu1i/FScBEZTQ5O2Trwa5bKPfgZOjX +CeEyPhfYr3NJ2uyi2BylnfSaARedUai99XERwRO9uAtQx60r2aMoiwQUdurwLTT/ +0K9SZNHaYs2/rvC30DoTPFAXzkxj9cJCvGemARUCgYADcUWoBOd6xtBlz9qPEd5/ +edY78NSd0QVG7Y2n6nLUzhU5bG+k2PgEffb/QSSlVk8qB2/c1REvHS/v5Gq9Yjrd +upmhw+L8M7SmwGuF0uoKbD5oYzWKe/3M7GZOyZr5sbCGnWY3z0hUSQcpVBKsi2vA +4WYuCvg+FqFx+a8A4o7kbw== +-----END PRIVATE KEY----- diff --git a/deployment/certs/en-cert.pem b/deployment/certs/en-cert.pem new file mode 100644 index 0000000..d77525a 
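Review bot: `ac-key.pem` adds an unencrypted PKCS#8 private key (`-----BEGIN PRIVATE KEY-----`) to version control, and the same holds for `en-key.pem`, `in-key.pem`, `nginx-key.key`, `os-key.pem` and `ui-key.pem` later in this commit. Anyone who can read the repository or its history can present these service identities, and the `keystore-*.jks` and `jwt_keystore.jks` binaries presumably carry key material as well, with the store password `webmethods` set in `deployment/docker/.env`. The commit also deletes `webmethods_not_for_production.jks`, so no file name signals sample material any more. I would generate the keys at deploy time (the compose files already run an `nginx_setup` step before nginx) and keep them out of the tree with ignore entries such as `deployment/certs/*-key.pem`, `deployment/certs/*.key` and `deployment/certs/*.jks`. If they are meant as samples, a README in `deployment/certs/` should say so, and the published keys must never be used outside a local demo.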
--- /dev/null +++ b/deployment/certs/en-cert.pem @@ -0,0 +1,27 @@ +Bag Attributes + friendlyName: webmethods + localKeyID: 54 69 6D 65 20 31 37 35 30 33 32 30 39 39 35 38 37 37 +subject=C=IN, ST=TamilNadu, L=Chennai, O=IBM, OU=IBM Software Labs, CN=IBM +issuer=C=IN, ST=TamilNadu, L=Chennai, O=IBM, OU=IBM Software Labs, CN=IBM +-----BEGIN CERTIFICATE----- +MIIDpDCCAoygAwIBAgIJAKg/azK8EnDqMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV +BAYTAklOMRIwEAYDVQQIEwlUYW1pbE5hZHUxEDAOBgNVBAcTB0NoZW5uYWkxDDAK +BgNVBAoTA0lCTTEaMBgGA1UECxMRSUJNIFNvZnR3YXJlIExhYnMxDDAKBgNVBAMT +A0lCTTAeFw0yNTA2MTkwNTIyMjhaFw0yODA2MTgwNTIyMjhaMGsxCzAJBgNVBAYT +AklOMRIwEAYDVQQIEwlUYW1pbE5hZHUxEDAOBgNVBAcTB0NoZW5uYWkxDDAKBgNV +BAoTA0lCTTEaMBgGA1UECxMRSUJNIFNvZnR3YXJlIExhYnMxDDAKBgNVBAMTA0lC +TTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANNmavv0/e6z5SyyKlya +yMlWESO2pFnxy+wYeOf6qBhJIKN8M2Aj2Yi8oOTlyHCDoGaBdEPUDublWsze+iBs +Cl6VTg7E2me1RRYKhUyoN0m1Hfk41ClEI8aa5mUnn3ELp416sdHSbRc0CZHZ3w+C +GYB4Nu0F6Q/FKgqZ+qLizSGWNbE/YXXQHuSw4P9flZsh9IAnGahfZ6aVA0vO1zX8 +llNx1ATXlWv2IjRkWbNSdq/Xf74b0ajZ575UI7EtIDH9bWLab31tqLvLPOOHwqzp +J2bI05CGfLPyg6bf0Ev2z0H8FkthLKgxd0qSUtzReegUSFna4KB956yFKTEpmwqf +Fz0CAwEAAaNLMEkwHQYDVR0OBBYEFBoBOtcQdrDTgQXIz1087ZOqbw/SMCgGA1Ud +EQQhMB+CBmVuZ2luZYIKZW5naW5lLXN2Y4IJbG9jYWxob3N0MA0GCSqGSIb3DQEB +CwUAA4IBAQBi1oTrFD8trPSGrTWpy7cfJxZh0GW0hDlCUBsIMn74nOetUgwSbUqQ +anAgpr84kIdtlMPNhIPG8gSydecWgpbfubdShHahKSWD266bWHaEVXn70AyHxmw3 +VZqDZPPS+O+i03sjjs6tFhhwQL5otVfr/V7/flxkoghuZ/ChqFt+bOG21Mm64OZV +Yqbc3tfJW/oMEYpmPgO+Y7l4dPmH6XoST9jV5M2r//uihJKlVWObtgVDvToq5S6L +u5fall1JvIKBT50TtZ36EQq4Dh/SPxnZpaKju8LjQIwJOluRQFkMBsTh7Jmys5XO +POiuBLd7Vyu+a/E36ti09+0atIUSjyUW +-----END CERTIFICATE----- diff --git a/deployment/certs/en-key.pem b/deployment/certs/en-key.pem new file mode 100644 index 0000000..7c53fd6 --- /dev/null +++ b/deployment/certs/en-key.pem 
@@ -0,0 +1,32 @@ +Bag Attributes + friendlyName: webmethods + localKeyID: 54 69 6D 65 20 31 37 35 30 33 32 30 39 39 35 38 37 37 +Key Attributes: +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDTZmr79P3us+Us +sipcmsjJVhEjtqRZ8cvsGHjn+qgYSSCjfDNgI9mIvKDk5chwg6BmgXRD1A7m5VrM +3vogbApelU4OxNpntUUWCoVMqDdJtR35ONQpRCPGmuZlJ59xC6eNerHR0m0XNAmR +2d8PghmAeDbtBekPxSoKmfqi4s0hljWxP2F10B7ksOD/X5WbIfSAJxmoX2emlQNL +ztc1/JZTcdQE15Vr9iI0ZFmzUnav13++G9Go2ee+VCOxLSAx/W1i2m99bai7yzzj +h8Ks6SdmyNOQhnyz8oOm39BL9s9B/BZLYSyoMXdKklLc0XnoFEhZ2uCgfeeshSkx +KZsKnxc9AgMBAAECggEAIkADsVKeGaB3zugGyP4i7cvN9xVOR2xPd673V85akaS3 +bwVeZYMpaWf2QV+hO+l3gWQT7DFdQLeEIJE3wSz/+RcDkI0APbE2wj1uH19Zpc18 +T7aPWSg7C6BpF5Z11KDowplQWghXuFyr+D9uTlrrus6/R2OfwPhWuWT9IIrSZVBf +N5hLAeigLEMbK55MbfwNOwrLk2/CWkfV+F70nAsUzTLSdW4Ffe3Qe1AbeyV+mODx +Nz6ZkpFXM5xhc9TxV7IgNgta9LqLI8UO9CiURWKl92A6nhUB56yBuZn4iIXmWqlp +3929s3frJ3uICH4hczbwpLoSKW5ZvVJtJ5tJk6ejgQKBgQD9NHo4I+2AsHUbct0t +CLS9AzqAt3ZjIH0T5X00Svq5NpsTSj8KrYi72Y3lPxsd2sPfi9kR3gPXCIog4i/u +M1cRBY43jo70KSfrkd+xp4zGfQkNVUgQnXujgELOurAAZeDKDzd3a8CH3ek5K0rh +E9iBXSFe1ZQA6bcwHFL7DP7AkQKBgQDVu842VZtlI2wNt3x57KJ4dlFEEXmJwTTo +yd7yEje0gTGbi5Hdie63Sf6mt5qvtz1Vc2kQfAXPAvOAtLMZ3oxTAXL2l8vzcbLs +adN0QjE8v1vpLvTvbDCJfzNmrET0XIWof0tgPkheAeKKxM9QaxrAANq1i3GczKMw +ufsyBsJB7QKBgDouW8MYplNCuLYE78OQU4929XNsNJzUc0kmG13vuKrkXD/TeKbo +dxnLBKrflEiI4yczyD4tyK4ZfTvPHXpbe68imqozbK+34T9k9oSo3lUhl/njVbrT +pPxN1YwRI64DuuJTGsirDsNpf1SumPcdC0u2bZuP8gE/suMwLvUW6FaxAoGAUhOH +0ee3//PFV9MhcvTDQ300Ie6P/K18MvTqr4z9ZUzDjxbe0fNY/3vj1YPmXBoC7KCg +NRtbY66fccpyiLmkq2+ABWAvivIbopvU/u04WTqnAfntR1AFp5d4VrJK3If3L8iK +WpAwXCFfLKj9b8VhhWAOnO7Kl0siU+DnrMNZr9UCgYEAxtqjmm3Zl9h5BjE7/T9Y +tyAOyGAaMhawdlq+s3UV79T8eMZ6hBGDMPsUWXl7I1t9zRUtra8LW6UnTFYeZB0n +eOSOqnu3GPcmJitZqPRl2G+TUkdhSQocv/kNfgeZKyeWStAqDnHn9QF7cpBI7Wpd +X6y7rOqVVCei81x383Mh1WU= +-----END PRIVATE KEY----- diff --git a/deployment/certs/in-cert.pem b/deployment/certs/in-cert.pem new file mode 100644 index 0000000..16843d2 
--- /dev/null +++ b/deployment/certs/in-cert.pem @@ -0,0 +1,27 @@ +Bag Attributes + friendlyName: webmethods + localKeyID: 54 69 6D 65 20 31 37 35 30 33 32 31 36 31 33 32 38 38 +subject=C=IN, ST=TamilNadu, L=Chennai, O=IBM, OU=IBM Software Labs, CN=IBM +issuer=C=IN, ST=TamilNadu, L=Chennai, O=IBM, OU=IBM Software Labs, CN=IBM +-----BEGIN CERTIFICATE----- +MIIDpjCCAo6gAwIBAgIJAJTAdJ7AJ2sfMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV +BAYTAklOMRIwEAYDVQQIEwlUYW1pbE5hZHUxEDAOBgNVBAcTB0NoZW5uYWkxDDAK +BgNVBAoTA0lCTTEaMBgGA1UECxMRSUJNIFNvZnR3YXJlIExhYnMxDDAKBgNVBAMT +A0lCTTAeFw0yNTA2MTkwNTIyMTZaFw0yODA2MTgwNTIyMTZaMGsxCzAJBgNVBAYT +AklOMRIwEAYDVQQIEwlUYW1pbE5hZHUxEDAOBgNVBAcTB0NoZW5uYWkxDDAKBgNV +BAoTA0lCTTEaMBgGA1UECxMRSUJNIFNvZnR3YXJlIExhYnMxDDAKBgNVBAMTA0lC +TTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJSKRWITRq7QIrrnUtAp +dAszIzpTdGDWaHvXb1PEXyzd11TMkkvP9NHiZUWkiOesS/iSI66gTE3kPGbdwm0b +cNys/I71tFwW2IG+kVc4HGdV8h1v/o1TFVUNrODJDsZ81agSRYhCWeoZPJ1TNkfi +jPr4+MxjgKX0lnVB0dElAv4iin9kbaodPsGtz7ts20MUQFgU2NJncvqY9nKinOP5 +qpItmfdmQCcoC7jeFfTZXNkgov3XIjk9XzIjYjYRTYp7kvuByhHIVa1AiJpGglVx +mJpmdoihyZcEQOinnr4i3cltFiWgJe59TBXRCnPNoZMY/+jY+Lluf5BOFJsil227 +6EkCAwEAAaNNMEswHQYDVR0OBBYEFIdBPu+LeYmAFspbRFGqim1chKBGMCoGA1Ud +EQQjMCGCB2luZ3Jlc3OCC2luZ3Jlc3Mtc3Zjgglsb2NhbGhvc3QwDQYJKoZIhvcN +AQELBQADggEBAHNMr+j8kjXQFSxiC89ZtqY8fTFbrUpLt4pAqXDGOwoTTWXwHaXw +QE/u/H+Rqm73Ab3Q6Ywq0dOYzy3t/t4D2ooBpkTIdXjvXnWCqii9hXour5bN0n9M +toOI8sGPyi4bSjxnzfnaK06z5WapeeR2NF93oUV+bu+jubbl+ApkUHXxEryMUyJJ +d42ss0mMoJawwkqFCf+6t7s0KYI8gjduLRkpZAEI85kyn+uFYjOPYnPrC88oBzbP +8wieMHFy7zhG6NCc5zlmnmUVozfiFs75XIIJJw1B3gvUk9WRu6R3WM6xLZMPv5cm +5j/ALGMNV21+q5j6sRhg8Pnxcla6gz5Cgrg= +-----END CERTIFICATE----- diff --git a/deployment/certs/in-key.pem b/deployment/certs/in-key.pem new file mode 100644 index 0000000..efb0a72 --- /dev/null +++ b/deployment/certs/in-key.pem 
@@ -0,0 +1,32 @@ +Bag Attributes + friendlyName: webmethods + localKeyID: 54 69 6D 65 20 31 37 35 30 33 32 31 36 31 33 32 38 38 +Key Attributes: +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCUikViE0au0CK6 +51LQKXQLMyM6U3Rg1mh7129TxF8s3ddUzJJLz/TR4mVFpIjnrEv4kiOuoExN5Dxm +3cJtG3DcrPyO9bRcFtiBvpFXOBxnVfIdb/6NUxVVDazgyQ7GfNWoEkWIQlnqGTyd +UzZH4oz6+PjMY4Cl9JZ1QdHRJQL+Iop/ZG2qHT7Brc+7bNtDFEBYFNjSZ3L6mPZy +opzj+aqSLZn3ZkAnKAu43hX02VzZIKL91yI5PV8yI2I2EU2Ke5L7gcoRyFWtQIia +RoJVcZiaZnaIocmXBEDop56+It3JbRYloCXufUwV0QpzzaGTGP/o2Pi5bn+QThSb +Ipdtu+hJAgMBAAECggEADw7Nzg2Jcaz+ik8rK1g6b+y3DmF5p5vwo1ZBbj7WzZ3v +B2UGExqhlTnDvam6aa7jFC+fX6NXHOHNWDm0jRo2KJ6+KxFgH2I/ADcU9YAmC/kv +1jldVw8EN3cvjml/XpJ218cDZrbgNc2pYgL2mpauJz6APTr8hoZLDte1aQPdH+0x +rYtplBVuMa6bUylUULH66SO531FdAXR1CjwK6VKGEqMat03OutTVLCy7uV1+60Qu +fwsqMXzHRbTehQfKdtKHjtMMlqgETEgrGF570Nl7LCr8qOOplKKCFyW2k/pKih1c +Sr3Fmzn7gtHKGN/YAu+Zz+H+sOdGcrplMgVMIXdiUQKBgQC/vl4WwCASYIVzmj9X +t0RDteSonYsa4g5o3ReyrhY9Rv9MNsg631p6hIMX/ukxamUgS9mBRE9m1WCXuCr4 +YzWKWf1l65T7SsKr0EFZoMHSfn+1dFFWVwtIqfs2cnDyKI7VP9bh6fww/8R+Y/LC +hdHVoY35r/6eoLt3ComiOzWymQKBgQDGUXyrj9rM+gbF6/eXpl6kaXs8bLSanHOM +iBOxQkPNbYHSBqGS8np+jKI+aJDe98HkYLpJpi7sGsRy5m2kYMoWM0KNDczbR/ow +jw+0hS7a/jhJlUW7+/j2Be5pLylR06sb73+4qs9i7eLHxb0ZY9Qtai2ARXzLAWj0 +Vc0LREchMQKBgDne9v7e1c82GpEdiOisg4n8KBtMEWP3vmmf8TsYl9W+y+bw0dYS ++3fm7robUb58YjExM2B0gZKD7DdeenmlV89+AaD1TW3azo6UuGSYxGcHjvvxM2tf +siQoSY3RVI2B+Docnnpo6JjRWTjcabSUNxTHQdaOa8bstCfloky4mihhAoGAKeee +CEJlYVqTg87QimLFLMh9Gc9+eg0E/XTjdFkkKowxGkf8bCiAaa0du0ItGnAPsEog +Et/imlEtoXm/QTSSfw5lyZhY6RzUaN5R2zspI20ER8ga7BXaDWJDdkZY3Ml1Jnn8 +6vBs0eKiQMQvqOXHN7Fv2+LS87JgkwBuSysqPIECgYEAry5xN/XDZVWroFpgSaeU +a6QTXlJkI5/LO/o/xT8qSKErO/n/Wf5TLkyISmxeC5oTr6SJzFo2eCpZJ4RyJgG0 +v8+QZtoTWLYYXYncqhh2teyyFJYWJdKTqp7YRKIwvpHmpGkQ6p7ysF14diEOXJAK +RZE/ciADe3E3qOmHZbtOZ5c= +-----END PRIVATE KEY----- 
diff --git a/deployment/certs/jwt_keystore.jks b/deployment/certs/jwt_keystore.jks
new file mode 100644
index 0000000..c15a01a
Binary files /dev/null and b/deployment/certs/jwt_keystore.jks differ
diff --git a/deployment/certs/keystore-ac.jks b/deployment/certs/keystore-ac.jks
new file mode 100644
index 0000000..712a633
Binary files /dev/null and b/deployment/certs/keystore-ac.jks differ
diff --git a/deployment/certs/keystore-en.jks b/deployment/certs/keystore-en.jks
new file mode 100644
index 0000000..3c7ae0a
Binary files /dev/null and b/deployment/certs/keystore-en.jks differ
diff --git a/deployment/certs/keystore-in.jks b/deployment/certs/keystore-in.jks
new file mode 100644
index 0000000..15b3a78
Binary files /dev/null and b/deployment/certs/keystore-in.jks differ
diff --git a/deployment/certs/keystore-nginx.jks b/deployment/certs/keystore-nginx.jks
new file mode 100644
index 0000000..7c0f8f2
Binary files /dev/null and b/deployment/certs/keystore-nginx.jks differ
diff --git a/deployment/certs/keystore-os.jks b/deployment/certs/keystore-os.jks
new file mode 100644
index 0000000..a970c7b
Binary files /dev/null and b/deployment/certs/keystore-os.jks differ
diff --git a/deployment/certs/keystore-ui.jks b/deployment/certs/keystore-ui.jks
new file mode 100644
index 0000000..81b5232
Binary files /dev/null and b/deployment/certs/keystore-ui.jks differ
diff --git a/deployment/certs/nginx-cert.crt b/deployment/certs/nginx-cert.crt
new file mode 100644
index 0000000..08ffdfc
--- /dev/null
+++ b/deployment/certs/nginx-cert.crt
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDjzCCAnegAwIBAgIIJp+BBRbOd/gwDQYJKoZIhvcNAQELBQAwazELMAkGA1UE +BhMCSU4xEjAQBgNVBAgTCVRhbWlsTmFkdTEQMA4GA1UEBxMHQ2hlbm5haTEMMAoG +A1UEChMDSUJNMRowGAYDVQQLExFJQk0gU29mdHdhcmUgTGFiczEMMAoGA1UEAxMD +SUJNMB4XDTI1MDYxOTA4MTYwN1oXDTI4MDYxODA4MTYwN1owazELMAkGA1UEBhMC +SU4xEjAQBgNVBAgTCVRhbWlsTmFkdTEQMA4GA1UEBxMHQ2hlbm5haTEMMAoGA1UE +ChMDSUJNMRowGAYDVQQLExFJQk0gU29mdHdhcmUgTGFiczEMMAoGA1UEAxMDSUJN +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvzGNFROOg3drfINtMOEI +fj5QzjrP+nnAufH8RcFg+p7XknuAr+VxLtGBfOj9JacB/3w92Cb9nube9U9XS/f/ +J6lCwimWopPNeL7vtzIgZ9BE7J0drrsABFKWPByubGNJSJ2jzyNiA/Xn7ld2ufWo +7eULERHLxlmyKU3RjzPOPWS13lwCbl4O9k5eJSl7+mMLlPQHzob46leOdgby/Qrp +ouPnbXvzRjrAh2HuXzjV/ES6UcJFc85SBQnSS38Yox5NJH6vjav1EPhW2EI9KQym +KuJvNYbUyq2av2/QfjdjF5LoLhv2vs+A3EjC9JGWcf/dKXnUBOwDfk0+Z0pg9oqm +WQIDAQABozcwNTAdBgNVHQ4EFgQUoj+98ELTunt5cyDYcj57pPN5t7owFAYDVR0R +BA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAsV6sFM/R/KFccdtWJ +GappyMcc/OsxEV5Rao1zw9ycOWcBwCjPRtRTLXwX9JWEseWAtT+rpv4HKAuJyjXa +KsQGx3TUy+4m1gz/+D3mkXV/2UsAiAMgHCiHfAU6a9ADn4nJc64FEvWoUU6mY6Ry +nP2L4j4fLgxYQ5pEz7HhgI2l9pl89m4QdaLfPsFWdOMUtZkD69zBSsKOzaaUNcsM +rhoekHamRSPhArSU+nEiR1Imhza32BCXyM8kvae8wlxLnmHEca44MG/v4l1SI07a +sWt9YoTcPOQqiTMU/1ixPjupB1j1HOAYnbEHLaSloYXyWJfs+zhNVhcGCE9NCU9w +zLKA +-----END CERTIFICATE----- diff --git a/deployment/certs/nginx-key.key b/deployment/certs/nginx-key.key new file mode 100644 index 0000000..a783bfe --- /dev/null +++ b/deployment/certs/nginx-key.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC/MY0VE46Dd2t8 +g20w4Qh+PlDOOs/6ecC58fxFwWD6nteSe4Cv5XEu0YF86P0lpwH/fD3YJv2e5t71 +T1dL9/8nqULCKZaik814vu+3MiBn0ETsnR2uuwAEUpY8HK5sY0lInaPPI2ID9efu +V3a59ajt5QsREcvGWbIpTdGPM849ZLXeXAJuXg72Tl4lKXv6YwuU9AfOhvjqV452 +BvL9Cumi4+dte/NGOsCHYe5fONX8RLpRwkVzzlIFCdJLfxijHk0kfq+Nq/UQ+FbY +Qj0pDKYq4m81htTKrZq/b9B+N2MXkuguG/a+z4DcSML0kZZx/90pedQE7AN+TT5n +SmD2iqZZAgMBAAECggEAB4EOIMTk+8942kj9ROUcNHpFKScBSTs0n4e6J1G8+PE5 +lFABH8ZBYD1MWAb8ApmQuEKb2ctD+pPkrduomTx5WQjpbB3+QdDLyICz/2x5/aEc +x22uP9CqokDMkTzt8qad9nnrd0KUAwRIj2AC8q8L65RpEAkzBoy4M6tQfY6iumGT +RoF3F5m+l9pHKyMba/f7ijClWoNUfNpPWqjSdK4eYznPdkPvS/bVtafQ74VFdWVa +HIw5kzeW9TeE+TkqXJPaPowXugRLFoVEAiTVxMphWu978duS84PfbuMshcK9ZRCg +Bk4E8sLtc5VdoBtlv+7qhPW+yjxw9COUMGad1l9FQQKBgQDCAUSOPfHczghpVuF3 ++VA5Vvel+bdVxkrTvJmwbuwakfHLIQ7wU63pUj8s/fIH9zIsG6O/ZNlVbmrcrylw +Km2Y5VN/wvetyUdJ+tmAc6HGH/F/w0aVl6rw+2ulaPAxjdTViIQOwikNrAGxRip6 +rtFAqM/l4iBCqbtaZQlCMGYd+QKBgQD8SkuFGgVrGaGXNk5UXLHVojZzLrAJ1MY4 +mZyFtWZic5Q3T8uHLMIrCEw5DHY0fN5BSh1qq5dK4g/swPhrtn+B33FsV1RNXpi9 +GwepEKp7MZjkw2LGl6vb0zuWTTWP9K3EVCD5mXy0E7UlfTxaNJ9mv0mkF5OT/KZc +ItFn7NJjYQKBgQC/r+T+7nG1i9V/z5pDopEDtsxGsG/XTm/MugLY8yBSOHXCEM3j +46poaR2G5Ptpp3NpZX3rtEeRQ+JOXrwA2cskUSKpkAiNK91GWZbidl4XlqRVaqqp +UAxUwvbfnsoFDHCI87QXqPxLR/L8J6n9QhH7Y1DXgRADDhXSARae0Zd0cQKBgQCX +sWA5Fo09eTrUvZ1ZUibHKfKNTPwh3SKWM56OMqTt+0qZ+0uH6lyRHTsfbiPAqXfF +T/fiBGxCZSxoERsNQLzn7N644sVYg9FYmuD/QXsP+aFRoz1H5Tg7Q4XneGMFPHwi +uObezO/TIqpfcS6RmmRhlhCELnzYlSe97F12nElf4QKBgQCyPSTQe5LtnHCpIHsl +q6gbQzS3OhVKywBuuO0neoKgwhWQGcEH3CjvmKFhrVIKPDJa4BZ69kWYGoH5mZ7+ +tk/kCKtf1qyKQLgu+6yrliEcIlcVE1jYWPCASsUhgSeL+3okwsZeEUG4BZo7CV+y +0AfhAvoc75ViipbvswTcbDPznA== +-----END PRIVATE KEY----- diff --git a/deployment/certs/os-cert.pem b/deployment/certs/os-cert.pem new file mode 100644 index 0000000..880f3cb --- /dev/null +++ b/deployment/certs/os-cert.pem 
@@ -0,0 +1,27 @@ +Bag Attributes + friendlyName: webmethods + localKeyID: 54 69 6D 65 20 31 37 35 30 33 32 31 37 36 31 36 36 39 +subject=C=IN, ST=TamilNadu, L=Chennai, O=IBM, OU=IBM Software Labs, CN=IBM +issuer=C=IN, ST=TamilNadu, L=Chennai, O=IBM, OU=IBM Software Labs, CN=IBM +-----BEGIN CERTIFICATE----- +MIIDtzCCAp+gAwIBAgIJAJv2DBe+lLawMA0GCSqGSIb3DQEBCwUAMGsxCzAJBgNV +BAYTAklOMRIwEAYDVQQIEwlUYW1pbE5hZHUxEDAOBgNVBAcTB0NoZW5uYWkxDDAK +BgNVBAoTA0lCTTEaMBgGA1UECxMRSUJNIFNvZnR3YXJlIExhYnMxDDAKBgNVBAMT +A0lCTTAeFw0yNTA2MTkwNTI3MjVaFw0yODA2MTgwNTI3MjVaMGsxCzAJBgNVBAYT +AklOMRIwEAYDVQQIEwlUYW1pbE5hZHUxEDAOBgNVBAcTB0NoZW5uYWkxDDAKBgNV +BAoTA0lCTTEaMBgGA1UECxMRSUJNIFNvZnR3YXJlIExhYnMxDDAKBgNVBAMTA0lC +TTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4wpNRJl0tBJwZtTmZY +nNI6VI73yTjRwJr8a6A7ZMGhsa+giHqn1Quk2N10fWMMd8mBf5gybKKvv/Z4N3x5 +ik9ThOFu/2myS4f137j9Skk2Sp8rQuWnpwgWAfXGHeb4gPucnVnhTRcwIk+9OuTJ +AoEPlR8VCrnjndhvGIxT9ph//e7KYI/m2+vCryEbZ0OiBDXyAraIeBWqqeumryjl +4HlkT0H3cUsHlJGXcg9lWWKFgYqSIhAZPVFuypBXz13C2zU1p+Yhm2dyLLjGWZbR +0vKYXzqYJF+pNvAvbBHJlGT/rCL/rQ9yrqsNVnM7OfqP3Xf35X47wP8qz/C92cZ1 +Xa0CAwEAAaNeMFwwHQYDVR0OBBYEFE6RygAwnHKH+Z30uJwxIMLrBnPqMDsGA1Ud +EQQ0MDKCDGRhdGFzdG9yZS1jcIIJZGF0YXN0b3JlggxkYXRhc3RvcmUtbGKCCWxv +Y2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAuJnrOCPFaPIMyN7mPlNQM8AL6rT1 +0Kj6VLbE1AzKkecrBtmGvH98bZvv2Y2gAHKL/DiwTF98MSam5K7sXo4YZxro25Mp +2shHrUulXEk3ZabuvGw0/58nYWSoW6hX1jr1qNFn97QjwCoXyw6kHVQrvXWn0z5i +9TCCGd80kMTPc2dNFTaEyDwqpQv+1cuVSewUpAn6AfP/V6/MAkVlmPg0nrCi0oTU +lyzTthN47Nv4/84ao/KbiRBL0Uk7DGDW3iwJlWm91q+YmvA1IgCg40bA19eDZVaM +cMOnxojuvyGyDaC80A/YosGwbPV+4kkrRpiR/gieXBDLKGlSQgHY6AleCQ== +-----END CERTIFICATE----- diff --git a/deployment/certs/os-key.pem b/deployment/certs/os-key.pem new file mode 100644 index 0000000..350a572 --- /dev/null +++ b/deployment/certs/os-key.pem 
@@ -0,0 +1,32 @@ +Bag Attributes + friendlyName: webmethods + localKeyID: 54 69 6D 65 20 31 37 35 30 33 32 31 37 36 31 36 36 39 +Key Attributes: +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC+MKTUSZdLQScG +bU5mWJzSOlSO98k40cCa/GugO2TBobGvoIh6p9ULpNjddH1jDHfJgX+YMmyir7/2 +eDd8eYpPU4Thbv9pskuH9d+4/UpJNkqfK0Llp6cIFgH1xh3m+ID7nJ1Z4U0XMCJP +vTrkyQKBD5UfFQq5453YbxiMU/aYf/3uymCP5tvrwq8hG2dDogQ18gK2iHgVqqnr +pq8o5eB5ZE9B93FLB5SRl3IPZVlihYGKkiIQGT1RbsqQV89dwts1NafmIZtnciy4 +xlmW0dLymF86mCRfqTbwL2wRyZRk/6wi/60Pcq6rDVZzOzn6j9139+V+O8D/Ks/w +vdnGdV2tAgMBAAECggEACt+3HNgUSV4xQAHR4LIiTTa+jOoH3DLJ41KZSLD8osF+ +6j6wburXmHHVYFv/q0EUPDYmOGpxoZ+QxyO6cGh2ivCIgWcaPU3PWbeqEeaRb7wl +6hHMIltChojTldy86u68WSZsLK5f/Ppoi8yS6G/Br+VXLk7CrTwhUzWO3r8SM0fM +skKneI/XVgFwl/spwXffWbF2EtzTgJS7gKOtDOZPTewhKgYnNjAekG/dskKPFw0v +nGw96pZjm3EXywXNCSYylIL/SzCfXFTvVWkFdnF1x6qyRtamxFA81+xsn6/Qx4GN +16XJHv5235x7mZiO5jd2HpM8iRWeSa8k/42cjJnCVQKBgQDERKVxlYqPxsBfoDeV +VYhnRrq29VGXw6NFOzejcMtn24hSh+9wUsu4C9vSgqAspa7+qIz6MB4gg+x1vbrN +up7Y0CcCOG+Que8ptidwy8az9xpLv5vKs9FUKvUI6VlEVjZTmLAgE6JgpCwX0WyC +qpm6n3o+2B+IbzQdCpZKivPf7wKBgQD4EnJtoYWAjrepqKtnlDbvbY4Ude5cxii6 +ebI6EevcsQcpDoXnZOkSqcb0mfBUdX3abeJJ6R12/5vvkAca/OYg9EmfLNjhAUDm +SqzshOH58Y2oP2oZ7gveHRItUCv1pYyEHZGQnqbXwetXfuJtVfL4amaefygVWzCo +MXimYP5AIwKBgCU8qO794kYY/VKnQSRyD+kYQECKFqrmkUmHTK0Tr2PLAPg3ljQH +YWNPzKsJ4X3XCXaDYAvvqSeeH/TOxGxX5d9Yzq3bKz+YJ0oQpzb9Unu+fBy3A8XX +i/WeGNNSAn+2o6QEqhXL49jWDQ+PyjiYSYZgz36w3nqyLn78DTujVVW9AoGBANcD +DiENhWvWx0OKyP2ezjqZpzL+wFmy+ywdPKfuTpNa8MzaJJ9ZrFYbxzDMmCxsJWgE +I8VSAtLYW2y5Vh9DIadgdMs9EMF816aDBPx/dGmxvskcJbdRxwF+Cvoxadig43jD +NB64E/4fuv58IH8Jpu0/M7Cen7xa7IJrVppGqTgnAoGAK0t1d8ttkjTneLtFAYtp +nrk8uDZ5dYV4M5b/VIsCDCeQ8QxmdoTk0jEAXfe0Gi1CkCbFHyghSsi/Oebtv4le +9pF+rYonx/4cldwSmR0AbF3paZAc1r0yIOHM0p1T2EWxvToznFwhCXtrirjnzWVg +NDEEwDUtH8Z8H42xaRpV4aI= +-----END PRIVATE KEY----- 
diff --git a/deployment/certs/truststore-ac.jks b/deployment/certs/truststore-ac.jks
new file mode 100644
index 0000000..ce7105c
Binary files /dev/null and b/deployment/certs/truststore-ac.jks differ
diff --git a/deployment/certs/truststore-en.jks b/deployment/certs/truststore-en.jks
new file mode 100644
index 0000000..b0d6d26
Binary files /dev/null and b/deployment/certs/truststore-en.jks differ
diff --git a/deployment/certs/truststore-in.jks b/deployment/certs/truststore-in.jks
new file mode 100644
index 0000000..aaeb19e
Binary files /dev/null and b/deployment/certs/truststore-in.jks differ
diff --git a/deployment/certs/truststore-os.jks b/deployment/certs/truststore-os.jks
new file mode 100644
index 0000000..4e9a5e6
Binary files /dev/null and b/deployment/certs/truststore-os.jks differ
diff --git a/deployment/certs/truststore-ui.jks b/deployment/certs/truststore-ui.jks
new file mode 100644
index 0000000..1521eea
Binary files /dev/null and b/deployment/certs/truststore-ui.jks differ
diff --git a/deployment/certs/ui-cert.pem b/deployment/certs/ui-cert.pem
new file mode 100644
index 0000000..1050241
--- /dev/null
+++ b/deployment/certs/ui-cert.pem
@@ -0,0 +1,27 @@ +Bag Attributes + friendlyName: webmethods + localKeyID: 54 69 6D 65 20 31 37 35 30 33 32 31 30 32 34 37 32 32 +subject=C=IN, ST=TamilNadu, L=Chennai, O=IBM, OU=IBM Software Labs, CN=IBM +issuer=C=IN, ST=TamilNadu, L=Chennai, O=IBM, OU=IBM Software Labs, CN=IBM +-----BEGIN CERTIFICATE----- +MIIDmzCCAoOgAwIBAgIIHtkfloKwRs0wDQYJKoZIhvcNAQELBQAwazELMAkGA1UE +BhMCSU4xEjAQBgNVBAgTCVRhbWlsTmFkdTEQMA4GA1UEBxMHQ2hlbm5haTEMMAoG +A1UEChMDSUJNMRowGAYDVQQLExFJQk0gU29mdHdhcmUgTGFiczEMMAoGA1UEAxMD +SUJNMB4XDTI1MDYxOTA1MjMyNFoXDTI4MDYxODA1MjMyNFowazELMAkGA1UEBhMC +SU4xEjAQBgNVBAgTCVRhbWlsTmFkdTEQMA4GA1UEBxMHQ2hlbm5haTEMMAoGA1UE +ChMDSUJNMRowGAYDVQQLExFJQk0gU29mdHdhcmUgTGFiczEMMAoGA1UEAxMDSUJN +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzGvVnci/Hu+X6UD1/KMt +DUeFO0Lq7YRvGVsQiaratDvIaT+sHp37R4uDauOV+K0ErlQSxoi1yxDnG2W+vyTT +pZNMuM2Mh6ii42l/18harNxILEfglJ5sKX9OSqYiP5eAfdDS6WungtSlXb0LPBzA +9tgwoTH/m058+azlOoKWGLZW5/aFKcQaUr+5UneI5CzfXkyhD/OBt2MBcsDOwtY/ +UxbrApr1wFGduPg6eECNrhHUJetRHEq2j/8BgH67igZaOj2dAUhKIQOxh0xmj9Ae +ouSFm4+fq1EEqyHZkntmFOKBWyBV5u01GFavIagWEVL95RD4c0ARa6bI6C3w7wa/ +TwIDAQABo0MwQTAdBgNVHQ4EFgQUIO1NigCtFruzZKQgWd4uyW8xdu4wIAYDVR0R +BBkwF4ICdWmCBnVpLXN2Y4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQCV +a2aJo3im5Lutx3Eqgisit+prpEvR02P4occYApI7/giPCKDpgMO7HSuk7YSwW9x7 +hKQH1Pmf1jSgdDU7GK9Nub9IxyIaLTquod+CIKhP+JWhtAWbo7O1FAbfoi1ZAysV +u5tHTs7neamo+SL97Pdb8iNinKtMdntlmrNDJX7n0qfdpGV+u/NQkMDoTrHXaBCh +bedvNJMxuuECxDIyHL0xWosI4ehFxkERitupPLjxVYMDQZtkVVWWRVJkiapAm40F +I24zSJQSWTox4MH7ZRie4QJgZn3G9A8Va253UgbMw9ZkzpMz7ZzzLiBanOnM4i1O +Ly+I+15wnEIMmdvbAhFe +-----END CERTIFICATE----- diff --git a/deployment/certs/ui-key.pem b/deployment/certs/ui-key.pem new file mode 100644 index 0000000..71f5813 --- /dev/null +++ b/deployment/certs/ui-key.pem 
@@ -0,0 +1,32 @@ +Bag Attributes + friendlyName: webmethods + localKeyID: 54 69 6D 65 20 31 37 35 30 33 32 31 30 32 34 37 32 32 +Key Attributes: +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDMa9WdyL8e75fp +QPX8oy0NR4U7QurthG8ZWxCJqtq0O8hpP6wenftHi4Nq45X4rQSuVBLGiLXLEOcb +Zb6/JNOlk0y4zYyHqKLjaX/XyFqs3EgsR+CUnmwpf05KpiI/l4B90NLpa6eC1KVd +vQs8HMD22DChMf+bTnz5rOU6gpYYtlbn9oUpxBpSv7lSd4jkLN9eTKEP84G3YwFy +wM7C1j9TFusCmvXAUZ24+Dp4QI2uEdQl61EcSraP/wGAfruKBlo6PZ0BSEohA7GH +TGaP0B6i5IWbj5+rUQSrIdmSe2YU4oFbIFXm7TUYVq8hqBYRUv3lEPhzQBFrpsjo +LfDvBr9PAgMBAAECggEAIxRsQ5f0CEyIbqxJqlGcRRedavaIVzsvT5QbiexqfJx3 +v2wATv7AZN4xrrGghly2nW3rDOvf+pmLd12l9qpMsbDN7TbE43DShyEPIcoNmXVx +4ztwdECdgh+JIXFSFkSa9bxUvV7Oj7qLKENtPqMWkCW4bqkkWpQFCVmcusY3GMU/ +Kxgm0Zg7q56wzvV8LLM52Zti1mdnhh/0SyP3ZY0WE0I1s+XimTLfcjEqmzzmVYPl +4JfDZVWPqH3dlyrsscotKpXwCPbO4KGT5eXhfOKtvaV+7LRg0YglOL5cRxrEsrtt +e9Bnzii2HvoqYmE0iH9qYn2vCY/l99I4ttHsVa11bQKBgQDfyqqtIf7YTzYUl+68 +LiF8AmThZKxiMB7RnOQ1sbTlkDpO2YkJ6IvhzErytGrYFpoPp9eYn/zsFaNmEg7F +DsNIJnSy9zM34PcrlKRfvv2Z/pTlxGcVkfJVCg9a5unUXJH/ShklEUwi3UPpu0m0 +GkSfibbk1QVebW1aCu6Lvmx/qwKBgQDp13zDQ+WY+G7DLoDaOlfbqdD/q8XppgfS +e9F0ay3+DdXcnEIh8p8gFwwF5F+0yRizq83RHM3gX9mnRGfincAVgit8LYEpzK1x +aqHCE+8mkV38aVsbKt0gcX8YSN5os6JHJrwbAO9J5HpMeOsOySgMKcAh3KVaU91M +7JkQrmeq7QKBgQDaREFI0SJMeJ1HYpOup9NyrqcTievza/ly+XE+yU6ko5Gq+9ID +fvKHTIhAxSR8Ezc5U7scGdZFsCkI0U3kdiySfydMsXsb4edQcw4KcC3J9xnkKzVb +PVg8Bq7JOvQOcibW9b8mfwNh8apeGZOd/Ay4CUn/T6CH43RG4OieFSCfNwKBgH2w +f7UNF6njTtXGdyfVWEgPvPDPyW9O+MFgIDMtMOlvUlZj/v/0Qyeie6nnGLI5rPdW +DyipDNffbUQE9rnOBOMKtojmhJiNFWTy5cNFp7PZSuVTU88EeRrpJmFNOY6Zj04j +OdRh6jyTfFECZYXrBYWUI1uQF6i3jym7uoJG3B35AoGANr0poMYbLwWXyiXd3lj0 +Y5pmrI2tUB4/AeBkCOKm3r+HEjS/kKdSTGjyYhz+WYUlOntWHEbfb7uwVMLlLKpP +F09KX1PwHbFVffsZcko820VQxyq64NA74xXLr0ZrffWt/og0WhL0f3U10dgA9bfw +HqzgfBJoGAwF+0An1dBPSyI= +-----END PRIVATE KEY----- 
diff --git a/deployment/certs/webmethods_not_for_production.jks b/deployment/certs/webmethods_not_for_production.jks
deleted file mode 100644
index 5d75827..0000000
Binary files a/deployment/certs/webmethods_not_for_production.jks and /dev/null differ
diff --git a/deployment/docker/.env b/deployment/docker/.env
index 58bee65..cacc6f2 100644
--- a/deployment/docker/.env
+++ b/deployment/docker/.env
@@ -4,44 +4,41 @@ UI_PUBLISH_PORT=8085 ENGINE_PUBLISH_PORT=8082 ASSETCATALOG_PUBLISH_PORT=8081 ELASTICSEARCH_PUBLISH_PORT=9200 +DATASTORE_PUBLISH_PORT=9200 # Images -INGRESS_IMAGE="cp.icr.io/cp/webmethods/api/api-control-plane-ingress:11.1.2" -UI_IMAGE="cp.icr.io/cp/webmethods/api/api-control-plane-ui:11.1.2" -ENGINE_IMAGE="cp.icr.io/cp/webmethods/api/api-control-plane-engine:11.1.2" -ASSETCATALOG_IMAGE="cp.icr.io/cp/webmethods/api/api-control-plane-assetcatalog:11.1.2" -ELASTICSEARCH_IMAGE="docker.elastic.co/elasticsearch/elasticsearch:8.14.3" +# INGRESS_IMAGE="cp.icr.io/cp/webmethods/api/api-control-plane-ingress:11.1.2" +# UI_IMAGE="cp.icr.io/cp/webmethods/api/api-control-plane-ui:11.1.2" +# ENGINE_IMAGE="cp.icr.io/cp/webmethods/api/api-control-plane-engine:11.1.2" +# ASSETCATALOG_IMAGE="cp.icr.io/cp/webmethods/api/api-control-plane-assetcatalog:11.1.2" +INGRESS_IMAGE="cp.stg.icr.io/cp/webmethods/api/api-control-plane-ingress:suite-int-stable" +UI_IMAGE="cp.stg.icr.io/cp/webmethods/api/api-control-plane-ui:suite-int-stable" +ENGINE_IMAGE="cp.stg.icr.io/cp/webmethods/api/api-control-plane-engine:suite-int-stable" +ASSETCATALOG_IMAGE="cp.stg.icr.io/cp/webmethods/api/api-control-plane-assetcatalog:suite-int-stable" +DATASTORE_IMAGE="cp.stg.icr.io/cp/webmethods/api/api-control-plane/third-party/opensearch:2.19.1" -# Elasticsearch config -ELASTICSEARCH_HOST="elasticsearch" -ELASTICSEARCH_ENDPOINT="http://elasticsearch:9200" -# If elastic search is secured only please set the below three variables -#with proper values or else leave it blank -ELASTICSEARCH_USERNAME= -ELASTICSEARCH_PASSWORD= -ELASTICSEARCH_CERTPATH= -#ELASTICSEARCH_CERTPATH=/usr/share/elasticsearch/config/certs/ca/ca.crt +# Datastore configuration +DATASTORE_HOST=datastore-cp +DATASTORE_USERNAME=admin +DATASTORE_PASSWORD=MyPassword@123 # JAEGER Tracing JAEGER_TRACING_IMAGE=jaegertracing/all-in-one:latest JAEGER_COLLECTOR_PORT=4317 JAEGER_UI_PORT=16686 -#NGINX images +#NGINX configuration 
NGINX_CERTPATH="/usr/share/certs/" NGINX_DOMAIN_NAME="localhost" -NGINX_HTTP_PORT="81" NGINX_HTTPS_PORT="444" NGINX_CER_SUBJECT="/C=GB/ST=London/L=London/O=demo/OU=demo" -CERTIFICATE_FILENAME=webmethods_not_for_production.jks - SERVER_PORT=8443 SERVER_SSL_ENABLED=true -SERVER_SSL_KEY_ALIAS=controlplane -SERVER_SSL_KEY_PASSWORD= +SERVER_SSL_KEY_ALIAS=webmethods +SERVER_SSL_KEY_PASSWORD=webmethods SERVER_SSL_KEY_STORE_PASSWORD=webmethods SERVER_SSL_KEY_STORE_TYPE=JKS -SERVER_SSL_KEY_STORE=file:/opt/softwareag/certs/${CERTIFICATE_FILENAME} - -LICENSE_FILE_NAME=my_cp_license.xml +SERVER_SSL_KEY_STORE=/certs/keystore.jks # Mounted path +SERVER_SSL_TRUST_STORE=/certs/truststore.jks # Mounted path +SERVER_SSL_TRUST_STORE_PASSWORD=webmethods diff --git a/deployment/docker/asset-catalog/asset-catalog-config.env b/deployment/docker/asset-catalog/asset-catalog-config.env index baa39c9..48150b5 100644 --- a/deployment/docker/asset-catalog/asset-catalog-config.env +++ b/deployment/docker/asset-catalog/asset-catalog-config.env @@ -3,5 +3,20 @@ # Open telemetry agent OTEL_JAVAAGENT_ENABLED=false -# Microservice Endpoint -APICP_ENGINE_ENDPOINT=http://engine:8080 +# Connectivity to other services +APICP_ENGINE_ENDPOINT=https://engine:8080 + +# JWKS URI +APICP_AUTH_JWKS_URI=https://ingress:8443/api/ingress/v1/discovery/keys + +# Https Configurations +server.port=8443 +server.ssl.enabled=true +server.ssl.key-store=${SERVER_SSL_KEY_STORE} +server.ssl.key-alias=${SERVER_SSL_KEY_ALIAS} +server.ssl.key-password=${SERVER_SSL_KEY_PASSWORD} +server.ssl.key-store-password=${SERVER_SSL_KEY_STORE_PASSWORD} +server.ssl.key-store-type=${SERVER_SSL_KEY_STORE_TYPE} +server.ssl.trust-store=${SERVER_SSL_TRUST_STORE} +server.ssl.trust-store-password=${SERVER_SSL_TRUST_STORE_PASSWORD} +server.ssl.client-auth=NEED \ No newline at end of file 
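Review bot: `DATASTORE_PASSWORD=MyPassword@123` with `DATASTORE_USERNAME=admin`, plus `webmethods` for `SERVER_SSL_KEY_PASSWORD`, `SERVER_SSL_KEY_STORE_PASSWORD` and `SERVER_SSL_TRUST_STORE_PASSWORD`, are committed here as working defaults. The removed Elasticsearch block left its credential variables blank. I would keep `DATASTORE_PASSWORD=` empty under a comment line such as `# Set locally or via a secret store; never commit a real value`, and have the stack refuse to start when it is unset. The image variables now point at `cp.stg.icr.io` with the mutable tag `suite-int-stable`, so what gets deployed can change without a commit; pinning a version or digest would make it reproducible. The trailing `# Mounted path` on `SERVER_SSL_KEY_STORE` and `SERVER_SSL_TRUST_STORE` is only stripped by some env-file loaders, so putting that comment on its own line above each variable is safer.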
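Review bot: `APICP_ENGINE_ENDPOINT=https://engine:8080` changes only the scheme. This same file moves the service's own listener to `server.port=8443` and points the JWKS URI at `https://ingress:8443`. If the engine receives the same TLS settings (its config is not visible here), the endpoint most likely needs to be `https://engine:8443`. `server.ssl.client-auth=NEED` would benefit from a comment line above it, for example `# mTLS: callers must present a certificate trusted by SERVER_SSL_TRUST_STORE`, so operators know why plain HTTPS clients are rejected. The `${SERVER_SSL_...}` references depend on the env-file loader interpolating variables, which is worth confirming with `docker compose config` before relying on it.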
diff --git a/deployment/docker/asset-catalog/asset-catalog-config.debug.env b/deployment/docker/asset-catalog/asset-catalog-config.otel.env similarity index 82% rename from deployment/docker/asset-catalog/asset-catalog-config.debug.env rename to deployment/docker/asset-catalog/asset-catalog-config.otel.env index 3996c84..18be8ed 100644 --- a/deployment/docker/asset-catalog/asset-catalog-config.debug.env +++ b/deployment/docker/asset-catalog/asset-catalog-config.otel.env @@ -1,4 +1,4 @@ -# Asset Catalog service configurations for debug mode +# Asset Catalog service configurations for OpenTelemetry # Open telemetry agent OTEL_JAVAAGENT_ENABLED=true diff --git a/deployment/docker/asset-catalog/asset-catalog.yaml b/deployment/docker/asset-catalog/asset-catalog.yaml index e8b890b..125adf0 100644 --- a/deployment/docker/asset-catalog/asset-catalog.yaml +++ b/deployment/docker/asset-catalog/asset-catalog.yaml 
@@ -14,25 +14,26 @@ services: restart_policy: condition: "no" env_file: - - asset-catalog-config.env - - ../elasticsearch/es-config.env + - asset-catalog-config.env + - ../datastore/datastore-config.env healthcheck: - test: ["CMD", "curl", "-f", "http://asset-catalog:8080/api/assetcatalog/health"] + test: ["CMD", "curl", "-fk", "--cert", "/certs/ac-cert.pem", "--key", "/certs/ac-key.pem", "https://asset-catalog:8443/api/assetcatalog/health"] interval: 30s timeout: 10s retries: 5 + volumes: + - ../../certs/keystore-ac.jks:/certs/keystore.jks + - ../../certs/truststore-ac.jks:/certs/truststore.jks + - ../../certs/ac-cert.pem:/certs/ac-cert.pem + - ../../certs/ac-key.pem:/certs/ac-key.pem networks: - - ibm-webmethods-api-management - asset-catalog-debug: + - ibm-wm-api-cp-nw + + asset-catalog-otel: <<: *asset-catalog-service env_file: - - asset-catalog-config.env - - asset-catalog-config.debug.env - - ../elasticsearch/es-config.env + - asset-catalog-config.env + - asset-catalog-config.otel.env + - ../datastore/datastore-config.env ports: - - ${ASSETCATALOG_PUBLISH_PORT}:8080 - - asset-catalog-secure-es: - <<: *asset-catalog-service - volumes: - - es-certs:/usr/share/elasticsearch/config/certs + - ${ASSETCATALOG_PUBLISH_PORT}:8443 diff --git a/deployment/docker/control-plane-secure-es.yaml b/deployment/docker/control-plane-secure-es.yaml deleted file mode 100644 index adb3d2b..0000000 --- a/deployment/docker/control-plane-secure-es.yaml +++ /dev/null 
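Review bot: The new healthcheck passes `-k` to curl (`"-fk"`), which disables verification of the server certificate, so the probe would report healthy for any TLS endpoint answering on that name. `ac-cert.pem` is listed with identical subject and issuer, so it can act as its own trust anchor: replace `"-fk"` with `"-f", "--cacert", "/certs/ac-cert.pem"`, provided the certificate's SAN covers the `asset-catalog` host name. The four bind mounts under `volumes:` are writable inside the container; appending `:ro`, as in `- ../../certs/ac-key.pem:/certs/ac-key.pem:ro`, keeps the key and stores from being modified by the service. The service definition begins above this hunk, so the image and user it runs as are not visible here.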
@@ -1,77 +0,0 @@ -version: '3.8' -services: - nginx: - extends: - file: nginx/nginx.yaml - service: nginx - depends_on: - ingress: - condition: service_healthy - nginx_setup: - extends: - file: nginx/nginx.yaml - service: nginx_setup - ingress: - extends: - file: ingress/ingress.yaml - service: ingress-secure-es - depends_on: - engine: - condition: service_healthy - asset-catalog: - condition: service_healthy - ui: - condition: service_healthy - environment: - - server.forward-headers-strategy=NATIVE - ui: - extends: - file: ui/ui.yaml - service: ui-secure-es - depends_on: - engine: - condition: service_healthy - asset-catalog: - condition: service_healthy - engine: - extends: - file: engine/engine.yaml - service: engine-secure-es - depends_on: - asset-catalog: - condition: service_healthy - asset-catalog: - extends: - file: asset-catalog/asset-catalog.yaml - service: asset-catalog-secure-es - depends_on: - elasticsearch: - condition: service_healthy - elasticsearch: - extends: - file: elasticsearch/elasticsearch-secure.yaml - service: elasticsearch-secure - certificates_setup: - extends: - file: elasticsearch/elasticsearch-secure.yaml - service: certificates_setup - jaeger-tracing: - extends: - file: jaeger-tracing/jaeger-tracing.yaml - service: jaeger-tracing - -volumes: - es-data: - driver: local - es-certs: - driver: local - nginx-certs: - driver: local - conf.d: - driver: local - - -networks: - ibm-webmethods-api-management: - name: ibm-webmethods-api-management - driver: bridge \ No newline at end of file diff --git a/deployment/docker/control-plane.debug.yaml b/deployment/docker/control-plane.debug.yaml index 6bc3db3..5b60b0b 100644 --- a/deployment/docker/control-plane.debug.yaml +++ b/deployment/docker/control-plane.debug.yaml 
@@ -1,20 +1,20 @@ version: '3.8' services: nginx: - extends: - file: nginx/nginx.yaml - service: nginx depends_on: ingress: condition: service_healthy + nginx_setup: + condition: service_completed_successfully + extends: + file: nginx/nginx.yaml + service: nginx nginx_setup: extends: file: nginx/nginx.yaml service: nginx_setup + ingress: - extends: - file: ingress/ingress.yaml - service: ingress depends_on: engine: condition: service_healthy @@ -22,42 +22,50 @@ services: condition: service_healthy ui: condition: service_healthy + extends: + file: ingress/ingress.yaml + service: ingress-otel environment: - server.forward-headers-strategy=NATIVE + ui: - extends: - file: ui/ui.yaml - service: ui-debug depends_on: engine: condition: service_healthy asset-catalog: condition: service_healthy - engine: extends: - file: engine/engine.yaml - service: engine-debug + file: ui/ui.yaml + service: ui-otel + + engine: depends_on: asset-catalog: condition: service_healthy - asset-catalog: extends: - file: asset-catalog/asset-catalog.yaml - service: asset-catalog-debug + file: engine/engine.yaml + service: engine-otel + + asset-catalog: depends_on: - elasticsearch: + datastore-cp: condition: service_healthy - elasticsearch: extends: - file: elasticsearch/elasticsearch.yaml - service: elasticsearch + file: asset-catalog/asset-catalog.yaml + service: asset-catalog-otel + + datastore-cp: + extends: + file: datastore/datastore.yaml + service: datastore + jaeger-tracing: extends: file: jaeger-tracing/jaeger-tracing.yaml service: jaeger-tracing volumes: - es-data: + datastore-cp-data: driver: local nginx-certs: driver: local @@ -65,6 +73,6 @@ volumes: driver: local networks: - ibm-webmethods-api-management: - name: ibm-webmethods-api-management + ibm-wm-api-cp-nw: + name: ibm-wm-api-cp-nw driver: bridge \ No newline at end of file diff --git a/deployment/docker/control-plane.gainsight.yaml b/deployment/docker/control-plane.gainsight.yaml index 62b9e95..c789ca0 100644 
--- a/deployment/docker/control-plane.gainsight.yaml +++ b/deployment/docker/control-plane.gainsight.yaml @@ -1,20 +1,20 @@ version: '3.8' services: nginx: - extends: - file: nginx/nginx.yaml - service: nginx depends_on: ingress: condition: service_healthy + nginx_setup: + condition: service_completed_successfully + extends: + file: nginx/nginx.yaml + service: nginx nginx_setup: extends: file: nginx/nginx.yaml service: nginx_setup + ingress: - extends: - file: ingress/ingress.yaml - service: ingress-gainsight depends_on: engine: condition: service_healthy @@ -22,38 +22,45 @@ services: condition: service_healthy ui: condition: service_healthy + extends: + file: ingress/ingress.yaml + service: ingress-gainsight environment: - server.forward-headers-strategy=NATIVE + ui: - extends: - file: ui/ui.yaml - service: ui-gainsight depends_on: engine: condition: service_healthy asset-catalog: condition: service_healthy - engine: extends: - file: engine/engine.yaml - service: engine-debug + file: ui/ui.yaml + service: ui-gainsight + + engine: depends_on: asset-catalog: condition: service_healthy - asset-catalog: extends: - file: asset-catalog/asset-catalog.yaml - service: asset-catalog-debug + file: engine/engine.yaml + service: engine + + asset-catalog: depends_on: - elasticsearch: + datastore-cp: condition: service_healthy - elasticsearch: extends: - file: elasticsearch/elasticsearch.yaml - service: elasticsearch + file: asset-catalog/asset-catalog.yaml + service: asset-catalog + + datastore-cp: + extends: + file: datastore/datastore.yaml + service: datastore volumes: - es-data: + datastore-cp-data: driver: local nginx-certs: driver: local @@ -61,6 +68,6 @@ volumes: driver: local networks: - ibm-webmethods-api-management: - name: ibm-webmethods-api-management + ibm-wm-api-cp-nw: + name: ibm-wm-api-cp-nw driver: bridge \ No newline at end of file diff --git a/deployment/docker/control-plane.yaml b/deployment/docker/control-plane.yaml index de60d44..681e6c8 100644 
--- a/deployment/docker/control-plane.yaml +++ b/deployment/docker/control-plane.yaml @@ -1,20 +1,20 @@ version: '3.8' services: nginx: - extends: - file: nginx/nginx.yaml - service: nginx depends_on: ingress: condition: service_healthy + nginx_setup: + condition: service_completed_successfully + extends: + file: nginx/nginx.yaml + service: nginx nginx_setup: extends: file: nginx/nginx.yaml service: nginx_setup + ingress: - extends: - file: ingress/ingress.yaml - service: ingress depends_on: engine: condition: service_healthy @@ -22,49 +22,59 @@ services: condition: service_healthy ui: condition: service_healthy + extends: + file: ingress/ingress.yaml + service: ingress environment: - server.forward-headers-strategy=NATIVE + ui: - extends: - file: ui/ui.yaml - service: ui depends_on: engine: condition: service_healthy asset-catalog: condition: service_healthy + extends: + file: ui/ui.yaml + service: ui + engine: + depends_on: + asset-catalog: + condition: service_healthy extends: file: engine/engine.yaml service: engine + + asset-catalog: depends_on: - asset-catalog: + datastore-cp: condition: service_healthy - asset-catalog: extends: file: asset-catalog/asset-catalog.yaml service: asset-catalog - depends_on: - elasticsearch: - condition: service_healthy - elasticsearch: + + datastore-cp: extends: - file: elasticsearch/elasticsearch.yaml - service: elasticsearch + file: datastore/datastore.yaml + service: datastore + jaeger-tracing: extends: file: jaeger-tracing/jaeger-tracing.yaml service: jaeger-tracing volumes: - es-data: + datastore-cp-data: driver: local nginx-certs: driver: local conf.d: driver: local + pem_files: + driver: local networks: - ibm-webmethods-api-management: - name: ibm-webmethods-api-management + ibm-wm-api-cp-nw: + name: ibm-wm-api-cp-nw driver: bridge \ No newline at end of file diff --git a/deployment/docker/datastore/datastore-config.env b/deployment/docker/datastore/datastore-config.env new file mode 100644 index 0000000..5188fba 
--- /dev/null +++ b/deployment/docker/datastore/datastore-config.env @@ -0,0 +1,17 @@ +# Datastore service configurations + +# Connectivity config +APICP_STORE_ASSETS_HOST=${DATASTORE_HOST} +APICP_STORE_ASSETS_PORT=9200 +APICP_STORE_ASSETS_USERNAME=${DATASTORE_USERNAME} +APICP_STORE_ASSETS_PASSWORD=${DATASTORE_PASSWORD} + +# SSL config +APICP_STORE_ASSETS_ENABLE_SSL=true + +APICP_STORE_ASSETS_KEYSTORE_FILE_PATH=/certs/keystore.jks +APICP_STORE_ASSETS_KEYSTORE_PASSWORD=webmethods +APICP_STORE_ASSETS_KEYSTORE_ALIAS_NAME=webmethods + +APICP_STORE_ASSETS_TRUSTSTORE_FILE_PATH=/certs/truststore.jks +APICP_STORE_ASSETS_TRUSTSTORE_PASSWORD=webmethods \ No newline at end of file diff --git a/deployment/docker/datastore/datastore.yaml b/deployment/docker/datastore/datastore.yaml new file mode 100644 index 0000000..b7dfd14 --- /dev/null +++ b/deployment/docker/datastore/datastore.yaml 
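Review bot: The keystore and truststore passwords in the new datastore-config.env are committed as the literal `webmethods`, while the host, username and password a few lines above come from `${DATASTORE_HOST}`, `${DATASTORE_USERNAME}` and `${DATASTORE_PASSWORD}`. Anyone who can read the repository then knows the password protecting the keystores mounted from `../../certs/`. These entries should follow the same pattern, e.g. `APICP_STORE_ASSETS_KEYSTORE_PASSWORD=${DATASTORE_KEYSTORE_PASSWORD}` (variable name is a suggestion), with the value supplied from an untracked file. The same literal appears in the `plugins.security.ssl.http.*_password` entries of datastore.yaml and in the `APICP_INGRESS_TOKEN_SIGNATURE_KEY_STORE_PASSWORD` / `APICP_INGRESS_TOKEN_SIGNATURE_KEY_PASSWORD` entries of ingress-config.env, where it protects the token-signing key. If the default has to stay for a demo setup, add a comment such as `# Demo value only; override before any shared deployment`.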
@@ -0,0 +1,51 @@ +services: + datastore: &datastore-service + image: ${DATASTORE_IMAGE} + container_name: datastore-cp + hostname: datastore-cp + restart: "on-failure" + deploy: + resources: + limits: + memory: 2G + cpus: '1' + reservations: + memory: 2G + cpus: '1' + ports: + - ${DATASTORE_PUBLISH_PORT}:9200 + environment: + - discovery.type=single-node + - node.name=webmethods + - cluster.name=webmethods + - bootstrap.memory_lock=true + - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${DATASTORE_PASSWORD} + - plugins.security.ssl.http.enabled=true + - plugins.security.ssl.http.keystore_type=JKS + - plugins.security.ssl.http.keystore_filepath=/usr/share/opensearch/config/certs/keystore.jks + - plugins.security.ssl.http.keystore_alias=webmethods + - plugins.security.ssl.http.keystore_password=webmethods + - plugins.security.ssl.http.keystore_keypassword=webmethods + - plugins.security.ssl.http.truststore_type=JKS + - plugins.security.ssl.http.truststore_filepath=/usr/share/opensearch/config/certs/truststore.jks + - plugins.security.ssl.http.truststore_password=webmethods + - plugins.security.ssl.http.clientauth_mode=REQUIRE + - plugins.index_state_management.history.max_age=7d + - plugins.index_state_management.history.rollover_retention_period=0ms + ulimits: + memlock: + soft: -1 + hard: -1 + healthcheck: + test: [ "CMD-SHELL", "curl -fk --cert /certs/os-cert.pem --key /certs/os-key.pem https://localhost:9200 -u \"${DATASTORE_USERNAME}:${DATASTORE_PASSWORD}\"" ] + interval: 10s + timeout: 10s + retries: 10 + volumes: + - datastore-cp-data:/usr/share/opensearch/data + - ../../certs/keystore-os.jks:/usr/share/opensearch/config/certs/keystore.jks + - ../../certs/truststore-os.jks:/usr/share/opensearch/config/certs/truststore.jks + - ../../certs/os-cert.pem:/certs/os-cert.pem + - ../../certs/os-key.pem:/certs/os-key.pem + networks: + - ibm-wm-api-cp-nw 
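Review bot: The healthcheck's `-u \"${DATASTORE_USERNAME}:${DATASTORE_PASSWORD}\"` is interpolated by Compose when the file is parsed, so the admin password is stored verbatim in the container's healthcheck definition and appears on curl's command line on every run. A password containing `"`, `$` or a backtick would also alter the `CMD-SHELL` string. Escaping the dollar sign defers expansion to the container's shell, which already holds the value in its environment: `-u \"admin:$$OPENSEARCH_INITIAL_ADMIN_PASSWORD\"` (adjust the user name if it is not `admin`). Separately, `${DATASTORE_PUBLISH_PORT}:9200` publishes the datastore on every host interface; `127.0.0.1:${DATASTORE_PUBLISH_PORT}:9200` keeps it local if only host-side tooling needs it.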
diff --git a/deployment/docker/engine/engine-config.env b/deployment/docker/engine/engine-config.env index e2fe02b..74b576a 100644 --- a/deployment/docker/engine/engine-config.env +++ b/deployment/docker/engine/engine-config.env @@ -4,4 +4,19 @@ OTEL_JAVAAGENT_ENABLED=false # Connectivity to other services -APICP_ASSET_CATALOG_ENDPOINT=http://asset-catalog:8080 \ No newline at end of file +APICP_ASSET_CATALOG_ENDPOINT=https://asset-catalog:8443 + +# JWKS URI +APICP_AUTH_JWKS_URI=https://ingress:8443/api/ingress/v1/discovery/keys + +# Https Configurations +server.port=8443 +server.ssl.enabled=true +server.ssl.key-store=${SERVER_SSL_KEY_STORE} +server.ssl.key-alias=${SERVER_SSL_KEY_ALIAS} +server.ssl.key-password=${SERVER_SSL_KEY_PASSWORD} +server.ssl.key-store-password=${SERVER_SSL_KEY_STORE_PASSWORD} +server.ssl.key-store-type=${SERVER_SSL_KEY_STORE_TYPE} +server.ssl.trust-store=${SERVER_SSL_TRUST_STORE} +server.ssl.trust-store-password=${SERVER_SSL_TRUST_STORE_PASSWORD} +server.ssl.client-auth=NEED \ No newline at end of file diff --git a/deployment/docker/engine/engine-config.debug.env b/deployment/docker/engine/engine-config.otel.env similarity index 83% rename from deployment/docker/engine/engine-config.debug.env rename to deployment/docker/engine/engine-config.otel.env index c686ffa..4b6241d 100644 --- a/deployment/docker/engine/engine-config.debug.env +++ b/deployment/docker/engine/engine-config.otel.env @@ -1,4 +1,4 @@ -# Engine service configurations for debug mode +# Engine service configurations for OpenTelemetry # Open telemetry agent OTEL_JAVAAGENT_ENABLED=true diff --git a/deployment/docker/engine/engine.yaml b/deployment/docker/engine/engine.yaml index ce2b843..988e683 100644 --- a/deployment/docker/engine/engine.yaml +++ b/deployment/docker/engine/engine.yaml 
@@ -14,25 +14,26 @@ services: restart_policy: condition: "no" env_file: - - engine-config.env - - ../elasticsearch/es-config.env + - engine-config.env + - ../datastore/datastore-config.env healthcheck: - test: ["CMD", "curl", "-f", "http://engine:8080/api/engine/health"] + test: ["CMD", "curl", "-fk", "--cert", "/certs/en-cert.pem", "--key", "/certs/en-key.pem", "https://engine:8443/api/engine/health"] interval: 30s timeout: 10s retries: 5 + volumes: + - ../../certs/keystore-en.jks:/certs/keystore.jks + - ../../certs/truststore-en.jks:/certs/truststore.jks + - ../../certs/en-cert.pem:/certs/en-cert.pem + - ../../certs/en-key.pem:/certs/en-key.pem networks: - - ibm-webmethods-api-management - engine-debug: + - ibm-wm-api-cp-nw + + engine-otel: <<: *engine-service env_file: - - engine-config.env - - engine-config.debug.env - - ../elasticsearch/es-config.env + - engine-config.env + - engine-config.otel.env + - ../datastore/datastore-config.env ports: - - ${ENGINE_PUBLISH_PORT}:8080 - - engine-secure-es: - <<: *engine-service - volumes: - - es-certs:/usr/share/elasticsearch/config/certs \ No newline at end of file + - ${ENGINE_PUBLISH_PORT}:8443 \ No newline at end of file diff --git a/deployment/docker/ingress/ingress-config.env b/deployment/docker/ingress/ingress-config.env index 68cabb1..c0800e0 100644 --- a/deployment/docker/ingress/ingress-config.env +++ b/deployment/docker/ingress/ingress-config.env 
@@ -12,7 +12,10 @@ com.softwareag.api.umc.oauth.api.secrets= com.softwareag.api.umc.oauth.authorize.endpoint= com.softwareag.api.umc.oauth.access.endpoint= com.softwareag.api.umc.oauth.user.endpoint= +com.softwareag.api.umc.notification.passwordResetRequested.template=/template/PasswordResetRequestTemplate.html +com.softwareag.api.umc.notification.passwordChanged.template=/template/password_changed.html com.softwareag.api.umc.loadbalancer.url=https://localhost:${INGRESS_PUBLISH_PORT} +com.softwareag.api.umc.notification.smtp.host=fakesmtp # Software AG Cloud URL. Leave empty if not using Software AG Cloud for user management. APICP_SAG_CLOUD_URL= @@ -21,15 +24,25 @@ APICP_SAG_CLOUD_URL= OTEL_JAVAAGENT_ENABLED=false # Connectivity to other services -APICP_ENGINE_ENDPOINT='http://engine:8080' -APICP_ASSET_CATALOG_ENDPOINT='http://asset-catalog:8080' -APICP_UI_ENDPOINT='http://ui:8080' +APICP_ENGINE_ENDPOINT=https://engine:8443 +APICP_ASSET_CATALOG_ENDPOINT=https://asset-catalog:8443 +APICP_UI_ENDPOINT=https://ui:8443 +# Https Configurations server.ssl.enabled=${SERVER_SSL_ENABLED} server.ssl.key_alias=${SERVER_SSL_KEY_ALIAS} server.ssl.key_password=${SERVER_SSL_KEY_PASSWORD} server.ssl.key_store_password=${SERVER_SSL_KEY_STORE_PASSWORD} server.ssl.key_store_type=${SERVER_SSL_KEY_STORE_TYPE} server.ssl.key_store=${SERVER_SSL_KEY_STORE} +server.ssl.trust-store=${SERVER_SSL_TRUST_STORE} +server.ssl.trust-store-password=${SERVER_SSL_TRUST_STORE_PASSWORD} +server.ssl.client-auth=NEED -APICP_LICENSE_PATH=/home/license/${LICENSE_FILE_NAME} \ No newline at end of file +APICP_STUDIO_ENABLED=false + +# JWT properties +APICP_INGRESS_TOKEN_SIGNATURE_KEY_STORE=/certs/jwt_keystore.jks +APICP_INGRESS_TOKEN_SIGNATURE_KEY_STORE_PASSWORD=webmethods +APICP_INGRESS_TOKEN_SIGNATURE_KEY_ALIAS=ibm +APICP_INGRESS_TOKEN_SIGNATURE_KEY_PASSWORD=webmethods \ No newline at end of file 
diff --git a/deployment/docker/ingress/ingress-config.debug.env b/deployment/docker/ingress/ingress-config.otel.env similarity index 83% rename from deployment/docker/ingress/ingress-config.debug.env rename to deployment/docker/ingress/ingress-config.otel.env index 1869bd8..b78deec 100644 --- a/deployment/docker/ingress/ingress-config.debug.env +++ b/deployment/docker/ingress/ingress-config.otel.env @@ -1,4 +1,4 @@ -# Ingress service configurations for debug mode +# Ingress service configurations for OpenTelemetry # Open telemetry agent OTEL_JAVAAGENT_ENABLED=true diff --git a/deployment/docker/ingress/ingress.yaml b/deployment/docker/ingress/ingress.yaml index 8a026fe..c20835b 100644 --- a/deployment/docker/ingress/ingress.yaml +++ b/deployment/docker/ingress/ingress.yaml 
@@ -14,44 +14,36 @@ services: restart_policy: condition: "no" env_file: - - ingress-config.env - - ../elasticsearch/es-config.env - ports: - - ${INGRESS_PUBLISH_PORT}:8443 + - ingress-config.env + - ../datastore/datastore-config.env healthcheck: - test: ["CMD", "curl", "-fk", "https://ingress:8443/api/ingress/health"] + test: ["CMD", "curl", "-fk", "--cert", "/certs/in-cert.pem", "--key", "/certs/in-key.pem", "https://ingress:8443/api/ingress/health"] interval: 30s timeout: 10s retries: 5 - networks: - - ibm-webmethods-api-management volumes: - - ../../license/${LICENSE_FILE_NAME}:/home/license/${LICENSE_FILE_NAME} - - ../../certs/${CERTIFICATE_FILENAME}:/opt/softwareag/certs/${CERTIFICATE_FILENAME} + - ./PasswordResetRequestTemplate.html:/template/PasswordResetRequestTemplate.html:ro + - ./password_changed.html:/template/password_changed.html + - ../../certs/jwt_keystore.jks:/certs/jwt_keystore.jks + - ../../certs/keystore-in.jks:/certs/keystore.jks + - ../../certs/truststore-in.jks:/certs/truststore.jks + - ../../certs/in-cert.pem:/certs/in-cert.pem + - ../../certs/in-key.pem:/certs/in-key.pem + networks: + - ibm-wm-api-cp-nw - ingress-debug: + ingress-otel: <<: *ingress-service env_file: - - ingress-config.env - - ingress-config.debug.env - - ../elasticsearch/es-config.env - volumes: - - ../../license/${LICENSE_FILE_NAME}:/home/license/${LICENSE_FILE_NAME} - - ../../certs/${CERTIFICATE_FILENAME}:/opt/softwareag/certs/${CERTIFICATE_FILENAME} + - ingress-config.env + - ingress-config.otel.env + - ../datastore/datastore-config.env + ports: + - ${INGRESS_PUBLISH_PORT}:8443 ingress-gainsight: <<: *ingress-service env_file: - ingress-config.env - ingress-config.gainsight.env - - ../elasticsearch/es-config.env - volumes: - - ../../license/${LICENSE_FILE_NAME}:/home/license/${LICENSE_FILE_NAME} - - ../../certs/${CERTIFICATE_FILENAME}:/opt/softwareag/certs/${CERTIFICATE_FILENAME} - - ingress-secure-es: - <<: *ingress-service - volumes: - - 
es-certs:/usr/share/elasticsearch/config/certs - - ../../license/${LICENSE_FILE_NAME}:/home/license/${LICENSE_FILE_NAME} - - ../../certs/${CERTIFICATE_FILENAME}:/opt/softwareag/certs/${CERTIFICATE_FILENAME} + - ../datastore/datastore-config.env diff --git a/deployment/docker/nginx/nginx.yaml b/deployment/docker/nginx/nginx.yaml index e6ef165..3ae7468 100644 --- a/deployment/docker/nginx/nginx.yaml +++ b/deployment/docker/nginx/nginx.yaml @@ -7,18 +7,19 @@ services: restart_policy: condition: "on-failure" ports: - - "${NGINX_HTTP_PORT}:80" + - "80:80" - "${NGINX_HTTPS_PORT}:443" healthcheck: - test: ["CMD", "curl", "-f", "http://nginx:80"] + test: ["CMD", "curl", "-fk", "https://nginx:443"] interval: 30s timeout: 10s retries: 5 volumes: - conf.d:/etc/nginx/conf.d - nginx-certs:/etc/nginx/certs + - ../../certs:/usr/share/certs networks: - - ibm-webmethods-api-management + - ibm-wm-api-cp-nw nginx_setup: @@ -40,7 +41,7 @@ services: proxy_pass https://ingress:8443; proxy_set_header X-Forwarded-Proto http; proxy_set_header Host ${NGINX_DOMAIN_NAME}; - proxy_set_header X-Forwarded-Port ${NGINX_HTTP_PORT}; + proxy_set_header X-Forwarded-Port "80"; } } server { 
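Review bot: `- ../../certs:/usr/share/certs` mounts the whole certs directory into the nginx container, read-write. Going by the other compose files in this change, that directory also holds the other services' private keys and keystores (`ac-key.pem`, `en-key.pem`, `in-key.pem`, `jwt_keystore.jks`, …). The server block only reads `nginx-cert.crt` and `nginx-key.key`, so mounting just those two files read-only keeps a compromise of the front proxy from exposing the internal keys: `- ../../certs/nginx-cert.crt:/usr/share/certs/nginx-cert.crt:ro` and `- ../../certs/nginx-key.key:/usr/share/certs/nginx-key.key:ro`. The same hunk replaces `${NGINX_HTTP_PORT}` with a fixed `80:80`; if that is intentional, a short comment saying why would help. The service definition starts outside the hunk.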
@@ -49,21 +50,24 @@ services: ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; - ssl_certificate /etc/nginx/certs/${NGINX_DOMAIN_NAME}.crt; - ssl_certificate_key /etc/nginx/certs/${NGINX_DOMAIN_NAME}.key; + ssl_certificate /usr/share/certs/nginx-cert.crt; + ssl_certificate_key /usr/share/certs/nginx-key.key; + location / { proxy_pass https://ingress:8443; proxy_set_header X-Forwarded-Proto https; proxy_set_header Host ${NGINX_DOMAIN_NAME}; proxy_set_header X-Forwarded-Port ${NGINX_HTTPS_PORT}; + + # Configure Nginx as a client using self-signed certs + proxy_ssl_certificate /usr/share/certs/nginx-cert.crt; + proxy_ssl_certificate_key /usr/share/certs/nginx-key.key; + + #proxy_ssl_trusted_certificate /usr/share/certs/in-cert.pem; + proxy_ssl_verify off; } } " > /usr/share/conf.d/default.conf ' - healthcheck: - test: ["CMD-SHELL"] - interval: 1s - timeout: 5s - retries: 120 networks: - - ibm-webmethods-api-management \ No newline at end of file + - ibm-wm-api-cp-nw \ No newline at end of file diff --git a/deployment/docker/ui/ui-config.env b/deployment/docker/ui/ui-config.env index 191a622..a578248 100644 --- a/deployment/docker/ui/ui-config.env +++ b/deployment/docker/ui/ui-config.env 
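Review bot: `proxy_ssl_verify off;` with `proxy_ssl_trusted_certificate` commented out means nginx presents its client certificate to whatever answers as `ingress:8443` without checking that peer's certificate. The upstream leg is therefore encrypted but not authenticated in that direction. Enabling the commented line and setting `proxy_ssl_verify on;` closes this, provided the ingress certificate carries a name matching `ingress`; otherwise `proxy_ssl_name` has to be set to a name it does carry. If verification has to stay off for now, a comment stating that and why is better than a bare commented-out directive. The enclosing `command:` block starts outside the hunk.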
@@ -4,5 +4,21 @@ OTEL_JAVAAGENT_ENABLED=false # Connectivity to other services -APICP_ENGINE_ENDPOINT=http://engine:8080 -APICP_ASSET_CATALOG_ENDPOINT=http://asset-catalog:8080 +APICP_ENGINE_ENDPOINT=https://engine:8443 +APICP_ASSET_CATALOG_ENDPOINT=https://asset-catalog:8443 + +# JWKS URI +APICP_AUTH_JWKS_URI=http://ingress:8080/api/ingress/v1/discovery/keys + +# Https Configurations +server.port=8443 +server.ssl.enabled=true +server.ssl.key-store=${SERVER_SSL_KEY_STORE} +server.ssl.key-alias=${SERVER_SSL_KEY_ALIAS} +server.ssl.key-password=${SERVER_SSL_KEY_PASSWORD} +server.ssl.key-store-password=${SERVER_SSL_KEY_STORE_PASSWORD} +server.ssl.key-store-type=${SERVER_SSL_KEY_STORE_TYPE} + +server.ssl.trust-store=${SERVER_SSL_TRUST_STORE} +server.ssl.trust-store-password=${SERVER_SSL_TRUST_STORE_PASSWORD} +server.ssl.client-auth=NEED \ No newline at end of file diff --git a/deployment/docker/ui/ui-config.debug.env b/deployment/docker/ui/ui-config.otel.env similarity index 100% rename from deployment/docker/ui/ui-config.debug.env rename to deployment/docker/ui/ui-config.otel.env diff --git a/deployment/docker/ui/ui.yaml b/deployment/docker/ui/ui.yaml index cd67a9f..d138785 100644 --- a/deployment/docker/ui/ui.yaml +++ b/deployment/docker/ui/ui.yaml 
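Review bot: `APICP_AUTH_JWKS_URI=http://ingress:8080/api/ingress/v1/discovery/keys` is the one endpoint in this file still on plain HTTP and port 8080. engine-config.env in the same change uses `https://ingress:8443/api/ingress/v1/discovery/keys`, and the ingress healthcheck targets 8443. The keys fetched from this URI presumably decide which token signatures the UI accepts, so they should not travel over an unauthenticated channel, and the fetch may fail outright if 8080 is no longer served. Suggested line: `APICP_AUTH_JWKS_URI=https://ingress:8443/api/ingress/v1/discovery/keys`.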
@@ -14,29 +14,32 @@ services: restart_policy: condition: "no" env_file: - - ui-config.env + - ui-config.env healthcheck: - test: ["CMD", "curl", "-f", "http://ui:8080/controlplane/api/ui/health"] + test: ["CMD", "curl", "-fk", "--cert", "/certs/ui-cert.pem", "--key", "/certs/ui-key.pem", "https://ui:8443/controlplane/api/ui/health"] interval: 30s timeout: 10s retries: 5 + volumes: + - ../../certs/keystore-ui.jks:/certs/keystore.jks + - ../../certs/truststore-ui.jks:/certs/truststore.jks + - ../../certs/ui-cert.pem:/certs/ui-cert.pem + - ../../certs/ui-key.pem:/certs/ui-key.pem networks: - - ibm-webmethods-api-management - ui-debug: + - ibm-wm-api-cp-nw + + ui-otel: <<: *ui-service env_file: - - ui-config.env - - ui-config.debug.env + - ui-config.env + - ui-config.otel.env ports: - - ${UI_PUBLISH_PORT}:8080 + - ${UI_PUBLISH_PORT}:8443 + ui-gainsight: <<: *ui-service env_file: - ui-config.env - ui-config.gainsight.env ports: - - ${UI_PUBLISH_PORT}:8080 - ui-secure-es: - <<: *ui-service - volumes: - - es-certs:/usr/share/elasticsearch/config/certs \ No newline at end of file + - ${UI_PUBLISH_PORT}:8443 \ No newline at end of file diff --git a/deployment/helm/templates/assetcatalog_configmap.yaml b/deployment/helm/templates/assetcatalog_configmap.yaml index b06ec0e..ea54389 100644 --- a/deployment/helm/templates/assetcatalog_configmap.yaml +++ b/deployment/helm/templates/assetcatalog_configmap.yaml 
@@ -1,16 +1,42 @@ +# +# Copyright IBM Corp. 2024, 2025 +# apiVersion: v1 kind: ConfigMap metadata: name: {{ .Values.applications.assetcatalog.name }}-config data: - SERVICE_ELASTICSEARCH_HOST: {{ .Values.applications.es.name }}-lb - SERVICE_ELASTICSEARCH_PORT: "9200" - SERVICE_ELASTICSEARCH_CERTPATH: "" + APICP_STORE_ASSETS_HOST: {{ .Values.applications.datastore.name }}-lb + APICP_STORE_ASSETS_PORT: "9200" + APICP_STORE_ASSETS_USERNAME: "admin" + APICP_STORE_ASSETS_PASSWORD: "MyPassword@123" + APICP_STORE_ASSETS_ENABLE_SSL: "true" + APICP_STORE_ASSETS_KEYSTORE_FILE_PATH: "/certs/keystore-ac.jks" + APICP_STORE_ASSETS_KEYSTORE_PASSWORD: "webmethods" + APICP_STORE_ASSETS_KEYSTORE_ALIAS_NAME: "webmethods" + APICP_STORE_ASSETS_TRUSTSTORE_FILE_PATH: "/certs/truststore-ac.jks" + APICP_STORE_ASSETS_TRUSTSTORE_PASSWORD: "webmethods" + + + APICP_ENGINE_ENDPOINT: "https://{{ .Values.applications.engine.name }}-svc:8443" + APICP_AUTH_JWKS_URI: "https://{{ .Values.applications.ingress.name }}-svc:8443/api/ingress/v1/discovery/keys" + + SERVER_PORT: "8443" + SERVER_SSL_ENABLED: "true" + SERVER_SSL_KEY_ALIAS: "webmethods" + SERVER_SSL_KEY_PASSWORD: "webmethods" + SERVER_SSL_KEY_STORE: "/certs/keystore-ac.jks" + SERVER_SSL_KEY_STORE_PASSWORD: "webmethods" + SERVER_SSL_KEY_STORE_TYPE: "JKS" + + SERVER_SSL_TRUST_STORE: "/certs/truststore-ac.jks" + SERVER_SSL_TRUST_STORE_PASSWORD: "webmethods" + SERVER_SSL_CLIENT_AUTH: "NEED" + OTEL_JAVAAGENT_ENABLED: "{{ .Values.applications.jaegertracing.enabled }}" {{- if .Values.applications.jaegertracing.enabled }} OTEL_METRICS_EXPORTER: "none" - APICP_ENGINE_ENDPOINT: "http://{{ .Values.applications.engine.name }}-svc:8080" JAVA_OPTS: "-Dotel.exporter.otlp.endpoint=http://{{ .Values.applications.jaegertracing.name }}-svc:{{ .Values.applications.jaegertracing.port }} -Dotel.resource.attributes=service.name={{ .Values.applications.assetcatalog.name }}" LOGGING_LEVEL_COM_SOFTWAREAG_CONTROLPLANE: "{{ .Values.applications.assetcatalog.logLevel }}" 
{{- end }} ---- \ No newline at end of file +--- diff --git a/deployment/helm/templates/assetcatalog_deployment.yaml b/deployment/helm/templates/assetcatalog_deployment.yaml index 43e5d46..e80a287 100644 --- a/deployment/helm/templates/assetcatalog_deployment.yaml +++ b/deployment/helm/templates/assetcatalog_deployment.yaml @@ -1,3 +1,6 @@ +# +# Copyright IBM Corp. 2024, 2025 +# apiVersion: apps/v1 kind: Deployment metadata: @@ -21,9 +24,17 @@ spec: date: "{{ now | unixEpoch }}" spec: automountServiceAccountToken: false + volumes: + - name: certs + secret: + secretName: {{ .Values.secrets.certs.name }} containers: - image: {{ .Values.applications.assetcatalog.imageName }}:{{ .Values.applications.assetcatalog.imageTag }} name: {{ .Values.applications.assetcatalog.name }} + volumeMounts: + - name: certs + mountPath: {{ .Values.secrets.certs.mountPath }} + readOnly: true envFrom: - configMapRef: name: {{ .Values.applications.assetcatalog.name }}-config 
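Review bot: The asset-catalog ConfigMap now carries credentials in clear text, `APICP_STORE_ASSETS_PASSWORD: "MyPassword@123"` and the `webmethods` keystore, truststore and key passwords, and they are literals in the template rather than chart values. A ConfigMap is not intended for secret material: it is readable by anyone allowed to get configmaps in the namespace and is printed by `kubectl describe`. These keys belong in a Secret that the Deployment pulls in with a `secretRef` entry under `envFrom`, with values taken from `.Values` or an existing Secret. datastore_configmap.yaml has the same issue with `OPENSEARCH_INITIAL_ADMIN_PASSWORD`, and the readiness probe in datastore_statefulset.yaml repeats `admin:MyPassword@123` on its command line.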
@@ -39,29 +50,31 @@ spec: cpu: {{ .Values.applications.assetcatalog.resources.requests.cpu }} memory: {{ .Values.applications.assetcatalog.resources.requests.memory }} ports: - - containerPort: 8080 + - containerPort: 8443 name: http readinessProbe: - httpGet: - path: /api/assetcatalog/health/readiness - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 + exec: + command: + - sh + - -c + - "curl -fk -s --cert /certs/ac-cert.pem --key /certs/ac-key.pem https://localhost:8443/api/assetcatalog/health/readiness || exit 1" + initialDelaySeconds: 100 periodSeconds: 20 successThreshold: 1 failureThreshold: 3 - timeoutSeconds: 5 + timeoutSeconds: 15 livenessProbe: - httpGet: - path: /api/assetcatalog/health/liveness - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 + exec: + command: + - sh + - -c + - "curl -fk -s --cert /certs/ac-cert.pem --key /certs/ac-key.pem https://localhost:8443/api/assetcatalog/health/liveness || exit 1" + initialDelaySeconds: 100 periodSeconds: 20 successThreshold: 1 failureThreshold: 3 - timeoutSeconds: 5 + timeoutSeconds: 15 terminationGracePeriodSeconds: 30 imagePullSecrets: - - name: {{ .Values.imagePullSecretName }} + - name: regcred --- \ No newline at end of file diff --git a/deployment/helm/templates/assetcatalog_service.yaml b/deployment/helm/templates/assetcatalog_service.yaml index d5a75b2..4183525 100644 --- a/deployment/helm/templates/assetcatalog_service.yaml +++ b/deployment/helm/templates/assetcatalog_service.yaml @@ -1,3 +1,6 @@ +# +# Copyright IBM Corp. 2024, 2025 +# apiVersion: v1 kind: Service metadata: @@ -5,9 +8,9 @@ metadata: namespace: {{ default "control-plane" .Release.Namespace }} spec: ports: - - port: 8080 + - port: 8443 protocol: TCP - targetPort: 8080 + targetPort: 8443 name: http selector: app: {{ .Values.applications.assetcatalog.name }} diff --git a/deployment/helm/templates/datastore_configmap.yaml b/deployment/helm/templates/datastore_configmap.yaml new file mode 100644 index 0000000..f4eb51f --- /dev/null 
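Review bot: Both exec probes read `/certs/ac-cert.pem` and `/certs/ac-key.pem`, but the volume in this Deployment is mounted at `{{ .Values.secrets.certs.mountPath }}`, so the probes fail on any install where that value is not `/certs`. The command should use the same value, e.g. `--cert {{ .Values.secrets.certs.mountPath }}/ac-cert.pem --key {{ .Values.secrets.certs.mountPath }}/ac-key.pem`. The hunk also replaces `{{ .Values.imagePullSecretName }}` with the literal `regcred`, removing a setting that existing installs may rely on. The trailing `|| exit 1` is redundant, because curl with `-f` already exits non-zero on failure. The container spec starts outside the hunk.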
+++ b/deployment/helm/templates/datastore_configmap.yaml @@ -0,0 +1,29 @@ +# +# Copyright IBM Corp. 2024, 2025 +# +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.applications.datastore.name }}-config +data: + OPENSEARCH_JAVA_OPTS: "-Xms1g -Xmx1g" + cluster.initial_cluster_manager_nodes: "{{ .Values.applications.datastore.cluster.initial_cluster_manager_nodes }}" + discovery.seed_hosts: "{{ .Values.applications.datastore.name }}-headless" + cluster.name: {{ .Values.applications.datastore.name }}-cluster + network.host: "0.0.0.0" + + OPENSEARCH_INITIAL_ADMIN_PASSWORD: "MyPassword@123" + plugins.security.ssl.http.enabled: "true" + plugins.security.ssl.http.keystore_type: "JKS" + plugins.security.ssl.http.keystore_filepath: "/usr/share/opensearch/config/certs/keystore-os.jks" + plugins.security.ssl.http.keystore_alias: "webmethods" + plugins.security.ssl.http.keystore_password: "webmethods" + plugins.security.ssl.http.keystore_keypassword: "webmethods" + plugins.security.ssl.http.truststore_type: "JKS" + plugins.security.ssl.http.truststore_filepath: "/usr/share/opensearch/config/certs/truststore-os.jks" + plugins.security.ssl.http.truststore_password: "webmethods" + plugins.security.ssl.http.clientauth_mode: "REQUIRE" + + plugins.index_state_management.history.max_age: 7d + plugins.index_state_management.history.rollover_retention_period: 0ms +--- \ No newline at end of file diff --git a/deployment/helm/templates/elasticsearch_service.yaml b/deployment/helm/templates/datastore_service.yaml similarity index 52% rename from deployment/helm/templates/elasticsearch_service.yaml rename to deployment/helm/templates/datastore_service.yaml index f4a7ee4..4324cee 100644 --- a/deployment/helm/templates/elasticsearch_service.yaml +++ b/deployment/helm/templates/datastore_service.yaml 
@@ -1,11 +1,13 @@ +# Copyright IBM Corp. 2024, 2025 +# apiVersion: v1 kind: Service metadata: - name: {{ .Values.applications.es.name }}-lb + name: {{ .Values.applications.datastore.name }}-lb spec: type: ClusterIP selector: - app: {{ .Values.applications.es.name }} + app: {{ .Values.applications.datastore.name }} ports: - name: http protocol: TCP @@ -15,11 +17,11 @@ spec: apiVersion: v1 kind: Service metadata: - name: {{ .Values.applications.es.name }}-headless + name: {{ .Values.applications.datastore.name }}-headless spec: clusterIP: None selector: - app: {{ .Values.applications.es.name }} + app: {{ .Values.applications.datastore.name }} ports: - name: transport port: 9300 diff --git a/deployment/helm/templates/datastore_statefulset.yaml b/deployment/helm/templates/datastore_statefulset.yaml new file mode 100644 index 0000000..cf3d37f --- /dev/null +++ b/deployment/helm/templates/datastore_statefulset.yaml 
@@ -0,0 +1,110 @@ +# +# Copyright IBM Corp. 2024, 2025 +# +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .Values.applications.datastore.name }} + labels: + app: {{ .Values.applications.datastore.name }} +spec: + serviceName: {{ .Values.applications.datastore.name }}-headless + podManagementPolicy: Parallel + replicas: {{ .Values.applications.datastore.replicas }} + selector: + matchLabels: + app: {{ .Values.applications.datastore.name }} + updateStrategy: + type: RollingUpdate + volumeClaimTemplates: + - metadata: + name: {{ .Values.applications.datastore.name }}-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.applications.datastore.storage }} + template: + metadata: + annotations: + sensor.falcon-system.crowdstrike.com/injection: disabled + labels: + app: {{ .Values.applications.datastore.name }} + spec: + securityContext: + fsGroup: 1000 + imagePullSecrets: + - name: regcred + initContainers: + - name: init-sysctl + image: cp.stg.icr.io/cp/webmethods/api/api-control-plane/third-party/busybox:latest + imagePullPolicy: IfNotPresent + securityContext: + privileged: true + runAsUser: 0 + command: ["sysctl", "-w", "vm.max_map_count=262144"] + volumes: + - name: logs + emptyDir: {} + - name: certs + secret: + secretName: {{ .Values.secrets.certs.name }} + containers: + - name: {{ .Values.applications.datastore.name }} + resources: + limits: + cpu: {{ .Values.applications.datastore.resources.limits.cpu }} + memory: {{ .Values.applications.datastore.resources.limits.memory }} + requests: + cpu: {{ .Values.applications.datastore.resources.requests.cpu }} + memory: {{ .Values.applications.datastore.resources.requests.memory }} + securityContext: + privileged: true + runAsUser: 1000 + capabilities: + add: + - IPC_LOCK + - SYS_RESOURCE + - SYS_ADMIN + - DAC_OVERRIDE + - DAC_READ_SEARCH + image: {{ .Values.applications.datastore.imageName }}:{{ .Values.applications.datastore.imageTag }} + imagePullPolicy: 
"IfNotPresent" + envFrom: + - configMapRef: + name: {{ .Values.applications.datastore.name }}-config + env: + - name: node.name + valueFrom: + fieldRef: + fieldPath: metadata.name + readinessProbe: + exec: + command: + - curl + - -fk + - --cert + - /usr/share/opensearch/config/certs/in-cert.pem + - --key + - /usr/share/opensearch/config/certs/in-key.pem + - -u + - admin:MyPassword@123 + - https://localhost:9200 + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 10 + ports: + - containerPort: 9200 + name: http + - containerPort: 9300 + name: transport + volumeMounts: + - name: {{ .Values.applications.datastore.name }}-data + mountPath: /usr/share/opensearch/data + - name: logs + mountPath: /usr/share/opensearch/logs + - name: certs + mountPath: /usr/share/opensearch/config/certs + readOnly: true \ No newline at end of file diff --git a/deployment/helm/templates/elasticsearch_configmap.yaml b/deployment/helm/templates/elasticsearch_configmap.yaml deleted file mode 100644 index 8f3e5ba..0000000 --- a/deployment/helm/templates/elasticsearch_configmap.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Values.applications.es.name }}-config -data: - ES_JAVA_OPTS: "-Xms512m -Xmx512m" - cluster.initial_master_nodes: "{{ .Values.applications.es.cluster.initial_master_nodes }}" - discovery.seed_hosts: "{{ .Values.applications.es.name }}-headless" - cluster.name: {{ .Values.applications.es.name }}-cluster - network.host: "0.0.0.0" - xpack.ml.enabled: "false" - xpack.security.enabled: "false" ---- \ No newline at end of file diff --git a/deployment/helm/templates/elasticsearch_statefulset.yaml b/deployment/helm/templates/elasticsearch_statefulset.yaml deleted file mode 100644 index 25f2444..0000000 --- a/deployment/helm/templates/elasticsearch_statefulset.yaml +++ /dev/null 
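Review bot: The datastore container runs with `privileged: true`, which already grants every capability, so the `capabilities.add` list beneath it (including `SYS_ADMIN`) adds nothing and the pod has far more access than a search node needs. The `init-sysctl` init container in the same spec already performs the one privileged step (`vm.max_map_count`). The main container can therefore drop `privileged: true` and keep only the capabilities it demonstrably needs, likely just `IPC_LOCK` if memory locking is used; confirm against the image. The init container image is tagged `busybox:latest`; a fixed tag or digest would make that privileged step reproducible. The readiness probe also presents `in-cert.pem` / `in-key.pem`, which by name look like the ingress client certificate rather than one for this service; confirm that is intended.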
@@ -1,96 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ .Values.applications.es.name }} - labels: - app: {{ .Values.applications.es.name }} -spec: - serviceName: {{ .Values.applications.es.name }}-headless - podManagementPolicy: Parallel - replicas: {{ .Values.applications.es.replicas }} - selector: - matchLabels: - app: {{ .Values.applications.es.name }} - updateStrategy: - type: RollingUpdate - volumeClaimTemplates: - - metadata: - name: {{ .Values.applications.es.name }}-data - spec: - accessModes: - - ReadWriteOnce - {{- if .Values.applications.es.storageClassName }} - storageClassName: {{ .Values.applications.es.storageClassName }} - {{- end }} - resources: - requests: - storage: {{ .Values.applications.es.storage }} - template: - metadata: - annotations: - sensor.falcon-system.crowdstrike.com/injection: disabled - labels: - app: {{ .Values.applications.es.name }} - spec: - securityContext: - fsGroup: 1000 - initContainers: - - name: init-sysctl - image: public.ecr.aws/docker/library/busybox:latest - imagePullPolicy: IfNotPresent - securityContext: - privileged: true - runAsUser: 0 - command: ["sysctl", "-w", "vm.max_map_count=262144"] - volumes: - - name: logs - emptyDir: {} - containers: - - name: {{ .Values.applications.es.name }} - resources: - limits: - cpu: {{ .Values.applications.es.resources.limits.cpu }} - memory: {{ .Values.applications.es.resources.limits.memory }} - requests: - cpu: {{ .Values.applications.es.resources.requests.cpu }} - memory: {{ .Values.applications.es.resources.requests.memory }} - securityContext: - privileged: true - runAsUser: 1000 - capabilities: - add: - - IPC_LOCK - - SYS_RESOURCE - - SYS_ADMIN - - DAC_OVERRIDE - - DAC_READ_SEARCH - image: {{ .Values.applications.es.imageName }}:{{ .Values.applications.es.imageTag }} - imagePullPolicy: "IfNotPresent" - envFrom: - - configMapRef: - name: {{ .Values.applications.es.name }}-config - env: - - name: node.name - valueFrom: - fieldRef: - fieldPath: 
metadata.name - readinessProbe: - httpGet: - scheme: HTTP - path: /_cluster/health?local=true - port: 9200 - initialDelaySeconds: 20 - periodSeconds: 20 - successThreshold: 1 - timeoutSeconds: 5 - failureThreshold: 3 - ports: - - containerPort: 9200 - name: http - - containerPort: 9300 - name: transport - volumeMounts: - - name: {{ .Values.applications.es.name }}-data - mountPath: /usr/share/elasticsearch/data - - name: logs - mountPath: /usr/share/elasticsearch/logs \ No newline at end of file diff --git a/deployment/helm/templates/engine_configmap.yaml b/deployment/helm/templates/engine_configmap.yaml index fd028f9..7e35ce9 100644 --- a/deployment/helm/templates/engine_configmap.yaml +++ b/deployment/helm/templates/engine_configmap.yaml 
@@ -1,12 +1,38 @@ +# +# Copyright IBM Corp. 2024, 2025 +# apiVersion: v1 kind: ConfigMap metadata: name: {{ .Values.applications.engine.name }}-config data: - APICP_ASSET_CATALOG_ENDPOINT: "http://{{ .Values.applications.assetcatalog.name }}-svc:8080" - SERVICE_ELASTICSEARCH_HOST: {{ .Values.applications.es.name }}-lb - SERVICE_ELASTICSEARCH_PORT: "9200" - SERVICE_ELASTICSEARCH_CERTPATH: "" + APICP_ASSET_CATALOG_ENDPOINT: "https://{{ .Values.applications.assetcatalog.name }}-svc:8443" + + APICP_STORE_ASSETS_HOST: {{ .Values.applications.datastore.name }}-lb + APICP_STORE_ASSETS_PORT: "9200" + APICP_STORE_ASSETS_USERNAME: "admin" + APICP_STORE_ASSETS_PASSWORD: "MyPassword@123" + APICP_STORE_ASSETS_ENABLE_SSL: "true" + APICP_STORE_ASSETS_KEYSTORE_FILE_PATH: "/certs/keystore-en.jks" + APICP_STORE_ASSETS_KEYSTORE_PASSWORD: "webmethods" + APICP_STORE_ASSETS_KEYSTORE_ALIAS_NAME: "webmethods" + APICP_STORE_ASSETS_TRUSTSTORE_FILE_PATH: "/certs/truststore-en.jks" + APICP_STORE_ASSETS_TRUSTSTORE_PASSWORD: "webmethods" + + APICP_AUTH_JWKS_URI: "https://{{ .Values.applications.ingress.name }}-svc:8443/api/ingress/v1/discovery/keys" + + SERVER_PORT: "8443" + SERVER_SSL_ENABLED: "true" + SERVER_SSL_KEY_ALIAS: "webmethods" + SERVER_SSL_KEY_PASSWORD: "webmethods" + SERVER_SSL_KEY_STORE: "/certs/keystore-en.jks" + SERVER_SSL_KEY_STORE_PASSWORD: "webmethods" + SERVER_SSL_KEY_STORE_TYPE: "JKS" + SERVER_SSL_TRUST_STORE: "/certs/truststore-en.jks" + SERVER_SSL_TRUST_STORE_PASSWORD: "webmethods" + SERVER_SSL_CLIENT_AUTH: "NEED" + + OTEL_JAVAAGENT_ENABLED: "true" {{- if .Values.applications.jaegertracing.enabled }} OTEL_METRICS_EXPORTER: "none" diff --git a/deployment/helm/templates/engine_deployment.yaml b/deployment/helm/templates/engine_deployment.yaml index e616e8d..eebad6b 100644 --- a/deployment/helm/templates/engine_deployment.yaml +++ b/deployment/helm/templates/engine_deployment.yaml 
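Review bot: The new `APICP_STORE_ASSETS_PASSWORD`, `APICP_STORE_ASSETS_*STORE_PASSWORD` and `SERVER_SSL_*_PASSWORD` entries put credentials into a ConfigMap as chart literals (`"MyPassword@123"`, `"webmethods"`), where they are readable with ordinary ConfigMap read rights and identical for every install. Move them to a Secret consumed through `secretRef` under `envFrom` (or per-key `secretKeyRef`), with the values supplied from `.Values` or an existing Secret name rather than the template. The ingress ConfigMap hunk (which additionally sets `com.softwareag.api.umc.users.system.password: "manage"` and the token-signing keystore passwords) and the UI ConfigMap hunk have the same problem. A comment next to `SERVER_SSL_CLIENT_AUTH: "NEED"` stating that every caller must present a client certificate trusted by `truststore-en.jks` would help whoever operates this.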
@@ -1,3 +1,6 @@ +# +# Copyright IBM Corp. 2024, 2025 +# apiVersion: apps/v1 kind: Deployment metadata: @@ -21,9 +24,17 @@ spec: date: "{{ now | unixEpoch }}" spec: automountServiceAccountToken: false + volumes: + - name: certs + secret: + secretName: {{ .Values.secrets.certs.name }} containers: - name: {{ .Values.applications.engine.name }} image: {{ .Values.applications.engine.imageName }}:{{ .Values.applications.engine.imageTag }} + volumeMounts: + - name: certs + mountPath: {{ .Values.secrets.certs.mountPath }} + readOnly: true envFrom: - configMapRef: name: {{ .Values.applications.engine.name }}-config @@ -39,29 +50,31 @@ spec: cpu: {{ .Values.applications.engine.resources.requests.cpu }} memory: {{ .Values.applications.engine.resources.requests.memory }} ports: - - containerPort: 8080 + - containerPort: 8443 name: http readinessProbe: - httpGet: - path: /api/engine/health/readiness - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 + exec: + command: + - sh + - -c + - "curl -fk -s --cert /certs/en-cert.pem --key /certs/en-key.pem https://localhost:8443/api/engine/health/readiness || exit 1" + initialDelaySeconds: 100 periodSeconds: 20 successThreshold: 1 failureThreshold: 3 - timeoutSeconds: 5 + timeoutSeconds: 15 livenessProbe: - httpGet: - path: /api/engine/health/liveness - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 + exec: + command: + - sh + - -c + - "curl -fk -s --cert /certs/en-cert.pem --key /certs/en-key.pem https://localhost:8443/api/engine/health/liveness || exit 1" + initialDelaySeconds: 100 periodSeconds: 20 successThreshold: 1 failureThreshold: 3 - timeoutSeconds: 5 + timeoutSeconds: 15 terminationGracePeriodSeconds: 30 imagePullSecrets: - - name: {{ .Values.imagePullSecretName }} + - name: regcred --- \ No newline at end of file diff --git a/deployment/helm/templates/engine_service.yaml b/deployment/helm/templates/engine_service.yaml index 609666d..848cd2f 100644 --- a/deployment/helm/templates/engine_service.yaml 
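Review bot: Both exec probes call `curl -fk`, which skips server-certificate verification, and they hard-code `/certs/en-cert.pem` and `/certs/en-key.pem` while the volume is mounted at `{{ .Values.secrets.certs.mountPath }}`; any non-default mount path leaves the probes (and the `/certs/...` paths in the engine ConfigMap) pointing at files that are not there. Either fix the mount to `/certs` or derive the probe paths from the same value, and prefer `--cacert` with the chart's CA over `-k` if that CA is part of the mounted secret. The probes also assume `sh` and `curl` exist in the engine image, which this diff does not show. Separately, `imagePullSecrets` now hard-codes `regcred` instead of `{{ .Values.imagePullSecretName }}`, removing an override that values.yaml still defines. The ingress and UI deployment hunks make the same probe and pull-secret changes.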
+++ b/deployment/helm/templates/engine_service.yaml @@ -1,3 +1,6 @@ +# +# Copyright IBM Corp. 2024, 2025 +# apiVersion: v1 kind: Service metadata: @@ -5,10 +8,11 @@ metadata: namespace: {{ default "control-plane" .Release.Namespace }} spec: ports: - - port: 8080 + - name: http + port: 8443 protocol: TCP - targetPort: http - name: http + targetPort: 8443 + selector: app: {{ .Values.applications.engine.name }} type: ClusterIP diff --git a/deployment/helm/templates/ingress_configmap.yaml b/deployment/helm/templates/ingress_configmap.yaml index ce96d74..5c969aa 100644 --- a/deployment/helm/templates/ingress_configmap.yaml +++ b/deployment/helm/templates/ingress_configmap.yaml 
@@ -1,31 +1,47 @@ +# +# Copyright IBM Corp. 2024, 2025 +# apiVersion: v1 kind: ConfigMap metadata: name: {{ .Values.applications.ingress.name }}-config data: -{{ (.Files.Glob "license/*").AsConfig | indent 2 }} -{{ if eq .Values.applications.ingress.sslEnabled true }} SERVER_SSL_ENABLED: "true" - SERVER_PORT: "8443" - SERVER_SSL_KEY_ALIAS: "controlplane" - SERVER_SSL_KEY_PASSWORD: "" - SERVER_SSL_KEY_STORE: "file:/opt/softwareag/certs/webmethods_not_for_production.jks" + SERVER_SSL_KEY_ALIAS: "webmethods" + SERVER_SSL_KEY_PASSWORD: "webmethods" + SERVER_SSL_KEY_STORE: "/certs/keystore-in.jks" SERVER_SSL_KEY_STORE_PASSWORD: "webmethods" SERVER_SSL_KEY_STORE_TYPE: "JKS" - {{ else }} - SERVER_SSL_ENABLED: "false" - SERVER_PORT: "8080" - {{ end }} - APICP_ENGINE_ENDPOINT: "http://{{ .Values.applications.engine.name }}-svc:8080" - APICP_ASSET_CATALOG_ENDPOINT: "http://{{ .Values.applications.assetcatalog.name }}-svc:8080" - APICP_UI_ENDPOINT: "http://{{ .Values.applications.ui.name }}-svc:8080" - APICP_TENANT_ID: "{{ .Values.applications.ingress.tenantId }}" - APICP_SAG_CLOUD_URL: "" - APICP_LICENSE_PATH: "/home/license/{{ .Values.applications.ingress.licenseFileName }}" - SERVICE_ELASTICSEARCH_HOST: {{ .Values.applications.es.name }}-lb - SERVICE_ELASTICSEARCH_PORT: "9200" + SERVER_SSL_TRUST_STORE: "/certs/truststore-in.jks" + SERVER_SSL_TRUST_STORE_PASSWORD: "webmethods" + SERVER_SSL_CLIENT_AUTH: "NEED" + + APICP_ENGINE_ENDPOINT: "https://{{ .Values.applications.engine.name }}-svc:8443" + APICP_ASSET_CATALOG_ENDPOINT: "https://{{ .Values.applications.assetcatalog.name }}-svc:8443" + APICP_UI_ENDPOINT: "https://{{ .Values.applications.ui.name }}-svc:8443" + APICP_STORE_ASSETS_HOST: {{ .Values.applications.datastore.name }}-lb + APICP_STORE_ASSETS_PORT: "9200" + APICP_STORE_ASSETS_USERNAME: "admin" + APICP_STORE_ASSETS_PASSWORD: "MyPassword@123" + APICP_STORE_ASSETS_ENABLE_SSL: "true" + APICP_STORE_ASSETS_KEYSTORE_FILE_PATH: "/certs/keystore-in.jks" + 
APICP_STORE_ASSETS_KEYSTORE_PASSWORD: "webmethods" + APICP_STORE_ASSETS_KEYSTORE_ALIAS_NAME: "webmethods" + APICP_STORE_ASSETS_TRUSTSTORE_FILE_PATH: "/certs/truststore-in.jks" + APICP_STORE_ASSETS_TRUSTSTORE_PASSWORD: "webmethods" MANAGEMENT_HEALTH_ELASTICSEARCH_ENABLED: "false" + CONTROL_PLANE_TENANTID: "{{ .Values.applications.ingress.tenantId }}" + APICP_TENANT_ID: "{{ .Values.applications.ingress.tenantId }}" com.softwareag.api.umc.loadbalancer.url: "http://{{ .Values.domainName }}" + SAGCLOUD_URL: "" + APICP_SAG_CLOUD_URL: "" + APICP_LICENSE_PATH: "/home/license.xml" + APICP_STUDIO_ENABLED: "false" + APICP_INGRESS_TOKEN_SIGNATURE_KEY_STORE: "/certs/jwt_keystore.jks" + APICP_INGRESS_TOKEN_SIGNATURE_KEY_STORE_PASSWORD: "webmethods" + APICP_INGRESS_TOKEN_SIGNATURE_KEY_ALIAS: "ibm" + APICP_INGRESS_TOKEN_SIGNATURE_KEY_PASSWORD: "webmethods" + com.softwareag.api.umc.users.system.password: "manage" com.softwareag.api.umc.oauth.active: "" com.softwareag.api.umc.oauth.providers: "" com.softwareag.api.umc.oauth.api.keys: "" @@ -33,6 +49,9 @@ data: com.softwareag.api.umc.oauth.authorize.endpoint: "" com.softwareag.api.umc.oauth.access.endpoint: "" com.softwareag.api.umc.oauth.user.endpoint: "" + + JAVA_OPTS: "-Xms256m -Xmx256m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp/ingress_heap_dump.hprof -Dcom.softwareag.api.umc.config.file=umc-defaults-controlplane.properties" + OTEL_JAVAAGENT_ENABLED: "{{ .Values.applications.jaegertracing.enabled }}" {{- if .Values.applications.jaegertracing.enabled }} JAVA_OPTS: "-Dotel.exporter.otlp.endpoint=http://{{ .Values.applications.jaegertracing.name }}-svc:{{ .Values.applications.jaegertracing.port }} -Dotel.resource.attributes=service.name={{ .Values.applications.ingress.name }}" 
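Review bot: The hunk removes `{{ (.Files.Glob "license/*").AsConfig | indent 2 }}` but sets `APICP_LICENSE_PATH: "/home/license.xml"`, and none of the keys added here is `license.xml`, so the license file appears to be missing from the ConfigMap that the deployment still mounts as `license-file` (unless it is supplied somewhere outside this diff). It also drops `SERVER_PORT: "8443"` while the probes and the Service target 8443; confirm the image listens there by default or keep the key. If the license is now baked into the image, a one-line comment saying so would prevent the entry from looking like a dangling path.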
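Review bot: The added `JAVA_OPTS` entry duplicates the existing `JAVA_OPTS` key inside the `jaegertracing.enabled` block directly below it, so with tracing enabled the rendered ConfigMap carries the key twice. Most YAML loaders keep the last occurrence and some reject duplicates outright; in the first case the heap settings and `-Dcom.softwareag.api.umc.config.file=umc-defaults-controlplane.properties` are silently lost. Emit a single `JAVA_OPTS` value and append the OTLP flags to it inside the `if`. The `if` block continues past the end of this hunk.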
@@ -42,4 +61,5 @@ data: {{- if .Values.applications.gainsight.enabled }} APICP_INGRESS_SECURITYCONFIG_HEADERS_CONTENT_SECURITY_POLICY : "default-src 'self'; img-src * 'self' data: *.aptrinsic.com storage.googleapis.com; object-src 'none'; script-src 'self' *.aptrinsic.com; style-src 'self' 'unsafe-inline' *.aptrinsic.com 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; connect-src 'self' *.aptrinsic.com" {{- end }} + --- diff --git a/deployment/helm/templates/ingress_deployment.yaml b/deployment/helm/templates/ingress_deployment.yaml index 3a91238..d7aa85d 100644 --- a/deployment/helm/templates/ingress_deployment.yaml +++ b/deployment/helm/templates/ingress_deployment.yaml @@ -1,3 +1,6 @@ +# +# Copyright IBM Corp. 2024, 2025 +# apiVersion: apps/v1 kind: Deployment metadata: @@ -25,12 +28,18 @@ spec: - name: license-file configMap: name: {{ .Values.applications.ingress.name }}-config + - name: certs + secret: + secretName: {{ .Values.secrets.certs.name }} containers: - image: {{ .Values.applications.ingress.imageName }}:{{ .Values.applications.ingress.imageTag }} name: {{ .Values.applications.ingress.name }} volumeMounts: - name: license-file - mountPath: /home/license + mountPath: /home + - name: certs + mountPath: /certs + readOnly: true envFrom: - configMapRef: name: {{ .Values.applications.ingress.name }}-config 
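Review bot: Changing the `license-file` mount from `/home/license` to `/home` projects every key of the ingress ConfigMap as a file under `/home` and hides whatever the image ships in that directory. That ConfigMap now holds the datastore, keystore and token-signing passwords, so each of them becomes a readable file in the container in addition to an environment variable. If only the license is needed, mount that single key with `subPath: license.xml` at `/home/license.xml`, ideally from its own ConfigMap or Secret.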
@@ -45,50 +54,34 @@ spec: requests: cpu: {{ .Values.applications.ingress.resources.requests.cpu }} memory: {{ .Values.applications.ingress.resources.requests.memory }} -# should be enabled if the certificate from host system is being mounted -# volumeMounts: -# - name: hostpath-volume -# mountPath: /opt/softwareag/certs/webmethods_not_for_production.jks ports: - - containerPort: 8080 + - containerPort: 8443 name: http + - containerPort: 8080 + name: internal readinessProbe: - httpGet: - path: /api/ingress/health/readiness - {{ if eq .Values.applications.ingress.sslEnabled true }} - port: 8443 - scheme: HTTPS - {{ else }} - port: 8080 - scheme: HTTP - {{ end }} + exec: + command: + - sh + - -c + - "curl -fk -s --cert /certs/in-cert.pem --key /certs/in-key.pem https://localhost:8443/api/ingress/health/readiness || exit 1" initialDelaySeconds: 100 periodSeconds: 20 successThreshold: 1 failureThreshold: 3 - timeoutSeconds: 5 + timeoutSeconds: 15 livenessProbe: - httpGet: - path: /api/ingress/health/liveness - {{ if eq .Values.applications.ingress.sslEnabled true }} - port: 8443 - scheme: HTTPS - {{ else }} - port: 8080 - scheme: HTTP - {{ end }} + exec: + command: + - sh + - -c + - "curl -fk -s --cert /certs/in-cert.pem --key /certs/in-key.pem https://localhost:8443/api/ingress/health/liveness || exit 1" initialDelaySeconds: 100 periodSeconds: 20 successThreshold: 1 failureThreshold: 3 - timeoutSeconds: 5 -# should be enabled if the certificate from host system is being mounted -# volumes: -# - name: hostpath-volume -# hostPath: -# path: /mnt/path/in/your/host/webmethods_not_for_production.jks -# type: File + timeoutSeconds: 15 terminationGracePeriodSeconds: 30 imagePullSecrets: - - name: {{ .Values.imagePullSecretName }} + - name: regcred --- diff --git a/deployment/helm/templates/ingress_service.yaml b/deployment/helm/templates/ingress_service.yaml index 0c04e05..d4a8f2b 100644 --- a/deployment/helm/templates/ingress_service.yaml 
+++ b/deployment/helm/templates/ingress_service.yaml @@ -1,3 +1,6 @@ +# +# Copyright IBM Corp. 2024, 2025 +# apiVersion: v1 kind: Service metadata: @@ -6,13 +9,13 @@ metadata: spec: ports: - name: http - port: 8080 + port: 8443 protocol: TCP - {{ if eq .Values.applications.ingress.sslEnabled true }} targetPort: 8443 - {{ else }} + - name: internal # Only for the JWT related internal communication. + port: 8080 + protocol: TCP targetPort: 8080 - {{ end }} selector: app: {{ .Values.applications.ingress.name }} type: ClusterIP diff --git a/deployment/helm/templates/jaegar_configmap.yaml b/deployment/helm/templates/jaegar_configmap.yaml deleted file mode 100644 index 5ccc774..0000000 --- a/deployment/helm/templates/jaegar_configmap.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if .Values.applications.jaegertracing.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ .Values.applications.jaegertracing.name }}-config -data: - COLLECTOR_ZIPKIN_HOST_PORT: "9411" - COLLECTOR_OTLP_ENABLED: "true" ---- -{{- end }} \ No newline at end of file diff --git a/deployment/helm/templates/jaegar_service.yaml b/deployment/helm/templates/jaegar_service.yaml deleted file mode 100644 index e4c06ab..0000000 --- a/deployment/helm/templates/jaegar_service.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.applications.jaegertracing.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.applications.jaegertracing.name }}-svc - namespace: {{ default "control-plane" .Release.Namespace }} -spec: - ports: - - port: {{ .Values.applications.jaegertracing.port }} - protocol: TCP - targetPort: {{ .Values.applications.jaegertracing.port }} - name: http - selector: - app: {{ .Values.applications.jaegertracing.name }} - type: ClusterIP ---- -{{- end }} \ No newline at end of file diff --git a/deployment/helm/templates/jaegar_ui_service.yaml b/deployment/helm/templates/jaegar_ui_service.yaml deleted file mode 100644 index 52b754a..0000000 
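Review bot: The new `internal` port 8080 is published on the Service with only the comment "Only for the JWT related internal communication", while `APICP_AUTH_JWKS_URI` in the engine and UI ConfigMaps points at port 8443, so the diff does not show what is served on 8080 or whether it sits behind the `SERVER_SSL_CLIENT_AUTH: "NEED"` listener. If it is a plain-HTTP listener, every pod that can reach the ClusterIP can call it without a client certificate. Please expand the comment to name the endpoint and its callers, and restrict the port with a NetworkPolicy or drop it from the Service if only in-pod access is required.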
--- a/deployment/helm/templates/jaegar_ui_service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.applications.jaegertracing.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ .Values.applications.jaegertracing.name }}-ui-svc - namespace: {{ default "control-plane" .Release.Namespace }} -spec: - ports: - - port: {{ .Values.applications.jaegertracing.uiPort }} - protocol: TCP - targetPort: {{ .Values.applications.jaegertracing.uiPort }} - name: http-ui - nodePort: {{ .Values.applications.jaegertracing.extPort }} - selector: - app: {{ .Values.applications.jaegertracing.name }} - type: NodePort ---- -{{- end }} \ No newline at end of file diff --git a/deployment/helm/templates/jaeger_deployment.yaml b/deployment/helm/templates/jaeger_deployment.yaml deleted file mode 100644 index c8f5d0b..0000000 --- a/deployment/helm/templates/jaeger_deployment.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -{{- if .Values.applications.jaegertracing.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Values.applications.jaegertracing.name }} - namespace: {{ default "control-plane" .Release.Namespace }} -spec: - replicas: {{ .Values.applications.jaegertracing.replicaCount }} - selector: - matchLabels: - app: {{ .Values.applications.jaegertracing.name }} - template: - metadata: - labels: - app: {{ .Values.applications.jaegertracing.name }} - annotations: - spec: - automountServiceAccountToken: false - containers: - - image: {{ .Values.applications.jaegertracing.imageName }}:{{ .Values.applications.jaegertracing.imageTag }} - name: {{ .Values.applications.jaegertracing.name }} - envFrom: - - configMapRef: - name: {{ .Values.applications.jaegertracing.name }}-config - imagePullPolicy: Always - livenessProbe: - httpGet: - path: / - port: http-ui - initialDelaySeconds: 60 - periodSeconds: 20 - successThreshold: 1 - failureThreshold: 3 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: / - port: http-ui - initialDelaySeconds: 60 - periodSeconds: 20 - successThreshold: 1 - failureThreshold: 3 - timeoutSeconds: 5 - securityContext: - runAsNonRoot: true - runAsUser: 1724 - resources: - limits: - cpu: {{ .Values.applications.jaegertracing.resources.limits.cpu }} - memory: {{ .Values.applications.jaegertracing.resources.limits.memory }} - requests: - cpu: {{ .Values.applications.jaegertracing.resources.requests.cpu }} - memory: {{ .Values.applications.jaegertracing.resources.requests.memory }} - ports: - - name: http - containerPort: {{ .Values.applications.jaegertracing.port }} - protocol: TCP - - name: http-ui - containerPort: 16686 - protocol: TCP - terminationGracePeriodSeconds: 30 ---- -{{- end }} \ No newline at end of file diff --git a/deployment/helm/templates/nginx_configmap.yaml b/deployment/helm/templates/nginx_configmap.yaml new file mode 100644 index 0000000..aec1b42 --- /dev/null 
+++ b/deployment/helm/templates/nginx_configmap.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nginx-config
+data:
+ default.conf: |
+ server {
+ server_name localhost;
+ listen 443 ssl ;
+ ssl_session_timeout 5m;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+ ssl_certificate /etc/nginx/certs/nginx-cert.crt;
+ ssl_certificate_key /etc/nginx/certs/nginx-key.key;
+
+ location / {
+ proxy_pass https://{{ .Values.applications.ingress.name }}-svc:8443;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host {{ .Values.domainName }};
+ proxy_set_header X-Forwarded-Port 443;
+
+ # Configure Nginx as a client using self-signed certs
+ proxy_ssl_certificate /etc/nginx/certs/nginx-cert.crt;
+ proxy_ssl_certificate_key /etc/nginx/certs/nginx-key.key;
+
+ #proxy_ssl_trusted_certificate /etc/nginx/certs/in-cert.pem;
+ proxy_ssl_verify off;
+ }
+ }
\ No newline at end of file
diff --git a/deployment/helm/templates/nginx_deployment.yaml b/deployment/helm/templates/nginx_deployment.yaml
new file mode 100644
index 0000000..3b7e9e8
--- /dev/null
+++ b/deployment/helm/templates/nginx_deployment.yaml
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ containers:
+ - name: nginx
+ image: cp.stg.icr.io/cp/webmethods/api/api-control-plane/third-party/nginx:latest
+ imagePullPolicy: Always
+ securityContext:
+ privileged: true
+ runAsUser: 0
+ ports:
+ - containerPort: 443
+ volumeMounts:
+ - name: nginx-config
+ mountPath: /etc/nginx/conf.d/default.conf
+ subPath: default.conf
+ - name: certs
+ mountPath: /etc/nginx/certs
+ readOnly: true
+ volumes:
+ - name: nginx-config
+ configMap:
+ name: nginx-config
+ - name: certs
+ secret:
+ secretName: {{ .Values.secrets.certs.name }}
+ imagePullSecrets:
+ - name: regcred
+
\ No newline at end of file
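Review bot: `proxy_ssl_verify off;` together with the commented-out `proxy_ssl_trusted_certificate` means nginx presents its client certificate to the ingress service but never authenticates the upstream, so the proxy leg is encrypted without being server-authenticated. Enable `proxy_ssl_trusted_certificate` with the CA or ingress certificate from the mounted secret, set `proxy_ssl_verify on;`, and set `proxy_ssl_name` to a name present in the upstream certificate. The `server` block also leaves `ssl_protocols` at the build default; stating it explicitly (for example `ssl_protocols TLSv1.2 TLSv1.3;`) documents the policy of the externally exposed listener. The existing comment says "self-signed certs" and would be clearer if it said that verification is intentionally disabled and why.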
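Review bot: The nginx container runs with `privileged: true` and `runAsUser: 0` although, from what this manifest shows, it only binds port 443 and reads the mounted configuration and certificates. Drop `privileged` and either keep root with all capabilities dropped except `NET_BIND_SERVICE`, or use an unprivileged nginx image on a high port and let the Service map 443 to it. The image is referenced as `nginx:latest` with `imagePullPolicy: Always`, so the edge proxy can change on any pod restart; pin a tag or digest. Unlike the engine and UI deployments in this diff, the pod spec does not set `automountServiceAccountToken: false`.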
diff --git a/deployment/helm/templates/nginx_ingress.yaml b/deployment/helm/templates/nginx_ingress.yaml
deleted file mode 100644
index 874551c..0000000
--- a/deployment/helm/templates/nginx_ingress.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: control-plane
- namespace: {{ default "control-plane" .Release.Namespace }}
- annotations:
- {{ if eq .Values.applications.ingress.sslEnabled true }}
- nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
- nginx.ingress.kubernetes.io/ssl-passthrough: "true"
- nginx.ingress.kubernetes.io/ssl-redirect: "true"
- {{ end }}
-spec:
- ingressClassName: {{ .Values.ingressClassName | default "nginx" }}
- rules:
- - host: {{ .Values.domainName }}
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: {{ .Values.applications.ingress.name }}-svc
- port:
- {{- if eq .Values.applications.ingress.sslEnabled true }}
- number: 8443
- {{- else }}
- number: 8080
- {{- end }}
diff --git a/deployment/helm/templates/nginx_service.yaml b/deployment/helm/templates/nginx_service.yaml
new file mode 100644
index 0000000..47d62ad
--- /dev/null
+++ b/deployment/helm/templates/nginx_service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: nginx
+spec:
+ type: LoadBalancer
+ selector:
+ app: nginx
+ ports:
+ - protocol: TCP
+ port: 443
+ targetPort: 443
\ No newline at end of file
diff --git a/deployment/helm/templates/ui_configmap.yaml b/deployment/helm/templates/ui_configmap.yaml
index 17bd2aa..2536259 100644
--- a/deployment/helm/templates/ui_configmap.yaml
+++ b/deployment/helm/templates/ui_configmap.yaml
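Review bot: `type: LoadBalancer` publishes the control plane on an external load balancer with no `loadBalancerSourceRanges`, replacing the Ingress resource this commit deletes, so on most cloud providers the UI and API become reachable from any address by default. If that exposure is intended, add a values-driven `loadBalancerSourceRanges` list; otherwise make the Service type configurable with `ClusterIP` as the default. The Service also omits the `namespace: {{ default "control-plane" .Release.Namespace }}` line that the engine and UI Services carry.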
@@ -1,10 +1,29 @@ +# +# Copyright IBM Corp. 2024, 2025 +# apiVersion: v1 kind: ConfigMap metadata: name: {{ .Values.applications.ui.name }}-config data: - APICP_ENGINE_ENDPOINT: "http://{{ .Values.applications.engine.name }}-svc:8080" - APICP_ASSET_CATALOG_ENDPOINT: "http://{{ .Values.applications.assetcatalog.name }}-svc:8080" + APICP_ENGINE_ENDPOINT: "https://{{ .Values.applications.engine.name }}-svc:8443" + APICP_ASSET_CATALOG_ENDPOINT: "https://{{ .Values.applications.assetcatalog.name }}-svc:8443" + APICP_AUTH_JWKS_URI: "https://{{ .Values.applications.ingress.name }}-svc:8443/api/ingress/v1/discovery/keys" + SPRING_CODEC_MAX_IN_MEMORY_SIZE: "{{ .Values.applications.ui.springCodecMaxMemorySize }}" + # JAVA_OPTS: "-Xms256m -Xmx256m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/tmp/ui_heap_dump.hprof" + + SERVER_PORT: "8443" + SERVER_SSL_ENABLED: "true" + SERVER_SSL_KEY_ALIAS: "webmethods" + SERVER_SSL_KEY_PASSWORD: "webmethods" + SERVER_SSL_KEY_STORE: "/certs/keystore-ui.jks" + SERVER_SSL_KEY_STORE_PASSWORD: "webmethods" + SERVER_SSL_KEY_STORE_TYPE: "JKS" + SERVER_SSL_TRUST_STORE: "/certs/truststore-ui.jks" + SERVER_SSL_TRUST_STORE_PASSWORD: "webmethods" + SERVER_SSL_CLIENT_AUTH: "NEED" + + OTEL_JAVAAGENT_ENABLED: "{{ .Values.applications.jaegertracing.enabled }}" {{- if .Values.applications.jaegertracing.enabled }} LOGGING_LEVEL_COM_SOFTWAREAG_CONTROLPLANE: "{{ .Values.applications.ui.logLevel }}" diff --git a/deployment/helm/templates/ui_deployment.yaml b/deployment/helm/templates/ui_deployment.yaml index 2914f0a..9d59c93 100644 --- a/deployment/helm/templates/ui_deployment.yaml +++ b/deployment/helm/templates/ui_deployment.yaml @@ -1,3 +1,6 @@ +# +# Copyright IBM Corp. 2024, 2025 +# apiVersion: apps/v1 kind: Deployment metadata: 
@@ -21,9 +24,17 @@ spec: date: "{{ now | unixEpoch }}" spec: automountServiceAccountToken: false + volumes: + - name: certs + secret: + secretName: {{ .Values.secrets.certs.name }} containers: - name: {{ .Values.applications.ui.name }} image: {{ .Values.applications.ui.imageName }}:{{ .Values.applications.ui.imageTag }} + volumeMounts: + - name: certs + mountPath: {{ .Values.secrets.certs.mountPath }} + readOnly: true envFrom: - configMapRef: name: {{ .Values.applications.ui.name }}-config @@ -39,29 +50,31 @@ spec: cpu: {{ .Values.applications.ui.resources.requests.cpu }} memory: {{ .Values.applications.ui.resources.requests.memory }} ports: - - containerPort: 8080 + - containerPort: 8443 name: http readinessProbe: - httpGet: - path: /controlplane/api/ui/health/readiness - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 + exec: + command: + - sh + - -c + - "curl -fk -s --cert /certs/ui-cert.pem --key /certs/ui-key.pem https://localhost:8443/controlplane/api/ui/health/readiness || exit 1" + initialDelaySeconds: 100 periodSeconds: 20 successThreshold: 1 failureThreshold: 3 - timeoutSeconds: 5 + timeoutSeconds: 15 livenessProbe: - httpGet: - path: /controlplane/api/ui/health/liveness - port: 8080 - scheme: HTTP - initialDelaySeconds: 60 + exec: + command: + - sh + - -c + - "curl -fk -s --cert /certs/ui-cert.pem --key /certs/ui-key.pem https://localhost:8443/controlplane/api/ui/health/liveness || exit 1" + initialDelaySeconds: 100 periodSeconds: 20 successThreshold: 1 failureThreshold: 3 - timeoutSeconds: 5 + timeoutSeconds: 15 terminationGracePeriodSeconds: 30 imagePullSecrets: - - name: {{ .Values.imagePullSecretName }} + - name: regcred --- \ No newline at end of file diff --git a/deployment/helm/templates/ui_service.yaml b/deployment/helm/templates/ui_service.yaml index 4be598e..1179bea 100644 --- a/deployment/helm/templates/ui_service.yaml +++ b/deployment/helm/templates/ui_service.yaml 
@@ -1,3 +1,6 @@ +# +# Copyright IBM Corp. 2024, 2025 +# apiVersion: v1 kind: Service metadata: @@ -5,9 +8,9 @@ metadata: namespace: {{ default "control-plane" .Release.Namespace }} spec: ports: - - port: 8080 + - port: 8443 protocol: TCP - targetPort: 8080 + targetPort: 8443 name: http selector: app: {{ .Values.applications.ui.name }} diff --git a/deployment/helm/values.yaml b/deployment/helm/values.yaml index 0986580..ed172b2 100644 --- a/deployment/helm/values.yaml +++ b/deployment/helm/values.yaml @@ -149,6 +149,12 @@ applications: plan: "Free" stage: "Staging" key: "AP-BCBBKBNAYWW6-2-2" + +secrets: + certs: + name: certs-secret + mountPath: /certs + domainName: my-control-plane imagePullSecretName: regcred # -- Optionally configure a ingress class to use for the kubernetes ingress (default: nginx)
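Review bot: `secrets.certs.name` points every workload at a single Secret (`certs-secret`), and the templates in this diff read the `en-`, `in-` and `ui-` key files, the nginx key and `jwt_keystore.jks` from that same mount, so each pod can read every other service's private key and the token-signing keystore. One Secret per service, or an `items:` list on each volume that projects only that service's files, would keep a single compromised pod from exposing the rest. A comment here listing the file names the Secret must contain, and noting that `mountPath` has to stay `/certs` because the ConfigMaps and probes hard-code that path, would prevent a broken install. `imagePullSecretName` is still defined below, but the templates changed in this diff no longer read it.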